squid: ssl bumping

ignition/base.bu

@@ -22,6 +22,13 @@ passwd:
             - systemd-journal
           ssh_authorized_keys:
             - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwawprQXEkGl38Q7T0PNseL0vpoyr4TbATMkEaZJTWQ
+storage:
+    files:
+        - path: /etc/squid/ca.pem
+          overwrite: true
+          contents:
+            # cryptme
+            inline: ENC[AES256_GCM,data:IlOWwFg+G7/Bx+8w0TOAcCZGaIEApzKQItxW94ZFXaqS+RoLbWzQmowllmYHpxPu2NrIJHa4eg0VO2waCkjo3dOCcKIrT1VWkXNnGPJWV1Uk45D6e3VaQv3E5pFpw5xh3HPNmeASXbFkiC8LGD1rz02JEDp54TovAnlOFwz+5YYFJdKwgPnG0FeCYbxW27S0XBNPCde73jlIHwYHni6flJyUVB0y28/l/w5oRPimFhxwkznLucpBpeDNIblpAY7ZnShOhKqwEHAtYz4dZ3NCn3SWjFhB9kzWK+QNluce/GVGIuWnCN54xZQKYbpOTtBt90ekLmDz06OFuVXdDLHctFztzbYct4S8Mj9ZJsdM6+v1ocwLjDaeZTpnvw2zG/m8XeSWbyL/Xt46Lrm476bz/aOLSw7lR/xhWFBs19epn8rOV+iHesmKNwTDglHq+4Ht0bRCW/qjlSWxIvODkNyd1vL+epRyE0gkXG7J7Vku4EBuQXyE9yg4tnhIZ2LAm9vYWxKlDfUYDuk2hjOPAgq6ktqbzH/E5N3Gr4K8KVqZVVX5AY55L9Pm+jx3ZUeWAhoQtL7iHupJbIgIRr2hWxxtVhX9gg69d6Llan6XByoVGdBGzZrkisAlu16/KZYYVvdiOVCTLlLimrchGSagAip7cILaJEvzeBnWOBUP2sIMwLaR/KozwLRp4+SYD4umBGY5BIdge1lnw9UL+qrCEjgcf2S7bpyUz2qyhDFcLyKfozPt2dSUtIXUxX/TitxSP6KnCxzKd3fQOHk3PwlLDGOzyBOB0NHyL8M/qJjXpMWAnrKq5nvVAxmqpOcdvAiH70rRHNFrM1cQ8Ack2IpCGJ3/lSE2UeTwyUTpqlOJGTd5d/MafDBFJXvce4bJvQSl2R6k0kA9I2ATrz2kzMb8u3M+3k47egUScaUVoLdTaMJdonfoshbC1+HjuOkA5F1ck0paYmzMYewLfIYxIf0nNIH7CUFFzGLsW8LCsSIQKT/rh7NJq++pzCk1kQyMIetaHQHXBd04ApfqyB9qdXlRX8tNWQLNPy1VaVhwa68iD5Qb1ZAMMqybWHKahWCcMcEspweN+vuQdqRnERISR8mV+LWSPwc29Q2SvxebGxpCvf/Jsbd9FcUmsmP64IsKr2nZ+xFvYdp5njtKrRcvW1gmRvofG4ZG1yZHuoEGJQz6ID/wqsQ8iaBjhqjwkoPa4j+NydoANZOjZr6I/qA8Bubt40s55XAjgiMgYoBR6RB4Pfvq1hl4ptjswZmkHH7AMSCKXRSpaUqv6/wqqplDmQOH27RoJeKZOSSgnCLnHBl99TxPwkR/S/5gI1GN5ZLuXfM6MbY/Ee417Op/3NFrzPNfFfOZWrtL1/Yae9uB8rMryWveUp7cHGZkOpq73yeOlAnUFMvPaYhcChbRRV/mBuhB6QNv0PRkrWOxc/JxTiQ+JlIILtpjNGC0aKNis+As8JB5e286YYKbeSKLP8ivfVVbPDAmGEq5UPlyugN5LUI8HK2W/LjeYEMIGc8d3+6tuVwp+P4hDsMoRNss7/WrI/emDGkk9Opga/OE6o8y15Qg4zrwmQp7IYon/kUHMAv2KKFgRv5q89Q82wXmR57dYVX1Xz5GQd1OkoyY1pVzdT2URdLPFQd71vMlbtDyMvcP5996tFHabMoiYKoh+eKhKvC9wnUzYxUqFNfTvyRLs9aY7GpygMxo/GpfgEZG0oOx//7aCpY3X7l0EuAyUr4p8F4lt32EX0YwcOYVKfpA97srilI8UXyHlGzTRD2o+RzHIOauMOlEye6Vg+/bINUJ4iA6vw0m2zmeVGACLgjTKch/PmWpo6nCOS2Decw/mxE8d3fLtmz93llOcfMJiz46coRm7D/tasHEHsXxy8Whoq5OcPlbgmJDlT27f4RvTeKmJp+ASKeEEeL6qimM051S2Vvyfzm/VytWzNOrQdDzbRZRmYppsCdiw0WGenA67pJ0xAq13hN81wDQ2gQed3hiyU5MC/3ES3cOnOa512azLhc/nvlMvV5DMmcAcKFwTqXLUZH6W3zJZwxANqyPFCc+Nn5PJYBLNtYEtzutz4lmGzIfSnrSfrO+jnRTF3Na3ccDJZOl2QdSMamhwYoac3NIuAz/GiNEwpkvvVTWfPqO86p3g1kKrXymGw9W2XVQsOw3J4gZy7HdiuXH0vkYGbU3hw45lTtb9jVGWQMwCn/hlhW5F9/s8Sng9osqAyv/DH8RNP3CkRLV2hkpS7y9ar9y5T67m8QdMo4FXY/XdHGua8nFj+q65Alq1aksr9lViAYIYxurBju4r64tI/tmArQI+z3dwynX4GdrIxKP8maJXEcbVJIU/A1yU/XO7F4z0VUOCGmuOhHW9HkU6uRih533eWODrNGXHJJ7c/fIW7T1dLqb66mJEDpCfC2zMvBqdN8wjs7vIwgONCmHeWOEcqVsLaB7wgCPGu4b8RMjqCq7u6cxnHMYfBHPY/bf1fi2ifavjbnlJIw0FuIYxegxeDs9nfZtgqDCiQz7dB+2ne9FLFtYtY+kF+Rqn+AZT9p/Ffabn6A3MdmtM8LJKGvGgY6do4Fb3/B4wlip1Y+vh+OCTH4CS8Kq8SutuPLgO8Q78li/vBNe95U9n3Gc0G9ZoXhJAE0FxMEE5klm81Kgfr0iEutBR06gZyaI0JC8xwtZc3x07AW7GtNuD24HuoHAfu/nxIba24I3v1FOofG/30PFaLrD/0UwqRyyrxD5cPUFWyGR8cp9u0IkeBaipRXzwSSPVUdov79e0xF5/PT2L6lRr6HCNigv5bBoqOwg2peosAdHZFx8a8tJaswn8XMJ3y0JsD6N9XFZWr9iGd3qSdOYo5y4gsd10YJXUWsdPltWZPnm8Y50HfpEwylBbRd88pCdHkspWP80DMu3LOHA4WrImW2C5s1Kn8FESq56D+JmrwottLV1v1PkWTLOVdGPMCAxXfQ/RhW2P9yGnORGTTlWhX7r3uKweGRNnwGyslGRXS9uEWFbLh3V1HtxOXCt4GQ7+j/Ik/iWdEqGuUe232KZ/GS50JqYTusTKeFciheQhIpjSBw9e+Hzr+6DjlReO67M+CJTc6smvZtnUznT4bZrK8CBVUeD+g61Hzx/C68xwRDiXA1MRTISkmBERSOS9ltcjMcuj01EHHXN6y47YxtoSetptIZ/2yptSnXeZwlmTFlgL8jlaJWCSe1Ff01Yy3PZJalbRVWgiz2I+HDoC5041NGvkXolLTBhIe8XjMwB230s5wSmUEeKQ0fkT6XglmNM4E/4auh2w0EceMqnoB9J1jyl0XHVR0bUPNTBSGAoMEL98bNXP0V1l8MNR+PbxDZWJ9cnp/KGmJZVjhVF6LSCkRAMfiyvNKhv4PkhvgU1gUOgjWxHt2pTiW1naE1/8w+yPKE+GTPpx3TRpjbKhZIUeezpJOLCRqcRtQvgRKB7f+D7En4ArODzz/TeP4xfqmqNMOcVNtaZj2oipL5WQBMkQ/YS4i++wXJFlrCuh+fiVPO18T25boJ/MCxUOeCcWKcLNdfj7zA1Om1faQW2Fu2/QAnRAXDR/QVecI+rQkeQePDyeP3zdy1by7SWpN0aMpATbw8T+9i0i2kYEf/SgHwsKUGoFJaMJWekA8pHkIM8oqF2ZuIpRb4P81XwwWPxQBZWHQKIgm0PJ88G7R01qI7VqE7svap2XyBP82vs/iISaVSjyiue3kdC1PkNiUTAlUwHTlAR29ITLgUYeUBtJyqMD/9C6yi1lazPaLluLgqSs8hJxlvNEMDnJ61QfuoD1P4iTnX9hE7QTUr7/StjD9wtPGCs0VaZygMzdjpwm8xJaS5YbESI8pJDaykUf1G3V66qhUOyIxzesj98YwCVBNbn1cdAbFeeJ5K2/05/QXvJWoDwBr+19UUZCC3X3volRuRAe03b4A==,iv:GHUxg8HoYVilgGcu1geLsx2xFUqhsOOpZoTodaNvUtk=,tag:0ZwVW6nvSZ0xrkjrUqmWUA==,type:str]
 systemd:
     units:
         - name: init-rebase.service
@@ -60,8 +67,8 @@ sops:
             Z1BrNWZudm5VV3R3SzdFSDB2VzdERHcK6iFxAbKL16w2H/lD12R5SKsQ82M8dESk
             nn0/+f/sSy32vZX3W+8pSHVWRw9YnNOHRhD8tzipvE16DPhLRP4iZw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-02T10:52:32Z"
-    mac: ENC[AES256_GCM,data:Ue7ambVpjlMCJ7ybL/f48krKGxgVJrzostdLxM1GFflLbe0U1fE4typcUu/QBD4GW/XfAbgAdMGIjB/COgMeWbwO/BQi+vaOJrf4Vn82ky1ZaRTp7CXmlE7sTT1vsuzlglwHfJQphT0h+9fckxoPCKw6ap/AzOz+pkbxS9d3Nx8=,iv:uUxrApdoRTAllTTBY22+q44BK0qd2+OkMLDo1wEcV1o=,tag:f0o2UiG+8No4EE01VGWXHQ==,type:str]
+    lastmodified: "2024-07-02T14:32:05Z"
+    mac: ENC[AES256_GCM,data:nW0oSrlXTaUE86J+/DUMsGTtxBjGMJR7YsKCOMfMTsAf/iFPCUeari/BSmif+lPB95gQ99LK5rviUDV3z3e+vS51Btj39Xkw1r3UDW24G3wFGDhAbKE9InjPaWoOUYDtoRuFaGaqrBwnyMeZufUHCIBLNBpA8RkV4HLj5lg/NPM=,iv:ApRLJXeoRbaiXvtzKfcAsmI+3ZPXr2T+TyRMS6wNYfQ=,tag:zDbffvr/bLbacRIhBd898g==,type:str]
     pgp: []
     encrypted_comment_regex: cryptme
     version: 3.9.0

