@bodsch
Forked from int128/README.md
Last active August 11, 2021 13:05
Transparent proxy for Docker containers

Transparent proxy for Docker containers

If the Docker host is behind a proxy server, the proxy configuration (such as ENV http_proxy) has to be added to every Dockerfile.

The following setup lets containers reach outside hosts transparently, without any proxy configuration inside the container.

  1. Set up the transparent proxy
  2. Apply iptables rule for the transparent proxy

Note that this covers only HTTP access (the DNAT rule redirects port 80 only); HTTPS is not proxied.

1. Set up the transparent proxy

Install Squid and edit /etc/squid/squid.conf as shown below.

2. Apply iptables rule

Create /etc/systemd/system/docker-proxy-dnat.service (shown below) and start it.

sudo systemctl start docker-proxy-dnat
sudo systemctl enable docker-proxy-dnat

Example: access to www.google.com

curl http://www.google.com/
|
| DNAT rule:
| Rewrites the packet's destination to 172.17.42.1:9090
|
172.17.42.1:9090
|
| Squid:
| Proxies the request to 127.0.0.1:9090
|
127.0.0.1:9090
|
| SSH port forward:
| Forwards the request to your local proxy
|
Your local proxy
|
|
www.google.com
# docker-proxy-dnat.service - redirects plain-HTTP (TCP/80) traffic leaving the
# Docker bridge network to the local Squid intercept port.
# Installed as /etc/systemd/system/docker-proxy-dnat.service (see the README).
[Unit]
Description=Apply DNAT rule for transparent proxy
# Ordering only: nothing pulls this unit in from docker.service, so both units
# have to be enabled, and without Requires=/BindsTo= it stays active when
# docker.service stops.
After=docker.service
[Service]
Type=oneshot
# NOTE(review): LOCAL_NET is not referenced in the visible part of the
# ExecStart/ExecStop lines below; presumably it is the DNAT target in the
# cut-off '--to-destination' argument - confirm against the complete file.
Environment = LOCAL_NET=192.168.110.10
# Source range of the containers; traffic that stays inside this range
# (container to container) is excluded by '! -d'.
Environment = DOCKER_NET=172.17.0.0/16
# Must match the 'http_port ... intercept' port in squid.conf.
Environment = PROXY_PORT=9090
# Both command lines are cut off after '-j DNAT -' (the trailing '$' looks
# like a line-truncation artefact), so the DNAT target is missing from this
# copy. Only TCP/80 is redirected; HTTPS from containers is not proxied.
ExecStart = /usr/sbin/iptables -t nat -A PREROUTING -s ${DOCKER_NET} ! -d ${DOCKER_NET} -p tcp --dport 80 -j DNAT -$
# '-D' with the identical match removes exactly the rule that '-A' added.
ExecStop = /usr/sbin/iptables -t nat -D PREROUTING -s ${DOCKER_NET} ! -d ${DOCKER_NET} -p tcp --dport 80 -j DNAT -$
# Keeps the oneshot unit 'active' after ExecStart returns so that
# 'systemctl stop' runs ExecStop and removes the rule.
RemainAfterExit = yes
[Install]
WantedBy=multi-user.target
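# squid.conf for the transparent Docker proxy described above: containers
# reach the intercept port 9090 through the docker-proxy-dnat DNAT rule,
# hosts on the local network use the regular forward-proxy port 3128.
# Squid treats a token that begins with '#' as a comment to end of line, so
# the trailing notes on the http_status ACLs below are safe; a '#' glued
# directly onto a value is not (it becomes part of the value).

# common settings
# ---------------
# loopback-only forward proxy port (confirm 888 is the intended port number)
http_port 127.0.0.1:888
# forward proxy port bound on every interface - the http_access rules below
# are what keeps this from being an open proxy
http_port 3128
# destination of the docker-proxy-dnat iptables rule; plain HTTP only
http_port 9090 intercept
# hostname used in error pages and Via headers. The original file set this
# twice ("squid", then "linux"); Squid keeps the last value, so that one stays.
visible_hostname linux
workers 1
dns_nameservers 192.168.110.10 141.1.1.1

# Standard ACL configuration
# --------------------------
# Allow proxying standard web traffic only
# (the duplicate lowercase 'safe_ports' entries listing the same ports
# were dropped)
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
# ACLs to target for logging (used by the commented-out selective access_log)
acl success_codes http_status 100-199 # informational
acl success_codes http_status 200-299 # successful transactions
acl success_codes http_status 300-399 # redirection
acl failure_codes http_status 400-499 # client error
acl failure_codes http_status 500-599 # server error
acl success_hier hier_code HIER_DIRECT
acl failure_hier hier_code HIER_NONE
acl failure all-of CONNECT failure_hier
acl failure all-of !CONNECT failure_codes
acl success all-of CONNECT success_hier
acl success all-of !CONNECT success_codes
# sources allowed to use the proxy: the host itself, the LAN and the
# Docker bridge network (must match DOCKER_NET in the systemd unit)
acl localnet src 127.0.0.1
acl localnet src 192.168.0.0/16
acl docker src 172.17.0.0/16

# ACL operators
# -------------
# Order matters: port and loopback restrictions come first so that they also
# apply to the allowed networks, and 'deny all' at the end closes the proxy
# to everyone else. The former unconditional 'allow Safe_ports' line granted
# port 80/443 access to any source that could reach port 3128 (open proxy)
# and has been removed.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# keep clients from reaching services bound to the host's loopback through
# the proxy; this only works when it precedes the allow rules
http_access deny to_localhost
http_access allow localhost
http_access allow localnet
http_access allow docker
http_access deny all
# X-Forwarded-For is client-supplied: for these sources the address it
# carries is used for logging and src-ACL matching instead of the real peer
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
follow_x_forwarded_for allow docker

# Logging configuration
# ---------------------
# writes every request/response header to access.log, including Cookie and
# Authorization values; restrict access to the log file or turn this off
log_mime_hdrs on
# example: log only failed transactions using the ACLs defined above
# access_log daemon:/var/log/squid/access.log squid !success
# cache_log takes a plain path; the module prefix (stdio:, daemon:) is only
# understood by access_log and cache_store_log
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
access_log stdio:/var/log/squid/access.log
# strip_query_terms off
# debug_options ALL,1
# custom format named 'combined'; not referenced by the access_log line above
# (which uses Squid's default format) - append the name to access_log to use it
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

# Cache configuration
# -------------------
coredump_dir /var/cache/squid
cache_mem 2 GB
cache_replacement_policy heap LFUDA
# 256 MB on-disk cache; maximum_object_size below is far larger than the
# whole cache_dir, so objects of that size can never be stored on disk
cache_dir ufs /var/cache/squid 256 4 8
# serve cached objects without revalidating them against the origin
offline_mode on
maximum_object_size 12288 MB
maximum_object_size_in_memory 6 MB
pipeline_prefetch on

# Refresh patterns (first matching pattern wins)
# ----------------------------------------------
# http://www.squid-cache.org/Versions/v2/2.6/cfgman/refresh_pattern.html
# refresh_pattern [-i] regex min percent max [options]
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^rsync: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern (cgi-bin|\?) 0 0% 0
#refresh_pattern . 0 20% 10080
# ignore-no-cache / override-expire violate the HTTP protocol!
# They force package archives to be cached regardless of origin headers.
# NOTE(review): check that the running Squid release still accepts every
# option listed here; some were dropped in later versions.
# refresh_pattern \.ttweb\.net 5 99% 10080 ignore-no-cache override-expire
# refresh_pattern . 360 50% 10080 ignore-no-cache ignore-private
# refresh_pattern -i \.html 3600 50% 10080 ignore-no-cache override-expire ignore-private
#refresh_pattern -i \.jpg$ 7200 40% 10080 ignore-no-cache override-expire ignore-private
#refresh_pattern -i \.gif$ 7200 40% 10080 ignore-no-cache override-expire ignore-private
#refresh_pattern -i \.png$ 7200 40% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern \.tar\.bz2$ 7200 40% 10080 ignore-no-cache override-expire ignore-private refresh-ims
refresh_pattern \.tar\.gz$ 7200 40% 10080 ignore-no-cache override-expire ignore-private refresh-ims
refresh_pattern \.tar\.xz$ 7200 40% 10080 ignore-no-cache override-expire ignore-private refresh-ims
refresh_pattern \.apk$ 7200 40% 10080 ignore-no-cache override-expire ignore-private refresh-ims
refresh_pattern \.deb$ 0 40% 10080 ignore-no-cache override-expire ignore-private refresh-ims
refresh_pattern . 0 20% 4320

# Client anonymisation
# --------------------
# do not reveal client addresses or the proxy to origin servers. Dropping
# Cache-Control also keeps the clients' own cache directives from reaching
# the origin.
forwarded_for off
request_header_access X-FORWARDED-FOR deny all
request_header_access Via deny all
request_header_access Cache-Control deny all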