fix: resolve SSL Bump initialization and config ordering issues

- Fix SSL database initialization: security_file_certgen requires the
  directory to NOT exist, but Docker volume mounts create it. Now
  initSslDb() creates the complete DB structure (certs/, index.txt,
  size) directly on the host.

- Simplify entrypoint.sh: Since DB is pre-initialized on host, the
  entrypoint only needs to fix permissions for the proxy user.

- Fix Squid config ordering: ACL definitions must appear before
  ssl_bump rules that reference them. Moved ${aclSection} before
  ${sslBumpSection} in the config template.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Mossaka

containers/squid/entrypoint.sh

@@ -6,26 +6,17 @@ set -e
 chown -R proxy:proxy /var/log/squid
 chmod -R 755 /var/log/squid
 
-# Initialize SSL certificate database if SSL Bump is enabled
-# Check if ssl_db directory is mounted (indicates SSL Bump mode)
+# Fix permissions on SSL certificate database if SSL Bump is enabled
+# The database is initialized on the host side by awf, but the permissions
+# need to be fixed for the proxy user inside the container.
 if [ -d "/var/spool/squid_ssl_db" ]; then
-  echo "[squid-entrypoint] SSL Bump mode detected - initializing SSL certificate database..."
-  
-  # Initialize the SSL database if it's empty or not yet initialized
-  if [ ! -f "/var/spool/squid_ssl_db/index.txt" ]; then
-    echo "[squid-entrypoint] Creating SSL certificate database..."
-    # Use Squid's security_file_certgen to initialize the database
-    # Using 16MB for the certificate cache (sufficient for typical AI agent sessions)
-    /usr/lib/squid/security_file_certgen -c -s /var/spool/squid_ssl_db -M 16MB
-    chown -R proxy:proxy /var/spool/squid_ssl_db
-    echo "[squid-entrypoint] SSL certificate database initialized"
-  else
-    echo "[squid-entrypoint] SSL certificate database already exists"
-  fi
-  
-  # Fix permissions on SSL database
+  echo "[squid-entrypoint] SSL Bump mode detected - fixing SSL database permissions..."
+
+  # Fix ownership for Squid (runs as proxy user)
   chown -R proxy:proxy /var/spool/squid_ssl_db
   chmod -R 700 /var/spool/squid_ssl_db
+
+  echo "[squid-entrypoint] SSL certificate database ready"
 fi
 
 # Start Squid

src/squid-config.ts

@@ -399,12 +399,12 @@ access_log /var/log/squid/access.log firewall_detailed
 cache_log /var/log/squid/cache.log
 cache deny all
 
+${aclSection}
+
 # Port configuration
 ${portConfig}
 ${sslBumpSection}
 
-${aclSection}
-
 # Network ACLs
 acl localnet src 10.0.0.0/8
 acl localnet src 172.16.0.0/12

src/ssl-bump.ts

@@ -110,19 +110,45 @@ export async function generateSessionCa(config: SslBumpConfig): Promise<CaFiles>
  * Initializes Squid's SSL certificate database
  *
  * Squid requires a certificate database to store dynamically generated
- * certificates for SSL Bump mode.
+ * certificates for SSL Bump mode. The database structure expected by Squid is:
+ * - ssl_db/certs/ - Directory for storing generated certificates
+ * - ssl_db/index.txt - Index file for certificate lookups
+ * - ssl_db/size - File tracking current database size
+ *
+ * NOTE: We create this structure on the host because security_file_certgen
+ * (Squid's DB initialization tool) requires the directory to NOT exist when
+ * it runs. Since Docker volume mounts create the directory, we need to
+ * pre-populate the structure ourselves.
  *
  * @param workDir - Working directory
  * @returns Path to the SSL database directory
  */
 export async function initSslDb(workDir: string): Promise<string> {
   const sslDbPath = path.join(workDir, 'ssl_db');
+  const certsPath = path.join(sslDbPath, 'certs');
+  const indexPath = path.join(sslDbPath, 'index.txt');
+  const sizePath = path.join(sslDbPath, 'size');
 
-  // Create directory if it doesn't exist
+  // Create the database structure
   if (!fs.existsSync(sslDbPath)) {
     fs.mkdirSync(sslDbPath, { recursive: true, mode: 0o700 });
   }
 
+  // Create certs subdirectory
+  if (!fs.existsSync(certsPath)) {
+    fs.mkdirSync(certsPath, { mode: 0o700 });
+  }
+
+  // Create index.txt (empty file for certificate index)
+  if (!fs.existsSync(indexPath)) {
+    fs.writeFileSync(indexPath, '', { mode: 0o600 });
+  }
+
+  // Create size file (tracks current DB size, starts at 0)
+  if (!fs.existsSync(sizePath)) {
+    fs.writeFileSync(sizePath, '0\n', { mode: 0o600 });
+  }
+
   logger.debug(`SSL certificate database initialized at: ${sslDbPath}`);
   return sslDbPath;
 }