Squid transparent proxy on Docker -

Configuring Squid on Docker in conjuction with ClamAV antivirus and SquidGuard content filter

Basic configuration

Create a folder for storing containers configuration

mkdir /etc/docker/proxy

Create /etc/docker/proxy/squid/Dockerfile file

FROM ubuntu:latest
 
RUN \
apt -y update && \
apt -y install squid-openssl iptables iproute2
 
RUN \
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=Squid" -keyout /etc/squid/bump.key -out /etc/squid/bump.crt
 
RUN \
cat > /etc/squid/squid.conf <<EOF
cache_effective_user proxy
cache_effective_group proxy
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
http_access allow all
http_reply_access allow all
EOF
 
RUN \
mkdir /var/lib/squid && \
/usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 512MB  && \
chown -R proxy:proxy /var/lib/squid/ssl_db
 
ENTRYPOINT \
rm -f /run/squid.pid && \
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080 && \
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10443 && \
squid -N

Create /etc/docker/proxy/docker-compose.yml file

version: '3.8'
 
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.20.30.0/24"
 
volumes:
  squid_conf:
  squid_db:
 
services:
  squid:
    build:
      context: ./squid/
    cap_add:
      - NET_ADMIN
    networks:
      default:
        ipv4_address: 10.20.30.2
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db

Build and start the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml up -d

Note: in this configuration only traffic originating in the squid container itself will be intercepted (e.g. if some VPN server will also be running in the container) and in order to intercept traffic from another container from the same Docker network the additional routing table and rouring rules should be created in that container
ip route add table 1000 default nexthop dev eth0 via 10.20.30.2
ip rule add priority 1000 ipproto tcp dport 80 table 1000
ip rule add priority 1001 ipproto tcp dport 443 table 1000

ClamAV

Create /etc/docker/proxy/icap/Dockerfile file

FROM debian:12.5
 
RUN \
apt -y update && \
apt -y install curl git build-essential
 
RUN \
curl -o /tmp/icap.tar.gz -L https://sourceforge.net/projects/c-icap/files/c-icap/0.6.x/c_icap-0.6.3.tar.gz/download && \
tar -xf /tmp/icap.tar.gz -C /tmp && \
rm /tmp/icap.tar.gz && \
mv /tmp/*icap* /tmp/icap && \
cd /tmp/icap && \
./configure --prefix=/opt/c-icap --enable-large-files && \
make && \
make install
 
RUN \
cd /tmp && \
git clone https://github.com/darold/squidclamav && \
cd squidclamav && \
./configure --with-c-icap=/opt/c-icap/ && \
make && \
make install
 
RUN \
mkdir /opt/c-icap/var/run /opt/c-icap/var/tmp
 
ENTRYPOINT \
rm -f /opt/c-icap/var/run/* && \
/opt/c-icap/bin/c-icap -N -D -d 5

Create /etc/docker/proxy/clamav/Dockerfile file

FROM debian:12.5
 
RUN \
apt -y update && \
apt -y install clamav clamav-daemon && \
freshclam
 
ENTRYPOINT \
clamd -F

Edit /etc/docker/proxy/docker-compose.yml file

version: '3.8'
 
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.20.30.0/24"
 
volumes:
  squid_conf:
  squid_db:
  icap_conf:
  clamav_conf:
 
services:
  squid:
    build:
      context: ./squid/
    cap_add:
      - NET_ADMIN
    networks:
      default:
        ipv4_address: 10.20.30.2
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db
 
  icap:
    build:
      context: ./icap/
    networks:
      default:
        ipv4_address: 10.20.30.3
    volumes:
        - icap_conf:/opt/c-icap/etc
 
  clamav:
    build:
      context: ./clamav/
    networks:
      default:
        ipv4_address: 10.20.30.4
    volumes:
      - clamav_conf:/etc/clamav/

