A containerized secure proxy with advanced filtering capabilities, real-time monitoring, and a modern web UI.
- Getting Started - Get up and running in 5 minutes
- API Documentation - Complete API reference
- FAQ - Common questions answered
- Contributing - How to contribute to the project
- Changelog - Version history and updates
- Screenshots
- Features
- Architecture
- Prerequisites
- Quick Start
- Configuration Options
- Advanced Configuration
- Monitoring and Analytics
- Database Export and Backup
- Testing and Validation
- FAQ
- Troubleshooting
- API Documentation
- Security Best Practices
- Future Roadmap
- Contributing
- License
- Acknowledgements
- Support
- High-Performance Proxy Engine: Built on Squid with optimized caching capabilities
- Advanced Filtering:
- IP Blacklisting with CIDR support
- Domain Blacklisting with wildcard support
- Content Type Filtering
- Direct IP Access Control
- Time-based Access Restrictions
- Comprehensive Security:
- HTTPS Filtering with proper certificate management
- Rate Limiting protection against brute force attacks
- Security scoring and recommendations
- Configurable content policies
- Modern Dashboard:
- Real-time traffic monitoring
- Resource usage statistics
- Cache performance metrics
- Security status visualization
- Detailed Analytics:
- Full request logging and analysis
- Traffic pattern visualization
- Blocked request reporting
- Exportable reports
- Enterprise Management:
- Configuration backup and restore
- Role-based access control
- API for automation and integration
- Health monitoring endpoints
The application consists of three main containerized components:
- Proxy Service: Squid-based proxy with customized configurations for enhanced security
- Backend API: RESTful API built with Flask providing management capabilities
- Web UI: Modern Bootstrap 5 interface for administration and monitoring
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ │ │ │ │ │
│ Web UI │◄────►│ Backend │◄────►│ Proxy │
│ (Flask) │ │ API │ │ (Squid) │
│ │ │ (Flask) │ │ │
└─────────────┘ └─────────────┘ └─────────────┘
│ │ │
│ │ │
▼ ▼ ▼
┌─────────────────────────────────────────────────────┐
│ │
│ Shared Volumes │
│ (Configuration, Logs, Database, Certificates) │
│ │
└─────────────────────────────────────────────────────┘
secure-proxy-manager/
├── backend/ # Backend API service
│ ├── app/
│ │ ├── app.py # Main Flask application with REST API
│ │ └── tests/ # Backend unit tests
│ ├── Dockerfile # Backend container configuration
│ └── requirements.txt # Python dependencies
├── ui/ # Web UI service
│ ├── static/ # CSS, JS, and static assets
│ ├── templates/ # HTML templates
│ ├── app.py # Flask UI application
│ ├── Dockerfile # UI container configuration
│ └── requirements.txt # Python dependencies
├── proxy/ # Squid proxy service
│ ├── squid.conf # Squid configuration template
│ ├── startup.sh # Container startup script
│ └── Dockerfile # Proxy container configuration
├── config/ # Shared configuration files
│ ├── ip_blacklist.txt
│ ├── domain_blacklist.txt
│ └── ssl_cert.pem # SSL certificates
├── data/ # Database and persistent data
│ └── secure_proxy.db # SQLite database
├── tests/ # End-to-end tests
│ └── e2e_test.py # Comprehensive test suite
├── examples/ # Usage examples and scripts
│ └── import_blacklists.md
├── docker-compose.yml # Service orchestration
├── CONTRIBUTING.md # Contribution guidelines
├── LICENSE # MIT License
├── CHANGELOG.md # Version history
└── README.md # This file
- Docker (v20.10.0+)
- Docker Compose (v2.0.0+)
- Minimum System Requirements:
- 1 CPU core
- 1GB RAM
- 5GB disk space
- Network Requirements:
- Port 8011: Web UI (HTTP)
- Port 3128: Proxy service
- Port 5001: Backend API (optional, for direct API access)
-
Clone the repository:
git clone https://github.com/fabriziosalmi/secure-proxy-manager.git cd secure-proxy-manager -
Start the application:
docker-compose up -d
-
Access the web interface:
http://localhost:8011Default credentials: username:
admin, password:adminNote: The backend API is also accessible directly at
http://localhost:5001for advanced users or automation scripts. -
Configure your client devices:
- Set proxy server to your host's IP address, port 3128
- For transparent proxying, see the Transparent Proxy Setup section
| Variable | Description | Default | Used By |
|---|---|---|---|
FLASK_ENV |
Flask environment mode | production |
Backend, UI |
PROXY_HOST |
Proxy service hostname | proxy |
Backend |
PROXY_PORT |
Proxy service port | 3128 |
Backend |
BASIC_AUTH_USERNAME |
Basic auth username | admin |
Backend, UI |
BASIC_AUTH_PASSWORD |
Basic auth password | admin |
Backend, UI |
SECRET_KEY |
Flask secret key for sessions | Auto-generated | Backend, UI |
PROXY_CONTAINER_NAME |
Docker container name for proxy | secure-proxy-proxy-1 |
Backend |
| Variable | Description | Default | Notes |
|---|---|---|---|
BACKEND_URL |
Backend API URL | http://backend:5000 |
Internal Docker network |
REQUEST_TIMEOUT |
API request timeout (seconds) | 30 |
Increase for slow networks |
MAX_RETRIES |
Maximum API retry attempts | 5 |
For backend connection |
BACKOFF_FACTOR |
Retry backoff multiplier | 1.0 |
Exponential backoff |
RETRY_WAIT_AFTER_STARTUP |
Wait time after startup (seconds) | 10 |
Initial backend wait |
Note: To customize these values, modify them in docker-compose.yml before starting the services.
