.
├── Dockerfile
├── blacklists
│   └── sample
│       └── domains
├── block.html
├── build-squidguard-conf.sh
├── docker-proxy.png
├── readme.md
├── squid.conf
└── start.sh

/Dockerfile:
--------------------------------------------------------------------------------
# Unpinned base: pin a release tag for reproducible builds.
FROM ubuntu
LABEL maintainer="blaize.net"

# Comma-separated blacklist categories to enforce. Each one must exist as
# blacklists/<category>/ containing a domains, urls and/or expressions file.
ENV BLACKLIST adult,virusinfected,warez
# External IP or hostname of the Docker host. The block page is served from
# http://$IP_OR_HOSTNAME/block.html, so LAN clients must be able to reach it.
ENV IP_OR_HOSTNAME 192.168.99.101

RUN apt-get update && \
    apt-get install -y squid squidguard lighttpd && \
    rm -rf /var/lib/apt/lists/*

COPY squid.conf /etc/squid/squid.conf
COPY blacklists /opt/blacklists
COPY build-squidguard-conf.sh /build-squidguard-conf.sh
COPY block.html /var/www/html/block.html
COPY start.sh /start.sh

# Generates /etc/squidguard/squidGuard.conf from BLACKLIST/IP_OR_HOSTNAME and
# compiles the blacklists at build time; changing either variable therefore
# needs a rebuild, not just a new "docker run -e".
RUN /bin/bash /build-squidguard-conf.sh

CMD ["/bin/bash", "/start.sh"]
--------------------------------------------------------------------------------
/blacklists/sample/domains:
--------------------------------------------------------------------------------
example.com
--------------------------------------------------------------------------------
/block.html:
--------------------------------------------------------------------------------
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Page has been blocked.</title>
</head>
<body>
<p>Page has been blocked.</p>
</body>
</html>
--------------------------------------------------------------------------------
/build-squidguard-conf.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Generates /etc/squidguard/squidGuard.conf from the BLACKLIST and
# IP_OR_HOSTNAME environment variables set in the Dockerfile, then compiles
# the blacklist text files into squidGuard's Berkeley DB format.
# Runs at image build time as root.
set -eu

CONFFILE="/etc/squidguard/squidGuard.conf"
DB="/opt/blacklists"

rm -f "$CONFFILE"
touch "$CONFFILE"

# squidGuard runs as Squid's helper under the "proxy" user and needs read
# access to the databases, the config and the log directory.
chown -R proxy:proxy "$DB"
chown proxy:proxy "$CONFFILE"
chown -R proxy:proxy /var/log/squidguard/

{
    echo "dbhome $DB"
    echo "logdir /var/log/squidguard/"
} >> "$CONFFILE"

# One "dest" block per category. Each list file is optional, but the
# category directory must exist: an empty dest block is valid squidGuard
# config that matches nothing, so a mistyped category would silently go
# unfiltered. Fail the build instead.
IFS=',' read -r -a CATEGORIES <<< "$BLACKLIST"
for CATEGORY in "${CATEGORIES[@]}"
do
    if [ ! -d "$DB/$CATEGORY" ]
    then
        echo "ERROR: blacklist category '$CATEGORY' not found under $DB" >&2
        exit 1
    fi

    echo "dest $CATEGORY {" >> "$CONFFILE"

    if [ -e "$DB/$CATEGORY/domains" ]
    then
        echo "    domainlist $CATEGORY/domains" >> "$CONFFILE"
    fi

    if [ -e "$DB/$CATEGORY/urls" ]
    then
        echo "    urllist $CATEGORY/urls" >> "$CONFFILE"
    fi

    if [ -e "$DB/$CATEGORY/expressions" ]
    then
        echo "    expressionlist $CATEGORY/expressions" >> "$CONFFILE"
    fi

    echo "}" >> "$CONFFILE"
done

# "adult,warez" becomes "!adult !warez": deny the listed categories, pass the rest.
NOT_LIST="${BLACKLIST//,/ !}"

{
    echo "acl {"
    echo "    default {"
    echo "        pass !$NOT_LIST all"
    echo "        redirect http://$IP_OR_HOSTNAME/block.html"
    echo "    }"
    echo "}"
} >> "$CONFFILE"

# Compile every domain/url list to a .db file so lookups do not parse the
# text files at request time. Because of "set -e" a failure here fails the build.
squidGuard -b -C all

chown -R proxy:proxy "$DB"
chown proxy:proxy "$CONFFILE"
chown -R proxy:proxy /var/log/squidguard/
chown -R www-data:www-data /var/www/html/

exit 0
--------------------------------------------------------------------------------
/docker-proxy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theonemule/docker-proxy-server/7450f0c3249e0ff0eea99d875e30e97c43dc7a37/docker-proxy.png
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
Docker Proxy Server With Content Filter
===
Docker has sparked a revolution in Platform as a Service. Numerous applications have been ported to Docker containers to run application workloads, and Docker is now replacing even some components that have traditionally been reserved for infrastructure. It is possible to run things like web application firewalls and even outgoing proxy servers in containers.

This project grew out of a need to replace an aging filtering system that I had been using that wasn't being updated anymore. I had previously patched the aging system to give it a new lease on life, but it has since been deprecated. Wanting to use the same blacklists as before and also wanting to Dockerize the proxy, I built a container image that uses Squid and squidGuard to proxy and filter content on my LAN and VPN.

The inherent limitation of containerized applications is that they can't do low-level networking. Most containers can only run OSI layer 4+ applications; lower-level functions are reserved for routers, switches, and the like. Since proxies are layer 4 or layer 7 applications they can be containerized, but the traffic has to be routed through the container for it to be filtered.

![Docker Proxy Server](docker-proxy.png)

1. Traffic from the LAN hits the external firewall/router.
1. HTTP traffic is redirected to the proxy/filter container, which filters the content (HTTPS is not intercepted; see the firewall step below).
1. Passed traffic is routed back to the firewall/router.
1. The firewall/router forwards the request on to the internet.

## Prerequisites

1. The files in this repository
1. A blacklist database. A list can be [found here](http://www.squidguard.org/blacklists.html).
1. The Docker Engine installed
1. The IP or hostname of the machine or VM running the Docker Engine. This is needed to set up the block-page redirect in the container as well as to set up forwarding on the firewall.


## Using this Proxy

1. Download/extract as a ZIP file or clone this repository with Git.

1. Download a blacklist database. squidGuard maintains a list of [available blacklists here](http://www.squidguard.org/blacklists.html).

1. Extract the list into the blacklists folder. The folder structure should be **blacklists/category/file**. Each **category** has at least one **file**: **domains**, **urls** and/or **expressions**. So the domains file for the category ads would be /blacklists/ads/domains.

1. Edit the Dockerfile in your favorite text editor. The file has a variable called **BLACKLIST** that contains a comma-separated list of categories. Edit this list with the categories to filter. Each name must match a directory in the blacklists folder; the build script refuses to build if one is missing, because an unknown category would otherwise silently go unfiltered.

   **Example:**

   ````
   ENV BLACKLIST adult,warez,weapons
   ````

1. The file also contains a variable called **IP_OR_HOSTNAME**. Edit this variable to match the external IP address or hostname of the Docker Engine. This is where the firewall/router will forward HTTP traffic to, and where clients are redirected for the block page; Docker maps the host's ports to the container's ports. Both variables are read when the image is built, so changing either one requires rebuilding the image.

   **Example:**

   ````
   ENV IP_OR_HOSTNAME 192.168.99.100
   ````

1. Build the image with Docker. In a command line provisioned to use Docker, change directory to the working folder of the repository and run docker build.

   ````
   docker build --tag docker-proxy .
   ````

1. Push the image to a repository, or run it directly on the machine used to build it with docker run.

   ````
   docker run -dit -p 3128:3128 -p 80:80 --name proxy docker-proxy
   ````

   The container needs two **-p** directives. **Port 3128** is the proxy port for the container. **Port 80** serves the block page that blocked requests are redirected to. The first number in each colon pair is the host port and the second is the container port. The second number shouldn't be changed; the first one can be. The **--name** directive can be anything, as this is the name of the container. The last parameter is the image tag. Note that **-p** publishes the proxy on every interface of the Docker host, so the squid.conf in this repository only accepts clients from private (RFC 1918) source addresses; tighten that ACL to your own LAN ranges.

1. Check that the filter is actually running before relying on it. `docker logs proxy` should show Squid starting, and `docker exec proxy cat /var/log/squidguard/squidGuard.log` should end with squidGuard reporting that it is ready for requests. If that log instead mentions emergency mode, squidGuard could not load its config or one of the compiled blacklist databases, and in that state it passes every URL unfiltered; fix the BLACKLIST categories and rebuild.

1. Configure the router/firewall to use the proxy. Most firewalls allow rules to be defined based on the source of the traffic and its destination. Add one forwarding rule for HTTP: source address is a LAN IP, destination port is 80, redirect to the IP or hostname of the Docker Engine on port 3128. Exempt the Docker host itself from that rule, otherwise Squid's own outbound HTTP requests (including those for the block page) are sent back into Squid. Do not redirect port 443 to the same port: Squid's intercept port speaks plain HTTP and cannot decrypt TLS, so a redirected HTTPS connection fails rather than being filtered. Filtering HTTPS would need Squid's SSL-Bump with a CA certificate installed on every client, which this image does not set up.

1. Enjoy the proxy/content filter on Docker.
--------------------------------------------------------------------------------
/squid.conf:
--------------------------------------------------------------------------------
# Only LAN clients may use this proxy. Port 3128 is published on the Docker
# host, and "http_access allow all" would make it an open proxy to anything
# that can reach that port. Adjust these ranges to the LAN(s) behind the firewall.
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny to_localhost
icp_access deny all
htcp_access deny all

# "intercept" is the current name for what older Squid called "transparent":
# the router DNATs LAN port-80 traffic here and Squid treats it as proxied
# HTTP. This port handles plain HTTP only; TLS on 443 cannot be intercepted
# here without https_port, ssl-bump and a CA the clients trust.
http_port 3128 intercept

# hierarchy_stoplist was removed in Squid 3.5 and is not needed here.
access_log /var/log/squid/access.log squid

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Allow LAN clients to all sites; squidGuard does the filtering below.
http_access allow localnet
http_access deny all

# Every URL is handed to squidGuard, which answers with the block page URL
# for a hit. "redirect_program" is the older name of this directive and is
# still accepted. If squidGuard cannot load its config or databases it goes
# into emergency mode and passes everything, so check its log after start-up.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
--------------------------------------------------------------------------------
/start.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Container entrypoint: lighttpd serves the block page on port 80 and forks
# into the background by default; Squid stays in the foreground as the
# container's main process so that stopping the container stops Squid.
set -e

lighttpd -f /etc/lighttpd/lighttpd.conf

# -N: do not daemonise; -d 1: log to stderr at debug level 1.
# The original also passed -D (skip the start-up DNS test), which is
# obsolete in current Squid releases and only produces a warning.
exec squid -N -d 1
--------------------------------------------------------------------------------
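Two things the readme leaves to the reader are the concrete router rules for the HTTP redirect and a way to tell whether squidGuard has silently failed open. The helper below is an added example, not part of docker-proxy-server. Its LAN range (192.168.1.0/24), the Docker host address (192.168.99.101, the readme's example IP_OR_HOSTNAME), the iptables-based Linux router and the log path /var/log/squidguard/squidGuard.log are all assumptions, and the sample log it embeds is constructed, modelled on squidGuard's log format rather than captured from a real run.

```shell
#!/bin/bash
# Deployment helper for the readme's firewall step and post-start check.
# Not part of docker-proxy-server. Assumed values: LAN 192.168.1.0/24,
# Docker host 192.168.99.101, squidGuard log /var/log/squidguard/squidGuard.log.

# Router-side rules (Linux router, iptables) for sending LAN HTTP traffic to
# Squid's intercept port. Only TCP/80 is redirected: Squid's intercept port
# speaks plain HTTP and cannot terminate TLS, so redirecting 443 there breaks
# HTTPS instead of filtering it. The Docker host is exempted first, otherwise
# Squid's own outbound port-80 fetches (including the block page) loop back
# into Squid. If the Docker host shares a subnet with the clients, its replies
# bypass the router and the DNAT is never reversed; keep it on a separate
# segment or add a matching SNAT rule on the router.
nat_redirect_rules() {
    local lan_cidr="$1" docker_host="$2" proxy_port="${3:-3128}"
    printf 'iptables -t nat -A PREROUTING -s %s -j RETURN\n' "$docker_host"
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
        "$lan_cidr" "$docker_host" "$proxy_port"
}

# squidGuard fails OPEN: if its config or a compiled .db cannot be loaded it
# logs that it is going into emergency mode and then passes every URL
# unfiltered. Prints "failopen", "ok" or "unknown" based on the last state
# line in the log, so a later successful restart overrides an earlier emergency.
squidguard_status() {
    local logfile="$1" last
    last=$(grep -iE 'emergency mode|ready for requests' "$logfile" | tail -n 1)
    case "$last" in
        *[Ee]mergency*) echo failopen ;;
        *ready*)        echo ok ;;
        *)              echo unknown ;;
    esac
}

# Constructed sample log (format modelled on squidGuard's, not a real capture):
# a healthy start followed by a restart that fails into emergency mode.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2015-09-10 12:00:00 [17] squidGuard 1.4 started (1441886400.001)
2015-09-10 12:00:00 [17] squidGuard ready for requests (1441886400.050)
2015-09-10 12:05:00 [42] squidGuard 1.4 started (1441886700.001)
2015-09-10 12:05:00 [42] Error opening compiled database (constructed line)
2015-09-10 12:05:00 [42] Going into emergency mode
EOF

if [ "${1:-}" = "--rules" ]; then
    # usage: ./proxy-deploy-check.sh --rules 192.168.1.0/24 192.168.99.101
    nat_redirect_rules "$2" "$3"
elif [ "${1:-}" = "--log" ]; then
    # usage: docker exec proxy cat /var/log/squidguard/squidGuard.log | ./proxy-deploy-check.sh --log -
    squidguard_status "${2:-/var/log/squidguard/squidGuard.log}"
fi
```

Run `--rules` on the router to print the two iptables commands, review them, and then apply them; run `--log` against the container's squidGuard log after every start or rebuild, and treat anything other than `ok` as "the filter is not enforcing".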