Initial commit for squid-proxy-deployment.

Author: robbinparrish

.dockerignore

@@ -0,0 +1 @@
+.git*

.gitignore

@@ -0,0 +1,31 @@
+#
+# .gitignore file - Ignore everything and recursive allow them.
+#
+
+#
+# Ignore everything.
+#
+*
+
+#
+# Recursive allow.
+#
+!.gitignore
+!README.md
+!docker-compose.yml
+!Dockerfile
+!.dockerignore
+!configs
+!configs/
+!configs/automatic-backup/
+!configs/automatic-backup/squid-proxy-deployment-backup.*
+!configs/automatic-backup/README.md
+!configs/backup-and-restore.md
+!configs/upgrading-squid.md
+!configs/user-based-authentication.md
+!configs/certificate-based-authentication.md
+!configs/site-based-access.md
+!configs/caching-configuration.md
+!configs/squid.conf
+!configs/squid.conf.d
+!configs/squid.conf.d/*.conf

Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:3.19
+
+ENV TZ=UTC
+
+RUN apk update && \
+    apk add --no-cache \
+    squid openssl ca-certificates curl wget \
+    apache2-utils tar zip unzip gzip && \
+    mkdir -p /etc/squid/conf.d/ && \
+    touch /etc/squid/conf.d/00-default.conf && \
+    addgroup squid tty
+
+ADD configs/squid.conf /etc/squid/squid.conf
+
+ENV HOME /etc/squid
+WORKDIR /etc/squid
+
+CMD squid -k parse && \
+    if [ -f /var/run/squid.pid ] ; then rm -f /var/run/squid.pid ; else true ; fi && \
+    if [ ! -d /var/spool/squid/00 ] ; then squid -N -f /etc/squid/squid.conf -z ; else true ; fi && \
+    squid -f /etc/squid/squid.conf -NYC

README.md

@@ -0,0 +1,51 @@
+## Disclaimer.
+The content on this account/repository provided solely for educational and informational purposes.
+It is not intended for use in making any kind of business, investment and/or legal decisions.
+Although every effort has been made to keep the information up-to-date and accurate, no representations and/or warranties, express and/or implied, completeness, accuracy, reliability, suitability, and/or availability of the content.
+
+## Squid.
+This can be used to setup a Squid Server as a Forwarding and Caching Proxy.  
+Squid - https://www.squid-cache.org/Doc/
+
+## Docker Compose Version.
+Always validate that [docker-compose](https://github.com/docker/compose/releases/) version is latest.
+If not then use the latest released version. As of updating this document `v2.24.0` was latest released version.
+
+### Starting the container.
+```bash
+docker-compose up -d
+```
+
+### Checking the container logs.
+```bash
+docker-compose logs -f
+```
+
+### Initial configuration validation.
+As the default configuration provided here is sufficient as it provides default access to private network. We can validate this with curl.
+```bash
+# Check that access is allowed for any website with port 80 (http) or 443 (https).
+# This should work.
+curl --proxy http://127.0.0.1:3128 http://SOME_HTTP_WEBSITE
+curl --proxy http://127.0.0.1:3128 https://SOME_HTTPS_WEBSITE
+
+# Check that access is blocked for any website with some other ports (eg. 8443).
+# This should not work.
+curl --proxy http://127.0.0.1:3128 https://SOME_HTTPS_WEBSITE:8443
+```
+
+### Additional configuration setup.
+
+[Documentation Config](https://www.squid-cache.org/Doc/config/)
+
+[Configure User based authentication](./configs/user-based-authentication.md)
+
+[Configure Certificate based authentication](./configs/certificate-based-authentication.md)
+
+[Configure Site based access](./configs/site-based-access.md)
+
+[Configure Caching](./configs/caching-configuration.md)
+
+[Backup and Restore](./configs/backup-and-restore.md)
+
+[Upgrading Squid](./configs/upgrading-squid.md)

configs/automatic-backup/README.md

@@ -0,0 +1,25 @@
+# Perform an automatic backup of Squid Deployment.
+
+## Copy backup script.
+```bash
+cp -a squid-proxy-deployment-backup.sh /usr/bin/
+chmod +x /usr/bin/squid-proxy-deployment-backup.sh
+```
+
+## Update the configuration path in the backup script.
+Update following in `/usr/bin/squid-proxy-deployment-backup.sh`
+```
+SQUID_DEPLOYMENT_DIR="${HOME}/squid-proxy-deployment"
+SQUID_DEPLOYMENT_BACKUP_PATH="${HOME}/squid-proxy-deployment-backup"
+```
+
+## Copy systemd unit and timer files.
+```bash
+cp squid-proxy-deployment-backup.timer squid-proxy-deployment-backup.service /etc/systemd/system/
+```
+
+## Enable the timer.
+```bash
+systemctl daemon-reload
+systemctl enable --now squid-proxy-deployment-backup.timer
+```

