Squid service operations
The Squid service is an HTTP / HTTPS proxy for every private-network instance that has no public IP. It is the first service to deploy: SigNoz, Database, Voice, API, and Ops all route outbound traffic through Squid for ECR image pulls, provider API calls (OpenAI, Vonage), SMTP relay, GitHub access, and AWS APIs not behind VPC endpoints. TelPro and Web have public IPs and do not use the proxy.
- Overview
- Runbook
- Configuration
- Troubleshooting
Containers
| Container | Image | Port | Purpose |
|---|---|---|---|
| voiceai-squid | ubuntu/squid:latest | 3128 | HTTP / HTTPS proxy |
| voiceai-otel-collector | otel/opentelemetry-collector-contrib:0.150.1 | — | Telemetry collector (ingests Squid access logs) |
The Squid container is the only image in the stack pinned to :latest rather than a fixed tag, so its behaviour can change on any run of update.sh (which always pulls). If you need byte-for-byte reproducibility, pin to a specific Ubuntu Squid digest in .infrastructure/services/squid/docker-compose.yaml and roll the change through update.sh --config-ref.
The Squid container has no environment variables of its own — everything is configured via squid.conf.
squid.conf highlights
```conf
http_port 3128
acl localnet src 10.0.1.0/24
http_access allow localnet
http_access deny all
cache deny all
access_log stdio:/dev/stdout squid
```
Defaults:
- ACL: allows 10.0.1.0/24.
- Ports: 80 (HTTP), 443 (HTTPS), 22 (SSH / GitHub), 587 (SMTP).
- CONNECT: HTTPS, SSH, SMTP.
- Cache: 100 MB on-disk for Docker images and packages.
To add more networks:
```conf
acl privatenet src 192.168.1.0/24
http_access allow privatenet
```
To restrict domains (place the deny line above http_access allow localnet; Squid stops at the first http_access rule that matches):
```conf
acl allowed_domains dstdomain .example.com
http_access deny !allowed_domains
```
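The following is a complete squid.conf assembled from the defaults listed above (network, ports, CONNECT targets, no caching, stdout logging) and the two snippets for extra networks and a domain allowlist. It is an added example written for this page, not the file shipped in the service repository; the Safe_ports/SSL_ports lists, the cache-manager lines and the two header-stripping directives at the end are assumptions about how those defaults would be expressed, not copied from the project.

```conf
# Added example: a full squid.conf reflecting the defaults documented on this page.
# Not the repository's file; rule ordering and the hardening lines are assumptions.
http_port 3128

# Clients admitted by the proxy (the private network from the page)
acl localnet src 10.0.1.0/24
# Additional network, as in the "add more networks" snippet
acl privatenet src 192.168.1.0/24

# Destination ports the page allows: HTTP, HTTPS, SSH / GitHub, SMTP submission
acl Safe_ports port 80 443 22 587
# Ports a CONNECT tunnel may target: HTTPS, SSH, SMTP
acl SSL_ports port 443 22 587
acl CONNECT method CONNECT

# Optional destination allowlist, as in the "restrict domains" snippet
acl allowed_domains dstdomain .example.com

# Squid evaluates http_access top to bottom and stops at the first match,
# so every deny must sit above the allow lines for localnet/privatenet.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager (squidclient mgr:... from inside the container) only from localhost
http_access allow localhost manager
http_access deny manager
http_access deny !allowed_domains
http_access allow localnet
http_access allow privatenet
http_access deny all

# No caching, logs to stdout so the OTel collector can ingest them (from the page)
cache deny all
access_log stdio:/dev/stdout squid

# Assumed hardening: do not leak the proxy's identity or internal client IPs
# to upstream providers in Via / X-Forwarded-For headers.
via off
forwarded_for delete
```

The `http_access allow localhost manager` / `deny manager` pair is what lets the `squidclient mgr:utilization` check in the troubleshooting table run from inside the container while refusing cache-manager queries from any other host. A `TCP_DENIED/403` in the access log for a CONNECT to an unlisted port is the expected result of the `deny CONNECT !SSL_ports` rule, which is where to look before relaxing the ACL.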
Using the proxy
From other services
```yaml
environment:
  - HTTP_PROXY=http://<squid-ip>:3128
  - HTTPS_PROXY=http://<squid-ip>:3128
  - NO_PROXY=localhost,127.0.0.1,10.0.1.0/24
```
From the shell
```sh
export HTTP_PROXY=http://<squid-ip>:3128
export HTTPS_PROXY=http://<squid-ip>:3128
export NO_PROXY=localhost,127.0.0.1,10.0.1.0/24
```
Not every client honours CIDR notation in NO_PROXY; some match only exact hosts or domain suffixes, so such a client will still send traffic for hosts in 10.0.1.0/24 through the proxy. If a service must reach a private host directly, list that host's address explicitly as well.
From apt
```conf
# /etc/apt/apt.conf.d/proxy
Acquire::http::Proxy "http://<squid-ip>:3128";
Acquire::https::Proxy "http://<squid-ip>:3128";
```
From the Docker daemon
In /etc/docker/daemon.json:
```json
{
  "proxies": {
    "http-proxy": "http://<squid-ip>:3128",
    "https-proxy": "http://<squid-ip>:3128",
    "no-proxy": "localhost,127.0.0.1,10.0.1.0/24"
  }
}
```
Then `systemctl restart docker`.
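To see concretely what the NO_PROXY value above does and does not bypass, here is an added example (not part of the Squid service or of any of its clients) that runs the proxy-bypass logic of Python's standard library, used as one representative client, against the page's value and compares it with a CIDR-aware check. The only library call is the real `urllib.request.proxy_bypass_environment`; the hostnames fed to it are constructed inputs.

```python
"""Added example: which hosts does a NO_PROXY value really bypass?

Illustrative code for this page, not part of the Squid service. It compares the
exact/suffix matching of Python's urllib (one representative client) with a
CIDR-aware check, using the NO_PROXY value documented above.
"""
import ipaddress
from urllib.request import proxy_bypass_environment

NO_PROXY = "localhost,127.0.0.1,10.0.1.0/24"  # value from this page


def bypass_urllib(host: str, no_proxy: str = NO_PROXY) -> bool:
    """What urllib decides: exact host or domain-suffix matches only."""
    return proxy_bypass_environment(host, {"no": no_proxy})


def bypass_cidr_aware(host: str, no_proxy: str = NO_PROXY) -> bool:
    """Bypass if host matches an entry exactly, by domain suffix, or by CIDR."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, so CIDR entries cannot apply to it
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue
            if addr is not None and addr in net:
                return True
            continue
        if host.lower() == entry or host.lower().endswith("." + entry.lstrip(".")):
            return True
    return False


def bypass_report(hosts, no_proxy: str = NO_PROXY) -> dict:
    """host -> (urllib decision, CIDR-aware decision) for the given hosts."""
    return {h: (bypass_urllib(h, no_proxy), bypass_cidr_aware(h, no_proxy)) for h in hosts}


if __name__ == "__main__":
    # Constructed test hosts: a private host inside the CIDR, one outside, a provider.
    report = bypass_report(["localhost", "10.0.1.10", "10.0.2.5", "api.openai.com"])
    for host, (via_urllib, via_cidr) in report.items():
        print(f"{host:16} urllib_bypass={via_urllib!s:5} cidr_aware_bypass={via_cidr}")
```

Running it shows that 10.0.1.10 is bypassed by the CIDR-aware check but not by urllib, which is the difference described in the note above; clients built on Go's net/http, including the Docker daemon, do understand CIDR entries.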
Deploy and update
```sh
cd /opt/services/squid
./init.sh
./update.sh --restart-only
```
Squid uses named Docker volumes only (squid-cache, squid-logs) — no attached block storage.
Configuration
| Name | Source | Scope | Default | Description |
|---|---|---|---|---|
| OTEL_BACKEND_HOST | SSM | all | 10.0.1.10 | SigNoz host IP for telemetry. |
| HOSTNAME | env | all | — | Bootstrap host identifier. |
| ENVIRONMENT | env | all | — | Environment tag (bootstrap). |
The Squid container itself is configured via squid.conf mounted at /etc/squid/squid.conf.
Troubleshooting
| Symptom | Likely cause | Check |
|---|---|---|
| Private servers can't pull Docker images | Squid down / unreachable | docker compose ps; curl -x http://<squid-ip>:3128 https://example.com. |
| TelPhi can't reach OpenAI | Port 443 not allowed for the destination | Look for denied requests in the access log; relax the ACL. |
| SigNoz containers can't reach internet | Proxy injection failed | SigNoz init.sh output; extra_hosts entries in SigNoz compose. |
| Scaler can't reach provider API | Squid down or required port blocked | Verify CONNECT is allowed for the destination port. |
| Cache disk full | Cache volume at capacity | docker exec voiceai-squid squidclient mgr:utilization. |
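Two rows of the table above come down to reading the Squid access log for denied requests and checking whether the destination port or the client is outside the documented ACLs. The script below is an added example for this page, not part of the Squid service or its OTel pipeline: it parses Squid's native `squid` log format (the one selected by `access_log stdio:/dev/stdout squid`), counts `TCP_DENIED` entries per client and destination, and flags clients outside 10.0.1.0/24 and denied ports outside the 80/443/22/587 set. The log lines embedded in it are constructed samples, not output from a real deployment.

```python
"""Added example: triage denied requests in Squid's native access log.

Illustrative code written for this page, not part of the Squid service or of
Squid itself. It assumes the native 'squid' log format, whose fields are:
  timestamp elapsed client action/status size method url user hierarchy/peer type
The log lines below are constructed samples (IPs in 203.0.113.0/24 are
documentation addresses), not captured from a deployment.
"""
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Defaults documented on this page: the network the localnet ACL admits and
# the destination ports Squid is expected to serve.
LOCALNET = ipaddress.ip_network("10.0.1.0/24")
ALLOWED_PORTS = {80, 443, 22, 587}

SAMPLE_LOG = """\
1700000000.101    120 10.0.1.21 TCP_TUNNEL/200 52310 CONNECT api.openai.com:443 - HIER_DIRECT/203.0.113.10 -
1700000000.205      0 10.0.1.21 TCP_DENIED/403 3921 CONNECT api.vonage.com:8443 - HIER_NONE/- text/html
1700000000.310      0 10.0.1.30 TCP_DENIED/403 3921 CONNECT smtp.example.net:465 - HIER_NONE/- text/html
1700000000.412     88 10.0.1.30 TCP_MISS/200 14022 GET http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease - HIER_DIRECT/203.0.113.20 -
1700000000.520      0 10.0.2.5 TCP_DENIED/403 3921 CONNECT github.com:22 - HIER_NONE/- text/html
"""


class Entry(NamedTuple):
    client: str
    action: str
    status: int
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, _, status = fields[3].partition("/")
    return Entry(fields[2], action, int(status), fields[5], fields[6])


def dest_port(method: str, url: str) -> int:
    """Destination port: CONNECT carries host:port, other methods a full URL."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def triage(log_text: str) -> dict:
    """Summarise denials, plus clients and ports outside the documented defaults."""
    denied: Counter = Counter()
    foreign_clients = set()
    denied_ports = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if ipaddress.ip_address(entry.client) not in LOCALNET:
            foreign_clients.add(entry.client)  # outside the localnet ACL
        if entry.action == "TCP_DENIED":
            denied[(entry.client, entry.url)] += 1
            port = dest_port(entry.method, entry.url)
            if port not in ALLOWED_PORTS:
                denied_ports.add(port)  # refused by the port / CONNECT ACLs
    return {
        "denied": sorted(denied.items()),
        "foreign_clients": sorted(foreign_clients),
        "ports_outside_policy": sorted(denied_ports),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it real output with `docker logs voiceai-squid | python3 triage.py`-style piping after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a denial whose port is in the allowed set but whose client is in `foreign_clients` points at the source ACL rather than the port ACL, which is the distinction the TelPhi and Scaler rows turn on.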
See also
- Ops operations — Scaler and Tasker rely on Squid for provider APIs and SMTP.
- SigNoz operations — uses a transparent proxy (redsocks + iptables) backed by Squid.
- Voice operations — TelPhi reaches OpenAI / Pythia / Vodafone TOBi through Squid.