From 0c98291b4940fc7f5cc32de2a1f7f8a592eeae43 Mon Sep 17 00:00:00 2001
From: jpickard
Date: Wed, 8 Dec 2021 16:04:17 -0500
Subject: [PATCH] Upload files to ''
---
Dockerfile | 12 ++++++++++
README.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++--
keywordblock.txt | 1 +
squid.conf | 39 +++++++++++++++++++++++++++++++++
whitelist.txt | 19 ++++++++++++++++
5 files changed, 126 insertions(+), 2 deletions(-)
create mode 100644 Dockerfile
create mode 100644 keywordblock.txt
create mode 100644 squid.conf
create mode 100644 whitelist.txt
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..48a7cd1
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM debian:buster
+
+RUN apt-get update -y && apt-get install squid nano -y
+
+ADD *.txt /etc/squid/
+ADD *.css /etc/squid/
+ADD *.conf /etc/squid/
+
+EXPOSE 3128/tcp
+EXPOSE 3128/udp
+
+CMD ["/usr/sbin/squid", "-NYCd1"]
diff --git a/README.md b/README.md
index 74ca01a..64bf31f 100644
--- a/README.md
+++ b/README.md
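Review bot: `ADD *.css /etc/squid/` has no matching source file anywhere in this patch, and a COPY/ADD glob that matches nothing fails the build, so unless a .css file exists in the repository outside this change the image cannot be built at all; the three ADD lines should be COPY in any case, since nothing here needs ADD's archive-extraction or URL behaviour. The apt layer pulls in recommended packages and leaves the package lists in the image, and `nano` is an interactive editor with no role in the runtime image (the README already shows the files being edited through the `/etc/squid` volume); pinning the base by digest rather than the moving `debian:buster` tag would make the build reproducible. `EXPOSE 3128/udp` documents a port that squid's `http_port` never listens on (it is TCP only), so it should be dropped. The rewrite below replaces the RUN, the three ADD lines and the EXPOSE pair; CMD is already in exec form and stays.
```dockerfile
FROM debian:buster
RUN apt-get update && apt-get install -y --no-install-recommends squid \
    && rm -rf /var/lib/apt/lists/*
COPY squid.conf whitelist.txt keywordblock.txt /etc/squid/
EXPOSE 3128/tcp
# … unchanged: CMD …
```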
@@ -1,3 +1,56 @@
-# squid-whitelist
+# Docker Squid Proxy - Strict Whitelist
-Squid Proxy server in Docker.
\ No newline at end of file
+## [Docker Hub Repository](https://hub.docker.com/r/signaln9ne/squidproxy-strict-whitelist)
+
+![GitHub last commit](https://img.shields.io/github/last-commit/signal-9/docker-squid-whitelist?color=blue&style=for-the-badge)
+![Docker Pulls](https://img.shields.io/docker/pulls/signaln9ne/squidproxy-strict-whitelist?style=for-the-badge)
+
+## docker-compose
+```
+---
+version: "3"
+services:
+ squidproxy:
+ image: signaln9ne/squidproxy-strict-whitelist:latest
+ container_name: squidproxy
+ volumes:
+ - squid-proxy:/config
+ ports:
+ - 3128:3128
+ restart: unless-stopped
+volumes:
+ squid-proxy:
+```
+
+## Build the image
+
+```
+git clone https://github.com/signal-9/docker-squid-whitelist.git
+cd docker-squid-whitelist
+```
+
+Edit ```/etc/squid/squid.conf```, changing the values for:
+```
+acl localnet src 192.168.1.0/24 # Change to your own network
+dns_nameservers 9.9.9.9 # DNS servers (change if you want)
+```
+
+and ```/etc/squid/whitelist.txt```, adding or removing domains as you wish. Any domains in this list will be reachable, any that are not will be denied.
+
+Once the container is running, you can edit these documents in ```/etc/squid``` as needed. ```whitelist.txt``` will need the most adjusting.
+
+## Run the container
+
+```
+sudo docker build -t signaln9nesquidproxy .
+docker volume create squid
+docker run -dit \
+ -p 3128:3128 \
+ --name=squidproxy \
+ --restart=always \
+ -v squid:/etc/squid \
+ signaln9nesquidproxy
+```
+Point your client machines to the container IP port 3128. Only approved domains in the ```whitelist.txt``` file should be accessible.
+
+You can ```tail -f /var/log/squid/access.log``` to see what domains are being approved, denied, etc.
diff --git a/keywordblock.txt b/keywordblock.txt
new file mode 100644
index 0000000..125f526
--- /dev/null
+++ b/keywordblock.txt
@@ -0,0 +1 @@
+proxy
diff --git a/squid.conf b/squid.conf
new file mode 100644
index 0000000..1ec749a
--- /dev/null
+++ b/squid.conf
@@ -0,0 +1,39 @@
+acl localnet src 192.168.1.0/24 # Change to your own network
+
+acl SSL_ports port 443
+acl Safe_ports port 80
+acl Safe_ports port 21
+acl Safe_ports port 443
+acl Safe_ports port 70
+acl Safe_ports port 210
+acl Safe_ports port 1025-65535
+acl Safe_ports port 280
+acl Safe_ports port 488
+acl Safe_ports port 591
+acl Safe_ports port 777
+acl CONNECT method CONNECT
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+acl whitelist dstdomain "/etc/squid/whitelist.txt"
+http_access allow whitelist
+http_access deny all
+http_access deny all
+acl keyword_block url_regex "/etc/squid/keywordblock.txt"
+http_access deny keyword_block
+http_access deny all
+http_access allow localhost
+http_access allow localnet
+http_access deny all
+
+http_port 3128 # Port to listen on
+
+coredump_dir /var/spool/squid
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
+refresh_pattern . 0 20% 4320
+
+dns_nameservers 9.9.9.9 # DNS servers (change if you want)
diff --git a/whitelist.txt b/whitelist.txt
new file mode 100644
index 0000000..f8fc01c
--- /dev/null
+++ b/whitelist.txt
@@ -0,0 +1,19 @@
+.google.com
+.googleapis.com
+ocsp.pki.goog
+fonts.gstatic.com
+
+.duckduckgo.com
+.ddg.gg
+
+.ecs.office.com
+.windowsupdate.com
+.events.data.microsoft.com
+assets.msn.com
+.windows.com
+.officeapps.live.com
+.officeclient.microsoft.com
+.login.live.com
+.msauth.net
+.azureedge.net
+.live.net
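Review bot: The `http_access deny all` immediately after `http_access allow whitelist` terminates evaluation for every request that did not already match, because squid checks http_access rules in order and the first match wins, so everything after it (`deny keyword_block`, `allow localhost`, `allow localnet` and the further `deny all` lines) is dead configuration. The practical effect is that `allow whitelist` is not tied to `localnet` at all: any client that can reach the published port 3128 can use the proxy for the whitelisted domains, and the keyword block is never applied. Putting the keyword deny first and ANDing the whitelist with the source ACLs restores both intents, as in the rewrite below, which replaces the block from `acl whitelist …` through the last `http_access deny all`. Separately, `proxy` as a url_regex is very broad and will also deny whitelisted URLs whose path or query happens to contain that word.
```conf
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl keyword_block url_regex "/etc/squid/keywordblock.txt"
http_access deny keyword_block
http_access allow localhost whitelist
http_access allow localnet whitelist
http_access deny all
```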
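Review bot: `.azureedge.net` and `.googleapis.com` are suffix matches over shared-tenant CDN and API hosts on which arbitrary third parties can publish content, so admitting the whole suffix lets considerably more than the Windows/Office and Google traffic the list is evidently aimed at through a "strict" whitelist. If the intent is update and sign-in traffic, narrow these two entries to the specific hostnames that show up in `/var/log/squid/access.log` rather than the parent domain.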