diff --git a/Dockerfile b/Dockerfile
index 658d9e0..1439588 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -127,8 +127,8 @@ COPY --from=build /usr/lib/squid/ /usr/lib/squid/
 COPY --from=build /usr/share/squid/ /usr/share/squid/
 COPY --from=build /usr/sbin/squid /usr/sbin/squid
 COPY --from=build /usr/bin/squidclient /usr/bin/squidclient
-
-COPY --chmod=755 run.sh /
+
+COPY --chmod=755 run.sh /
 
 RUN install -d -o squid -g squid \
 /var/cache/squid \
@@ -139,6 +139,7 @@ RUN install -d -o squid -g squid \
 /etc/squid/conf.d \
 /etc/squid/conf.d.tail && \
 touch /etc/squid/conf.d/placeholder.conf
+COPY localnet.conf /etc/squid/conf.d/
 COPY squid-log.conf /etc/squid/conf.d.tail/
 
 VOLUME ["/var/cache/squid"]
diff --git a/README.md b/README.md
index ad9d24d..8d668c7 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,9 @@ docker-compose up
 
 # Configuration
 
+By default, the image now includes a local network allow-list (`/etc/squid/conf.d/localnet.conf`) so clients from RFC1918/RFC4193 ranges can connect without mounting an extra ACL file.
+
+
 ## Environment variables:
 
 - **SQUID_CONFIG_FILE**: Specify the configuration file for squid. Defaults to `/etc/squid/squid.conf`.
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
index 7acf030..ecfb78b 100644
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -2,8 +2,6 @@ version: '2.3'
 services:
 proxy:
 image: "${TEST_TAG}"
- volumes:
- - './test_localnet.conf:/etc/squid/conf.d/test_localnet.conf:ro'
 healthcheck:
 test: ["CMD", "sh", "-exc", "squidclient -T 3 mgr:info 2> /dev/null | grep -qF '200 OK'"]
 interval: 5s
diff --git a/test_localnet.conf b/localnet.conf
similarity index 98%
rename from test_localnet.conf
rename to localnet.conf
index dedc763..de73bf4 100644
--- a/test_localnet.conf
+++ b/localnet.conf
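Review bot: `COPY localnet.conf /etc/squid/conf.d/` promotes a file that was previously only mounted by the test compose into the image's default policy, and that file ends with `http_access allow localnet1` for every RFC 1918, RFC 4193, CGN, link-local and 0.0.0.0/8 source plus `http_access allow localhost manager`, so out of the box any host on an adjacent private network may use the proxy and the cache manager is reachable from localhost. In Docker deployments where the port is published through the userland proxy, remote clients can appear with the bridge gateway as their source address, which itself falls inside `172.16.0.0/12` and would match `localnet1`; the README sentence added in this commit should say so, and the Dockerfile should give operators an opt-out (for example a build `ARG` that skips this `COPY`, or documenting that mounting an empty file over `/etc/squid/conf.d/localnet.conf` removes the allow-list). Squid evaluates `http_access` first-match and the `conf.d` drop-ins are presumably included by `squid.conf` in name order, so whether a later mounted `*.conf` can still deny these ranges depends on where the include sits, which this diff does not show; a header comment in `localnet.conf` such as `# Default allow-list for private source ranges; http_access is first-match, so a stricter rule must be loaded before this file` would make that contract explicit.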
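Review bot: Dropping the `volumes:` entry means `docker-compose.test.yml` no longer exercises an operator-supplied drop-in under `/etc/squid/conf.d/`; the healthcheck now passes solely because of the baked-in `localnet.conf`, so a regression in how that directory is included would only surface if the default file itself stopped loading. Consider keeping one mounted override in the test, e.g. `- './test_override.conf:/etc/squid/conf.d/zz-test.conf:ro'` (constructed name), so both the shipped default and a user-provided file are verified.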
@@ -1,11 +1,11 @@
-acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
-acl localnet1 src 10.0.0.0/8 # RFC 1918 local private network (LAN)
-acl localnet1 src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
-acl localnet1 src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
-acl localnet1 src 172.16.0.0/12 # RFC 1918 local private network (LAN)
-acl localnet1 src 192.168.0.0/16 # RFC 1918 local private network (LAN)
-acl localnet1 src fc00::/7 # RFC 4193 local private network range
-acl localnet1 src fe80::/10 # RFC 4291 link-local (directly plugged) machines
-
-http_access allow localnet1
-http_access allow localhost manager
+acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet1 src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+acl localnet1 src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+acl localnet1 src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet1 src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet1 src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet1 src fc00::/7 # RFC 4193 local private network range
+acl localnet1 src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+http_access allow localnet1
+http_access allow localhost manager