Squid Proxy as a Helm Chart

February 4, 2024

Caching network requests with Squid hosted in Kubernetes

While working on a project I spent some time learning how to build a portable live image running Debian.

The Helm Chart I wrote for Squid Proxy can be found here

As I was doing this in CI and in locally in VMs I noticed I was regularly making a ton of requests to the APT repos. I had always been curious about using Squid Proxy and now I host my own Gitea instance and [Act Runner(https://docs.gitea.com/usage/actions/act-runner) (Github Actions for Gitea).

Some observations. I thought I could create an ingress via ingress-nginx and just point it at that domain. This ended up sending the request for the APT repos to nginx and nginx didn't know what to do with those hostnames.

sudo https_proxy=https://squid.mydomain.com apt-get upgrade 

When you think about this though it's a proxy behind a proxy and it kinda makes sense that it's not supposed to work.

Once I changed the Squid Kubernetes service to a node port started to see requests in the squid logs.

sudo http_proxy=http://squid.mydomain.com:31773 apt-get upgrade 
1707099153.064      1 TCP_MEM_HIT/200 175307 GET http://deb.debian.org/debian/pool/main/g/gettext/gettext-base_0.21-4_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.076     22 TCP_HIT/200 2767715 GET http://security.debian.org/pool/updates/main/g/grub2/grub-common_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.083      5 TCP_HIT/200 1566159 GET http://security.debian.org/pool/updates/main/g/grub2/grub-efi-amd64-bin_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.088      5 TCP_HIT/200 1241436 GET http://security.debian.org/pool/updates/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1%2b2.06%2b3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package
1707099153.091      2 TCP_HIT/200 611858 GET http://security.debian.org/pool/updates/main/g/grub2/grub2-common_2.06-3%7edeb11u6_amd64.deb - HIER_NONE/- application/vnd.debian.binary-package

1707099153.237     46 TCP_REFRESH_UNMODIFIED/200 418514 GET http://deb.debian.org/debian/pool/main/f/freetype/libfreetype6_2.10.4%2bdfsg-1%2bdeb11u1_amd64.deb - HIER_DIRECT/ application/vnd.debian.binary-package

In the above logs where after some nice hits had been made, initially I noticed a lot of

, the default config doesn't cache the release requests though.

  refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
  refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
  refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
  refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims