
Feature squid proxy #144

Open
hh wants to merge 2 commits into ublue-os:main from iilabs:feature-squid-proxy

@hh hh commented Oct 16, 2025

Summary

Builds on #142 but now includes a CA/squid server that will cache all http / https traffic for our Containerfile builds. Ideally these builds can be rebuilt offline, making way for very interesting and extremely fast iteration of ublue images.

The new Proxy section of the Justfile:

```
just  | grep -A7 '\[Proxy\]'
    [Proxy]
    proxy-create-ca subject=("/CN=" + `hostname` + "/O=" + `hostname` + "/OU=" + `basename "$PWD"` + "/C=AQ") # Generate a local proxy CA
    proxy-get-ca output="cache/https-proxy-ca.pem"  # Capture the HTTPS proxy certificate advertised by https_proxy
    proxy-setup                                     # Run proxy setup (creates config, CA, environment snippet)
    proxy-smoke target="https://example.com"        # Run the proxy smoke test against a target URL
    proxy-start                                     # Start the local proxy container
    proxy-status                                    # Show proxy container status
    proxy-stop                                      # Stop the local proxy container
```

  • add a scripts/proxy-ctl.sh controller that provisions cache directories, generates a self-signed CA, manages the
    satishweb Squid container, and prints certificate/fingerprint details for every action
  • expose friendlier recipes (just proxy-setup, proxy-start, proxy-stop, proxy-status, proxy-smoke, proxy-create-ca,
    proxy-get-ca) so users can drive the proxy without touching raw podman or openssl
  • default the local CA subject to /CN=$(hostname)/O=$(hostname)/OU=$(basename "$PWD")/C=AQ, allow overrides via
    --subject/--force, and capture upstream proxy certificates into cache/https-proxy-ca.pem
  • attempt a graceful shutdown through squidclient before falling back to podman stop, and update ignoring of generated
    artefacts

Testing

```
just proxy-create-ca
just proxy-setup
just proxy-start
just proxy-get-ca
https_proxy=http://localhost:4129 just proxy-smoke
just build
```

With that last command you should see the proxy working with our existing, unchanged Justfile.
To test, put the following in your Containerfile:

```
RUN curl -o /dev/null -L https://speed.hetzner.de/100MB.bin
RUN curl -vk https://example.com 2>&1
```

It's a 100MB file, so the first time should take a moment; subsequent times should be nearly instant, even if you use it in another part of your Containerfile or build process.

Introduce a proxy-cert helper to capture the proxy CA and a shared podman-proxy-flags.sh script so every podman build/run inherits proxy settings and mounts the captured certificate.
- collapse certificate logging so every proxy command emits subject, issuer, validity window, and SHA256 fingerprint
- expose `just proxy-setup/start/stop/status/smoke` recipes to mirror controller subcommands
- default the proxy CA subject to `/CN=$(hostname)/O=$(hostname)/OU=$(basename "$PWD")/C=AQ` and undo earlier subject parsing
- try graceful shutdown via squidclient before stopping the container
- drop the separate proxy quickstart doc after review
- rename websocket helper to proxy-get-ca and keep README references up to date
@hh hh force-pushed the feature-squid-proxy branch from 574124c to c54f9e8 Compare October 17, 2025 03:31
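
The description above says `proxy-get-ca` stores whatever certificate the proxy advertises in `cache/https-proxy-ca.pem` and that every proxy command prints a SHA256 fingerprint. The following is an added example, not code from this PR: a check that a captured PEM file matches a fingerprint recorded out of band before it is mounted into builds. The function names and the `PINNED_SHA256` variable are hypothetical, and only the first certificate block in the file is inspected.

```sh
# Added example, not part of the PR. Needs only awk, base64, sha256sum, sed, tr.

# Print the SHA-256 fingerprint of the first certificate block in a PEM file,
# in upper-case colon-separated form (AA:BB:...). The fingerprint is the hash
# of the DER bytes, i.e. of the base64-decoded PEM body.
pem_fingerprint() (
    body=$(awk '/^-----BEGIN CERTIFICATE-----/ { incert = 1; next }
                /^-----END CERTIFICATE-----/   { exit }
                incert' "$1" 2>/dev/null | tr -d ' \r\n')
    [ -n "$body" ] || return 1                                   # no certificate block
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1  # body is not base64
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
)

# Compare a PEM file against a pinned fingerprint.
# Returns 0 on match, 1 on mismatch, 2 when no certificate could be read.
# The pin may be given with or without colons, in either case, and may carry
# a leading "...Fingerprint=" label, which is stripped.
verify_ca_pin() (
    actual=$(pem_fingerprint "$1") || {
        echo "ERROR no usable certificate in $1" >&2
        return 2
    }
    want=$(printf '%s' "${2##*=}" | tr -d ': ' | tr 'a-f' 'A-F')
    have=$(printf '%s' "$actual" | tr -d ':')
    if [ "$have" = "$want" ]; then
        echo "OK $1 $actual"
    else
        echo "MISMATCH $1 has $actual, pinned $2" >&2
        return 1
    fi
)

# Usage (PINNED_SHA256 is a placeholder for a value recorded out of band):
#   verify_ca_pin cache/https-proxy-ca.pem "$PINNED_SHA256" || exit 1
```

A non-zero return is the signal to stop before the captured certificate is handed to a build.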