Squid Proxy Docker Image

This repository defines the Docker Image for running Squid as a forward proxy in AWS environments.

Building the Image

To build this image the following prerequisites are required:

  • Docker Client with access to a Docker Engine (1.12 or higher)
  • Docker Compose 1.7 or higher
  • GNU Make 3.82 or higher
  • AWS CLI 1.10 or higher
  • AWS profile/environment configured with privileges to push images to the ECR repository/public docker hub

To build the image use the make release command:

$ make release
Building squid
Step 1 : FROM alpine
latest: Pulling from library/alpine
Digest: sha256:1354db23ff5478120c980eca1611a51c9f2b88b61f24283ee8200bf9a54f2e5c
Status: Image is up to date for alpine:latest
 ---> baa5d63471ea
Step 2 : MAINTAINER Pema Geyleg <[email protected]>
 ---> Using cache
 ---> f0ecea783770
...
...
Step 11 : CMD squid -f /etc/squid/squid.conf -NYCd 1
 ---> Using cache
 ---> ad9b93514414
Successfully built ad9b93514414
=> Build complete
=> Starting squid service...
Creating network "squid_default" with the default driver
Creating squid_squid_1
=> Release environment created
=> Squid is running at http://172.16.154.128:32779

After building the image, you can test the image locally by configuring your browser or environment to use the Squid proxy URL output displayed at the end of the make release command.

Tagging the Image

Docker image tags follow the Git tags:

$ make version
=> App: squid Version: 1.x

Publishing the Image

With the image tagged, you can log in to the AWS EC2 Container Service Registry (ECR) and publish the image:

$ make login
=> Logged in to Docker registry
$ make publish
=> Publishing release image to 429614120872.dkr.ecr.eu-west-1.amazonaws.com/cwds/squid...
The push refers to a repository [429614120872.dkr.ecr.eu-west-1.amazonaws.com/cwds/squid]
eb40ed4586e2: Pushed
d93c9b2eda1f: Pushed
66fb5c668a31: Pushed
02535d447192: Pushed
011b303988d2: Pushed
20161211161608.52ce7ab: digest: sha256:f347746ec71c7a1fc00f534af27392b0eec5b8d300c191bb87e74753f7b9bcd6 size: 7708
...
...
=> Publish complete

Runtime Configuration

Squid Whitelist

A default whitelist template is included with this image that permits access to AWS services.

The whitelist is generated by a whitelist template that is created on container startup based upon environment variables supplied to the container (see the Squid Configuration section below).

The following is the default whitelist that is generated if no configuration is provided to the container:

.eu-west-1.amazonaws.com
.s3-eu-west-1.amazonaws.com
iam.amazonaws.com
sts.amazonaws.com
support.us-east-1.amazonaws.com
waf.amazonaws.com
cloudfront.amazonaws.com
route53.amazonaws.com
route53domains.us-east-1.amazonaws.com
devicefarm.eu-west-1.amazonaws.com
importexport.amazonaws.com

Squid Configuration

The following table defines the environment variables that control the configuration of containers created from this image.

| Environment Variable | Required | Default Value | Description | Examples |
|---|---|---|---|---|
| SQUID_WHITELIST | No | | Comma separated list of whitelisted domains. Note that this list is added to the default whitelist that permits access to AWS services. | .cloudreach.com,.google.com |
| SQUID_BLACKLIST | No | | Comma separated list of blacklisted domains. | .exploit-db.com |
| SQUID_BLOCKALL | No | true | Squid block all | false |
| SQUID_SHUTDOWNLIFETIME | No | 20 | Squid shutdown_lifetime | 30 |
| AWS_REGIONS | No | eu-west-1 | Comma separated list of regions for which the whitelist should permit access to AWS services. This only affects AWS services that are regional in nature. | eu-west-1,eu-central-1 |
| ALLOWED_CIDRS | No | RFC1918 ranges | Comma separated list of allowed CIDR ranges permitted to use the proxy. This typically should be set to the CIDR block range of your VPC. | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 |
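One way to implement the startup rendering that the Squid Whitelist and Squid Configuration sections describe, as an added example that is not the image's own entrypoint or template: a POSIX shell script that expands the regional entries (`.REGION.amazonaws.com`, `.s3-REGION.amazonaws.com`, `devicefarm.REGION.amazonaws.com`, inferred from the eu-west-1 default list above) once per region in AWS_REGIONS, appends SQUID_WHITELIST, and emits the matching squid.conf access rules. The whitelist file path, the ACL names, the `deny !allowed_cidrs` guard, and the rules emitted for SQUID_BLOCKALL=false are assumptions of this example, not documented behaviour of the image.

```shell
#!/bin/sh
# Added example, not the image's own entrypoint: render the Squid whitelist
# and access rules from the environment variables documented in the README.
# Assumptions (not from the README): the whitelist file path, the ACL names,
# and the exact rules emitted for SQUID_BLOCKALL=false.

WHITELIST_FILE="/etc/squid/whitelist.txt"   # assumed path

# Global AWS endpoints from the README's default whitelist; these do not vary by region.
AWS_GLOBAL_HOSTS="iam.amazonaws.com
sts.amazonaws.com
support.us-east-1.amazonaws.com
waf.amazonaws.com
cloudfront.amazonaws.com
route53.amazonaws.com
route53domains.us-east-1.amazonaws.com"

# split_csv: one token per line.   csv_to_words: tokens separated by spaces.
split_csv()    { printf '%s' "$1" | tr ',' '\n'; }
csv_to_words() { printf '%s' "$1" | tr ',' ' '; }

# render_whitelist: print one Squid dstdomain pattern per line.
# Regional entries are expanded once per region in AWS_REGIONS (default eu-west-1).
# SQUID_WHITELIST entries are appended after the AWS defaults, never instead of them.
render_whitelist() {
  regions=$(split_csv "${AWS_REGIONS:-eu-west-1}")
  for r in $regions; do
    printf '.%s.amazonaws.com\n' "$r"
    printf '.s3-%s.amazonaws.com\n' "$r"
  done
  printf '%s\n' "$AWS_GLOBAL_HOSTS"
  for r in $regions; do
    printf 'devicefarm.%s.amazonaws.com\n' "$r"
  done
  printf 'importexport.amazonaws.com\n'
  if [ -n "${SQUID_WHITELIST:-}" ]; then
    split_csv "$SQUID_WHITELIST"
    printf '\n'
  fi
}

# render_access_rules: print the squid.conf fragment that enforces the lists.
# Deny rules come first so a blacklisted domain is unreachable even if it also
# matches a whitelist pattern, and clients outside ALLOWED_CIDRS are rejected
# before any destination rule is consulted.
render_access_rules() {
  printf 'shutdown_lifetime %s seconds\n' "${SQUID_SHUTDOWNLIFETIME:-20}"
  printf 'acl allowed_cidrs src %s\n' \
    "$(csv_to_words "${ALLOWED_CIDRS:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}")"
  printf 'acl whitelist dstdomain "%s"\n' "$WHITELIST_FILE"
  if [ -n "${SQUID_BLACKLIST:-}" ]; then
    printf 'acl blacklist dstdomain %s\n' "$(csv_to_words "$SQUID_BLACKLIST")"
    printf 'http_access deny blacklist\n'
  fi
  printf 'http_access deny !allowed_cidrs\n'
  printf 'http_access allow whitelist\n'
  if [ "${SQUID_BLOCKALL:-true}" = "true" ]; then
    printf 'http_access deny all\n'
  else
    # Assumed meaning of SQUID_BLOCKALL=false: permitted source networks may reach any destination.
    printf 'http_access allow allowed_cidrs\n'
  fi
}

# Usage inside the container (assumed layout): render both files, then start Squid
# with the command from the image's Dockerfile, e.g.
#   sh render.sh --render && squid -f /etc/squid/squid.conf -NYCd 1
if [ "${1:-}" = "--render" ]; then
  render_whitelist > "$WHITELIST_FILE"
  render_access_rules > /etc/squid/access.conf   # assumed to be included from squid.conf
fi
```

Two points worth checking when reviewing a rendered whitelist: a leading-dot `dstdomain` entry such as `.google.com` matches the domain and every subdomain, so each SQUID_WHITELIST entry widens egress more than its single name suggests; and because SQUID_WHITELIST is appended rather than substituted, the AWS defaults can only be narrowed by changing AWS_REGIONS, not by omitting them.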

Thanks