eikarna
commited on
Commit
·
6c06868
1
Parent(s):
df6eb01
fix(permission): change default squid dir to tmp dir
Browse files- Dockerfile +18 -38
- README.md +0 -1
Dockerfile
CHANGED
|
@@ -4,74 +4,52 @@ FROM ubuntu:24.04
|
|
| 4 |
# Set environment variables to avoid interactive prompts during installation
|
| 5 |
ENV DEBIAN_FRONTEND=noninteractive
|
| 6 |
|
| 7 |
-
# Install Squid
|
| 8 |
RUN apt-get update && \
|
| 9 |
-
apt-get install -y squid && \
|
| 10 |
apt-get clean && \
|
| 11 |
rm -rf /var/lib/apt/lists/*
|
| 12 |
|
| 13 |
-
# Create directories for logs and cache
|
| 14 |
-
RUN mkdir -p /var/log/squid && \
|
| 15 |
-
mkdir -p /var/spool/squid && \
|
| 16 |
-
chown -R proxy:proxy /var/log/squid && \
|
| 17 |
-
chown -R proxy:proxy /var/spool/squid
|
| 18 |
-
|
| 19 |
# Create squid configuration with high anonymity features
|
| 20 |
-
|
| 21 |
-
\n\
|
| 22 |
-
# Port settings\n\
|
| 23 |
http_port 7860\n\
|
| 24 |
-
\n\
|
| 25 |
-
# Cache settings\n\
|
| 26 |
-
cache_dir ufs /var/spool/squid 100 16 256\n\
|
| 27 |
cache_mem 128 MB\n\
|
| 28 |
maximum_object_size 4096 KB\n\
|
| 29 |
cache_swap_high 95\n\
|
| 30 |
cache_swap_low 90\n\
|
| 31 |
-
\n\
|
| 32 |
-
# Anonymize headers\n\
|
| 33 |
forwarded_for delete\n\
|
| 34 |
via off\n\
|
| 35 |
-
\n\
|
| 36 |
-
|
|
|
|
|
|
|
| 37 |
acl SSL_ports port 443\n\
|
| 38 |
acl Safe_ports port 80\n\
|
| 39 |
acl Safe_ports port 443\n\
|
| 40 |
acl CONNECT method CONNECT\n\
|
| 41 |
-
\n\
|
| 42 |
-
# Allow connections to safe ports\n\
|
| 43 |
http_access allow all\n\
|
| 44 |
-
\n\
|
| 45 |
-
# Deny requests to certain unsafe ports\n\
|
| 46 |
http_access deny !Safe_ports\n\
|
| 47 |
-
\n\
|
| 48 |
-
# Deny CONNECT to non-SSL ports\n\
|
| 49 |
http_access deny CONNECT !SSL_ports\n\
|
| 50 |
-
\n\
|
| 51 |
-
# Final deny rule\n\
|
| 52 |
http_access deny all\n\
|
| 53 |
-
\n\
|
| 54 |
-
|
| 55 |
-
|
| 56 |
-
cache_log /var/log/squid/cache.log\n\
|
| 57 |
-
cache_store_log /var/log/squid/store.log\n\
|
| 58 |
-
\n\
|
| 59 |
-
# Refresh patterns\n\
|
| 60 |
refresh_pattern ^ftp: 1440 20% 10080\n\
|
| 61 |
refresh_pattern ^gopher: 1440 0% 1440\n\
|
| 62 |
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0\n\
|
| 63 |
refresh_pattern . 0 20% 4320\n\
|
| 64 |
-
\n\
|
| 65 |
-
# Performance settings\n\
|
| 66 |
-
pipeline_prefetch on\n\
|
| 67 |
half_closed_clients off' > /etc/squid/squid.conf
|
| 68 |
|
| 69 |
# Set proper permissions for configuration
|
| 70 |
RUN chown root:proxy /etc/squid/squid.conf && \
|
| 71 |
chmod 644 /etc/squid/squid.conf
|
| 72 |
|
| 73 |
-
#
|
| 74 |
-
|
|
|
|
| 75 |
|
| 76 |
# Expose HTTP port
|
| 77 |
EXPOSE 7860
|
|
@@ -80,5 +58,7 @@ EXPOSE 7860
|
|
| 80 |
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
| 81 |
CMD squid -k check
|
| 82 |
|
|
|
|
|
|
|
| 83 |
# Start Squid proxy server
|
| 84 |
CMD ["squid", "-NYC"]
|
|
|
|
| 4 |
# Set environment variables to avoid interactive prompts during installation
|
| 5 |
ENV DEBIAN_FRONTEND=noninteractive
|
| 6 |
|
| 7 |
+