Rebuild and restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml down
docker-compose -f /etc/docker/proxy/docker-compose.yml build --no-cache
docker-compose -f /etc/docker/proxy/docker-compose.yml up -d

Edit /etc/squid/squid.conf file in the squid container

cache_effective_user proxy
cache_effective_group proxy
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
http_access allow all
http_reply_access allow all
 
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://10.20.30.3:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

Edit /opt/c-icap/etc/c-icap.conf file in the icap container

...
PidFile /opt/c-icap/var/run/c-icap.pid
CommandsSocket /opt/c-icap/var/run/c-icap.ctl
TmpDir /opt/c-icap/var/tmp
Service squidclamav squidclamav.so
...

Edit /opt/c-icap/etc/squidclamav.conf file in the icap container

...
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi
#clamd_local /var/run/clamav/clamd.ctl
clamd_ip 10.20.30.4
...

Edit /etc/clamav/clamav.conf file in the clamav container

...
#LocalSocket /var/run/clamav/clamd.ctl
#FixStaleSocket true
#LocalSocketGroup clamav
#LocalSocketMode 666
TCPSocket 3310
...

Restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml restart

SquidGuard

Edit /etc/docker/proxy/squid/Dockerfile file

FROM ubuntu:latest
 
RUN \
apt -y update && \
apt -y install squid-openssl iptables iproute2 squidguard
 
RUN \
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=Squid" -keyout /etc/squid/bump.key -out /etc/squid/bump.crt
 
RUN \
cat > /etc/squid/squid.conf <<EOF
cache_effective_user proxy
cache_effective_group proxy
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
http_access allow all
http_reply_access allow all
EOF
 
RUN \
mkdir /var/lib/squid && \
/usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 512MB  && \
chown -R proxy:proxy /var/lib/squid/ssl_db
 
ENTRYPOINT \
rm -f /run/squid.pid && \
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080 && \
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10443 && \
squid -N

Edit /etc/docker/proxy/docker-compose.yml file

version: '3.8'
 
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.20.30.0/24"
 
volumes:
  squid_conf:
  squid_db:
  squidguard_conf:
  squidguard_db:
  icap_conf:
  clamav_conf:
 
services:
  squid:
    build:
      context: ./squid/
    cap_add:
      - NET_ADMIN
    networks:
      default:
        ipv4_address: 10.20.30.2
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db
      - squidguard_conf:/etc/squidguard
      - squidguard_db:/var/lib/squidguard/db/
 
  icap:
    build:
      context: ./icap/
    networks:
      default:
        ipv4_address: 10.20.30.3
    volumes:
        - icap_conf:/opt/c-icap/etc
 
  clamav:
    build:
      context: ./clamav/
    networks:
      default:
        ipv4_address: 10.20.30.4
    volumes:
      - clamav_conf:/etc/clamav/

Rebuild and restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml down
docker-compose -f /etc/docker/proxy/docker-compose.yml build --no-cache
docker-compose -f /etc/docker/proxy/docker-compose.yml up -d

Edit /etc/squid/squid.conf file in the squid container

cache_effective_user proxy
cache_effective_group proxy
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
http_access allow all
http_reply_access allow all
 
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://10.20.30.3:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all
 
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

Replace the content of /etc/squidguard/squidGuard.conf file in the squid container

dbhome /var/lib/squidguard/db
logdir /var/log/squidguard
 
dest restricted {
    domainlist manual/domains
    urllist manual/urls
}
 
acl {
    default {
        pass !restricted all
        redirect https://google.com
    }
}

Create /var/lib/squidguard/db/manual/domains file in the squid container

1	`blacklisted-domain.com`

Create /var/lib/squidguard/db/manual/urls file in the squid container

1	`blacklisted-domain.com/blacklisted-path`

Restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml restart

Configuring hardware, deploying software, performing troubleshooting

Basic configuration

ClamAV

SquidGuard

Leave a Reply Cancel reply