Important Security Considerations:
-
Change Default Credentials: The default username and password (
admin/admin) should be changed immediately in production:# In docker-compose.yml, update both backend and web services: - BASIC_AUTH_USERNAME=your_secure_username - BASIC_AUTH_PASSWORD=your_secure_password
-
HTTPS for Web UI: For production deployments, use a reverse proxy (e.g., nginx, Traefik) with SSL/TLS to secure the web interface.
-
Network Isolation: Consider running the proxy in an isolated network segment with strict firewall rules.
-
Regular Updates: Keep the system and Docker images updated with security patches.
-
Audit Logs: Regularly review access logs and security events for suspicious activity.
| Feature | Description | Configuration |
|---|---|---|
| IP Blacklisting | Block specific IP addresses or ranges | Web UI > Blacklists > IP |
| Domain Blacklisting | Block specific domains (wildcard support) | Web UI > Blacklists > Domains |
| Content Filtering | Block specific file types | Web UI > Settings > Filtering |
| HTTPS Filtering | Inspect and filter HTTPS traffic | Web UI > Settings > Security |
| Rate Limiting | Prevent brute force attacks | Auto-configured |
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Cache Size | Disk space allocated for caching | 1GB | 5-10GB for production |
| Max Object Size | Maximum size of cached objects | 50MB | 100MB for media-heavy usage |
| Connection Timeout | Timeout for stalled connections | 30s | 15-60s based on network |
| DNS Timeout | Timeout for DNS lookups | 5s | 3-10s based on DNS infrastructure |
| Max Connections | Maximum concurrent connections | 100 | 100-500 based on hardware |
For HTTPS filtering with your own certificate:
-
Place your certificate and key in the
config/directory:ssl_cert.pem: Your SSL certificatessl_key.pem: Your private key
-
Enable HTTPS filtering in the web interface:
- Settings > Security > Enable HTTPS Filtering
-
Important: Install the certificate on all client devices to avoid browser security warnings
- Windows: Import to Trusted Root Certification Authorities
- macOS: Add to Keychain and trust for SSL
- Linux: Copy to
/usr/local/share/ca-certificates/and runupdate-ca-certificates - Mobile: Email the certificate and install via device settings
Note: HTTPS filtering performs man-in-the-middle inspection. Only use this feature in environments where you have authorization to inspect traffic (e.g., corporate networks, your own devices).
To use Secure Proxy as a transparent proxy:
-
Configure iptables on your router/gateway:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
-
Enable transparent proxy mode in the web interface:
- Settings > Advanced > Transparent Mode
Integrate with external threat intelligence sources. The system supports importing plain text files (one entry per line) and JSON formats.
