<docker-compose.yml>
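services:
  squid:
    image: ubuntu/squid
    restart: always
    container_name: squid
    volumes:
      # Configuration and allow-list files are only read by squid, so they
      # are mounted read-only; the container cannot alter its own policy.
      - ./squid.conf:/etc/squid/squid.conf:ro
      - ./domains.txt:/etc/squid/domains.txt:ro
      - ./ips.txt:/etc/squid/ips.txt:ro
      - ./debian.conf:/etc/squid/conf.d/debian.conf:ro
      # access.log is written here (see access_log in squid.conf); the host
      # directory must exist and be owned by the squid uid/gid before start.
      - ./log:/var/log/squid
    environment:
      - TZ=Asia/Seoul
    ports:
      # Quoted so YAML never reinterprets the host:container pair as a number.
      # No host address is given, so the proxy port is published on every host
      # interface; client restriction relies on the "acl charmbank src" rules
      # in squid.conf — TODO confirm the host firewall matches that intent.
      - "3128:3128"
    ulimits:
      nofile:
        soft: 65535
        hard: 65535
      nproc: 65535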
<docker-compose.yml 파일 생성 후>
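# Required: ./log is bind-mounted at /var/log/squid by docker-compose.yml.
mkdir -p ./log
# Required: make the log directory writable by the uid/gid squid runs as in
# the container (13:13, the Debian "proxy" account — TODO confirm against the
# image). "owner:group" is the portable chown separator; "13.13" is a
# GNU-only legacy form.
sudo chown -R 13:13 ./log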
<domains.txt> #허용 도메인
.fss.or.kr
.fsec.or.kr
.fsc.go.kr
.fsb.or.kr
.law.go.kr
.foresys.co.kr
.microsoft.com
.windowsupdate.com
.windows.com
.office.com
.office.net
.microsoftonline.com
.ahnlab.com
<ips.txt> #허용 IP
172.23.38.0/24
172.23.39.0/24
10.2.2.0/24
1.1.1.1
1.0.0.1
8.8.8.8
8.8.4.4
9.9.9.9
<squid.conf>
# Access Control Lists (ACLs)
# Client (source) ACL: only these subnets may use the proxy at all. Every
# "http_access allow" rule below is ANDed with this ACL.
# acl charmbank src 0.0.0.0/0.0.0.0
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl charmbank src 172.23.38.0/24
acl charmbank src 172.23.39.0/24
#acl idc_cidr src 192.168.50.0/24
#acl idc_cidr src 192.168.20.0/24
# Destination ports that may be tunnelled with CONNECT (TLS).
acl SSL_ports port 443
acl SSL_ports port 20000
#acl SSL_ports port 389
#acl SSL_ports port 8100
# Destination ports allowed for any request; all other ports are denied below.
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
#acl Safe_ports port 389 # Koscom TSA timestamp verification (PPR)
#acl Safe_ports port 8100 # MMS_MO web-fax integration (LG U+)
acl Safe_ports port 20000 # FSS (Financial Supervisory Service) report writer
acl CONNECT method CONNECT
# Rule order matters: http_access rules are evaluated top to bottom and the
# first match wins. The port restrictions come first so that the destination
# allow-lists further down cannot widen them.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Allow specific IP addresses or domains
# Destination allow-lists, one entry per line, read from the files mounted by
# docker-compose.yml. "dst" matches the resolved destination address,
# "dstdomain" matches the requested host name (a leading "." entry also
# matches its subdomains).
acl allow_ip dst "/etc/squid/ips.txt"
acl allow_domain dstdomain "/etc/squid/domains.txt"
#http_access allow SSL_ports
# Both terms must match: an allowed source subnet AND an allowed destination.
http_access allow charmbank allow_ip
http_access allow charmbank allow_domain
#http_access allow idc_cidr allow_ip
#http_access allow idc_cidr allow_domain
# Deny all other connections
# Final catch-all; any "http_access allow" placed after this line is never
# reached. This file has no "include /etc/squid/conf.d/*" line, so the
# debian.conf mounted there by docker-compose.yml does not appear to be read
# by this configuration — TODO confirm against the image's start-up script.
http_access deny all
# Port Configuration
# Matches the "3128:3128" port mapping in docker-compose.yml.
http_port 3128
# Log Configuration
# Written through the log daemon helper into the ./log bind mount, which must
# be writable by the squid uid (see the chown step in the setup notes).
access_log daemon:/var/log/squid/access.log
# Cache Configuration
# /var/spool/squid is not a compose volume, so the on-disk cache does not
# survive re-creation of the container.
cache_mem 512 MB
maximum_object_size 128 MB
cache_dir ufs /var/spool/squid 10000 16 256
# Refresh Patterns
# These look like the Debian package defaults (apt index files are always
# revalidated) — TODO confirm they are intended for this deployment.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
# Header hygiene: do not advertise the proxy or its version to either side.
# via version off
via off
# Server version off
httpd_suppress_version_string on
reply_header_access Server deny all
# Cache version off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
# Left at the image defaults; the uid squid runs as must match the owner of
# the ./log mount (chown step in the setup notes).
#cache_effective_user proxy
#cache_effective_group proxy
<debian.conf>
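#
# Squid configuration settings for Debian
#
# Logs are managed by logrotate on Debian
# Inside the container access.log lands in the bind-mounted ./log directory;
# nothing on this page rotates it — TODO arrange rotation on the host.
logfile_rotate 0
# For extra security Debian packages only allow
# localhost to use the proxy on new installs
#
#http_access allow localnet
# Disabled: an unconditional allow for the charmbank source subnets would
# bypass the allow_ip / allow_domain destination allow-lists in squid.conf
# if this file were included ahead of its final "http_access deny all", and
# is unreachable if included after it. The destination-qualified allow rules
# in squid.conf are the only ones that should grant access.
#http_access allow charmbank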