Configuring Squid on Docker in conjunction with the ClamAV antivirus and the SquidGuard content filter
Basic configuration
Create a folder for storing the containers' configuration (the per-service subfolders squid/, icap/ and clamav/ used below live under it)
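# -p also creates the per-service subfolders that the Dockerfiles below are written into
# (squid/ now, icap/ and clamav/ later) and is a no-op when the directories already exist.
mkdir -p /etc/docker/proxy/squid /etc/docker/proxy/icap /etc/docker/proxy/clamav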
Create /etc/docker/proxy/squid/Dockerfile file
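# syntax=docker/dockerfile:1
# The `cat <<EOF` heredoc below needs BuildKit; with the classic builder the config lines would be
# read as Dockerfile instructions (docker-compose v1: set DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1).
# Pinned base image instead of :latest so rebuilds are reproducible.
FROM ubuntu:24.04

# squid-openssl: Squid built with TLS support (ssl-bump, security_file_certgen).
# openssl/ca-certificates: CA generation in the entrypoint and validation of origin-server certificates.
# iptables/iproute2: the entrypoint installs the REDIRECT rules for transparent interception.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates \
        iproute2 \
        iptables \
        openssl \
        squid-openssl && \
    rm -rf /var/lib/apt/lists/*

# Initial squid.conf. /etc/squid is a named volume in docker-compose.yml, so this copy is only
# used the first time the volume is created; later edits are made inside the container.
RUN cat > /etc/squid/squid.conf <<'EOF'
cache_effective_user proxy
cache_effective_group proxy

# Explicit proxy port plus the two intercept ports fed by the iptables REDIRECT rules in the entrypoint.
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB

# Peek at the TLS ClientHello first, then bump (decrypt) every connection.
# Clients must trust bump.crt; certificate-pinning applications will break and need an
# `ssl_bump splice` rule for their server names instead.
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all

# Only clients on the Docker network may use the proxy (never `allow all`: publishing 3128
# would turn this into an open proxy). Add VPN client ranges here if a VPN terminates in this container.
acl localnet src 10.20.30.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_reply_access allow all
EOF

# Pre-create the dynamic certificate database used by the ssl-bump certificate generator;
# the helper runs as the proxy user, so it must own the directory.
RUN mkdir -p /var/lib/squid && \
    /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 512MB && \
    chown -R proxy:proxy /var/lib/squid/ssl_db

# The ssl-bump CA is generated on first start, into the /etc/squid volume, instead of at build time:
# a private key produced in a RUN step ends up in an image layer (readable by anyone who can pull
# the image), and it would be shadowed anyway once the named volume exists. Export
# /etc/squid/bump.crt from the volume and install it as a trusted CA on every bumped client.
# `exec` makes squid PID 1 so `docker stop` delivers SIGTERM to it directly.
ENTRYPOINT ["/bin/sh", "-c", "\
    set -e; \
    if [ ! -s /etc/squid/bump.key ]; then \
        openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj /CN=Squid \
            -keyout /etc/squid/bump.key -out /etc/squid/bump.crt; \
    fi; \
    rm -f /run/squid.pid; \
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080; \
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10443; \
    exec squid -N"]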
Create /etc/docker/proxy/docker-compose.yml file
version: "3.8"

services:
  # Transparent proxy. No `ports:` are published on purpose: the proxy is reachable
  # only from the 10.20.30.0/24 bridge network.
  squid:
    build: ./squid/
    # NET_ADMIN is needed for the iptables REDIRECT rules the entrypoint installs.
    cap_add: [NET_ADMIN]
    networks:
      default: {ipv4_address: 10.20.30.2}
    # Named volumes keep squid.conf, the bump CA and the generated-certificate database
    # across restarts and rebuilds; the image content is copied in only when a volume is first created.
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db

networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config: [{subnet: 10.20.30.0/24}]

volumes:
  squid_conf: {}
  squid_db: {}
Build and start the containers
# Builds the image and starts the stack detached. The squid Dockerfile uses a heredoc, which
# needs BuildKit (docker-compose v1: DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 in the environment).
docker-compose -f /etc/docker/proxy/docker-compose.yml up -d
Note: the iptables REDIRECT rules are in the PREROUTING chain, so only traffic that enters the squid container's network stack from outside is intercepted (for example traffic from the clients of a VPN server running in the same container); packets generated by processes inside the squid container itself are not. To intercept traffic from another container on the same Docker network, add a routing table and routing rules in that container (it needs the NET_ADMIN capability to do so):
# Policy routing for another container on the same Docker network: outbound TCP/80 and TCP/443
# are sent via the squid container (10.20.30.2), whose PREROUTING REDIRECT rules hand them to
# the intercept ports. Everything else keeps using the main routing table.
ip route add default via 10.20.30.2 dev eth0 table 1000
ip rule add ipproto tcp dport 80 table 1000 priority 1000
ip rule add ipproto tcp dport 443 table 1000 priority 1001
ClamAV
Create /etc/docker/proxy/icap/Dockerfile file
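# syntax=docker/dockerfile:1
FROM debian:12.5

# Build toolchain. ca-certificates is listed explicitly so curl can validate the download
# server's TLS certificate (with --no-install-recommends it is no longer pulled in implicitly).
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        git && \
    rm -rf /var/lib/apt/lists/*

# c-icap 0.6.3 from source, installed under /opt/c-icap.
# TODO(security): the tarball is fetched without checksum verification; record its sha256 and
# fail the build on mismatch. -f makes curl fail on HTTP errors instead of saving an error page.
RUN mkdir /tmp/icap && \
    curl -fsSL -o /tmp/icap.tar.gz https://sourceforge.net/projects/c-icap/files/c-icap/0.6.x/c_icap-0.6.3.tar.gz/download && \
    tar -xf /tmp/icap.tar.gz -C /tmp/icap --strip-components=1 && \
    cd /tmp/icap && \
    ./configure --prefix=/opt/c-icap --enable-large-files && \
    make && \
    make install && \
    rm -rf /tmp/icap /tmp/icap.tar.gz

# squidclamav ICAP module built against the c-icap above.
# TODO(security): `git clone` of the default branch is unpinned; check out a release tag
# (git clone --branch <tag>) so rebuilds are reproducible.
RUN git clone https://github.com/darold/squidclamav /tmp/squidclamav && \
    cd /tmp/squidclamav && \
    ./configure --with-c-icap=/opt/c-icap/ && \
    make && \
    make install && \
    rm -rf /tmp/squidclamav

# Runtime directories referenced by PidFile/CommandsSocket/TmpDir in c-icap.conf.
RUN mkdir /opt/c-icap/var/run /opt/c-icap/var/tmp

# Clear stale pid/socket files, then exec c-icap in the foreground so it is PID 1 and
# receives SIGTERM from `docker stop` directly.
ENTRYPOINT ["/bin/sh", "-c", "rm -f /opt/c-icap/var/run/* && exec /opt/c-icap/bin/c-icap -N -D -d 5"]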
Create /etc/docker/proxy/clamav/Dockerfile file
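# syntax=docker/dockerfile:1
FROM debian:12.5

# freshclam at build time seeds the signature database so clamd can start. Those signatures
# are only as fresh as the last image build, which is why the entrypoint also runs the updater.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        clamav \
        clamav-daemon \
        clamav-freshclam && \
    rm -rf /var/lib/apt/lists/* && \
    freshclam

# Start the freshclam updater daemon (it forks to the background) so signatures keep being
# refreshed at runtime, then exec clamd in the foreground as PID 1. If freshclam fails to start
# only a warning is logged and clamd still serves with the build-time signatures.
ENTRYPOINT ["/bin/sh", "-c", "\
    mkdir -p /run/clamav && chown clamav:clamav /run/clamav; \
    freshclam -d || echo 'freshclam did not start; virus signatures will not be refreshed' >&2; \
    exec clamd -F"]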
Edit /etc/docker/proxy/docker-compose.yml file
version: "3.8"

services:
  # Transparent proxy. No `ports:` are published: everything is reachable only on the bridge network.
  squid:
    build: ./squid/
    # NET_ADMIN is needed for the iptables REDIRECT rules the entrypoint installs.
    cap_add: [NET_ADMIN]
    networks:
      default: {ipv4_address: 10.20.30.2}
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db

  # c-icap + squidclamav; squid.conf addresses it as icap://10.20.30.3:1344/squidclamav.
  # ICAP is unauthenticated plaintext, so this must stay on the internal network.
  icap:
    build: ./icap/
    networks:
      default: {ipv4_address: 10.20.30.3}
    volumes:
      - icap_conf:/opt/c-icap/etc

  # clamd; squidclamav.conf points clamd_ip at 10.20.30.4 (TCP 3310).
  clamav:
    build: ./clamav/
    networks:
      default: {ipv4_address: 10.20.30.4}
    volumes:
      - clamav_conf:/etc/clamav/

networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config: [{subnet: 10.20.30.0/24}]

# Named volumes: image content is copied in only when a volume is first created,
# so configuration edits made inside the containers survive restarts and rebuilds.
volumes:
  squid_conf: {}
  squid_db: {}
  icap_conf: {}
  clamav_conf: {}
Rebuild and restart the containers
# `down` (without -v) keeps the named volumes, so earlier in-container config edits survive;
# `build --no-cache` re-runs every RUN step, including the apt installs and freshclam.
compose_file=/etc/docker/proxy/docker-compose.yml
docker-compose -f "$compose_file" down
docker-compose -f "$compose_file" build --no-cache
docker-compose -f "$compose_file" up -d
Edit the /etc/squid/squid.conf file in the squid container (it is on the squid_conf volume, so the edit persists across restarts and rebuilds; the copy baked into the image is not re-applied)
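cache_effective_user proxy
cache_effective_group proxy

# Explicit proxy port plus the two intercept ports fed by the iptables REDIRECT rules in the entrypoint.
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB

# Peek at the TLS ClientHello first, then bump (decrypt) every connection.
# Clients must trust bump.crt; certificate-pinning applications will break and need an
# `ssl_bump splice` rule for their server names instead.
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all

# Only clients on the Docker network may use the proxy (never `allow all`: publishing 3128
# would turn this into an open proxy). Add VPN client ranges here if a VPN terminates in this container.
acl localnet src 10.20.30.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_reply_access allow all

# ICAP antivirus scanning via c-icap/squidclamav in the icap container.
# No authentication is configured, so the username header is sent empty; it is kept for
# squidclamav's logging only.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# bypass=off on both services: if the ICAP service is unreachable or a scan transaction fails,
# Squid returns an error instead of passing the request/response through UNSCANNED.
# (bypass=on on the RESPMOD service would silently fail open on exactly the path that carries
# downloaded content; set it only if availability is preferred over scanning.)
icap_service service_avi_req reqmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all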
Edit /opt/c-icap/etc/c-icap.conf file in the icap container
...
# Runtime paths inside the icap container (the directories are created in its Dockerfile;
# the entrypoint clears var/run before each start).
PidFile /opt/c-icap/var/run/c-icap.pid
CommandsSocket /opt/c-icap/var/run/c-icap.ctl
TmpDir /opt/c-icap/var/tmp
# Registers the squidclamav module under the /squidclamav service path used by the
# icap_service URLs in squid.conf.
# NOTE(review): c-icap accepts ICAP from any peer that can reach port 1344 with no authentication;
# keep the service on the internal Docker network only.
Service squidclamav squidclamav.so
...
Edit /opt/c-icap/etc/squidclamav.conf file in the icap container
...
# Optional warning page shown instead of blocked content; left disabled.
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi
# clamd runs in another container, so its unix socket is unreachable from here;
# talk to it over TCP at the clamav container's static address instead (clamd port defaults to 3310).
#clamd_local /var/run/clamav/clamd.ctl
clamd_ip 10.20.30.4
...
Edit the clamd configuration file in the clamav container (`/etc/clamav/clamd.conf` on Debian; it lives on the clamav_conf volume)
...
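# The unix socket is unreachable from the icap container, so clamd listens on TCP instead.
#LocalSocket /var/run/clamav/clamd.ctl
#FixStaleSocket true
#LocalSocketGroup clamav
#LocalSocketMode 666
TCPSocket 3310
# The clamd protocol has no authentication (any peer can issue SCAN or SHUTDOWN), so bind only
# to this container's address on the internal Docker network and never publish the port.
TCPAddr 10.20.30.4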
...
Restart the containers
# Re-runs the entrypoints (iptables rules, daemons) so the edited configuration on the
# named volumes is picked up; images are not rebuilt.
docker-compose -f /etc/docker/proxy/docker-compose.yml restart
SquidGuard
Edit /etc/docker/proxy/squid/Dockerfile file
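# syntax=docker/dockerfile:1
# The `cat <<EOF` heredoc below needs BuildKit; with the classic builder the config lines would be
# read as Dockerfile instructions (docker-compose v1: set DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1).
# Pinned base image instead of :latest so rebuilds are reproducible.
FROM ubuntu:24.04

# squid-openssl: Squid built with TLS support (ssl-bump, security_file_certgen).
# squidguard: URL rewriter/content filter driven by squid.conf's url_rewrite_program.
# openssl/ca-certificates: CA generation in the entrypoint and validation of origin-server certificates.
# iptables/iproute2: the entrypoint installs the REDIRECT rules for transparent interception.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates \
        iproute2 \
        iptables \
        openssl \
        squid-openssl \
        squidguard && \
    rm -rf /var/lib/apt/lists/*

# Initial squid.conf. /etc/squid is a named volume in docker-compose.yml, so this copy is only
# used the first time the volume is created; later edits are made inside the container.
RUN cat > /etc/squid/squid.conf <<'EOF'
cache_effective_user proxy
cache_effective_group proxy

# Explicit proxy port plus the two intercept ports fed by the iptables REDIRECT rules in the entrypoint.
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB

# Peek at the TLS ClientHello first, then bump (decrypt) every connection.
# Clients must trust bump.crt; certificate-pinning applications will break and need an
# `ssl_bump splice` rule for their server names instead.
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all

# Only clients on the Docker network may use the proxy (never `allow all`: publishing 3128
# would turn this into an open proxy). Add VPN client ranges here if a VPN terminates in this container.
acl localnet src 10.20.30.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_reply_access allow all
EOF

# Pre-create the dynamic certificate database used by the ssl-bump certificate generator;
# the helper runs as the proxy user, so it must own the directory.
RUN mkdir -p /var/lib/squid && \
    /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 512MB && \
    chown -R proxy:proxy /var/lib/squid/ssl_db

# squidGuard runs as the proxy user and must be able to read its lists and write its log;
# if it cannot, it starts in emergency mode and passes every request unfiltered.
RUN mkdir -p /var/lib/squidguard/db/manual /var/log/squidguard && \
    chown -R proxy:proxy /var/lib/squidguard /var/log/squidguard

# The ssl-bump CA is generated on first start, into the /etc/squid volume, instead of at build time:
# a private key produced in a RUN step ends up in an image layer (readable by anyone who can pull
# the image), and it would be shadowed anyway once the named volume exists. Export
# /etc/squid/bump.crt from the volume and install it as a trusted CA on every bumped client.
# `exec` makes squid PID 1 so `docker stop` delivers SIGTERM to it directly.
ENTRYPOINT ["/bin/sh", "-c", "\
    set -e; \
    if [ ! -s /etc/squid/bump.key ]; then \
        openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj /CN=Squid \
            -keyout /etc/squid/bump.key -out /etc/squid/bump.crt; \
    fi; \
    rm -f /run/squid.pid; \
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080; \
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10443; \
    exec squid -N"]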
Edit /etc/docker/proxy/docker-compose.yml file
version: "3.8"

services:
  # Transparent proxy + squidGuard. No `ports:` are published: everything is reachable only
  # on the bridge network.
  squid:
    build: ./squid/
    # NET_ADMIN is needed for the iptables REDIRECT rules the entrypoint installs.
    cap_add: [NET_ADMIN]
    networks:
      default: {ipv4_address: 10.20.30.2}
    volumes:
      - squid_conf:/etc/squid
      - squid_db:/var/lib/squid/ssl_db
      - squidguard_conf:/etc/squidguard
      - squidguard_db:/var/lib/squidguard/db/

  # c-icap + squidclamav; squid.conf addresses it as icap://10.20.30.3:1344/squidclamav.
  # ICAP is unauthenticated plaintext, so this must stay on the internal network.
  icap:
    build: ./icap/
    networks:
      default: {ipv4_address: 10.20.30.3}
    volumes:
      - icap_conf:/opt/c-icap/etc

  # clamd; squidclamav.conf points clamd_ip at 10.20.30.4 (TCP 3310).
  clamav:
    build: ./clamav/
    networks:
      default: {ipv4_address: 10.20.30.4}
    volumes:
      - clamav_conf:/etc/clamav/

networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config: [{subnet: 10.20.30.0/24}]

# Named volumes: image content is copied in only when a volume is first created,
# so configuration edits made inside the containers survive restarts and rebuilds.
volumes:
  squid_conf: {}
  squid_db: {}
  squidguard_conf: {}
  squidguard_db: {}
  icap_conf: {}
  clamav_conf: {}
Rebuild and restart the containers
# `down` (without -v) keeps the named volumes, so earlier in-container config edits survive;
# `build --no-cache` re-runs every RUN step, including the apt installs and freshclam.
compose_file=/etc/docker/proxy/docker-compose.yml
docker-compose -f "$compose_file" down
docker-compose -f "$compose_file" build --no-cache
docker-compose -f "$compose_file" up -d
Edit the /etc/squid/squid.conf file in the squid container (it is on the squid_conf volume, so the edit persists across restarts and rebuilds; the copy baked into the image is not re-applied)
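cache_effective_user proxy
cache_effective_group proxy

# Explicit proxy port plus the two intercept ports fed by the iptables REDIRECT rules in the entrypoint.
http_port 0.0.0.0:3128
http_port 0.0.0.0:10080 intercept
https_port 0.0.0.0:10443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB

# Peek at the TLS ClientHello first, then bump (decrypt) every connection.
# Clients must trust bump.crt; certificate-pinning applications will break and need an
# `ssl_bump splice` rule for their server names instead.
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump bump all

# Only clients on the Docker network may use the proxy (never `allow all`: publishing 3128
# would turn this into an open proxy). Add VPN client ranges here if a VPN terminates in this container.
acl localnet src 10.20.30.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_reply_access allow all

# ICAP antivirus scanning via c-icap/squidclamav in the icap container.
# No authentication is configured, so the username header is sent empty; it is kept for
# squidclamav's logging only.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# bypass=off on both services: if the ICAP service is unreachable or a scan transaction fails,
# Squid returns an error instead of passing the request/response through UNSCANNED.
# (bypass=on on the RESPMOD service would silently fail open on exactly the path that carries
# downloaded content; set it only if availability is preferred over scanning.)
icap_service service_avi_req reqmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://10.20.30.3:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all

# squidGuard content filter, run as the proxy user. If it cannot read its lists or write
# /var/log/squidguard it falls back to emergency mode and passes every request unfiltered;
# check /var/log/squidguard/squidGuard.log after a restart.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf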
Replace the content of /etc/squidguard/squidGuard.conf file in the squid container
# squidGuard is started by Squid as url_rewrite_program and runs as the proxy user.
# NOTE(review): dbhome must be readable and logdir writable by that user; otherwise squidGuard
# starts in emergency mode and passes every request unfiltered - verify in its log after start.
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard
# "restricted": the hand-maintained domain and URL lists under dbhome/manual/.
dest restricted {
  domainlist manual/domains
  urllist manual/urls
}
# Default policy: everything not in "restricted" passes; blocked requests are redirected.
acl {
  default {
    pass !restricted all
    redirect https://google.com
  }
}
Create /var/lib/squidguard/db/manual/domains file in the squid container
blacklisted-domain.com
Create /var/lib/squidguard/db/manual/urls file in the squid container
blacklisted-domain.com/blacklisted-path
Restart the containers
# Re-runs the entrypoints so squid picks up the edited squid.conf, squidGuard.conf and lists
# from the named volumes; images are not rebuilt.
docker-compose -f /etc/docker/proxy/docker-compose.yml restart