A containerized secure proxy with advanced filtering capabilities, real-time monitoring, and a modern web UI.
- High-Performance Proxy Engine: Built on Squid with optimized caching capabilities
- Advanced Filtering:
  - IP Blacklisting with CIDR support
  - Domain Blacklisting with wildcard support
  - Content Type Filtering
  - Direct IP Access Control
  - Time-based Access Restrictions
- Comprehensive Security:
  - HTTPS Filtering with proper certificate management
  - Rate Limiting protection against brute force attacks
  - Security scoring and recommendations
  - Configurable content policies
- Modern Dashboard:
  - Real-time traffic monitoring
  - Resource usage statistics
  - Cache performance metrics
  - Security status visualization
- Detailed Analytics:
  - Full request logging and analysis
  - Traffic pattern visualization
  - Blocked request reporting
  - Exportable reports
- Enterprise Management:
  - Configuration backup and restore
  - Role-based access control
  - API for automation and integration
  - Health monitoring endpoints

The application consists of three main containerized components:
- Proxy Service: Squid-based proxy with customized configurations for enhanced security
- Backend API: RESTful API built with Flask providing management capabilities
- Web UI: Modern Bootstrap 5 interface for administration and monitoring

```
┌─────────────┐      ┌─────────────┐      ┌─────────────┐
│             │      │             │      │             │
│   Web UI    │◄────►│   Backend   │◄────►│    Proxy    │
│   (Flask)   │      │     API     │      │   (Squid)   │
│             │      │   (Flask)   │      │             │
└─────────────┘      └─────────────┘      └─────────────┘
       │                    │                    │
       │                    │                    │
       ▼                    ▼                    ▼
┌───────────────────────────────────────────────────────┐
│                                                       │
│                    Shared Volumes                     │
│     (Configuration, Logs, Database, Certificates)     │
│                                                       │
└───────────────────────────────────────────────────────┘
```

- Docker (v20.10.0+)
- Docker Compose (v2.0.0+)
- Minimum System Requirements:
  - 1 CPU core
  - 1GB RAM
  - 5GB disk space
- Network Requirements:
  - Open ports for HTTP (8011) and Proxy (3128)

- Clone the repository:

  ```bash
  git clone https://github.com/yourusername/secure-proxy.git
  cd secure-proxy
  ```

- Start the application:

  ```bash
  docker-compose up -d
  ```

- Access the web interface: http://localhost:8011

  Default credentials: username: `admin`, password: `admin`

- Configure your client devices:
  - Set proxy server to your host's IP address, port 3128
  - For transparent proxying, see the Network Configuration section

| Variable | Description | Default |
|---|---|---|
| `PROXY_HOST` | Proxy service hostname | proxy |
| `PROXY_PORT` | Proxy service port | 3128 |
| `BASIC_AUTH_USERNAME` | Basic auth username | admin |
| `BASIC_AUTH_PASSWORD` | Basic auth password | admin |
| `SECRET_KEY` | Flask secret key | Auto-generated |
| `LOG_LEVEL` | Logging level | INFO |

| Feature | Description | Configuration |
|---|---|---|
| IP Blacklisting | Block specific IP addresses or ranges | Web UI > Blacklists > IP |
| Domain Blacklisting | Block specific domains (wildcard support) | Web UI > Blacklists > Domains |
| Content Filtering | Block specific file types | Web UI > Settings > Filtering |
| HTTPS Filtering | Inspect and filter HTTPS traffic | Web UI > Settings > Security |
| Rate Limiting | Prevent brute force attacks | Auto-configured |
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Cache Size | Disk space allocated for caching | 1GB | 5-10GB for production |
| Max Object Size | Maximum size of cached objects | 50MB | 100MB for media-heavy usage |
| Connection Timeout | Timeout for stalled connections | 30s | 15-60s based on network |
| DNS Timeout | Timeout for DNS lookups | 5s | 3-10s based on DNS infrastructure |
| Max Connections | Maximum concurrent connections | 100 | 100-500 based on hardware |

For HTTPS filtering with your own certificate:
- Place your certificate and key in the `/config` directory:
  - `ssl_cert.pem`: Your SSL certificate
  - `ssl_key.pem`: Your private key
- Enable HTTPS filtering in the web interface:
  - Settings > Security > Enable HTTPS Filtering
- Install the certificate on client devices to avoid warnings

To use Secure Proxy as a transparent proxy:
- Configure iptables on your router/gateway:

  ```bash
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
  ```

- Enable transparent proxy mode in the web interface:
  - Settings > Advanced > Transparent Mode

Integrate with external threat intelligence:
- Import blacklists via the API:

  ```bash
  curl -X POST http://localhost:8011/api/blacklists/import \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic $(echo -n admin:admin | base64)" \
    -d '{"url": "https://example.com/blacklist.txt", "type": "ip"}'
  ```

- Schedule automatic updates with the maintenance endpoint:

  ```bash
  curl -X POST http://localhost:8011/api/maintenance/update-blacklists \
    -H "Authorization: Basic $(echo -n admin:admin | base64)"
  ```

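
An imported feed becomes block policy, so a malformed or over-broad entry such as `0.0.0.0/0` in an external list can cut off all traffic. The following is an added example, not part of the Secure Proxy code base, that checks a downloaded copy of an IP feed before it is imported. The function name, the prefix limits and the internal ranges are assumptions chosen for illustration, and the feed is constructed.

```python
import ipaddress

# Assumed policy, not taken from the project: refuse anything broader than
# these prefix lengths and anything overlapping internal address space.
MIN_PREFIX = {4: 8, 6: 32}
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample feed (documentation address ranges only).
SAMPLE_FEED = """\
# example feed
203.0.113.7
198.51.100.0/24
198.51.100.128/25
0.0.0.0/0
192.168.1.0/24
not-an-ip
2001:db8::/48
203.0.113.7   # duplicate
"""


def validate_ip_feed(text):
    """Return (accepted CIDR strings, [(entry, reason), ...]) for a feed."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            # strict=False normalizes entries that have host bits set
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((entry, "range too broad"))
        elif any(i.version == net.version and net.overlaps(i) for i in INTERNAL):
            rejected.append((entry, "overlaps internal address space"))
        else:
            accepted.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix address families
        merged += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    return [str(n) for n in merged], rejected
```

Review the rejected list by hand before importing: a feed that suddenly contains internal or very broad ranges is worth investigating rather than silently filtering.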
- Proxy Status: Real-time operational status
- Traffic Statistics: Request volume over time
- Resource Usage: Memory and CPU consumption
- Cache Performance: Hit ratio and response time
- Security Score: Overall security assessment
All proxy traffic is logged and can be analyzed in the web interface:
- Access Logs: All requests with filtering and search
- Security Events: Authentication attempts and blocked requests
- System Logs: Application and service events
Health status endpoints are available for monitoring:

```bash
curl -I http://localhost:8011/health
```

Create a full system backup:
- Via Web UI:
  - Maintenance > Backup Configuration > Download Backup
- Via API:

  ```bash
  curl -X GET http://localhost:8011/api/maintenance/backup-config \
    -H "Authorization: Basic $(echo -n admin:admin | base64)" \
    > secure-proxy-backup.json
  ```

Restore from a previous backup:
- Via Web UI:
  - Maintenance > Restore Configuration > Upload Backup
- Via API:

  ```bash
  curl -X POST http://localhost:8011/api/maintenance/restore-config \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic $(echo -n admin:admin | base64)" \
    -d @secure-proxy-backup.json
  ```

```bash
curl -x http://localhost:3128 http://example.com
curl -x http://localhost:3128 https://example.com --insecure
```

To test if blacklisting works:
- Add an IP or domain to the blacklist
- Attempt to access a resource from that IP or domain
- Verify the request is blocked (check logs)
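
The last step, checking the logs, can be scripted. The following is an added example, not part of the Secure Proxy code base, that pulls denied requests out of Squid access log text. It assumes the proxy writes Squid's default native `squid` log format; the function names are hypothetical and the log lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1714000000.101     12 192.0.2.10 TCP_DENIED/403 3912 GET http://blocked.example/ - HIER_NONE/- text/html
1714000001.202    340 192.0.2.10 TCP_MISS/200 5120 GET http://allowed.example/index.html - HIER_DIRECT/198.51.100.5 text/html
1714000002.303      3 192.0.2.11 TCP_DENIED/403 3890 CONNECT blocked.example:443 - HIER_NONE/- text/html
truncated line
"""


def parse_line(line):
    """Parse one native-format log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    result, _, status = parts[3].partition("/")
    method, target = parts[5], parts[6]
    # CONNECT targets are host:port; everything else is a full URL
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname
    return {"time": parts[0], "client": parts[2], "result": result,
            "status": status, "method": method, "host": host or target}


def blocked_requests(log_text, host=None):
    """Return entries Squid denied, optionally for one destination host only."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [e for e in entries
            if "DENIED" in e["result"] and host in (None, e["host"])]


def denied_by_client(log_text):
    """Count denied requests per client address."""
    return Counter(e["client"] for e in blocked_requests(log_text))
```

An empty result from `blocked_requests(log, "the-domain-you-blacklisted")` after the test request means the blacklist entry did not take effect or the client bypassed the proxy.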
| Issue | Possible Cause | Resolution |
|---|---|---|
| Cannot access web UI | Port conflict | Change port mapping in docker-compose.yml |
| Proxy not filtering | Incorrect network configuration | Verify client proxy settings |
| SSL warnings | Certificate not trusted | Install certificate on client devices |
| Performance issues | Insufficient resources | Increase container resource limits |
| Database errors | Permission issues | Check volume permissions |

- Service Logs:

  ```bash
  docker-compose logs -f backend
  docker-compose logs -f ui
  docker-compose logs -f proxy
  ```

- Database Check:

  ```bash
  docker-compose exec backend sqlite3 /data/secure_proxy.db .tables
  ```

- Network Validation:

  ```bash
  docker-compose exec proxy ping -c 3 google.com
  ```

- Cache Analysis:

  ```bash
  docker-compose exec proxy squidclient -h localhost mgr:info
  ```

Secure Proxy provides a comprehensive RESTful API for integration and automation:

```bash
curl -X POST http://localhost:8011/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "admin"}'
```

| Endpoint | Method | Description |
|---|---|---|
| `/api/status` | GET | Get proxy service status |
| `/api/settings` | GET | Get all proxy settings |
| `/api/ip-blacklist` | GET/POST | Manage IP blacklist |
| `/api/domain-blacklist` | GET/POST | Manage domain blacklist |
| `/api/logs` | GET | Get proxy access logs |
| `/api/logs/import` | POST | Import logs from Squid |
| `/api/maintenance/clear-cache` | POST | Clear the proxy cache |
| `/api/security/score` | GET | Get security assessment |

Full API documentation is available at /api/docs when the service is running.
- Change default credentials immediately after installation
- Enable HTTPS for the admin interface in production
- Restrict access to the admin interface to trusted IPs
- Regular backups of configuration and database
- Keep the system updated with security patches
- Monitor logs for suspicious activity
- Use strong certificates for HTTPS filtering
- Authentication Integration: LDAP/Active Directory support
- Advanced Analytics: ML-based traffic pattern analysis
- Threat Intelligence: Integration with external threat feeds
- Clustering: Multi-node deployment for high availability
- Content Inspection: DLP capabilities for data protection
- Mobile Support: Improved UI for mobile administration
- Notification System: Alerts via email, Slack, etc.
Contributions are welcome and appreciated!
- Fork the repository
- Create a feature branch: `git checkout -b feature-name`
- Commit your changes: `git commit -m 'Add some feature'`
- Push to the branch: `git push origin feature-name`
- Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.
- Squid Proxy for the core proxy engine
- Flask for the web framework
- Bootstrap for the UI components
- Docker for containerization
- All our contributors who have helped shape this project
- Create an issue in the GitHub repository
- Contact the maintainers at: [[email protected]]
- Community forum: [https://community.example.com]