# Install Squid and sudo (needed to run command as proxy user during build)
|
| 8 |
RUN apt-get update && \
|
| 9 |
+
apt-get install -y squid sudo && \
|
| 10 |
apt-get clean && \
|
| 11 |
rm -rf /var/lib/apt/lists/*
|
| 12 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
# Create squid configuration with high anonymity features
|
| 14 |
+
# Note: cache_dir is set to /tmp to avoid permission issues with root /tmp
|
| 15 |
+
RUN echo 'cache_dir ufs /tmp 100 16 256\n\
|
|
|
|
| 16 |
http_port 7860\n\
|
| 17 |
+
pid_filename /tmp/squid.pid\n\
|
|
|
|
|
|
|
| 18 |
cache_mem 128 MB\n\
|
| 19 |
maximum_object_size 4096 KB\n\
|
| 20 |
cache_swap_high 95\n\
|
| 21 |
cache_swap_low 90\n\
|
|
|
|
|
|
|
| 22 |
forwarded_for delete\n\
|
| 23 |
via off\n\
|
| 24 |
+
follow_x_forwarded_for deny all\n\
|
| 25 |
+
request_header_access X-Forwarded-For deny all\n\
|
| 26 |
+
request_header_access Via deny all\n\
|
| 27 |
+
visible_hostname squid-proxy-hf\n\
|
| 28 |
acl SSL_ports port 443\n\
|
| 29 |
acl Safe_ports port 80\n\
|
| 30 |
acl Safe_ports port 443\n\
|
| 31 |
acl CONNECT method CONNECT\n\
|
|
|
|
|
|
|
| 32 |
http_access allow all\n\
|
|
|
|
|
|
|
| 33 |
http_access deny !Safe_ports\n\
|
|
|
|
|
|
|
| 34 |
http_access deny CONNECT !SSL_ports\n\
|
|
|
|
|
|
|
| 35 |
http_access deny all\n\
|
| 36 |
+
access_log stdio:/dev/stdout\n\
|
| 37 |
+
cache_log stdio:/dev/stderr\n\
|
| 38 |
+
cache_store_log stdio:/dev/stdout\n\
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39 |
refresh_pattern ^ftp: 1440 20% 10080\n\
|
| 40 |
refresh_pattern ^gopher: 1440 0% 1440\n\
|
| 41 |
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0\n\
|
| 42 |
refresh_pattern . 0 20% 4320\n\
|
| 43 |
+
pipeline_prefetch 1\n\
|
|
|
|
|
|
|
| 44 |
half_closed_clients off' > /etc/squid/squid.conf
|
| 45 |
|
| 46 |
# Set proper permissions for configuration
|
| 47 |
RUN chown root:proxy /etc/squid/squid.conf && \
|
| 48 |
chmod 644 /etc/squid/squid.conf
|
| 49 |
|
| 50 |
+
# Create cache directory with correct ownership and initialize it as proxy user
|
| 51 |
+
# This is a workaround for permission issues in HuggingFace Spaces
|
| 52 |
+
RUN sudo -u proxy squid -z
|
| 53 |
|
| 54 |
# Expose HTTP port
|
| 55 |
EXPOSE 7860
|
|
|
|
| 58 |
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
| 59 |
CMD squid -k check
|
| 60 |
|
| 61 |
+
USER proxy
|
| 62 |
+
|
| 63 |
# Start Squid proxy server
|
| 64 |
CMD ["squid", "-NYC"]
|
README.md
CHANGED
|
@@ -40,7 +40,6 @@ The proxy is configured with the following settings:
|
|
| 40 |
|
| 41 |
- Port: 7860
|
| 42 |
- Anonymity: High (removes Via, Forwarded-For, and other identifying headers)
|
| 43 |
-
- User-Agent: Spoofed to Chrome 91
|
| 44 |
- Access Control: Open to all IPs (0.0.0.0/0)
|
| 45 |
|
| 46 |
## Deployment on Hugging Face Spaces
|
|
|
|
| 40 |
|
| 41 |
- Port: 7860
|
| 42 |
- Anonymity: High (removes Via, Forwarded-For, and other identifying headers)
|
|
|
|
| 43 |
- Access Control: Open to all IPs (0.0.0.0/0)
|
| 44 |
|
| 45 |
## Deployment on Hugging Face Spaces
|