Monitoring private networks

To monitor HTTP endpoints on private networks, you can use an HTTP proxy like Squid with basic authentication. This allows Better Stack Uptime to securely access your internal services without exposing them directly to the internet.

Squid + Basic auth (htpasswd) in one container

This setup runs Squid and its authentication mechanism within a single Docker container for simplicity.

1) Create files on the host

Create a folder, for example squid/, with the following files:

# Listen
http_port 3128

# Basic auth using an htpasswd file
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid Proxy
acl authenticated proxy_auth REQUIRED

# Only allow authenticated users
http_access allow authenticated
http_access deny all

# (Optional) allow common safe ports
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
http_access deny !Safe_ports

# Logging
access_log stdio:/var/log/squid/access.log

# Recommended in containers
pid_filename /var/run/squid.pid
coredump_dir /var/spool/squid

Create an htpasswd-style file. The easiest way to generate a password entry is using a temporary Docker container:

docker run --rm -it --entrypoint sh httpd:2.4-alpine -lc \
  'apk add --no-cache apache2-utils >/dev/null; htpasswd -nbB user1 "pass1"'

user1:$2y$10$...................................................

Take the output (it will look similar to user1:$2y$...) and put it into the squid/passwords file. Each user should be on a new line.

2) Run Squid with Docker Compose

Create a docker-compose.yml file in the same directory as your squid/ folder:

services:
  squid:
    image: ubuntu/squid:latest
    container_name: squid
    ports:
      - "3128:3128"
    volumes:
      - ./squid/squid.conf:/etc/squid/squid.conf:ro
      - ./squid/passwords:/etc/squid/passwords:ro
      - squid_cache:/var/spool/squid
      - squid_logs:/var/log/squid
    restart: unless-stopped

volumes:
  squid_cache:
  squid_logs:

Start the Squid proxy:

docker compose up -d

3) Test the proxy

You can test the proxy functionality using curl:

curl -v -x http://user1:pass1@localhost:3128 http://example.com/

*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
* Proxy auth using Basic with user 'user1'
> GET http://example.com/ HTTP/1.1
> Host: example.com
> Proxy-Authorization: Basic dXNlcjE6cGFzczE=
> User-Agent: curl/7.81.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Content-Length: 1256
... (response from example.com)
[/output]

For browsers or other clients, configure the proxy settings:

• Proxy host: your-host (the IP address or hostname where your Docker container is running)
• Proxy port: 3128
• Username/password: The user1/pass1 credentials you set up.

Configure Better Stack Uptime checks

Once your Squid proxy is running and accessible, you can configure your HTTP keyword checks in Better Stack Uptime to use it.

When creating or editing an HTTP keyword monitor:

1. Scroll down to Advanced settings.
2. In the Proxy Host and Proxy Port fields, enter the host for your proxy without the URL schema, optionally including authentication: user1:pass1@proxyhost and 3128. Replace user1 and pass1 with your proxy credentials, and proxyhost with the IP address or hostname of your Squid proxy server.
3. In the URL to monitor field, enter the internal HTTP endpoint you wish to monitor, for example: http://internal-ip:80/

This setup routes your Uptime checks through the authenticated Squid proxy, allowing you to monitor internal HTTP endpoints securely.