# Import from URL - supports plain text files with one domain per line
curl -X POST http://localhost:8011/api/domain-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"url": "https://example.com/domain-blacklist.txt"}'
# Import direct content
curl -X POST http://localhost:8011/api/domain-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"content": "example.com\n*.badsite.org\nmalicious.net"}'# Import from URL - supports plain text files with one IP per line
curl -X POST http://localhost:8011/api/ip-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"url": "https://example.com/ip-blacklist.txt"}'
# Import direct content with CIDR notation support
curl -X POST http://localhost:8011/api/ip-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"content": "192.168.1.100\n10.0.0.5\n172.16.0.0/24"}'- Plain Text: One entry per line (recommended for most blacklists)
- JSON Array:
["example.com", "malicious.net"] - JSON Objects:
[{"domain": "example.com", "description": "Blocked site"}] - Comments: Lines starting with
#are ignored
Note: For scheduled automatic blacklist updates, consider setting up a cron job or scheduled task that calls the import endpoints with your preferred blacklist sources.
- Proxy Status: Real-time operational status
- Traffic Statistics: Request volume over time
- Resource Usage: Memory and CPU consumption
- Cache Performance: Hit ratio and response time
- Security Score: Overall security assessment
All proxy traffic is logged and can be analyzed in the web interface:
- Access Logs: All requests with filtering and search
- Security Events: Authentication attempts and blocked requests
- System Logs: Application and service events
Health status endpoints are available for monitoring:
curl -I http://localhost:8011/healthExport database contents including blacklists, settings, and logs (limited to 10,000 most recent entries):
-
Via API:
curl -X GET http://localhost:8011/api/database/export \ -H "Authorization: Basic $(echo -n admin:admin | base64)" \ > secure-proxy-export.json
-
Via Direct Backend Access:
curl -X GET http://localhost:5001/api/database/export \ -H "Authorization: Basic $(echo -n admin:admin | base64)" \ > secure-proxy-export.json
For complete database backup including all logs:
# Stop the services
docker-compose down
# Backup the database file
cp data/secure_proxy.db data/secure_proxy.db.backup
# Backup configuration files
tar -czf config-backup.tar.gz config/
# Restart services
docker-compose up -dTo restore from a manual backup:
# Stop the services
docker-compose down
# Restore the database file
cp data/secure_proxy.db.backup data/secure_proxy.db
# Restore configuration files
tar -xzf config-backup.tar.gz
# Restart services
docker-compose up -dOptimize database performance:
curl -X POST http://localhost:8011/api/database/optimize \
-H "Authorization: Basic $(echo -n admin:admin | base64)"Get database size and statistics:
curl -X GET http://localhost:8011/api/database/stats \
-H "Authorization: Basic $(echo -n admin:admin | base64)"curl -x http://localhost:3128 http://example.comcurl -x http://localhost:3128 https://example.com --insecureTo test if blacklisting works:
- Add an IP or domain to the blacklist
- Attempt to access a resource from that IP or domain
- Verify the request is blocked (check logs)
Execute the comprehensive end-to-end test suite:
# Make sure services are running
docker-compose up -d
# Run tests
cd tests
python3 e2e_test.py
# Run with verbose output
python3 e2e_test.py -vQ: What is Secure Proxy Manager?
A: It's a containerized web proxy solution built on Squid with a modern management interface for filtering, monitoring, and controlling web traffic.
Q: Is this suitable for production use?
A: Yes, but ensure you follow security best practices, change default credentials, and properly configure SSL certificates for HTTPS filtering.
Q: Can I use this in a corporate environment?
A: Yes, it's designed for enterprise use with features like blacklisting, authentication, and detailed logging. Ensure compliance with your organization's policies.
Q: Which ports need to be open?
A: Port 8011 (Web UI), 3128 (Proxy), and optionally 5001 (Backend API for direct access).
Q: Can I change the default credentials?
A: Yes! Modify BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD in docker-compose.yml before starting the services.
Q: How do I update to the latest version?
A:
git pull
docker-compose down
docker-compose build --no-cache
docker-compose up -dQ: How do I import a large blacklist?
A: Use the import API endpoints with a URL pointing to your blacklist file:
curl -X POST http://localhost:8011/api/domain-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"url": "https://example.com/blacklist.txt"}'Q: Does it support IPv6?
A: Yes, IPv6 addresses can be added to the IP blacklist, including CIDR notation.
Q: Can I filter HTTPS traffic?
A: Yes, by enabling HTTPS filtering and installing the SSL certificate on client devices. Note: This performs man-in-the-middle inspection.
Q: How do I view blocked requests?
A: Check the logs in the Web UI dashboard or query via API: http://localhost:8011/api/logs/stats
Q: What are the resource requirements?
A: Minimum 1 CPU core and 1GB RAM. For production with heavy traffic, 2+ CPU cores and 4GB+ RAM recommended.
