Speed Up Your Web Browsing Using Squid Inside Docker

06 June 2016

In this article we will learn how to run a Squid instance inside a Docker container. This can be useful when we want to speed up our web browsing by caching, or simply apply some restrictions to it. Running Squid inside a container is good practice from a security standpoint: the proxy sits in the path of every request our browsers make and opens connections to arbitrary servers on the Internet, so it is both a worthwhile target and a process that parses a lot of untrusted input. A container limits what a compromised Squid process can reach on the host, although it is a weaker boundary than a separate VM (it shares the host kernel), so think of it as containing the damage rather than preventing it.

For this tutorial I picked the image chrisdaish/squid, because it is very small (about 20 MB). First let's download the image, create the directories we will be working in and grab a default squid.conf file:

root@docker:~# docker pull chrisdaish/squid
Using default tag: latest
latest: Pulling from chrisdaish/squid
12b41071e6ce: Already exists 
Digest: sha256:bd0b6e9bd3bbed9d6d414df4a708f15fb987b97cba518c2a657047f053c6391f
Status: Image is up to date for chrisdaish/squid:latest
root@docker:~# mkdir -p /opt/squid/logs
root@docker:~# cd /opt/squid
root@docker:/opt/squid# docker run --rm --name squid --entrypoint "/bin/sh" chrisdaish/squid -c "/bin/cat /etc/squid/squid.conf" >squid.conf

Here we need to pay attention to the last line, where we create a throwaway container with the --rm flag (it is removed as soon as the command exits), change its entrypoint to /bin/sh so that we can run a custom command inside the container, and redirect the output in order to grab the default squid.conf file for later use. Do not add -t to this command: a pseudo-terminal would translate every newline in the captured output into CR LF and leave you with a config file that has Windows line endings.

Now open your favorite text editor and append the following to the end of our squid.conf:

dns_v4_first on # fix no ipv6 dns error
cache_mem 256 MB # should be total_container_memory/3
maximum_object_size_in_memory 1 MB
maximum_object_size 50 MB
buffered_logs on
half_closed_clients off
memory_pools on
memory_pools_limit 256 MB
ipcache_size 2048
ipcache_low 90
ipcache_high 95
cache_swap_low 90
cache_swap_high 90
cache_store_log none

Note that this is not a perfect configuration: the right values depend on the type of web traffic you usually have, and there are many other options that can be tweaked to obtain better results. Two things worth knowing before you tune further. First, the stock squid.conf ships with cache_dir commented out, so unless the image adds one, Squid caches in memory only (cache_mem) and the cache_swap_* and maximum_object_size settings have no effect until you configure a disk cache. Second, Squid's own defaults for the swap watermarks are 90 and 95; the high mark is where object eviction becomes aggressive, so 90/90 leaves the replacement policy no band to work in. On the access side, by default Squid allows access from all the private (RFC 1918) address ranges through the localnet ACL, which from the container's point of view includes every host on your LAN and every other container on the Docker bridge; restrict it to the subnet your clients actually come from by editing the acl localnet lines. Also leave the default http_access deny CONNECT !SSL_ports rule in place, otherwise the proxy can be used as a tunnel to arbitrary TCP ports.

The final step is to start the container. Here we use the -v option to mount the local logs directory and to make the local squid.conf file available read-only inside the container:

root@docker:/opt/squid# docker run -d --name squid -p 3128:3128 -v /opt/squid/logs:/var/log/squid -v /opt/squid/squid.conf:/etc/squid/squid.conf:ro  chrisdaish/squid
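The whole procedure above as one script, with the two hardening steps from the text applied (a single client subnet in the localnet ACL, and the port published on one host address instead of all of them). This is an added example, not code from the original post or from the chrisdaish/squid image; the client subnet 192.168.1.0/24 and the host address 192.168.1.10 are my assumptions and can be overridden through CLIENT_NET and BIND_ADDR in the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: the same procedure as one
# script, with the hardening steps from the text applied. The client subnet
# and the bind address are assumptions, not values from the post.
set -eu

IMAGE=chrisdaish/squid
BASE=/opt/squid
CLIENT_NET=${CLIENT_NET:-192.168.1.0/24}
BIND_ADDR=${BIND_ADDR:-192.168.1.10}

# Copy the image's default squid.conf to stdout. No -t here: a pseudo-tty
# would turn every newline of the captured file into CR LF.
fetch_default_conf() {
    docker run --rm --entrypoint /bin/sh "$IMAGE" -c 'cat /etc/squid/squid.conf'
}

# Collapse the default "acl localnet src ..." lines (all RFC 1918 ranges plus
# the IPv6 local ranges) into a single ACL for our own client subnet.
# Filters stdin to stdout, so it can be checked without Docker.
restrict_localnet() {
    awk -v net="$1" '
        /^acl localnet src / {
            if (!seen) { print "acl localnet src " net; seen = 1 }
            next
        }
        { print }
    '
}

# The tuning block from the post, appended after the default directives.
tuning_block() {
cat <<'EOF'
dns_v4_first on
cache_mem 256 MB
maximum_object_size_in_memory 1 MB
maximum_object_size 50 MB
buffered_logs on
half_closed_clients off
memory_pools on
memory_pools_limit 256 MB
ipcache_size 2048
ipcache_low 90
ipcache_high 95
cache_swap_low 90
cache_swap_high 90
cache_store_log none
EOF
}

# Build /opt/squid/squid.conf: restricted default config, then our tuning.
build_conf() {
    mkdir -p "$BASE/logs"
    { fetch_default_conf | restrict_localnet "$CLIENT_NET"; tuning_block; } > "$BASE/squid.conf"
}

# Start Squid with port 3128 published on BIND_ADDR only. A plain
# "-p 3128:3128" binds 0.0.0.0, i.e. every interface on the host.
run_squid() {
    docker run -d --name squid \
        -p "$BIND_ADDR:3128:3128" \
        -v "$BASE/logs:/var/log/squid" \
        -v "$BASE/squid.conf:/etc/squid/squid.conf:ro" \
        "$IMAGE"
}

# Usage: sh squid-docker.sh deploy   (without "deploy" only the functions are defined)
if [ "${1:-}" = "deploy" ]; then
    build_conf
    run_squid
fi
```

restrict_localnet keeps the position of the ACL in the file (the first acl localnet line is replaced, the rest are dropped), so the http_access rules that reference localnet further down keep working unchanged.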

If everything works we should have a running instance of Squid listening on port 3128, writing its logs to /opt/squid/logs on the host. Note that -p 3128:3128 publishes the port on every interface of the host; if the host also has a public-facing interface, bind the port to a specific address instead (for example -p 192.168.1.10:3128:3128), and remember that the default localnet ACL admits any private source address, so everything behind your NAT and on the Docker bridge can use the proxy. You can easily test that it works by configuring a browser to use it and watching the access.log file:

root@docker:/opt/squid# tail -f /opt/squid/logs/access.log 
1464614676.039    172 TCP_MISS/200 1498 GET http://www.purplesrl.com/ajax_live_products? - HIER_DIRECT/ text/html
1464614701.278 295267 TCP_TUNNEL/200 16126 CONNECT s1emagst.akamaized.net:443 - HIER_DIRECT/ -
1464614701.278 535182 TCP_TUNNEL/200 35705 CONNECT s1emagst.akamaized.net:443 - HIER_DIRECT/ -
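Watching the log scroll by shows that requests arrive, but not whether the cache is helping or whether someone is using the proxy for something other than browsing. The following added example (mine, not part of the original post) runs three checks over a Squid native-format access.log: the cache hit ratio, CONNECT tunnels to ports other than 443, and bytes per destination host. The sample lines are constructed for this example and use Squid's default log layout (time, elapsed, client address, code/status, bytes, method, URL, ident, hierarchy/peer, type), which has a client-address column that the excerpt above does not show; the peer addresses are from the documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original post: quick checks over a Squid
# native-format access.log. SAMPLE_LOG is constructed for this example.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
1464614676.039    172 172.17.0.1 TCP_MISS/200 1498 GET http://www.purplesrl.com/ajax_live_products? - HIER_DIRECT/192.0.2.10 text/html
1464614680.110      3 172.17.0.1 TCP_MEM_HIT/200 1498 GET http://www.purplesrl.com/ajax_live_products? - HIER_NONE/- text/html
1464614701.278 295267 172.17.0.1 TCP_TUNNEL/200 16126 CONNECT s1emagst.akamaized.net:443 - HIER_DIRECT/192.0.2.20 -
1464614701.278 535182 172.17.0.1 TCP_TUNNEL/200 35705 CONNECT s1emagst.akamaized.net:443 - HIER_DIRECT/192.0.2.20 -
1464614720.500     40 172.17.0.1 TCP_DENIED/403 3912 CONNECT 203.0.113.9:22 - HIER_NONE/- text/html
1464614725.000   1200 172.17.0.1 TCP_TUNNEL/200 900 CONNECT 198.51.100.7:8443 - HIER_DIRECT/198.51.100.7 -
EOF
)

# Share of requests served from cache: any result code containing HIT
# (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...). Field 4 is code/status.
# A low ratio means the tuning is not buying much, which is easy to miss
# when the proxy "works".
hit_ratio() {
    awk '{ n++; if ($4 ~ /HIT/) h++ } END { printf "%d/%d\n", h, n }'
}

# CONNECT requests to ports other than 443. The stock config denies these
# (http_access deny CONNECT !SSL_ports); a TCP_TUNNEL/200 to any other port
# means that rule was relaxed and the proxy can reach arbitrary TCP services.
# The port is the last colon-separated part, so bracketed IPv6 hosts work too.
odd_tunnels() {
    awk '$6 == "CONNECT" { n = split($7, hp, ":"); if (hp[n] != "443") print $4, $7 }'
}

# Bytes per destination host, largest first: what the proxy actually serves.
bytes_per_host() {
    awk '{
        host = $7
        sub("^[a-z]+://", "", host)   # drop the scheme of GET/POST URLs
        sub("[/:].*$", "", host)      # keep only the host part
        bytes[host] += $5
    } END { for (h in bytes) printf "%s %d\n", h, bytes[h] }' | sort -k2,2nr
}

# Run the checks over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | hit_ratio
printf '%s\n' "$SAMPLE_LOG" | odd_tunnels
printf '%s\n' "$SAMPLE_LOG" | bytes_per_host
# Live use on the real log: tail -f /opt/squid/logs/access.log | odd_tunnels
```

On the sample the hit ratio is 1/6, and odd_tunnels reports both the denied CONNECT to port 22 and the allowed tunnel to port 8443; the second one is the line that should never appear with the default SSL_ports ACL.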

We can also check that everything works from inside the container by entering it with docker exec and using the squidclient tool, which sends the request to the proxy on localhost:3128; the X-Cache and Via headers in the reply confirm that the response came through Squid. From the host, curl -x http://127.0.0.1:3128 -I http://www.google.com/ does the same (substitute the address you published the port on):

root@docker:/opt/squid# docker exec -ti squid sh
/ # squidclient https://www.google.com
HTTP/1.1 302 Found
Location: https://www.google.ro/?gws_rd=cr&ei=uUJMV_X7NaKE6QSDyICQDQ
Cache-Control: private
X-Cache: MISS from 761f45f900ab
X-Cache-Lookup: MISS from 761f45f900ab:3128
Via: 1.1 761f45f900ab (squid/3.5.4)
Connection: close