In this article we will learn how to run a Squid instance inside a Docker container. This can be very useful when we want to speed up our web surfing, or just apply some restrictions on it. Isolating Squid inside a container is considered good practice from a security point of view: the proxy sits between the user and the threats out there and is exposed directly to the outside world, so it is a good idea to keep it isolated from the rest of the host.
For this tutorial I picked the image chrisdaish/squid, because it is very small (approx 20MB). First let’s download our image, create the directories we will be working in and grab a default squid.conf file:
root@docker:~# docker pull chrisdaish/squid
Using default tag: latest
latest: Pulling from chrisdaish/squid
12b41071e6ce: Already exists
Digest: sha256:bd0b6e9bd3bbed9d6d414df4a708f15fb987b97cba518c2a657047f053c6391f
Status: Image is up to date for chrisdaish/squid:latest
root@docker:~# mkdir -p /opt/squid/logs
root@docker:/opt/squid# docker run -it --rm --name squid --entrypoint "/bin/sh" chrisdaish/squid -c "/bin/cat /etc/squid/squid.conf" >squid.conf
Here we need to pay attention to the last line: we create a throw-away container with the --rm flag, change its entrypoint to /bin/sh so that we can execute a custom command inside the container, and use that command to grab the default squid.conf file from inside the container for later use.
Now open your favorite text mode editor, and add the following to the end of our squid.conf:
dns_v4_first on # fix no ipv6 dns error
cache_mem 256 MB # should be total_container_memory/3
maximum_object_size_in_memory 1 MB
maximum_object_size 50 MB
buffered_logs on
half_closed_clients off
memory_pools on
memory_pools_limit 256 MB
ipcache_size 2048
ipcache_low 90
ipcache_high 95
cache_swap_low 90
cache_swap_high 90
cache_store_log none
Note that this is not a perfect configuration: the right settings depend on the type of web traffic you usually have, and there are many other options that can be tweaked to obtain better results. By default Squid allows access from all private IP ranges, so it is a good idea to restrict access to just the ones you want; for this you have to edit the acl localnet lines.
The final step is to start the container, and here we will use the -v option to mount the local logs directory and make the local squid.conf file available as read-only inside the container:
root@docker:/opt/squid# docker run -d --name squid -p 3128:3128 -v /opt/squid/logs:/var/log/squid -v /opt/squid/squid.conf:/etc/squid/squid.conf:ro chrisdaish/squid
c0824898ac73ae74b0816aeaf7491b1fffe00915efb72b5a29bc49406ce59630
If everything works we should have a running instance of squid listening on port 3128, which stores the logs locally. You can easily test and see if everything works by configuring a browser to use it and watching the access.log file:
root@docker:/opt/squid# tail -f /opt/squid/logs/access.log
1464614676.039 172 10.2.128.210 TCP_MISS/200 1498 GET http://www.purplesrl.com/ajax_live_products? - HIER_DIRECT/220.127.116.11 text/html
1464614701.278 295267 10.2.128.210 TCP_TUNNEL/200 16126 CONNECT s1emagst.akamaized.net:443 - HIER_DIRECT/18.104.22.168 -
1464614701.278 535182 10.2.128.210 TCP_TUNNEL/200 35705 CONNECT s1emagst.akamaized.net:443 - HIER_DIRECT/22.214.171.124 -
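Watching access.log by eye works for a quick check; for routine monitoring of the proxy it helps to parse the native log format shown above. The following is an added example, not part of the original article: it parses Squid's native access.log layout (timestamp, elapsed ms, client, action/status, bytes, method, URL, user, hierarchy/peer, content type), sums bytes per client, collects denied requests and flags CONNECT tunnels to ports other than the ones you expect (443 by default). The log lines, hosts and addresses in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format (same layout as the
# lines tailed above); hosts and addresses are made up for this example.
SAMPLE_LOG = """\
1464614676.039    172 10.2.128.210 TCP_MISS/200 1498 GET http://www.example.com/ajax_live_products? - HIER_DIRECT/203.0.113.10 text/html
1464614701.278 295267 10.2.128.210 TCP_TUNNEL/200 16126 CONNECT cdn.example.net:443 - HIER_DIRECT/203.0.113.20 -
1464614702.001   1200 10.2.128.211 TCP_TUNNEL/200 812 CONNECT mail.example.org:25 - HIER_DIRECT/203.0.113.30 -
1464614703.500     40 10.2.128.212 TCP_DENIED/403 3900 GET http://www.example.com/ - HIER_NONE/- text/html
"""

# One regex for the ten whitespace-separated fields of the native format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def connect_port(url):
    """Destination port of a CONNECT request URL (host:port), or None."""
    _host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def summarize(log_text, allowed_connect_ports=(443,)):
    """Return (bytes per client, denied records, CONNECT tunnels to ports
    outside allowed_connect_ports). Tunnels to odd ports are worth a look
    because CONNECT carries arbitrary TCP through the proxy."""
    bytes_by_client = Counter()
    denied, odd_tunnels = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that do not match the native format
        bytes_by_client[rec["client"]] += rec["bytes"]
        if rec["action"] == "TCP_DENIED":
            denied.append(rec)
        if rec["method"] == "CONNECT" and connect_port(rec["url"]) not in allowed_connect_ports:
            odd_tunnels.append(rec)
    return bytes_by_client, denied, odd_tunnels
```

Pointing summarize() at the contents of /opt/squid/logs/access.log gives the same summary for the real proxy.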
We can also check if everything works from inside the container by entering it using exec and using the squidclient application:
root@docker:/opt/squid# docker exec -ti squid sh
/ # squidclient https://www.google.com
HTTP/1.1 302 Found
Location: https://www.google.ro/?gws_rd=cr&ei=uUJMV_X7NaKE6QSDyICQDQ
Cache-Control: private
[...]
X-Cache: MISS from 761f45f900ab
X-Cache-Lookup: MISS from 761f45f900ab:3128
Via: 1.1 761f45f900ab (squid/3.5.4)
Connection: close