node/Dockerfile

@@ -25,8 +25,6 @@ COPY usr/ /usr
 RUN chmod 700 /etc/kubeadm.conf.d && \
     ostree container commit
 
-RUN echo 'include /etc/squid/conf.d/*.conf' >> /etc/squid/squid.conf
-
 # enable services
 RUN systemctl enable \
         containerd.service \

node/etc/squid/conf.d/ssl-bump.conf

@@ -0,0 +1 @@
+ssl_bump bump all

node/etc/squid/squid.conf

@@ -0,0 +1,88 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
+acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src fc00::/7       	# RFC 4193 local private network range
+acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# This default configuration only allows localhost requests because a more
+# permissive Squid installation could introduce new attack vectors into the
+# network by proxying external TCP connections to unprotected services.
+http_access allow localhost
+
+# The two deny rules below are unnecessary in this default configuration
+# because they are followed by a "deny all" rule. However, they may become
+# critically important when you start allowing external requests below them.
+
+# Protect web applications running on the same server as Squid. They often
+# assume that only local users can access them at "localhost" ports.
+http_access deny to_localhost
+
+# Protect cloud servers that provide local users with sensitive info about
+# their server via certain well-known link-local (a.k.a. APIPA) addresses.
+http_access deny to_linklocal
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# For example, to allow access from your local networks, you may uncomment the
+# following rule (and/or add rules that match your definition of "local"):
+# http_access allow localnet
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128 ssl-bump \
+  cert=/etc/squid/ca.pem \
+  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320
+
+include /etc/squid/conf.d/*.conf