mxschmitt · mxschmitt · Sep 12, 2024 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
diff --git a/squid/Dockerfile b/squid/Dockerfile
@@ -1,9 +1,9 @@
-FROM alpine:3.16
+FROM alpine:3.20
 
 EXPOSE 3128
 
-ADD ./squid/squid.conf /etc/squid/squid.con
+ADD ./squid/squid.conf /etc/squid/squid.conf
 
-RUN apk add squid=5.5-r1
+RUN apk add squid=6.9-r0
 
 ENTRYPOINT ["squid", "-f", "/etc/squid/squid.conf", "-NYCd", "1"]
diff --git a/squid/squid.conf b/squid/squid.conf
@@ -3,6 +3,12 @@
 # should be allowed
 acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
 
+# Deny access to private IP ranges as destinations (prevent access to internal services)
+acl private_dst dst 10.0.0.0/8          # RFC 1918
+acl private_dst dst 172.16.0.0/12       # RFC 1918
+acl private_dst dst 192.168.0.0/16      # RFC 1918
+acl private_dst dst 127.0.0.0/8         # Loopback
+
 acl SSL_ports port 443
 acl Safe_ports port 80          # http
 acl Safe_ports port 443         # https
@@ -16,6 +22,9 @@ http_access deny !Safe_ports
 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
 
+# Deny access to private IP destinations (internal services)
+http_access deny private_dst
+
 # Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager
@@ -28,9 +37,14 @@ http_access deny to_localhost
 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #
+http_access allow localnet
+http_access allow localhost
 
 # And finally deny all other access to this proxy
 http_access deny all
 
+# Disable caching (forward proxy only)
+cache deny all
+
 # Squid normally listens to port 3128
 http_port 3128