squid.conf

http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/squid-proxy.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl docker-io dstdomain registry-1.docker.io
acl docker-io dstdomain auth.docker.io
# hack one line below
acl docker-io dstdomain dseasb33srnrn.cloudfront.net  # cdn for images for docker registry

ssl_bump peek step1 all
ssl_bump splice docker-io
ssl_bump bump all

acl Safe_ports port 1-65535
acl SSL_ports port 1-65535

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_children 5

acl mutable_paths urlpath_regex ^/v2/[^\/]+/manifests/.*
acl mutable_paths urlpath_regex ^/v2/[^\/]+/tags/list
acl mutable_paths urlpath_regex ^/v2/_catalog$
acl get_method method GET
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all

coredump_dir /var/cache/squid
maximum_object_size 10 GB
cache_dir ufs /var/cache/squid 1000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 512 KB
cache_replacement_policy heap LFUDA
range_offset_limit -1
quick_abort_min -1 KB
offline_mode on

cache deny mutable_paths
cache deny !get_method          
cache allow all

access_log daemon:/var/log/squid/access.log common

refresh_pattern . 525600 100% 525600 ignore-reload ignore-no-store ignore-private ignore-auth ignore-must-revalidate store-stale