configs/automatic-backup/squid-proxy-deployment-backup.service

@@ -0,0 +1,5 @@
+[Unit]
+Description=Squid Deployment Backup
+
+[Service]
+ExecStart=/usr/bin/squid-proxy-deployment-backup.sh

configs/automatic-backup/squid-proxy-deployment-backup.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Path where the Squid deployment is configured.
+# NEED TO REPLACE THEASE TO CORRECT PATH.
+SQUID_DEPLOYMENT_DIR="${HOME}/squid-proxy-deployment"
+SQUID_DEPLOYMENT_BACKUP_PATH="${HOME}/squid-proxy-deployment-backup"
+
+# Backup directory.
+BACKUP_TIME=$(date "+%d%m%Y%H%M%S")
+SQUID_DEPLOYMENT_BACKUP_DIR="${SQUID_DEPLOYMENT_BACKUP_PATH}/${BACKUP_TIME}"
+
+cd "${SQUID_DEPLOYMENT_DIR}" || exit 1
+
+# Backup configuration files.
+mkdir -p "${SQUID_DEPLOYMENT_BACKUP_DIR}"
+cp -av ./squid-data/cache-dir ./configs/squid.conf ./configs/squid.conf.d "${SQUID_DEPLOYMENT_BACKUP_DIR}"/
+sync
+ 
+# Compress the backup.
+cd "${SQUID_DEPLOYMENT_BACKUP_PATH}" || exit 1
+tar -cvzf "${BACKUP_TIME}".tar.gz "${BACKUP_TIME}"
+rm -rf "${BACKUP_TIME}"
+sync

configs/automatic-backup/squid-proxy-deployment-backup.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Squid Deployment Backup
+
+[Timer]
+# Run every night at 1 AM.
+OnCalendar=*-*-* 01:00:00
+Unit=squid-proxy-deployment-backup.service
+
+[Install]
+WantedBy=timers.target

configs/backup-and-restore.md

@@ -0,0 +1,58 @@
+## Backup and Restore.
+
+### Backup Squid instance.
+Since Squid stores all data in the configuration files so we will just need to backup the all configuration files.
+
+For the backup following directories must be `manually` backed up.  
+```
+./squid-data/cache-dir
+./configs/squid.conf
+./configs/squid.conf.d
+```
+
+#### Triggering Backup.
+Run following command to trigger the backup.
+This will copy all the configuration files in the `./squid-data/backups` directory.
+```bash
+cp -a ./squid-data/cache-dir ./configs/squid.conf ./configs/squid.conf.d ./squid-data/backups/
+```
+
+#### Triggering Restore.
+Followings conditions must be met for restore.
+- A working Squid instance.
+
+#### Restore.
+- Stop the Squid container.
+```bash
+docker-compose down squid
+```
+
+- Restore/Copy the configuration files.
+```
+First remove existing directories.
+./squid-data/cache-dir
+./configs/squid.conf
+./configs/squid.conf.d
+
+Now copy backed up directories.
+Copy cache-dir to ./squid-data/cache-dir
+Copy squid.conf to ./configs/squid.conf
+Copy squid.conf.d to ./configs/squid.conf.d
+```
+
+### Stop all the container.
+```
+docker-compose down
+```
+
+### Starting the container.
+```
+docker-compose up -d
+```
+
+### Checking the container logs.
+```
+docker-compose logs -f
+```
+
+[Automatic Backup Setup](./automatic-backup/README.md)