Q: Can I run multiple instances?
A: Yes, you can deploy multiple instances behind a load balancer for high availability.
Q: How much disk space does caching use?
A: Default is 1GB. Adjust the cache size in performance tuning settings based on your needs (5-10GB recommended for production).
Q: Services won't start - what should I check?
A:
- Ensure Docker and Docker Compose are installed and running
- Check for port conflicts:
docker-compose logs - Verify volumes have correct permissions
- Wait for backend health check (may take 10-15 seconds)
Q: Why am I getting SSL certificate warnings?
A: The SSL certificate needs to be installed on each client device. See Custom SSL Certificate section.
Q: Import is failing - what's wrong?
A: Common causes:
- Invalid format (ensure one entry per line or valid JSON)
- Network issues (URL not accessible)
- Authentication failure (check credentials)
- Check logs:
docker-compose logs backend
| Issue | Possible Cause | Resolution |
|---|---|---|
| Cannot access web UI | Port conflict | Change port mapping in docker-compose.yml |
| Proxy not filtering | Incorrect network configuration | Verify client proxy settings |
| SSL warnings | Certificate not trusted | Install certificate on client devices |
| Performance issues | Insufficient resources | Increase container resource limits |
| Database errors | Permission issues | Check volume permissions |
-
Service Logs:
docker-compose logs -f backend docker-compose logs -f ui docker-compose logs -f proxy
-
Database Check:
docker-compose exec backend sqlite3 /data/secure_proxy.db .tables -
Network Validation:
docker-compose exec proxy ping -c 3 google.com -
Cache Analysis:
docker-compose exec proxy squidclient -h localhost mgr:info
Secure Proxy Manager provides a comprehensive RESTful API for integration and automation with support for plain text and JSON blacklist imports.
API Base URLs:
- Via Web UI:
http://localhost:8011/api - Direct Backend Access:
http://localhost:5001/api
Note: When accessing the API directly through the backend (port 5001), you bypass the Web UI layer. This can be useful for automation scripts and monitoring tools.
All API endpoints require Basic Authentication:
# Login to get session (optional)
curl -X POST http://localhost:8011/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "admin"}'
# Or use Basic Auth directly (recommended for scripts)
AUTH_HEADER="Authorization: Basic $(echo -n admin:admin | base64)"Perfect for importing standard text files with one domain per line:
# Import from URL (plain text file)
curl -X POST http://localhost:8011/api/domain-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"url": "https://example.com/domain-blacklist.txt"}'
# Import direct content
curl -X POST http://localhost:8011/api/domain-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"content": "malicious.com\n*.ads.example\nbadsite.org"}'Example domain-blacklist.txt:
malicious.com
badsite.org
*.ads.network
phishing-site.net
# Comments are ignored
unwanted.domain
# Import from URL (plain text file)
curl -X POST http://localhost:8011/api/ip-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"url": "https://example.com/ip-blacklist.txt"}'
# Import with CIDR notation support
curl -X POST http://localhost:8011/api/ip-blacklist/import \
-H "Content-Type: application/json" \
-H "Authorization: Basic $(echo -n admin:admin | base64)" \
-d '{"content": "192.168.1.100\n10.0.0.0/8\n172.16.0.0/12"}'Example ip-blacklist.txt:
192.168.1.100
10.0.0.5
203.0.113.0/24
# Malicious IP range
198.51.100.0/24
- ✅ Plain Text: One entry per line (most common)
- ✅ JSON Array:
["entry1", "entry2"] - ✅ JSON Objects:
[{"domain": "example.com", "description": "Blocked"}] - ✅ Comments: Lines starting with
#are ignored - ✅ CIDR Notation: For IP ranges (
192.168.1.0/24) - ✅ Wildcards: For domains (
*.example.com)
| Endpoint | Method | Description |
|---|---|---|
/api/login |
POST | User login with credentials |
/api/logout |
POST | User logout |
/api/change-password |
POST | Change user password |
| Endpoint | Method | Description |
|---|---|---|
/api/status |
GET | Get proxy service status |
/api/settings |
GET | Get all proxy settings |
/api/settings/<setting_name> |
PUT | Update a specific setting |
/health |
GET | Health check endpoint |
| Endpoint | Method | Description |
|---|---|---|
/api/ip-blacklist |
GET | Get all IP blacklist entries |
/api/ip-blacklist |
POST | Add a single IP blacklist entry |
/api/ip-blacklist/<id> |
DELETE | Delete an IP blacklist entry |
