Squid Proxy as a Helm Chart
Caching network requests with Squid hosted in Kubernetes
While working on a project I spent some time learning how to build a portable live image running Debian.
The Helm Chart I wrote for Squid Proxy can be found here
As I was doing this in CI and locally in VMs, I noticed I was regularly making a ton of requests to the APT repos. I had always been curious about using Squid Proxy and now I host my own Gitea instance and [Act Runner](https://docs.gitea.com/usage/actions/act-runner) (GitHub Actions for Gitea).
Some observations. I thought I could create an ingress via ingress-nginx and just point it at that domain. This ended up sending the request for the APT repos to nginx and nginx didn't know what to do with those hostnames.
sudo https_proxy=https://squid.mydomain.com apt-get upgrade
When you think about this though it's a proxy behind a proxy and it kinda makes sense that it's not supposed to work.
Once I changed the Squid Kubernetes service to a NodePort, I started to see requests in the Squid logs.
sudo http_proxy=http://squid.mydomain.com:31773 apt-get upgrade
1707099153.064 1 10.42.0.1 TCP_MEM_HIT/200 175307 GET http://deb.debian.org/debian/pool/main/g/gettext/gettext-base_0.21-4_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.076 22 10.42.0.1 TCP_HIT/200 2767715 GET http://security.debian.org/pool/updates/main/g/grub2/grub-common_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.083 5 10.42.0.1 TCP_HIT/200 1566159 GET http://security.debian.org/pool/updates/main/g/grub2/grub-efi-amd64-bin_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.088 5 10.42.0.1 TCP_HIT/200 1241436 GET http://security.debian.org/pool/updates/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1%2b2.06%2b3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.091 2 10.42.0.1 TCP_HIT/200 611858 GET http://security.debian.org/pool/updates/main/g/grub2/grub2-common_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.237 46 10.42.0.1 TCP_REFRESH_UNMODIFIED/200 418514 GET http://deb.debian.org/debian/pool/main/f/freetype/libfreetype6_2.10.4%2bdfsg-1%2bdeb11u1_amd64.deb - HIER_DIRECT/151.101.198.132 application/vnd.debian.binary-package
The logs above are from after some nice hits had been made; initially I noticed a lot of TCP_REFRESH_UNMODIFIED. The default config doesn't cache the release requests though.
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
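To check how much of this traffic the cache is really absorbing, the following added example (not part of the original post or the Helm chart) parses access.log lines in the format shown above, separates pure cache hits from revalidated objects and misses, and lists requests for the APT index files covered by the refresh_pattern rules. The sample input is the six log lines from this page plus one constructed TCP_MISS line; the function names are my own.

```python
import re
from collections import Counter

# The four index-file patterns from the refresh_pattern rules on this page.
INDEX_RE = re.compile(
    r"\/(Packages|Sources)(|\.bz2|\.gz|\.xz)$|\/Release(|\.gpg)$"
    r"|\/InRelease$|\/(Translation-.*)(|\.bz2|\.gz|\.xz)$"
)
# Result codes grouped by whether the origin server was contacted.
HIT = {"TCP_HIT", "TCP_MEM_HIT"}          # served from cache, no origin contact
REVALIDATED = {"TCP_REFRESH_UNMODIFIED"}  # origin answered 304, body from cache

# First line is constructed for this example; the other six are from the log above.
SAMPLE_LOG = """\
1707099150.000 80 10.42.0.1 TCP_MISS/200 48000 GET http://deb.debian.org/debian/dists/bullseye/InRelease - HIER_DIRECT/151.101.198.132 -
1707099153.064 1 10.42.0.1 TCP_MEM_HIT/200 175307 GET http://deb.debian.org/debian/pool/main/g/gettext/gettext-base_0.21-4_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.076 22 10.42.0.1 TCP_HIT/200 2767715 GET http://security.debian.org/pool/updates/main/g/grub2/grub-common_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.083 5 10.42.0.1 TCP_HIT/200 1566159 GET http://security.debian.org/pool/updates/main/g/grub2/grub-efi-amd64-bin_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.088 5 10.42.0.1 TCP_HIT/200 1241436 GET http://security.debian.org/pool/updates/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1%2b2.06%2b3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.091 2 10.42.0.1 TCP_HIT/200 611858 GET http://security.debian.org/pool/updates/main/g/grub2/grub2-common_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.237 46 10.42.0.1 TCP_REFRESH_UNMODIFIED/200 418514 GET http://deb.debian.org/debian/pool/main/f/freetype/libfreetype6_2.10.4%2bdfsg-1%2bdeb11u1_amd64.deb - HIER_DIRECT/151.101.198.132 application/vnd.debian.binary-package
"""

def summarize(log_text):
    """Return (requests per category, bytes per category, index URLs seen)."""
    requests, sent, index_urls = Counter(), Counter(), []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:  # not a native-format access.log line
            continue
        code = fields[3].split("/")[0]  # "TCP_HIT/200" -> "TCP_HIT"
        url = fields[6]
        category = "hit" if code in HIT else "revalidated" if code in REVALIDATED else "miss"
        requests[category] += 1
        sent[category] += int(fields[4])
        if INDEX_RE.search(url):
            index_urls.append(url)
    return requests, sent, index_urls

def byte_hit_ratio(sent):
    """Fraction of bytes delivered to clients that came out of the cache."""
    total = sum(sent.values())
    return (sent["hit"] + sent["revalidated"]) / total if total else 0.0

if __name__ == "__main__":
    requests, sent, index_urls = summarize(SAMPLE_LOG)
    print(dict(requests), f"byte hit ratio {byte_hit_ratio(sent):.3f}")
    print("index files requested:", index_urls)
```

A TCP_REFRESH_UNMODIFIED entry still costs a round trip to the origin, so a high count there with a good byte hit ratio means the cache is saving bandwidth but not latency.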