[draft] Squid를 Docker 컨테이너로 실행하는 방법

Squid를 Docker 컨테이너로 실행하는 방법

1. Docker 설치

Docker를 설치해야 합니다.

2. Squid Docker 이미지 다운로드

Docker Hub에서 Squid의 공식 이미지를 다운로드하실 수 있습니다.

 

docker hub

• https://hub.docker.com/r/ubuntu/squid

docker hub

3. docker compose 파일 생성

vim docker-compose.yaml

version: '3.9'
services:
  squid-container:
    image: ubuntu/squid:5.2-22.04_beta
    restart: always
    container_name: squid-container
    volumes:
      - ./squid.conf:/etc/squid/squid.conf
    ports:
      - 8080:3128

4. Squid 환경 설정 파일

Squid 컨테이너를 실행하기 위해서는 몇 가지 환경 변수와 포트 매핑을 설정해야 합니다.

cat squid.conf

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

include /etc/squid/conf.d/*.conf

http_access allow localhost

http_access deny all

http_port 3128

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims

refresh_pattern .               0       20%     4320

/etc/squid/conf.d/*.conf

---

$ cat conf.d/debian.conf

#
# Squid configuration settings for Debian
#

# Logs are managed by logrotate on Debian
logfile_rotate 0

# For extra security Debian packages only allow
# localhost to use the proxy on new installs
#
http_access allow localnet

$ cat conf.d/rock.conf

# Set max_filedescriptors to avoid using system's RLIMIT_NOFILE. See LP: #1978272
max_filedescriptors 1024

---

728x90

squid 운영을 위한 설정

docker compose 파일 편집

vim docker-compose.yaml

version: '3.9'
services:
  squid-container:
    image: ubuntu/squid:5.2-22.04_beta
    restart: always
    container_name: squid-container
    volumes:
      - ./squid.conf:/etc/squid/squid.conf
      - ./domains.list:/etc/squid/domains.txt
      - ./ips.list:/etc/squid/ips.txt
      - ./log:/var/log/squid
    ports:
      - 8080:3128

Squid 환경 설정 파일 편집

vim squid.conf

# Access Control Lists (ACLs)
acl aws_vpc_cidr src 172.16.0.0/16
acl idc_cidr src 192.168.50.0/24
acl idc_cidr src 192.168.20.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 특정 IP 주소 또는 도메인 허용
acl allow_ip dst "/etc/squid/ips.txt"
acl allow_domain dstdomain "/etc/squid/domains.txt"

http_access allow aws_vpc_cidr allow_ip
http_access allow aws_vpc_cidr allow_domain
http_access allow idc_cidr allow_ip
http_access allow idc_cidr allow_domain

# Deny all other connections
http_access deny all

# Port Configuration
http_port 3128

# Log Configuration
access_log daemon:/var/log/squid/access.log

# Cache Configuration
cache_mem 512 MB
maximum_object_size 128 MB
cache_dir ufs /var/spool/squid 10000 16 256

# Refresh Patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320

# via version off
via off

# Server version off
httpd_suppress_version_string on
reply_header_access Server deny all

# Cache version off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all

도메인 리스트 파일 생성

vim domains.list

.ubuntu.com
.naver.com

아이피 주소 리스트 파일 생성

vim ips.list

27.0.236.139

Squid log 디렉토리 생성

mkdir log

Squid log의 소유권 설정

chown 13.13 log

docker compose 유효성 검사

docker-compose config

docker compose 실행

docker-compose up -d

docker compose 컨테이너 목록 확인

docker-compose ps

$ docker-compose ps
     Name                    Command               State           Ports         
---------------------------------------------------------------------------------
squid-container   entrypoint.sh -f /etc/squi ...   Up      0.0.0.0:8080->3128/tcp

docker-compose exec squid-container bash