Squid를 Docker 컨테이너로 실행하는 방법

IT/도커(Docker)

Squid를 Docker 컨테이너로 실행하는 방법

MirDaTe 2023. 10. 18. 22:31

728x90

원문출처 : https://scbyun.com/entry/%EB%A6%AC%EB%88%85%EC%8A%A4-squiddocker-container-%EC%98%AC%EB%A6%AC%EA%B8%B0

Squid를 Docker 컨테이너로 실행하는 방법

Squid를 Docker 컨테이너로 실행하는 방법 1. Docker 설치 Docker를 설치해야 합니다. 2. Squid Docker 이미지 다운로드 Docker Hub에서 Squid의 공식 이미지를 다운로드하실 수 있습니다. docker hub https://hub.docker.c

scbyun.com

Squid를 Docker 컨테이너로 실행하는 방법

1. Docker 설치

Docker를 설치해야 합니다.

2. Squid Docker 이미지 다운로드

Docker Hub에서 Squid의 공식 이미지를 다운로드하실 수 있습니다.

docker hub
- https://hub.docker.com/r/ubuntu/squid

3. docker compose 파일 생성

vim docker-compose.yaml

version: '3.9'
services:
  squid-container:
    image: ubuntu/squid:5.2-22.04_beta
    restart: always
    container_name: squid-container
    volumes:
      - ./squid.conf:/etc/squid/squid.conf
    ports:
      - 8080:3128

4. Squid 환경 설정 파일

Squid 컨테이너를 실행하기 위해서는 몇 가지 환경 변수와 포트 매핑을 설정해야 합니다.

cat squid.conf

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

include /etc/squid/conf.d/*.conf

http_access allow localhost

http_access deny all

http_port 3128

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims

refresh_pattern .               0       20%     4320

/etc/squid/conf.d/*.conf

$ cat conf.d/debian.conf

#
# Squid configuration settings for Debian
#

# Logs are managed by logrotate on Debian
logfile_rotate 0

# For extra security Debian packages only allow
# localhost to use the proxy on new installs
#
http_access allow localnet

$ cat conf.d/rock.conf

# Set max_filedescriptors to avoid using system's RLIMIT_NOFILE. See LP: #1978272
max_filedescriptors 1024

---

squid 운영을 위한 설정

docker compose 파일 편집

vim docker-compose.yaml

version: '3.9'
services:
  squid-container:
    image: ubuntu/squid:5.2-22.04_beta
    restart: always
    container_name: squid-container
    volumes:
      - ./squid.conf:/etc/squid/squid.conf
      - ./domains.list:/etc/squid/domains.txt
      - ./ips.list:/etc/squid/ips.txt
      - ./log:/var/log/squid
    ports:
      - 8080:3128

Squid 환경 설정 파일 편집

vim squid.conf

# Access Control Lists (ACLs)
acl aws_vpc_cidr src 172.16.0.0/16
acl idc_cidr src 192.168.50.0/24
acl idc_cidr src 192.168.20.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 특정 IP 주소 또는 도메인 허용
acl allow_ip dst "/etc/squid/ips.txt"
acl allow_domain dstdomain "/etc/squid/domains.txt"

http_access allow aws_vpc_cidr allow_ip
http_access allow aws_vpc_cidr allow_domain
http_access allow idc_cidr allow_ip
http_access allow idc_cidr allow_domain

# Deny all other connections
http_access deny all

# Port Configuration
http_port 3128

# Log Configuration
access_log daemon:/var/log/squid/access.log

# Cache Configuration
cache_mem 512 MB
maximum_object_size 128 MB
cache_dir ufs /var/spool/squid 10000 16 256

# Refresh Patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320

# via version off
via off

# Server version off
httpd_suppress_version_string on
reply_header_access Server deny all

# Cache version off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all

도메인 리스트 파일 생성

vim domains.list

.ubuntu.com #허용할 Domains / URL
.naver.com

아이피 주소 리스트 파일 생성

vim ips.list

200.200.200.200 #허용할 IP

Squid log 디렉토리 생성

mkdir log

Squid log의 소유권 설정

chown 13.13 log

docker compose 유효성 검사

docker-compose config

docker compose 실행

docker-compose up -d

docker compose 컨테이너 목록 확인

docker-compose ps

$ docker-compose ps
     Name                    Command               State           Ports         
---------------------------------------------------------------------------------
squid-container   entrypoint.sh -f /etc/squi ...   Up      0.0.0.0:8080->3128/tcp

docker-compose exec squid-container bash