feat: Squid Forward-Proxy — vollständig (Renderer + Handler + UI)

Stub raus, vollständig implementiert:

* internal/services/forwardproxy: CRUD-Repo gegen forward_proxy_acls
  (priority desc, action allow|deny).
* internal/handlers/forwardproxy.go: REST /api/v1/forward-proxy/acls
  mit Validation (acl_type-Whitelist verhindert Squid-Reload-Crash
  bei Tippfehlern). Auto-Reload nach jeder Mutation.
* internal/squid/squid.cfg.tpl + squid.go: Renderer schreibt
  /etc/edgeguard/squid/squid.conf, atomic + Symlink von
  /etc/squid/squid.conf (Squid liest Distro-Pfad — gleicher
  Pattern-Fix wie wg-quick). cache_dir 100MB, cache_mem 64MB,
  http_port 3128. Default-Policy: nur localnet (10/8, 172.16/12,
  192.168/16) — verhindert Open-Relay, falls Operator keine ACLs
  anlegt.
* main.go: forwardproxy-Repo + squid-Reloader instanziiert + Handler
  registriert.
* render.go: squid.New() bekommt Pool (war () vorher, Stub-Signatur).
* postinst sudoers: edgeguard darf systemctl reload squid.service.
* Frontend /forward-proxy: PageHeader + DataTable + ACL-Modal mit
  acl_type-Dropdown (13 Squid-Vokabular-Typen), action-Select,
  Priority. Sidebar-Eintrag unter Security.
* i18n DE/EN für fwd.* Block + nav.forwardProxy.

Verified end-to-end: ACL-Insert via SQL, render → squid reload →
curl -x http://127.0.0.1:3128 http://example.com/ → 200.

Version 1.0.26.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
2026-05-11 00:27:05 +02:00
parent e379162a7f
commit 72269f5b7c
16 changed files with 677 additions and 15 deletions


@@ -22,6 +22,7 @@ import (
firewallrender "git.netcell-it.de/projekte/edgeguard-native/internal/firewall"
"git.netcell-it.de/projekte/edgeguard-native/internal/haproxy"
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers"
squidrender "git.netcell-it.de/projekte/edgeguard-native/internal/squid"
wgrender "git.netcell-it.de/projekte/edgeguard-native/internal/wireguard"
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/acme"
@@ -29,6 +30,7 @@ import (
"git.netcell-it.de/projekte/edgeguard-native/internal/services/backends"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/domains"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/firewall"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/forwardproxy"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/ipaddresses"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/networkifs"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/routingrules"
@@ -39,7 +41,7 @@ import (
wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
)
var version = "1.0.25"
var version = "1.0.26"
func main() {
addr := os.Getenv("EDGEGUARD_API_ADDR")
@@ -141,6 +143,7 @@ func main() {
secretsBox := secrets.New("")
wgIfaces := wgsvc.NewInterfacesRepo(pool)
wgPeers := wgsvc.NewPeersRepo(pool)
fwdProxyRepo := forwardproxy.New(pool)
// ACME (Let's Encrypt). Email comes from setup.json — the
// wizard collects acme_email and the issuer registers an
@@ -182,6 +185,13 @@ func main() {
return wgrender.New(pool, secretsBox).Render(ctx)
}
handlers.NewWireguardHandler(wgIfaces, wgPeers, secretsBox, auditRepo, nodeID, wgReloader).Register(authed)
// Squid forward-proxy reload — re-render squid.conf + reload
// squid.service. sudoers im postinst whitelistet das.
squidReloader := func(ctx context.Context) error {
return squidrender.New(pool).Render(ctx)
}
handlers.NewForwardProxyHandler(fwdProxyRepo, auditRepo, nodeID, squidReloader).Register(authed)
}
mountUI(r)
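Review bot: The comment above `squidReloader` switches from English to German mid-way (`sudoers im postinst whitelistet das`) while the other comments in this hunk, such as the ACME note, are English; rewrite it as `// Squid forward-proxy reload — re-renders squid.conf and reloads squid.service; the postinst sudoers entry permits exactly that reload.` It would also help the next reader to note in that comment that the reload runs a privileged `systemctl reload` through sudo, so the acl_type validation in the handler is what keeps a malformed rendered config from breaking the running proxy — presumably that is the handler's responsibility, which is outside this hunk. If Render fails, the ACL row is already persisted and the running squid config is stale; the closure correctly propagates the error, but whoever calls the reloader must surface it rather than treat the mutation as complete. main()'s body continues outside the hunk.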


@@ -9,7 +9,7 @@ import (
"os"
)
var version = "1.0.25"
var version = "1.0.26"
const usage = `edgeguard-ctl — EdgeGuard CLI


@@ -54,7 +54,7 @@ func cmdRenderConfig(args []string) int {
hap := haproxy.New(pool)
fw := firewall.New(pool)
sq := squid.New()
sq := squid.New(pool)
wg := wireguard.New(pool, secrets.New(""))
ub := unbound.New()
if skipReload {


@@ -21,7 +21,7 @@ import (
"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
)
var version = "1.0.25"
var version = "1.0.26"
const (
// renewTickInterval — how often we re-evaluate expiring certs.