update squid to 6.13 (#147)

* bump squid to 6.13

* fix download links

.github/FUNDING.yml

@@ -0,0 +1 @@
+custom: ['https://boosty.to/0xffff', 'https://www.donationalerts.com/r/b4tman1']

.github/workflows/dockerimage.yml

@@ -23,23 +23,23 @@ jobs:
   test:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: b4tman
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Cache Docker layers
-        uses: actions/cache@v3.3.1
+        uses: actions/cache@v4.2.0
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -47,7 +47,7 @@ jobs:
             ${{ runner.os }}-buildx-
 
       - name: Build squid image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: false
@@ -65,23 +65,48 @@ jobs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
       - name: Test image
-        run: docker compose -f docker-compose.test.yml up --pull never sut
+        run: |
+          set -ex
+          docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down
 
-      - name: Build 'ssl-bump' image     
+      - name: set base image for 'ssl-bump'
         run: |
           sed -i "s%FROM b4tman/squid%FROM $TEST_TAG%" ssl-bump/Dockerfile
-          docker build ssl-bump
+      
+      - name: Build 'ssl-bump' image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ env.TEST_TAG }}-ssl-bump
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
 
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          
+      - name: Test 'ssl-bump' image
+        run: |
+          set -ex
+          TEST_TAG="${TEST_TAG}-ssl-bump" docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down
   push:
     needs: test
     runs-on: ubuntu-20.04
     if: github.event_name != 'pull_request'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             b4tman/squid
@@ -95,7 +120,7 @@ jobs:
 
       - name: Docker meta (ssl-bump)
         id: meta_ssl_bump
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             b4tman/squid
@@ -110,7 +135,7 @@ jobs:
 
       - name: Docker meta (ssl-bump ghcr)
         id: meta_ssl_bump_ghcr
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             ghcr.io/b4tman/squid-ssl-bump
@@ -122,13 +147,13 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Cache Docker layers
-        uses: actions/cache@v3.3.1
+        uses: actions/cache@v4.2.0
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -136,20 +161,20 @@ jobs:
             ${{ runner.os }}-buildx-
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: b4tman
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.CR_PAT }}
 
       - name: Build squid image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
@@ -168,7 +193,7 @@ jobs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
       - name: Build 'ssl-bump' image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: ssl-bump
           push: true
@@ -188,7 +213,7 @@ jobs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
       - name: Build 'ssl-bump' image for ghcr
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: ssl-bump
           push: true

.github/workflows/stale.yml

@@ -18,7 +18,7 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/stale@v8
+    - uses: actions/stale@v9
       with:
         days-before-stale: 182
         days-before-close: 7

Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.18.2 as build
+FROM alpine:3.21.2 as build
 
-ARG SQUID_VER=6.2
+ARG SQUID_VER=6.13
 
 RUN set -x && \
 	apk add --no-cache  \
@@ -24,8 +24,8 @@ RUN set -x && \
 WORKDIR /tmp/build
 
 RUN set -x && \
-	curl -SsL http://www.squid-cache.org/Versions/v${SQUID_VER%%.*}/squid-${SQUID_VER}.tar.gz -o squid-${SQUID_VER}.tar.gz && \
-	curl -SsL http://www.squid-cache.org/Versions/v${SQUID_VER%%.*}/squid-${SQUID_VER}.tar.gz.asc -o squid-${SQUID_VER}.tar.gz.asc
+	curl -fSsL "https://github.com/squid-cache/squid/releases/download/SQUID_${SQUID_VER//./_}/squid-${SQUID_VER}.tar.gz" -o squid-${SQUID_VER}.tar.gz && \
+	curl -fSsL "https://github.com/squid-cache/squid/releases/download/SQUID_${SQUID_VER//./_}/squid-${SQUID_VER}.tar.gz.asc" -o squid-${SQUID_VER}.tar.gz.asc
 
 COPY squid-keys.asc /tmp/build
 
@@ -86,7 +86,7 @@ RUN set -x && \
 		--enable-storeio="diskd rock" \
 		--enable-ipv6 \
 		--enable-translation \
-		--disable-snmp \
+		--enable-snmp \
 		--disable-dependency-tracking \
 		--with-large-files \
 		--with-default-user=squid \
@@ -106,7 +106,7 @@ RUN sed -i '1s;^;include /etc/squid/conf.d/*.conf\n;' /etc/squid/squid.conf && \
 
 # --- --- --- --- --- --- --- --- ---
 
-FROM alpine:3.18.2
+FROM alpine:3.21.2
 	
 ENV SQUID_CONFIG_FILE /etc/squid/squid.conf
 ENV TZ Europe/Moscow
@@ -119,13 +119,16 @@ RUN apk add --no-cache \
 		libstdc++ \
 		heimdal-libs \
 		libcap \
-		libltdl
+		libltdl \
+		tzdata
 
 COPY --from=build /etc/squid/ /etc/squid/
 COPY --from=build /usr/lib/squid/ /usr/lib/squid/
 COPY --from=build /usr/share/squid/ /usr/share/squid/
 COPY --from=build /usr/sbin/squid /usr/sbin/squid
 COPY --from=build /usr/bin/squidclient /usr/bin/squidclient
+
+COPY --chmod=755 run.sh /
 
 RUN install -d -o squid -g squid \
 		/var/cache/squid \
@@ -138,14 +141,9 @@ RUN install -d -o squid -g squid \
 	touch /etc/squid/conf.d/placeholder.conf
 COPY squid-log.conf /etc/squid/conf.d.tail/
 
-RUN	set -x && \
-	apk add --no-cache --virtual .tz alpine-conf tzdata && \
-	/sbin/setup-timezone -z $TZ && \
-	apk del .tz
-
 VOLUME ["/var/cache/squid"]
 EXPOSE 3128/tcp
 
 USER squid
 
-CMD ["sh", "-c", "rm -f /var/run/squid/squid.pid ; /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
+CMD ["/run.sh"]

docker-compose.test.yml

@@ -2,6 +2,8 @@ version: '2.3'
 services:
   proxy:
     image: "${TEST_TAG}"
+    volumes:
+      - './test_localnet.conf:/etc/squid/conf.d/test_localnet.conf:ro'
     healthcheck:
       test: ["CMD", "sh", "-exc", "squidclient -T 3 mgr:info 2> /dev/null | grep -qF '200 OK'"]
       interval: 5s

run.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+# force remove pid
+if [ -e /var/run/squid/squid.pid ]; then
+	rm -f /var/run/squid/squid.pid
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1

ssl-bump/Dockerfile

@@ -1,4 +1,9 @@
 FROM b4tman/squid
 
+COPY run.sh /
 USER root
-CMD ["sh", "-c", "(test -d /var/cache/squid/ssl_db || /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB) && /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
+RUN chmod 755 /run.sh
+
+USER squid
+
+CMD ["/run.sh"]

ssl-bump/run.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+# init ssl_db
+if [ ! -d /var/cache/squid/ssl_db ]; then
+	/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1

test_localnet.conf

@@ -0,0 +1,11 @@
+acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet1 src 10.0.0.0/8            # RFC 1918 local private network (LAN)
+acl localnet1 src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
+acl localnet1 src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
+acl localnet1 src 172.16.0.0/12         # RFC 1918 local private network (LAN)
+acl localnet1 src 192.168.0.0/16                # RFC 1918 local private network (LAN)
+acl localnet1 src fc00::/7              # RFC 4193 local private network range
+acl localnet1 src fe80::/10             # RFC 4291 link-local (directly plugged) machines
+
+http_access allow localnet1
+http_access allow localhost manager