configs/caching-configuration.md

@@ -0,0 +1,37 @@
+## Caching Configuration.
+
+The default configuration provided here does not includes Caching functionality. This can be easily configured here.
+
+### Enable Caching Configuration.
+First enable the caching in [Caching Configuration](./squid.conf.d/caching-configuration.conf) file. We will need to `uncomment` the lines those enable the caching.
+
+### Create Cache directory..
+```bash
+docker-compose exec -it squid chown -R squid.squid /var/spool/squid
+```
+
+### Restart the container.
+```bash
+docker-compose restart
+```
+
+### Initial configuration validation.
+As this configuration enable the Caching of any contents. We can validate this with curl.
+```bash
+# Check the Caching storage information.
+du -sh ./squid-data/cache-dir/
+
+# Download a file, the first time it will take some time.
+curl --proxy http://127.0.0.1:3128 SOME_FILE_URL -o SOME_FILE_NAME
+
+# Download the same file again. this time it should get downloaded from Cached contents.
+curl --proxy http://127.0.0.1:3128 SOME_FILE_URL -o SOME_FILE_NAME
+
+# Check the Caching storage information.
+du -sh ./squid-data/cache-dir/
+```
+
+### Purging the Cache.
+```bash
+docker-compose exec -it squid rm -rf /var/spool/squid/*
+```

configs/certificate-based-authentication.md

@@ -0,0 +1,42 @@
+## Certificate based authentication.
+
+The default configuration provided here does not includes Certificate based authentication. This can be easily configured here.  
+https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
+
+For this we will need to create RootCA that will be used to intercept the SSL certificates of https sites.
+
+### Generate RootCA.
+```bash
+openssl genrsa -out ./configs/squid.conf.d/Squid-RootCA.key 4096
+openssl req -x509 -new -nodes -key ./configs/squid.conf.d/Squid-RootCA.key -days 365 -out ./configs/squid.conf.d/Squid-RootCA.crt -subj '/CN=Squid Root CA/C=/ST=/L=/O=Squid RootCA'
+```
+
+### Enable Certificate based authentication.
+First enable the certificate based authentication in [Certificate Based Authentication](squid.conf.d/certificate-based-authentication.conf) file. We will need to `uncomment` the lines those enable the authentication.
+
+### Disable default configuration.
+We will need to comment out the default `http_port 3128` line in [Squid.conf](./squid.conf) file. Along with this, if requires then we can enable the [User based authentication](./user-based-authentication.md). This will make sure that every access must provide the user authentication. For https requests must provide the RootCA along with user authentication.
+
+### Create SSL certificate database.
+```bash
+docker-compose exec -it squid /usr/lib/squid/security_file_certgen -c -s /etc/squid/conf.d/ssl_db -M 4MB
+docker-compose exec -it squid chown -R squid.squid /etc/squid/conf.d/ssl_db
+```
+
+### Restart the container.
+```bash
+docker-compose restart
+```
+
+### Initial configuration validation.
+As this configuration require a certificate based authentication. We can validate this with curl.
+```bash
+# Access a website with certificate authentication.
+# Here we can also check that certificate is issued by Squid-RootCA by using `-v` option in curl.
+# This should work.
+curl --proxy http://127.0.0.1:3128 --cacert configs/squid.conf.d/Squid-RootCA.crt https://SOME_HTTPS_WEBSITE
+
+# Access a website without certificate authentication.
+# This should not work.
+curl --proxy http://127.0.0.1:3128 https://SOME_HTTPS_WEBSITE
+```

configs/site-based-access.md

@@ -0,0 +1,42 @@
+## Site based access configuration.
+
+The default configuration provided here does not includes site based access configuration. This can be easily configured here.
+
+For this we can create some text files that will contains domain list which need to be either allowed or denied.
+
+### Enable Site based access.
+First enable the site based access in [Site Based Access](./squid.conf.d/site-based-access.conf) file. We will need to `uncomment` the lines those enable the authentication.
+
+### Enable site based access for private network.
+By default private network will be allowed to access squid server without any site based access. To enable site based access for private network comment out `http_access allow private-network` line in [Squid.conf](./squid.conf) file.
+
+### Allowed domain list.
+Create a file that will contain all domain names which are in allowed list.
+```bash
+touch ./configs/squid.conf.d/allowed_urls.txt
+# Add all domain names in the file.
+```
+
+### Denied domain list.
+Create a file that will contain all domain names which are in denied list.
+```bash
+touch ./configs/squid.conf.d/denied_urls.txt
+# Add all domain names in the file.
+```
+
+### Restart the container.
+```bash
+docker-compose restart
+```
+
+### Initial configuration validation.
+As this configuration allow and deny certain domain names. We can validate this with curl.
+```bash
+# Access a website from allowed list.
+# This should work.
+curl --proxy http://127.0.0.1:3128  https://SOME_ALLOWED_HTTPS_WEBSITE
+
+# Access a website from denied list.
+# This should not work.
+curl --proxy http://127.0.0.1:3128 https://SOME_DENIED_HTTPS_WEBSITE
+```