Squid Proxy
Squid Proxy is an open-source caching and forwarding web proxy server that is widely used in both small and large networks due to its flexibility and robust feature set. It acts as a gateway, enabling clients to access various internet resources such as websites, files, and other content from servers.
Key Features
- Caching: Stores copies of web pages and files to serve future requests faster.
- Access Control: Allows administrators to control who can access certain websites or resources.
- Content Filtering: Can block access to specific websites or types of content.
- Authentication: Supports user authentication for secure access.
- Logging and Monitoring: Provides detailed logs of web traffic for analysis.
Common Uses
- Improving internet speed in organizations or schools.
- Reducing bandwidth costs for ISPs and businesses.
- Enhancing security and privacy for users.
- Controlling and monitoring employee or student internet usage.
Squid Container
Nullafi provides a publicly available container image that makes setting up Squid Proxy as an ICAP client to Nullafi Shield simple and easy. It is used in our Deployment Examples and our Quick Start Guide.
Container Registry
Nullafi's Squid container image is hosted at the Amazon ECR Public Gallery: public.ecr.aws/nullafi/proxy
In order to make configuration simple, our Squid container image uses environment variables to control the proxy's settings. The following table describes the available environment variables and their functions:
Environment Variable | Possible Values | Default | Description |
---|---|---|---|
HTTP_PORT | [0-65535] | 44509 | Squid Proxy's listening port for proxy connections |
ENABLE_ICAP | [yes \| no] | yes | Use an ICAP server for proxied connections |
ENABLE_ICAPS | [yes \| no] | no | Use a Secure ICAP server for proxied connections. |
ICAP_URL | a valid ICAP URL | none | When ENABLE_ICAP is set to yes, this controls the location of the ICAP service to use. Should be in the form of icap://<Shield hostname or IP>:<port> (do not include a path -- the container image will append '/respmod' and '/reqmod' as appropriate) |
BYPASS_URLS | a valid path to a file | none | A list of URLs to send directly to the client, without scanning. Use a volume mount to supply the file. |
MITM_PROXY | [yes \| no] | yes | Enables MITM SSL proxy functionality (requires CERT and KEY) |
MITM_CERT | a path to the TLS certificate file (.crt) | a self-signed certificate | The given PEM certificate is copied and used as the CA authority for MITM SSL connections. Use a volume mount to supply the file. |
MITM_KEY | a path to the TLS key file (.pem) | a self-signed certificate | The given PEM certificate is copied and used as the signing key for the MITM CA. Use a volume mount to supply the file. |
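
A pre-flight check for the variables in the table above, as an added example rather than anything shipped by Nullafi: it rejects an out-of-range HTTP_PORT, an ICAP_URL that carries a path, or a CA certificate supplied without its key, then prints the matching docker run line for review. The function names and the /certs mount paths inside the container are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Nullafi tooling): validate settings from the table,
# then print the matching `docker run` line. Container-side paths under
# /certs are assumptions; host paths are assumed to contain no whitespace.
IMAGE="public.ecr.aws/nullafi/proxy"

# HTTP_PORT: integer in 0-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# ICAP_URL: icap://<host>:<port> with no path; the image appends
# /reqmod and /respmod itself.
valid_icap_url() {
  rest="${1#icap://}"
  [ "$rest" != "$1" ] || return 1           # wrong or missing scheme
  case "$rest" in */*) return 1 ;; esac      # path or trailing slash present
  host="${rest%:*}"; port="${rest##*:}"
  [ -n "$host" ] && [ "$host" != "$rest" ] && valid_port "$port"
}

# MITM_CERT and MITM_KEY: supply both files or neither (neither means the
# image falls back to its self-signed certificate).
mitm_pair_ok() {
  [ -z "$1" ] && [ -z "$2" ] && return 0
  [ -f "$1" ] && [ -f "$2" ]
}

# Usage: proxy_run_cmd <http_port> <icap_url> [<ca.crt> <ca-key.pem>]
# Prints the command instead of running it so it can be reviewed first.
proxy_run_cmd() {
  valid_port "$1"     || { echo "bad HTTP_PORT: $1" >&2; return 1; }
  valid_icap_url "$2" || { echo "bad ICAP_URL: $2" >&2; return 1; }
  mitm_pair_ok "$3" "$4" || { echo "need both MITM_CERT and MITM_KEY" >&2; return 1; }
  cmd="docker run -d -p $1:$1 -e HTTP_PORT=$1 -e ENABLE_ICAP=yes -e ICAP_URL=$2 -e MITM_PROXY=yes"
  if [ -n "$3" ]; then
    cmd="$cmd -v $3:/certs/ca.crt:ro -e MITM_CERT=/certs/ca.crt"
    cmd="$cmd -v $4:/certs/ca-key.pem:ro -e MITM_KEY=/certs/ca-key.pem"
  fi
  echo "$cmd $IMAGE"
}
```

Called as `proxy_run_cmd 44509 icap://shield.example.internal:1344` (a constructed hostname), it prints a command that uses the image's self-signed certificate; pass a certificate and key path as the third and fourth arguments to mount your own CA read-only.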