
Commit af0bc2d

CopilotMossaka
andcommitted
fix: address SSL Bump issues and improve documentation
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
1 parent 34b0ec9 commit af0bc2d

6 files changed

Lines changed: 49 additions & 13 deletions


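--- a/containers/squid/entrypoint.sh
+++ b/containers/squid/entrypoint.sh
@@ -6,5 +6,27 @@ set -e
 chown -R proxy:proxy /var/log/squid
 chmod -R 755 /var/log/squid
 
+# Initialize SSL certificate database if SSL Bump is enabled
+# Check if ssl_db directory is mounted (indicates SSL Bump mode)
+if [ -d "/var/spool/squid_ssl_db" ]; then
+echo "[squid-entrypoint] SSL Bump mode detected - initializing SSL certificate database..."
+
+# Initialize the SSL database if it's empty or not yet initialized
+if [ ! -f "/var/spool/squid_ssl_db/index.txt" ]; then
+echo "[squid-entrypoint] Creating SSL certificate database..."
+# Use Squid's security_file_certgen to initialize the database
+# Using 16MB for the certificate cache (sufficient for typical AI agent sessions)
+/usr/lib/squid/security_file_certgen -c -s /var/spool/squid_ssl_db -M 16MB
+chown -R proxy:proxy /var/spool/squid_ssl_db
+echo "[squid-entrypoint] SSL certificate database initialized"
+else
+echo "[squid-entrypoint] SSL certificate database already exists"
+fi
+
+# Fix permissions on SSL database
+chown -R proxy:proxy /var/spool/squid_ssl_db
+chmod -R 700 /var/spool/squid_ssl_db
+fi
+
 # Start Squid
 exec squid -N -d 1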
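Review bot: The `chown -R proxy:proxy /var/spool/squid_ssl_db` placed right after the `security_file_certgen -c` call is redundant, because the same `chown -R` runs unconditionally a few lines later for both branches of the inner `if`, followed by `chmod -R 700`; dropping the inner one leaves a single place where ownership and mode of the certificate store are set. The `-M 16MB` passed here at database creation is the same value that src/squid-config.ts now writes into the generated `sslcrtd_program ... -M 16MB` line, but neither file references the other, so the two can drift apart silently; I am not certain how Squid behaves when they disagree, which is exactly why the coupling deserves a visible cross-reference such as `# Keep -M in sync with the sslcrtd_program line generated by src/squid-config.ts`. The `chmod -R 700` restricting the dynamically generated certificates to the proxy user is the right default for a per-session CA's leaf cache.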

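--- a/docs-site/src/content/docs/reference/ssl-bump.md
+++ b/docs-site/src/content/docs/reference/ssl-bump.md
@@ -3,6 +3,10 @@ title: SSL Bump
 description: Enable HTTPS content inspection for URL path filtering with per-session CA certificates.
 ---
 
+:::note[Power-User Feature]
+SSL Bump is an advanced feature that intercepts HTTPS traffic. It requires local Docker image builds and adds performance overhead. Only enable this when you need URL path filtering for HTTPS traffic. For most use cases, domain-based filtering (default mode) is sufficient.
+:::
+
 SSL Bump enables deep inspection of HTTPS traffic, allowing URL path filtering instead of just domain-based filtering.
 
 ## Overview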

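--- a/docs/ssl-bump.md
+++ b/docs/ssl-bump.md
@@ -1,5 +1,7 @@
 # SSL Bump: HTTPS Content Inspection
 
+> ⚠️ **Power-User Feature**: SSL Bump is an advanced feature that intercepts HTTPS traffic. It requires local Docker image builds and adds performance overhead. Only enable this when you need URL path filtering for HTTPS traffic. For most use cases, domain-based filtering (default mode) is sufficient.
+
 SSL Bump enables deep inspection of HTTPS traffic, allowing URL path filtering instead of just domain-based filtering.
 
 ## Overview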

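--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -6,7 +6,7 @@ import execa from 'execa';
 import { DockerComposeConfig, WrapperConfig, BlockedTarget } from './types';
 import { logger } from './logger';
 import { generateSquidConfig } from './squid-config';
-import { generateSessionCa, initSslDb, CaFiles } from './ssl-bump';
+import { generateSessionCa, initSslDb, CaFiles, parseUrlPatterns } from './ssl-bump';
 
 const SQUID_PORT = 3128;
 
@@ -184,7 +184,8 @@ export function generateDockerCompose(
 if (sslConfig) {
 squidVolumes.push(`${sslConfig.caFiles.certPath}:${sslConfig.caFiles.certPath}:ro`);
 squidVolumes.push(`${sslConfig.caFiles.keyPath}:${sslConfig.caFiles.keyPath}:ro`);
-squidVolumes.push(`${sslConfig.sslDbPath}:${sslConfig.sslDbPath}:rw`);
+// Mount SSL database at /var/spool/squid_ssl_db (Squid's expected location)
+squidVolumes.push(`${sslConfig.sslDbPath}:/var/spool/squid_ssl_db:rw`);
 }
 
 // Squid service configuration
@@ -482,15 +483,23 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
 }
 }
 
+// Transform user URL patterns to regex patterns for Squid ACLs
+let urlPatterns: string[] | undefined;
+if (config.allowedUrls && config.allowedUrls.length > 0) {
+urlPatterns = parseUrlPatterns(config.allowedUrls);
+logger.debug(`Parsed ${urlPatterns.length} URL pattern(s) for SSL Bump filtering`);
+}
+
 // Write Squid config
+// Note: Use container path for SSL database since it's mounted at /var/spool/squid_ssl_db
 const squidConfig = generateSquidConfig({
 domains: config.allowedDomains,
 blockedDomains: config.blockedDomains,
 port: SQUID_PORT,
 sslBump: config.sslBump,
 caFiles: sslConfig?.caFiles,
-sslDbPath: sslConfig?.sslDbPath,
-urlPatterns: config.allowedUrls,
+sslDbPath: sslConfig ? '/var/spool/squid_ssl_db' : undefined,
+urlPatterns,
 });
 const squidConfigPath = path.join(config.workDir, 'squid.conf');
 fs.writeFileSync(squidConfigPath, squidConfig);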
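Review bot: The container path `/var/spool/squid_ssl_db` is now a bare string literal in two places that must agree — the volume mount in generateDockerCompose (second hunk) and the `sslDbPath` passed to generateSquidConfig in writeConfigs (third hunk) — and the same path is hard-coded again in containers/squid/entrypoint.sh. A module constant next to the existing `SQUID_PORT`, `const SQUID_SSL_DB_CONTAINER_PATH = '/var/spool/squid_ssl_db';`, used as `squidVolumes.push(`${sslConfig.sslDbPath}:${SQUID_SSL_DB_CONTAINER_PATH}:rw`);` and `sslDbPath: sslConfig ? SQUID_SSL_DB_CONTAINER_PATH : undefined,`, would make the mount point and the generated `sslcrtd_program -s` path impossible to change independently; the entrypoint's directory check would still need a comment pointing here. Both generateDockerCompose and writeConfigs start and end outside these hunks, so I could not check whether the host `sslConfig.sslDbPath` is still used elsewhere for anything but the mount source.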

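--- a/src/squid-config.test.ts
+++ b/src/squid-config.test.ts
@@ -968,7 +968,7 @@ describe('generateSquidConfig', () => {
 expect(result).toContain('HTTPS traffic will be intercepted');
 });
 
-it('should configure HTTPS port with SSL Bump', () => {
+it('should configure HTTP port with SSL Bump', () => {
 const config: SquidConfig = {
 domains: ['github.com'],
 port: defaultPort,
@@ -980,7 +980,7 @@ describe('generateSquidConfig', () => {
 sslDbPath: '/tmp/test/ssl_db',
 };
 const result = generateSquidConfig(config);
-expect(result).toContain('https_port 3129 intercept ssl-bump');
+expect(result).toContain('http_port 3128 ssl-bump');
 });
 
 it('should include CA certificate path', () => {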
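Review bot: The rewritten assertion in the second hunk only checks that the new `http_port 3128 ssl-bump` line is present; nothing fails if the removed `https_port 3129 intercept` listener is reintroduced alongside it, which is the regression this commit is guarding against. Adding `expect(result).not.toContain('https_port');` after the existing expectation pins the single-listener layout. The test also hard-codes `3128` while the config under test is built with `port: defaultPort`; if `defaultPort` is 3128 this passes, but `expect(result).toContain(`http_port ${defaultPort} ssl-bump`)` would state the intended relationship rather than a coincidence.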

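--- a/src/squid-config.ts
+++ b/src/squid-config.ts
@@ -104,19 +104,18 @@ function generateSslBumpSection(
 # WARNING: This enables TLS interception - traffic is decrypted for inspection
 # A per-session CA certificate is used for dynamic certificate generation
 
-# HTTP port for transparent proxy
-http_port 3128
-
-# HTTPS port with SSL Bump for interception
-https_port 3129 intercept ssl-bump \\
+# HTTP port with SSL Bump enabled for HTTPS interception
+# This handles both HTTP requests and HTTPS CONNECT requests
+http_port 3128 ssl-bump \\
 cert=${caFiles.certPath} \\
 key=${caFiles.keyPath} \\
 generate-host-certificates=on \\
-dynamic_cert_mem_cache_size=4MB \\
+dynamic_cert_mem_cache_size=16MB \\
 options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
 
 # SSL certificate database for dynamic certificate generation
-sslcrtd_program /usr/lib/squid/security_file_certgen -s ${sslDbPath} -M 4MB
+# Using 16MB for certificate cache (sufficient for typical AI agent sessions)
+sslcrtd_program /usr/lib/squid/security_file_certgen -s ${sslDbPath} -M 16MB
 sslcrtd_children 5
 
 # SSL Bump ACL steps: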
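Review bot: The new `http_port 3128 ssl-bump \\` line hard-codes the listener port even though generateSquidConfig receives a `port` option (the caller in src/docker-manager.ts passes `port: SQUID_PORT` and the test passes `port: defaultPort`); the old code hard-coded it too, but now that this is the only listener in SSL Bump mode the configured port and the emitted one can silently disagree. If `port` is reachable from generateSslBumpSection — its parameter list is cut off at the hunk header, so I cannot confirm — the line should read `http_port ${port} ssl-bump \\`, otherwise the value needs to be threaded in from the caller. Interpolating `caFiles.certPath`, `caFiles.keyPath` and `sslDbPath` straight into squid.conf also assumes those paths contain no whitespace or quotes; a short comment stating that contract on the function would help the next reader. The function's body continues past the end of the hunk.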
