Configuring Squid on Docker in conjunction with the ClamAV antivirus and the SquidGuard content filter


Basic configuration


Create a folder for storing containers configuration

mkdir /etc/docker/proxy

Create /etc/docker/proxy/squid/Dockerfile file

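# syntax=docker/dockerfile:1
# Squid as an intercepting (ssl-bump) proxy. The RUN heredoc below is a BuildKit
# feature, so build with BuildKit (DOCKER_BUILDKIT=1 for docker-compose v1).
# Pinned release instead of :latest so rebuilds are reproducible.
FROM ubuntu:24.04

# apt-get rather than apt (apt's CLI is not script-stable); recommends are skipped
# (squid-langpack, the error-page templates, is therefore listed explicitly) and the
# package lists are removed in the same layer so they never land in the image.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        iproute2 \
        iptables \
        openssl \
        squid-langpack \
        squid-openssl && \
    rm -rf /var/lib/apt/lists/*

# Minimal squid.conf: explicit proxy on 3128, intercept ports 10080/10443 fed by the
# iptables REDIRECT rules in the entrypoint, every TLS connection bumped.
# NOTE: "http_access allow all" makes 3128 an open proxy for anything that can reach this
# container; prefer "acl localnet src 10.20.30.0/24", "http_access allow localnet" and
# "http_access deny all" when not every peer on the compose network is trusted.
RUN cat > /etc/squid/squid.conf <<EOF
cache_effective_user proxy
cache_effective_group proxy
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
http_access allow all
http_reply_access allow all
EOF

# Database for the per-host certificates minted by ssl-bump; owned by the proxy
# account squid drops to after start-up.
RUN mkdir -p /var/lib/squid && \
    /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 512MB && \
    chown -R proxy:proxy /var/lib/squid/ssl_db

# The bump CA key is generated on first start into /etc/squid (a named volume in
# docker-compose.yml) instead of at build time, so it is not baked into an image layer
# where anyone able to pull the image could read it and forge certificates for every
# intercepted site. The key is readable by root and the proxy group only.
# Shell form is required for the && chain; "exec" makes squid PID 1 so it receives
# SIGTERM from "docker stop". Root is needed for iptables and the privileged ports;
# squid itself drops to the proxy user (cache_effective_user).
ENTRYPOINT rm -f /run/squid.pid && \
    if [ ! -f /etc/squid/bump.key ]; then \
        openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=Squid" \
            -keyout /etc/squid/bump.key -out /etc/squid/bump.crt && \
        chown root:proxy /etc/squid/bump.key && chmod 640 /etc/squid/bump.key; \
    fi && \
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080 && \
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10443 && \
    exec squid -N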

Create /etc/docker/proxy/docker-compose.yml file

# Compose v2 ignores "version" (it prints a warning); docker-compose v1 still needs it.
version: '3.8'

# Fixed subnet so the services can be addressed by the static IPs used in the configs.
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.20.30.0/24"

# Named volumes are seeded from the image's content on first use, so the generated
# squid.conf, the bump CA key/cert and the ssl_db survive container recreation.
volumes:
  squid_conf:
  squid_db:

services:
  squid:
    build:
      context: ./squid/
    # Needed only for the iptables REDIRECT rules in the squid entrypoint.
    cap_add:
      - NET_ADMIN
    # No "ports" entry: 3128 is reachable from the compose network only, not from the host.
    networks:
      default:
        ipv4_address: 10.20.30.2
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db

Build and start the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml up -d

Note: in this configuration only traffic originating in the squid container itself is intercepted (e.g. when a VPN server also runs in that container); to intercept traffic from another container on the same Docker network, an additional routing table and routing rules must be created in that container:
ip route add table 1000 default nexthop dev eth0 via 10.20.30.2
ip rule add priority 1000 ipproto tcp dport 80 table 1000
ip rule add priority 1001 ipproto tcp dport 443 table 1000


ClamAV


Create /etc/docker/proxy/icap/Dockerfile file

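# syntax=docker/dockerfile:1
# c-icap with the squidclamav module, built from source; squid talks to it on 1344.
FROM debian:12.5

# Optional integrity pins, passed with --build-arg:
#   C_ICAP_SHA256   sha256 of c_icap-0.6.3.tar.gz, taken from the c-icap release page
#                   (empty = the download is NOT verified)
#   SQUIDCLAMAV_REF tag or commit of darold/squidclamav to build
#                   (empty = tip of the default branch, i.e. not reproducible)
ARG C_ICAP_SHA256=""
ARG SQUIDCLAMAV_REF=""

# ca-certificates must be explicit once recommends are skipped (curl and git over https);
# package lists are removed in the same layer.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        git && \
    rm -rf /var/lib/apt/lists/*

# c-icap: -f fails the build on an HTTP error instead of saving an error page as the
# tarball; the archive is checked against C_ICAP_SHA256 when one is given and unpacked
# straight into WORKDIR (no glob-based rename of the extracted directory).
WORKDIR /tmp/icap
RUN curl -fsSL -o /tmp/icap.tar.gz https://sourceforge.net/projects/c-icap/files/c-icap/0.6.x/c_icap-0.6.3.tar.gz/download && \
    if [ -n "$C_ICAP_SHA256" ]; then echo "$C_ICAP_SHA256  /tmp/icap.tar.gz" | sha256sum -c -; fi && \
    tar -xf /tmp/icap.tar.gz -C /tmp/icap --strip-components=1 && \
    rm /tmp/icap.tar.gz && \
    ./configure --prefix=/opt/c-icap --enable-large-files && \
    make && \
    make install

# squidclamav module, built against the c-icap installed above.
WORKDIR /tmp/squidclamav
RUN git clone https://github.com/darold/squidclamav . && \
    if [ -n "$SQUIDCLAMAV_REF" ]; then git checkout "$SQUIDCLAMAV_REF"; fi && \
    ./configure --with-c-icap=/opt/c-icap/ && \
    make && \
    make install

# Runtime directories referenced by PidFile / CommandsSocket / TmpDir in c-icap.conf.
RUN mkdir -p /opt/c-icap/var/run /opt/c-icap/var/tmp

WORKDIR /opt/c-icap
# Stale pid/socket files are removed first; "exec" makes c-icap PID 1 so it receives
# SIGTERM from "docker stop". The account the server drops to comes from the User/Group
# directives in c-icap.conf — confirm it is not root.
ENTRYPOINT rm -f /opt/c-icap/var/run/* && exec /opt/c-icap/bin/c-icap -N -D -d 5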

Create /etc/docker/proxy/clamav/Dockerfile file

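# syntax=docker/dockerfile:1
# clamd, reached by squidclamav over TCP 3310 (see the clamd config edit below).
FROM debian:12.5

# Recommends are kept on purpose because the original install relied on them; package
# lists are removed in the same layer. freshclam seeds the signature database at build
# time so clamd can start even when the mirror is unreachable at container start.
RUN apt-get update && \
    apt-get install -y \
        clamav \
        clamav-daemon && \
    rm -rf /var/lib/apt/lists/* && \
    freshclam

# Best-effort signature refresh on every start (the build-time database is used when the
# mirror is unreachable), then clamd replaces the shell so it is PID 1 and receives
# SIGTERM from "docker stop".
# NOTE: the signature database directory is not on a volume in docker-compose.yml, so
# refreshed signatures do not survive a container recreate.
ENTRYPOINT freshclam || true; exec clamd -F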

Edit /etc/docker/proxy/docker-compose.yml file

# Compose v2 ignores "version" (it prints a warning); docker-compose v1 still needs it.
version: '3.8'

# Fixed subnet so the services can reach each other by the static addresses used in the
# squid and squidclamav configs (.2 squid, .3 icap, .4 clamav).
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.20.30.0/24"

# Named volumes are seeded from the image's content on first use, so the generated
# configs (and squid's bump CA key/cert) survive container recreation.
volumes:
  squid_conf:
  squid_db:
  icap_conf:
  clamav_conf:

services:
  squid:
    build:
      context: ./squid/
    # Needed only for the iptables REDIRECT rules in the squid entrypoint; the other
    # services run with the default capability set.
    cap_add:
      - NET_ADMIN
    # No "ports" entry: 3128 is reachable from the compose network only, not from the host.
    networks:
      default:
        ipv4_address: 10.20.30.2
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db

  # ICAP on 1344 has no authentication; every container on this network can submit
  # content to it.
  icap:
    build:
      context: ./icap/
    networks:
      default:
        ipv4_address: 10.20.30.3
    volumes:
        - icap_conf:/opt/c-icap/etc

  # clamd's TCP socket (3310) is likewise unauthenticated and reachable by every
  # container on this network.
  clamav:
    build:
      context: ./clamav/
    networks:
      default:
        ipv4_address: 10.20.30.4
    # Only the config is persisted; the signature database (presumably /var/lib/clamav)
    # is not, so any freshclam update done inside the container is lost on recreate.
    volumes:
      - clamav_conf:/etc/clamav/

Rebuild and restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml down
docker-compose -f /etc/docker/proxy/docker-compose.yml build --no-cache
docker-compose -f /etc/docker/proxy/docker-compose.yml up -d

Edit /etc/squid/squid.conf file in the squid container

# Squid starts as root (needed for the redirected ports and to read the CA key) and
# drops to this account for everything else.
cache_effective_user proxy
cache_effective_group proxy
# 3128: explicit forward proxy. 10080/10443: targets of the iptables REDIRECT rules in
# the squid Dockerfile entrypoint, hence "intercept".
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
# Every intercepted TLS session is terminated here with a certificate minted on the fly
# from bump.crt: clients must trust that CA, and whoever holds bump.key can impersonate
# any site to those clients. 512MB caps the in-memory certificate cache.
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
# Peek at the TLS ClientHello first, then bump everything. There is no exception list,
# so clients that pin certificates (app updaters, some banking/chat clients) will fail.
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
# NOTE: "allow all" makes 3128 an open proxy for anything that can reach this container;
# when not every peer is trusted use "acl localnet src 10.20.30.0/24",
# "http_access allow localnet" and "http_access deny all" instead.
http_access allow all
http_reply_access allow all

# ICAP adaptation through squidclamav in the icap container (10.20.30.3).
# The client IP/username options forward client identity to the ICAP server; the
# username header only carries a value when proxy authentication is configured (none is here).
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
# Preview lets the ICAP service decide from the first 1024 bytes whether it needs the whole body.
icap_preview_enable on
icap_preview_size 1024
# Requests: bypass=off, squid fails CLOSED (client gets an error) if c-icap is unreachable.
icap_service service_avi_req reqmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
# Responses: bypass=on, squid fails OPEN, i.e. downloads pass UNSCANNED whenever c-icap
# is down or errors. Set bypass=off if unscanned content is worse than a proxy outage.
icap_service service_avi_resp respmod_precache icap://10.20.30.3:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

Edit /opt/c-icap/etc/c-icap.conf file in the icap container

...
PidFile /opt/c-icap/var/run/c-icap.pid
CommandsSocket /opt/c-icap/var/run/c-icap.ctl
TmpDir /opt/c-icap/var/tmp
Service squidclamav squidclamav.so
...

Edit /opt/c-icap/etc/squidclamav.conf file in the icap container

...
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi
#clamd_local /var/run/clamav/clamd.ctl
clamd_ip 10.20.30.4
...

Edit /etc/clamav/clamd.conf file in the clamav container

...
#LocalSocket /var/run/clamav/clamd.ctl
#FixStaleSocket true
#LocalSocketGroup clamav
#LocalSocketMode 666
TCPSocket 3310
...

Restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml restart


SquidGuard


Edit /etc/docker/proxy/squid/Dockerfile file

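# syntax=docker/dockerfile:1
# Squid as an intercepting (ssl-bump) proxy with squidGuard as URL rewriter. The RUN
# heredoc below is a BuildKit feature, so build with BuildKit (DOCKER_BUILDKIT=1 for
# docker-compose v1). Pinned release instead of :latest so rebuilds are reproducible.
FROM ubuntu:24.04

# apt-get rather than apt (apt's CLI is not script-stable); recommends are skipped
# (squid-langpack, the error-page templates, is therefore listed explicitly) and the
# package lists are removed in the same layer so they never land in the image.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        iproute2 \
        iptables \
        openssl \
        squid-langpack \
        squid-openssl \
        squidguard && \
    rm -rf /var/lib/apt/lists/*

# Minimal squid.conf: explicit proxy on 3128, intercept ports 10080/10443 fed by the
# iptables REDIRECT rules in the entrypoint, every TLS connection bumped.
# NOTE: "http_access allow all" makes 3128 an open proxy for anything that can reach this
# container; prefer "acl localnet src 10.20.30.0/24", "http_access allow localnet" and
# "http_access deny all" when not every peer on the compose network is trusted.
RUN cat > /etc/squid/squid.conf <<EOF
cache_effective_user proxy
cache_effective_group proxy
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
http_access allow all
http_reply_access allow all
EOF

# Database for the per-host certificates minted by ssl-bump, and the directory the
# manual squidGuard blacklists (domains/urls) go into; both owned by the proxy account
# squid and its squidGuard helper run under.
RUN mkdir -p /var/lib/squid /var/lib/squidguard/db/manual && \
    /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 512MB && \
    chown -R proxy:proxy /var/lib/squid/ssl_db /var/lib/squidguard/db

# The bump CA key is generated on first start into /etc/squid (a named volume in
# docker-compose.yml) instead of at build time, so it is not baked into an image layer
# where anyone able to pull the image could read it and forge certificates for every
# intercepted site. The key is readable by root and the proxy group only.
# Shell form is required for the && chain; "exec" makes squid PID 1 so it receives
# SIGTERM from "docker stop". Root is needed for iptables and the privileged ports;
# squid itself drops to the proxy user (cache_effective_user).
ENTRYPOINT rm -f /run/squid.pid && \
    if [ ! -f /etc/squid/bump.key ]; then \
        openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=Squid" \
            -keyout /etc/squid/bump.key -out /etc/squid/bump.crt && \
        chown root:proxy /etc/squid/bump.key && chmod 640 /etc/squid/bump.key; \
    fi && \
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080 && \
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10443 && \
    exec squid -N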

Edit /etc/docker/proxy/docker-compose.yml file

# Compose v2 ignores "version" (it prints a warning); docker-compose v1 still needs it.
version: '3.8'

# Fixed subnet so the services can reach each other by the static addresses used in the
# squid and squidclamav configs (.2 squid, .3 icap, .4 clamav).
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.20.30.0/24"

# Named volumes are seeded from the image's content on first use, so the generated
# configs, squid's bump CA key/cert and the squidGuard blacklists survive recreation.
volumes:
  squid_conf:
  squid_db:
  squidguard_conf:
  squidguard_db:
  icap_conf:
  clamav_conf:

services:
  squid:
    build:
      context: ./squid/
    # Needed only for the iptables REDIRECT rules in the squid entrypoint; the other
    # services run with the default capability set.
    cap_add:
      - NET_ADMIN
    # No "ports" entry: 3128 is reachable from the compose network only, not from the host.
    networks:
      default:
        ipv4_address: 10.20.30.2
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db
      - squidguard_conf:/etc/squidguard
      - squidguard_db:/var/lib/squidguard/db/

  # ICAP on 1344 has no authentication; every container on this network can submit
  # content to it.
  icap:
    build:
      context: ./icap/
    networks:
      default:
        ipv4_address: 10.20.30.3
    volumes:
        - icap_conf:/opt/c-icap/etc

  # clamd's TCP socket (3310) is likewise unauthenticated and reachable by every
  # container on this network.
  clamav:
    build:
      context: ./clamav/
    networks:
      default:
        ipv4_address: 10.20.30.4
    # Only the config is persisted; the signature database (presumably /var/lib/clamav)
    # is not, so any freshclam update done inside the container is lost on recreate.
    volumes:
      - clamav_conf:/etc/clamav/

Rebuild and restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml down
docker-compose -f /etc/docker/proxy/docker-compose.yml build --no-cache
docker-compose -f /etc/docker/proxy/docker-compose.yml up -d

Edit /etc/squid/squid.conf file in the squid container

# Squid starts as root (needed for the redirected ports and to read the CA key) and
# drops to this account for everything else, including the squidGuard helper.
cache_effective_user proxy
cache_effective_group proxy
# 3128: explicit forward proxy. 10080/10443: targets of the iptables REDIRECT rules in
# the squid Dockerfile entrypoint, hence "intercept".
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
# Every intercepted TLS session is terminated here with a certificate minted on the fly
# from bump.crt: clients must trust that CA, and whoever holds bump.key can impersonate
# any site to those clients. 512MB caps the in-memory certificate cache.
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
# Peek at the TLS ClientHello first, then bump everything. There is no exception list,
# so clients that pin certificates (app updaters, some banking/chat clients) will fail.
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all
# NOTE: "allow all" makes 3128 an open proxy for anything that can reach this container;
# when not every peer is trusted use "acl localnet src 10.20.30.0/24",
# "http_access allow localnet" and "http_access deny all" instead.
http_access allow all
http_reply_access allow all

# ICAP adaptation through squidclamav in the icap container (10.20.30.3).
# The client IP/username options forward client identity to the ICAP server; the
# username header only carries a value when proxy authentication is configured (none is here).
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
# Preview lets the ICAP service decide from the first 1024 bytes whether it needs the whole body.
icap_preview_enable on
icap_preview_size 1024
# Requests: bypass=off, squid fails CLOSED (client gets an error) if c-icap is unreachable.
icap_service service_avi_req reqmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
# Responses: bypass=on, squid fails OPEN, i.e. downloads pass UNSCANNED whenever c-icap
# is down or errors. Set bypass=off if unscanned content is worse than a proxy outage.
icap_service service_avi_resp respmod_precache icap://10.20.30.3:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

# squidGuard as URL-rewrite helper (content filter). Because TLS is bumped above, it
# sees full HTTPS URLs, not only hostnames.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

Replace the content of /etc/squidguard/squidGuard.conf file in the squid container

# Blacklist root (the squidguard_db volume) and log directory; presumably both must be
# accessible to the proxy account squidGuard is spawned under — verify after first start.
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# "restricted": the manually maintained lists, relative to dbhome
# (manual/domains and manual/urls, created below).
dest restricted {
    domainlist manual/domains
    urllist manual/urls
}

# Default policy: everything except the restricted category passes; hits are redirected.
acl {
    default {
        pass !restricted all
        redirect https://google.com
    }
}

Create /var/lib/squidguard/db/manual/domains file in the squid container

blacklisted-domain.com

Create /var/lib/squidguard/db/manual/urls file in the squid container

blacklisted-domain.com/blacklisted-path

Restart the containers

docker-compose -f /etc/docker/proxy/docker-compose.yml restart
