This repository defines the Docker Image for running Squid as a forward proxy in AWS environments.
To build this image, the following prerequisites are required:
- Docker Client with access to a Docker Engine (1.12 or higher)
- Docker Compose 1.7 or higher
- GNU Make 3.82 or higher
- AWS CLI 1.10 or higher
- AWS profile/environment configured with privileges to push images to the ECR repository/public docker hub
To build the image, use the `make release` command:

```
$ make release
Building squid
Step 1 : FROM alpine
latest: Pulling from library/alpine
Digest: sha256:1354db23ff5478120c980eca1611a51c9f2b88b61f24283ee8200bf9a54f2e5c
Status: Image is up to date for alpine:latest
---> baa5d63471ea
Step 2 : MAINTAINER Pema Geyleg <[email protected]>
---> Using cache
---> f0ecea783770
...
...
Step 11 : CMD squid -f /etc/squid/squid.conf -NYCd 1
---> Using cache
---> ad9b93514414
Successfully built ad9b93514414
=> Build complete
=> Starting squid service...
Creating network "squid_default" with the default driver
Creating squid_squid_1
=> Release environment created
=> Squid is running at http://172.16.154.128:32779
```
After building the image, you can test it locally by configuring your browser or environment to use the Squid proxy URL displayed at the end of the `make release` output.
Docker image tagging follows the Git tags:

```
$ make version
=> App: squid Version: 1.x
```
With the image tagged, you can log in to the AWS EC2 Container Service Registry (ECR) and publish the image:

```
$ make login
=> Logged in to Docker registry
$ make publish
=> Publishing release image to 429614120872.dkr.ecr.eu-west-1.amazonaws.com/cwds/squid...
The push refers to a repository [429614120872.dkr.ecr.eu-west-1.amazonaws.com/cwds/squid]
eb40ed4586e2: Pushed
d93c9b2eda1f: Pushed
66fb5c668a31: Pushed
02535d447192: Pushed
011b303988d2: Pushed
20161211161608.52ce7ab: digest: sha256:f347746ec71c7a1fc00f534af27392b0eec5b8d300c191bb87e74753f7b9bcd6 size: 7708
...
...
=> Publish complete
```
A default whitelist template is included with this image that permits access to AWS services.
The whitelist is rendered from this template on container startup, using the environment variables supplied to the container (see the Squid Configuration section below).
The following is the default whitelist that is generated if no configuration is provided to the container:

```
.eu-west-1.amazonaws.com
.s3-eu-west-1.amazonaws.com
iam.amazonaws.com
sts.amazonaws.com
support.us-east-1.amazonaws.com
waf.amazonaws.com
cloudfront.amazonaws.com
route53.amazonaws.com
route53domains.us-east-1.amazonaws.com
devicefarm.eu-west-1.amazonaws.com
importexport.amazonaws.com
```
The following table defines the environment variables that control the configuration of containers created from this image.

Environment Variable | Required | Default Value | Description | Examples
---|---|---|---|---
SQUID_WHITELIST | No | (none) | Comma separated list of whitelisted domains. Note that this whitelist is added to the default whitelist that permits access to AWS services. | .cloudreach.com,.google.com
SQUID_BLACKLIST | No | (none) | Comma separated list of blacklisted domains. | .exploit-db.com
SQUID_BLOCKALL | No | true | Enable Squid block-all mode. | false
SQUID_SHUTDOWNLIFETIME | No | 20 | Value for the Squid `shutdown_lifetime` directive. | 30
AWS_REGIONS | No | eu-west-1 | Comma separated list of regions for which the whitelist should permit access to AWS services. This only affects AWS services that are regional in nature. | eu-west-1,eu-central-1
ALLOWED_CIDRS | No | RFC1918 ranges | Comma separated list of allowed CIDR ranges permitted to use the proxy. This typically should be set to the CIDR block range of your VPC. | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
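The following script is an added example, not the image's own entrypoint or template: it reproduces the whitelist generation described above from the documented environment variables, and shows the Squid ACL fragment that would enforce that whitelist together with `ALLOWED_CIDRS` and `SQUID_BLACKLIST` under a default-deny policy. It assumes that the two `.REGION.amazonaws.com` / `.s3-REGION.amazonaws.com` entries are the only per-region entries, that the remaining entries of the default whitelist are fixed, and that the generated files live at `/etc/squid/whitelist.txt` and `/etc/squid/blacklist.txt`; the ACL names `localnet`, `whitelist` and `blacklist` are also assumptions.

```shell
#!/bin/sh
# Added example: emulates the startup-time whitelist rendering this README describes.
# Not the project's own code; file paths and ACL names below are assumptions.

# Print the whitelist, one domain per line.
#   $1  comma separated AWS regions (AWS_REGIONS, default eu-west-1)
#   $2  comma separated extra domains (SQUID_WHITELIST, may be empty)
generate_whitelist() {
  regions="${1:-eu-west-1}"
  extra="$2"

  # Regional AWS endpoints: assumed to be the only entries that vary per region.
  for region in $(printf '%s' "$regions" | tr ',' ' '); do
    printf '.%s.amazonaws.com\n' "$region"
    printf '.s3-%s.amazonaws.com\n' "$region"
  done

  # Remaining entries of the default whitelist, treated here as fixed
  # (devicefarm.eu-west-1.amazonaws.com is listed verbatim; whether it
  # varies per region in the real template is not stated on the page).
  cat <<'EOF'
iam.amazonaws.com
sts.amazonaws.com
support.us-east-1.amazonaws.com
waf.amazonaws.com
cloudfront.amazonaws.com
route53.amazonaws.com
route53domains.us-east-1.amazonaws.com
devicefarm.eu-west-1.amazonaws.com
importexport.amazonaws.com
EOF

  # Operator-supplied domains are appended to the defaults, never replacing them.
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra" | tr ',' '\n'
  fi
}

# Print the Squid ACL fragment that enforces the lists with default deny.
#   $1  comma separated client CIDRs (ALLOWED_CIDRS, default RFC1918 ranges)
# Order matters: the blacklist deny must precede the whitelist allow, and
# "deny all" must be last so anything unmatched is refused.
generate_acl_config() {
  cidrs="${1:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
  printf 'acl localnet src %s\n' "$(printf '%s' "$cidrs" | tr ',' ' ')"
  printf 'acl whitelist dstdomain "/etc/squid/whitelist.txt"\n'
  printf 'acl blacklist dstdomain "/etc/squid/blacklist.txt"\n'
  printf 'http_access deny blacklist\n'
  printf 'http_access allow localnet whitelist\n'
  printf 'http_access deny all\n'
}

# Stand-alone run: render both artefacts from the environment, as an
# entrypoint would, using the same variable names as the table above.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  generate_whitelist "${AWS_REGIONS:-}" "${SQUID_WHITELIST:-}"
  echo '---'
  generate_acl_config "${ALLOWED_CIDRS:-}"
fi
```

With no variables set the first function prints exactly the eleven-line default whitelist shown above; setting `AWS_REGIONS=eu-west-1,eu-central-1` and `SQUID_WHITELIST=.cloudreach.com` adds the two eu-central-1 patterns and the extra domain after the defaults.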