Public | Automated Build

Last pushed: 2 years ago
Short Description
customised squid guard.
Full Description


this Dockerfile is an squidGuard addition to sameersbn/docker-squid. I find squidGuard very useful to limit access to certain internet pages and to reduce the risk for downloading dangerous software. A central filtering solution is preferred especially if you have a family with children and different devices.

This image includes also automatic proxy discovery based on WPAT and DHCP. Here a Webserver is required that serves wpat.dat.


Pull the image from the docker registry e.g.

docker pull muenchhausen/docker-squidguard

or build it

git clone

cd docker-squidguard

docker build --tag="$USER/squidguard" .

run your build:
docker run --name='squidguard' -it --rm -p 3128:3128 -p 80:80 "$USER/squidguard"

Please refer to sameersbn/docker-squid for details!

Quick Start

Run the downloaded image

docker run --name='squidguard' -it --rm -p 3128:3128 -p 80:80 muenchhausen/docker-squidguard:latest

or as daemon

docker run -d --name='squidguard' -it -p 3128:3128 -p 80:80 muenchhausen/docker-squidguard:latest

or run it including WPAT proxy autoconfig so your Operating system will find the settings automatically based on your DHCP settings:

docker run --name='squidguard' -it --env WPAT_IP= --env WPAT_NOPROXY_NET= --env WPAT_NOPROXY_MASK= --rm -p 3128:3128 -p 80:80 muenchhausen/docker-squidguard:latest

To use WPAT, add a cusom-proxy-server option 252 to your DHCP server. Use "http://${WPAT_IP}/wpat.dat" e.g. "" as your option value. See squidGuard Wiki for further details.

Test it

here curl should return the page:
curl --proxy

here an example of an advertising domain from the adv blacklist - curl gets blocked:
curl --proxy

Finally configure docker host IP and port 3128 in your browser proxy settings or operating system proxy configuration.

Or - if you decided for the WPAT autoproxy variant, just do now a DHCP release and you get your proxy settings :)


For Squid basis configuration, please refer to the documentation of sameersbn/docker-squid.

The central configuration file of squidGuard is squidGuard.conf. You can customize it either by building your own docker image or by specifying the -v /path/on/host/to/squidGuard.conf:/etc/squidguard/squidGuard.conf flag in the docker run command. A simple documentation of how to configure squidGuard blacklists can be found in the squidGuard configuration documentation.

Shell Access

For debugging and maintenance purposes you may want access the containers shell. Either add after the run command or tun e.g.

docker exec -it "$USER/squidguard" bash

docker ps
docker exec -it <container-id> bash

Autostart the container

add the parameter --restart=always to your docker run command.

Docker Pull Command
Source Repository

Comments (3)
a year ago

BTW. I decided to configure the wpad.dat manually in the browser, rather directly the proxy information. That way when my son is not at home, his computer will not attempt to use the proxy... But I did notice a typo. The variables are WPAD, not WPAT.

a year ago

BTW. I'm wondering about this Easteregg:

if (isInNet(host, "{{WPAD_NOPROXY_NET}}", "{{WPAD_NOPROXY_MASK}}") ||
    dnsDomainIs(host, ".cedars.dom"))

Why cedars.dom ?

a year ago

I could not get this to work effectively as a parental filter. This implementation effectively blocked http. However, so much is on https now that was not blocked. After many hours of trying various settings I finally decided to use opendns. The way I'm invoking this is:

docker run -d -P --restart=always --dns --dns --name='squidguard' --env
3128:3128 -p 80:80 -v /etc/squidguard:/etc/squidguard:ro sensimilla/docker-squidguard

The WPAT stuff isn't really doing anything for me since I don't have a way to set value 252 in my current router, but it doesn't hurt either. Likewise I'm not sure if the squidguard is doing anything for me, but it doesn't hurt.

The way I'm using this is I am blocking all internet access form my son's devices, and configuring the proxy manually. He is Savvy enough to be able to change a DNS setting, or remove a proxy. But since his only way to get to the internet is though the proxy it is an effective filter. At least until he figures out my opendns password...