/api/ip-blacklist/import |
POST | Import IP blacklist from URL/content |
/api/domain-blacklist |
GET | Get all domain blacklist entries |
/api/domain-blacklist |
POST | Add a single domain blacklist entry |
/api/domain-blacklist/<id> |
DELETE | Delete a domain blacklist entry |
/api/domain-blacklist/import |
POST | Import domain blacklist from URL/content |
/api/blacklists/import |
POST | Generic import (requires type parameter) |
| Endpoint | Method | Description |
|---|---|---|
/api/logs/stats |
GET | Get proxy access logs with filtering |
/api/logs/clear |
POST | Clear all proxy logs |
/api/logs/clear-old |
POST | Clear old proxy logs |
/api/traffic/statistics |
GET | Get traffic statistics |
/api/clients/statistics |
GET | Get client statistics |
/api/domains/statistics |
GET | Get domain statistics |
| Endpoint | Method | Description |
|---|---|---|
/api/cache/statistics |
GET | Get cache performance metrics |
/api/maintenance/optimize-cache |
POST | Optimize the proxy cache |
| Endpoint | Method | Description |
|---|---|---|
/api/security/score |
GET | Get security assessment score |
/api/security/scan |
POST | Perform security scan |
/api/security/rate-limits |
GET | Get rate limit information |
/api/security/rate-limits/<ip> |
DELETE | Remove rate limit for specific IP |
/api/maintenance/check-cert-security |
GET | Check SSL certificate security |
| Endpoint | Method | Description |
|---|---|---|
/api/database/size |
GET | Get database size |
/api/database/stats |
GET | Get database statistics |
/api/database/optimize |
POST | Optimize database |
/api/database/export |
GET | Export database |
/api/database/reset |
POST | Reset database |
/api/maintenance/reload-config |
POST | Reload proxy configuration |
| Endpoint | Method | Description |
|---|---|---|
/api/docs |
GET | Interactive API documentation |
Successful Import:
{
"status": "success",
"message": "Import completed: 150 entries imported",
"imported_count": 150,
"error_count": 0
}Import with Errors:
{
"status": "success",
"message": "Import completed: 145 entries imported, 5 errors",
"imported_count": 145,
"error_count": 5,
"errors": [
"Invalid domain format: not-a-domain",
"Invalid IP format: 999.999.999.999"
]
}Full interactive API documentation is available at /api/docs when the service is running.
- Change default credentials immediately after installation
- Enable HTTPS for the admin interface in production
- Restrict access to the admin interface to trusted IPs
- Regular backups of configuration and database
- Keep the system updated with security patches
- Monitor logs for suspicious activity
- Use strong certificates for HTTPS filtering
- Authentication Integration: LDAP/Active Directory support
- Advanced Analytics: ML-based traffic pattern analysis
- Threat Intelligence: Integration with external threat feeds
- Clustering: Multi-node deployment for high availability
- Content Inspection: DLP capabilities for data protection
- Mobile Support: Improved UI for mobile administration
- Notification System: Alerts via email, Slack, etc.
Contributions are welcome and appreciated! Please read our CONTRIBUTING.md for detailed guidelines on:
- Setting up your development environment
- Coding standards and best practices
- Testing requirements
- Pull request process
- Branch naming conventions
Quick contribution steps:
- Fork the repository
- Create a feature branch:
git checkout -b feature/your-feature-name - Make your changes following our coding standards
- Run tests to ensure everything works
- Commit your changes:
git commit -m 'feat: Add some feature' - Push to your fork:
git push origin feature/your-feature-name - Open a Pull Request with a clear description
For more details, see CONTRIBUTING.md.
This project is licensed under the MIT License - see the LICENSE file for details.
- Squid Proxy for the core proxy engine
- Flask for the web framework
- Bootstrap for the UI components
- Docker for containerization
- All our contributors who have helped shape this project
If you need help or have questions:
- Bug Reports: Create an issue with detailed information
- Feature Requests: Open an issue describing your idea
- Questions: Check existing issues or create a new one
- Documentation: Review this README and CONTRIBUTING.md
When reporting issues, please include:
- Your environment (OS, Docker version, etc.)
- Steps to reproduce the problem
- Expected vs actual behavior
- Relevant logs from
docker-compose logs
Made with ❤️ by the Secure Proxy Manager community