

第十四章:Docker 部署

14.1 容器化概述

将 Squid 容器化部署带来环境一致性、快速部署、易于扩展等优势;同时也引入了新的关注点:镜像来源与版本固定(供应链)、端口发布的范围(是否暴露到所有网卡)、以及证书私钥、口令文件等敏感材料不应被打包进镜像层。

┌──────────────────────────────────────────┐
│           Docker Host                     │
│                                           │
│  ┌─────────────────────────────────────┐ │
│  │       Squid Container               │ │
│  │  ┌───────────┐  ┌───────────────┐  │ │
│  │  │ /etc/squid │  │ /var/spool    │  │ │
│  │  │ (config)   │  │ (cache)       │  │ │
│  │  └─────┬─────┘  └──────┬────────┘  │ │
│  │        │                │           │ │
│  │  ┌─────┴────────────────┴────────┐ │ │
│  │  │         Squid Process          │ │ │
│  │  │         :3128                   │ │ │
│  │  └───────────────────────────────┘ │ │
│  └─────────────────────────────────────┘ │
│                                           │
│  Volumes:                                 │
│  ├── squid-config:/etc/squid              │
│  ├── squid-cache:/var/spool/squid         │
│  └── squid-logs:/var/log/squid            │
└──────────────────────────────────────────┘

14.2 快速启动

14.2.1 使用官方镜像

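# Pull the image. A floating tag (:latest) is a supply-chain risk: what you
# tested and what the next host pulls may differ. Pin a version tag, or
# better a digest (docker pull ubuntu/squid@sha256:...), for anything that
# is not a throw-away experiment.
docker pull ubuntu/squid:latest

# Host directories for config, cache and logs.
# Squid writes cache and logs as its unprivileged user inside the container;
# if these root-owned host directories are not writable by that uid the
# container may fail at start — check `docker logs squid` and chown them
# to the container's proxy uid if needed.
mkdir -p /opt/squid/{config,cache,logs}

# Extract the image's default squid.conf as a starting point. Review its
# http_access rules before publishing the port: they alone decide who may
# use the proxy.
docker run --rm ubuntu/squid cat /etc/squid/squid.conf > /opt/squid/config/squid.conf

# Start the container.
# A bare `-p 3128:3128` publishes on 0.0.0.0, i.e. every interface of the
# host, and Docker installs its own iptables rules for published ports, so
# host INPUT-chain firewalls (ufw, firewalld) generally do not cover them.
# Bind to loopback (host-only, as here) or to one internal address such as
# `-p 192.168.1.1:3128:3128` (see 14.7.1) so the proxy never faces an
# untrusted network by accident.
# --security-opt no-new-privileges: the process tree can drop privileges
# (Squid goes root -> proxy) but never gain any via setuid binaries.
docker run -d \
    --name squid \
    --restart unless-stopped \
    --security-opt no-new-privileges:true \
    -p 127.0.0.1:3128:3128 \
    -v /opt/squid/config/squid.conf:/etc/squid/squid.conf:ro \
    -v /opt/squid/cache:/var/spool/squid \
    -v /opt/squid/logs:/var/log/squid \
    ubuntu/squid:latest

# Verify from the host (the loopback binding above is what makes this work)
curl -x http://localhost:3128 http://example.com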

14.3 自定义 Dockerfile

14.3.1 基础 Dockerfile

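# Base image. A release tag beats :latest but still moves as Ubuntu rebuilds
# it; pin a digest (ubuntu:22.04@sha256:...) for reproducible, reviewable
# builds.
FROM ubuntu:22.04

# Install Squid and helpers. --no-install-recommends keeps the image small and
# avoids pulling in packages nobody reviewed; the apt lists are removed in the
# same layer so they do not persist in the image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        squid \
        squidclient \
        curl \
        htop && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Cache and log directories must be writable by the unprivileged user Squid
# drops to after start-up (cache_effective_user, "proxy" on Ubuntu).
RUN mkdir -p /var/spool/squid /var/log/squid && \
    chown -R proxy:proxy /var/spool/squid /var/log/squid

# Bake in the custom configuration. Never COPY secrets (passwd files, private
# keys) this way: every image layer stays extractable by anyone who can pull
# the image. Mount them at run time instead.
COPY squid.conf /etc/squid/squid.conf

# Fail the build on a configuration that does not parse, rather than finding
# out when the container starts. Creating the swap directories stays
# best-effort (some configs have no cache_dir), but stderr is no longer
# discarded so a failure is visible in the build log. On first start the
# directories created here are copied into a fresh named volume.
RUN squid -k parse -f /etc/squid/squid.conf && \
    (squid -N -z -f /etc/squid/squid.conf || true)

# Health check against the cache manager. `-f` makes curl exit non-zero on
# HTTP 4xx/5xx; without it a 403 from a manager ACL or a 500 still counted
# as healthy. The default config permits manager access from localhost only,
# which is where this check runs.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD curl -sf -o /dev/null http://localhost:3128/squid-internal-mgr/info || exit 1

EXPOSE 3128

VOLUME ["/var/spool/squid", "/var/log/squid"]

# Foreground mode (-N) so Squid is PID 1 and Docker notices when it exits;
# -d 1 sends low-volume debug output to stderr for `docker logs`.
CMD ["squid", "-N", "-d", "1"]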

14.3.2 带 SSL Bump 的 Dockerfile

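# Base image; pin a digest (ubuntu:22.04@sha256:...) for reproducible builds.
FROM ubuntu:22.04

# curl was missing from the original package list although the HEALTHCHECK
# below calls it: on ubuntu:22.04 that made every check exit 127 and the
# container permanently "unhealthy".
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        squid \
        squidclient \
        curl \
        openssl && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Directory for the bump CA. The certificate DB is NOT pre-created here:
# security_file_certgen -c refuses to initialise a path that already exists,
# which is why the original `mkdir` + `-c ... || true` silently left an
# uninitialised, root-owned DB behind.
RUN mkdir -p /etc/squid/ssl

# DEVELOPMENT-ONLY CA. Whatever is generated in a RUN step lives in an image
# layer: every container started from this image shares the same CA private
# key, and anyone who can pull the image can extract it and impersonate any
# HTTPS site towards every client that trusts this CA. Build production
# images with --build-arg GENERATE_DEV_CA=0 and mount the CA material into
# /etc/squid/ssl at run time from a secret store.
ARG GENERATE_DEV_CA=1
RUN if [ "$GENERATE_DEV_CA" = "1" ]; then \
        openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
            -subj "/CN=Squid SSL Bump CA" \
            -keyout /etc/squid/ssl/ca.key \
            -out /etc/squid/ssl/ca.crt && \
        cat /etc/squid/ssl/ca.crt /etc/squid/ssl/ca.key > /etc/squid/ssl/myCA.pem && \
        chmod 600 /etc/squid/ssl/ca.key /etc/squid/ssl/myCA.pem; \
    fi

# Initialise the certificate DB and hand it to the proxy user: the
# security_file_certgen helper runs as cache_effective_user, so a DB owned
# by root is not writable at run time and on-the-fly certificate generation
# fails. A failure here now fails the build instead of being hidden.
RUN /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB && \
    chown -R proxy:proxy /var/lib/squid/ssl_db

COPY squid.conf /etc/squid/squid.conf

# Reject an unparsable config at build time; swap-dir creation stays
# best-effort but its stderr is kept in the build log.
RUN squid -k parse -f /etc/squid/squid.conf && \
    (squid -N -z -f /etc/squid/squid.conf || true)

# -f: HTTP 4xx/5xx are failures (a plain `curl -s` exits 0 on a 403).
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD curl -sf -o /dev/null http://localhost:3128/squid-internal-mgr/info || exit 1

# 3129 is conventionally the intercept / https_port listener; it needs a
# matching https_port line in squid.conf to do anything.
EXPOSE 3128 3129

# Note: declaring /etc/squid/ssl as a volume copies the baked dev CA into a
# fresh named volume on first start; mount the real CA over it in production.
VOLUME ["/var/spool/squid", "/var/log/squid", "/etc/squid/ssl"]

CMD ["squid", "-N", "-d", "1"]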

14.4 Docker Compose

14.4.1 基础 Compose 文件

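# docker-compose.yml
# `version:` is ignored (with a warning) by Compose V2; kept for old clients.
version: '3.8'

services:
  squid:
    # Pin a version tag or digest for anything beyond a local experiment.
    image: ubuntu/squid:latest
    container_name: squid
    restart: unless-stopped
    # Processes may drop privileges (Squid goes root -> proxy) but never
    # gain them through setuid binaries or file capabilities.
    security_opt:
      - no-new-privileges:true
    ports:
      # A bare "3128:3128" publishes on 0.0.0.0 and bypasses the host's
      # INPUT-chain firewall (Docker adds its own iptables rules). Bind to
      # loopback (host-only, as here) or to one internal address that
      # clients should reach, e.g. "192.168.1.1:3128:3128".
      - "127.0.0.1:3128:3128"
    volumes:
      - ./config/squid.conf:/etc/squid/squid.conf:ro
      - squid-cache:/var/spool/squid
      - squid-logs:/var/log/squid
    networks:
      - proxy-net
    healthcheck:
      # -f turns HTTP 4xx/5xx into a failed check; the manager URL is only
      # allowed from localhost by the default config, which is fine because
      # the check runs inside the container. Assumes the image ships curl —
      # verify, or the check fails with exit 127.
      test: ["CMD", "curl", "-sf", "-o", "/dev/null", "http://localhost:3128/squid-internal-mgr/info"]
      interval: 30s
      timeout: 5s
      retries: 3
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: '2.0'
        reservations:
          memory: 512M

volumes:
  squid-cache:
    driver: local
  squid-logs:
    driver: local

networks:
  proxy-net:
    driver: bridge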

14.4.2 生产环境 Compose

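# docker-compose.prod.yml
# `version:` is ignored (with a warning) by Compose V2; kept for old clients.
version: '3.8'

services:
  squid:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: squid-proxy
    # `restart:` is the policy non-Swarm `docker compose` applies. The
    # original file also set deploy.restart_policy (on-failure, 3 attempts),
    # which contradicts `always` and is honoured only by Swarm; one policy
    # is kept so the behaviour is unambiguous.
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      # Published on a single internal address only, never on 0.0.0.0.
      - "192.168.1.1:3128:3128"
    volumes:
      - ./config/squid.conf:/etc/squid/squid.conf:ro
      # Credential file (presumably for basic_ncsa_auth). Keep it mode 0400
      # on the host and out of version control. Proxy basic auth travels in
      # clear text over a plain http_port — acceptable on a trusted LAN only.
      - ./config/passwd:/etc/squid/passwd:ro
      - squid-cache:/var/spool/squid
      - squid-logs:/var/log/squid
    environment:
      - TZ=Asia/Shanghai
    sysctls:
      - net.core.somaxconn=65535
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
    logging:
      driver: json-file
      options:
        max-size: "100m"
        max-file: "5"
    healthcheck:
      # -f: HTTP 4xx/5xx count as failures (a plain `curl -s` exits 0 on 403).
      test: ["CMD", "curl", "-sf", "-o", "/dev/null", "http://localhost:3128/squid-internal-mgr/info"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    deploy:
      resources:
        limits:
          memory: 4G
          cpus: '4.0'
        reservations:
          memory: 1G
    networks:
      - proxy-net

  # Optional Prometheus exporter. It scrapes the cache manager over proxy-net
  # from its own container IP, so squid.conf must allow `manager` for that
  # source (it is not localhost) — and should allow it for nothing else.
  # The metrics port is kept off public interfaces; the manager output it
  # relays includes configuration and client details.
  squid-exporter:
    image: boynux/squid-exporter:latest  # pin a version or digest for production
    container_name: squid-exporter
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "127.0.0.1:9301:9301"
    command:
      - "-squid-host=squid"
      - "-squid-port=3128"
      - "-listen=:9301"
    depends_on:
      squid:
        condition: service_healthy
    networks:
      - proxy-net

volumes:
  squid-cache:
    driver: local
  squid-logs:
    driver: local

networks:
  proxy-net:
    driver: bridge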

14.5 Kubernetes 部署

14.5.1 Deployment

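# squid-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: squid-proxy
  labels:
    app: squid
spec:
  replicas: 3
  selector:
    matchLabels:
      app: squid
  template:
    metadata:
      labels:
        app: squid
    spec:
      securityContext:
        # Default syscall filter of the container runtime.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: squid
          # The image the rest of this chapter uses; pin the tag or digest
          # you tested instead of :latest. (`squid:6.10` in the earlier
          # version of this manifest is not that image.)
          image: ubuntu/squid:latest
          securityContext:
            # Squid starts as root and drops to cache_effective_user; it
            # never needs to *gain* privileges.
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 3128
          volumeMounts:
            # A subPath mount is not refreshed when the ConfigMap changes;
            # roll the Deployment after editing squid-config.
            - name: config
              mountPath: /etc/squid/squid.conf
              subPath: squid.conf
              readOnly: true
            - name: cache
              mountPath: /var/spool/squid
            - name: logs
              mountPath: /var/log/squid
          resources:
            requests:
              memory: "512Mi"
              cpu: "500m"
            limits:
              memory: "2Gi"
              cpu: "2000m"
          # TCP probes: kubelet probes arrive from the node IP, and the cache
          # manager is restricted to localhost in the ConfigMap below, so an
          # httpGet on /squid-internal-mgr/info would be denied.
          livenessProbe:
            tcpSocket:
              port: 3128
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            tcpSocket:
              port: 3128
            initialDelaySeconds: 10
            periodSeconds: 10
      volumes:
        - name: config
          configMap:
            name: squid-config
        # One cache_dir per pod. The original single PVC (squid-cache-pvc)
        # cannot back 3 replicas: a ReadWriteOnce claim attaches to one node
        # only, and a shared ReadWriteMany one lets several Squids write the
        # same ufs directory, corrupting its swap.state index. Use a
        # StatefulSet with volumeClaimTemplates if the cache must survive
        # pod restarts.
        - name: cache
          emptyDir:
            sizeLimit: 2Gi
        - name: logs
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: squid-service
spec:
  selector:
    app: squid
  ports:
    - port: 3128
      targetPort: 3128
  # Cluster-internal only. Do not switch to NodePort/LoadBalancer without
  # first narrowing `acl localnet` in the ConfigMap.
  type: ClusterIP
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: squid-config
data:
  squid.conf: |
    http_port 3128
    # Clients allowed to use the proxy: narrow to the real pod/node CIDRs.
    acl localnet src 10.0.0.0/8
    # Destination ports clients may reach. Without these, any localnet
    # client could GET/CONNECT to arbitrary ports of in-cluster services
    # through the proxy. Extend Safe_ports only for ports you really need.
    acl SSL_ports port 443
    acl Safe_ports port 80 443
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # Cache manager (config dump, client list, ...) only from inside the pod.
    http_access allow localhost manager
    http_access deny manager
    http_access allow localnet
    http_access deny all
    cache_dir ufs /var/spool/squid 1000 16 256
    cache_mem 512 MB
    visible_hostname squid-proxy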

14.6 数据持久化

14.6.1 Volume 管理

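# Create named volumes
docker volume create squid-cache
docker volume create squid-logs

# Inspect a volume (driver and host mountpoint)
docker volume inspect squid-cache

# Back up a volume. Stop Squid first: a ufs cache_dir copied while Squid is
# writing to it has an inconsistent swap.state and is rebuilt or rejected on
# restore. tar runs as root in the helper container, so file ownership (the
# proxy uid Squid needs) is preserved. "$(pwd)" is quoted so a working
# directory containing spaces does not split the mount spec; the helper
# image is pinned like the Dockerfiles in this chapter.
docker stop squid
docker run --rm \
    -v squid-cache:/data:ro \
    -v "$(pwd)":/backup \
    ubuntu:22.04 tar czf /backup/squid-cache-backup.tar.gz -C /data .
docker start squid

# Restore into an (empty) volume; the archive is mounted read-only
docker run --rm \
    -v squid-cache:/data \
    -v "$(pwd)":/backup:ro \
    ubuntu:22.04 tar xzf /backup/squid-cache-backup.tar.gz -C /data

# Remove a volume — destroys its data; refused while a container uses it
docker volume rm squid-cache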

14.6.2 缓存持久化

# Create any swap directories declared by cache_dir that are still missing,
# then list the result: entries should be owned by the proxy user.
docker exec squid sh -c 'squid -z; ls -la /var/spool/squid/'

14.7 网络配置

14.7.1 端口映射

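# Bind to one internal address only. A bare `-p 3128:3128` listens on every
# interface, and Docker's iptables rules for published ports sit outside the
# host's INPUT chain, so ufw/firewalld rules usually do not apply to them.
docker run -d -p 192.168.1.1:3128:3128 squid

# Several ports (e.g. 3129 for an intercept / https_port listener). Each one
# still needs a matching http_port/https_port line in squid.conf, and each
# should carry the same address restriction.
docker run -d -p 192.168.1.1:3128:3128 -p 192.168.1.1:3129:3129 squid

# Host networking: no NAT and the best throughput, but the container shares
# the host's network namespace. Every http_port in squid.conf is then exposed
# exactly as the host sees it and there is no -p to limit it — only use this
# with a config that binds to specific addresses (http_port 192.168.1.1:3128).
docker run -d --network host squid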

14.7.2 代理链路

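# docker-compose.yml — Squid proxy chain (frontend -> backend)
version: '3.8'
services:
  squid-frontend:
    image: ubuntu/squid:latest
    ports:
      - "3128:3128"
    volumes:
      - ./config/frontend.conf:/etc/squid/squid.conf:ro
    depends_on:
      - squid-backend
    # The frontend must be on BOTH networks: `default` to publish 3128 to
    # the host, and `internal` to resolve and reach squid-backend (e.g.
    # `cache_peer squid-backend parent 3128 0 no-query` in frontend.conf).
    # A service that lists `networks:` is attached only to those, and one
    # without the key is only on `default` — in the original file the
    # frontend therefore could not reach the backend by name at all.
    networks:
      - default
      - internal

  squid-backend:
    image: ubuntu/squid:latest
    volumes:
      - ./config/backend.conf:/etc/squid/squid.conf:ro
    # Reachable only from the frontend. Note that `internal: true` also
    # blocks the backend's own egress: if this hop is the one that talks to
    # origin servers it needs an additional non-internal network, otherwise
    # every request will fail upstream.
    networks:
      - internal

networks:
  internal:
    internal: true  # no port publishing to the host, no external route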

14.8 日志管理

14.8.1 日志驱动配置

# docker-compose.yml — bounded json-file logging (at most 10 x 100 MiB
# per container; the oldest file is rotated away)
services:
  squid:
    logging:
      driver: "json-file"
      options:
        max-file: "10"
        max-size: "100m"

14.8.2 集中日志收集

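# Ship container output to Fluentd.
# Two things to know before relying on this:
#  * Docker only forwards what Squid writes to stdout/stderr (with
#    `-d 1` that is cache.log-style debug output). access.log is written
#    to /var/log/squid inside the volume and never reaches this driver
#    unless squid.conf says `access_log stdio:/dev/stdout`.
#  * The forward protocol is plaintext TCP: keep the collector on loopback
#    or a private network, or terminate TLS in front of it.
services:
  squid:
    logging:
      driver: fluentd
      options:
        fluentd-address: localhost:24224
        # Buffer and retry instead of refusing to start the container when
        # the collector is unreachable (the driver blocks on connect by
        # default, which turns a logging outage into a proxy outage).
        fluentd-async: "true"
        tag: squid.access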

14.9 性能优化

14.9.1 容器资源限制

services:
  squid:
    # File-descriptor ceiling: every client and server connection costs one.
    ulimits:
      nofile:
        hard: 65536
        soft: 65536
    # Listen-backlog ceiling; net.core.somaxconn is per network namespace,
    # so it can be set on the container without touching the host.
    sysctls:
      - net.core.somaxconn=65535
    # Hard cap of 4 CPUs / 4 GiB; 1 GiB is reserved for scheduling.
    deploy:
      resources:
        reservations:
          memory: 1G
        limits:
          cpus: '4.0'
          memory: 4G

14.9.2 存储优化

services:
  squid:
    volumes:
      # Bind-mounted cache directory on SSD-backed storage. The host path must
      # be writable by the uid Squid runs as inside the container.
      - "/mnt/ssd/squid-cache:/var/spool/squid"
      # RAM-backed /tmp, capped at 100 MiB; contents vanish with the container.
      - type: tmpfs
        target: /tmp
        tmpfs:
          size: 100M

14.10 本章小结

| 任务 | 命令/配置 |
| --- | --- |
| 快速启动 | `docker run -p 127.0.0.1:3128:3128 ubuntu/squid`(绑定到具体地址,不要默认发布到 0.0.0.0) |
| 自定义配置 | `-v ./squid.conf:/etc/squid/squid.conf:ro` |
| 缓存持久化 | `-v squid-cache:/var/spool/squid` |
| 健康检查 | `HEALTHCHECK CMD curl -sf ...`(`-f` 使 4xx/5xx 视为失败) |
| 资源限制 | `deploy.resources.limits` |
| 日志管理 | `logging.driver` + `max-size` |

扩展阅读