feat: Squid Forward-Proxy — vollständig (Renderer + Handler + UI)
Stub raus, vollständig implementiert: * internal/services/forwardproxy: CRUD-Repo gegen forward_proxy_acls (priority desc, action allow|deny). * internal/handlers/forwardproxy.go: REST /api/v1/forward-proxy/acls mit Validation (acl_type-Whitelist verhindert Squid-Reload-Crash bei Tippfehlern). Auto-Reload nach jeder Mutation. * internal/squid/squid.cfg.tpl + squid.go: Renderer schreibt /etc/edgeguard/squid/squid.conf, atomic + Symlink von /etc/squid/squid.conf (Squid liest Distro-Pfad — gleicher Pattern-Fix wie wg-quick). cache_dir 100MB, cache_mem 64MB, http_port 3128. Default-Policy: nur localnet (10/8, 172.16/12, 192.168/16) — verhindert Open-Relay, falls Operator keine ACLs anlegt. * main.go: forwardproxy-Repo + squid-Reloader instanziiert + Handler registriert. * render.go: squid.New() bekommt Pool (war () vorher, Stub-Signatur). * postinst sudoers: edgeguard darf systemctl reload squid.service. * Frontend /forward-proxy: PageHeader + DataTable + ACL-Modal mit acl_type-Dropdown (13 Squid-Vokabular-Typen), action-Select, Priority. Sidebar-Eintrag unter Security. * i18n DE/EN für fwd.* Block + nav.forwardProxy. Verified end-to-end: ACL-Insert via SQL, render → squid reload → curl -x http://127.0.0.1:3128 http://example.com/ → 200. Version 1.0.26. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
62
internal/squid/squid.cfg.tpl
Normal file
62
internal/squid/squid.cfg.tpl
Normal file
@@ -0,0 +1,62 @@
|
||||
# Generated by edgeguard — do not edit by hand.
|
||||
# Source: internal/squid/squid.go (template: squid.cfg.tpl).
|
||||
# Re-generate via `edgeguard-ctl render-config --only=squid`.
|
||||
|
||||
http_port {{.ListenPort}}
|
||||
|
||||
# Standard cache directory + small in-memory cache. Forward proxy
|
||||
# isn't a CDN — we keep cache modest to avoid disk pressure.
|
||||
cache_dir ufs /var/spool/squid 100 16 256
|
||||
cache_mem 64 MB
|
||||
|
||||
# Logging — combined access log, rotated by logrotate.
|
||||
access_log /var/log/squid/access.log squid
|
||||
cache_log /var/log/squid/cache.log
|
||||
|
||||
# Standard safe defaults.
|
||||
acl localnet src 10.0.0.0/8
|
||||
acl localnet src 172.16.0.0/12
|
||||
acl localnet src 192.168.0.0/16
|
||||
acl localnet src fc00::/7
|
||||
acl localnet src fe80::/10
|
||||
|
||||
acl SSL_ports port 443
|
||||
acl Safe_ports port 80 # http
|
||||
acl Safe_ports port 21 # ftp
|
||||
acl Safe_ports port 443 # https
|
||||
acl Safe_ports port 70 # gopher
|
||||
acl Safe_ports port 210 # wais
|
||||
acl Safe_ports port 1025-65535 # unregistered
|
||||
acl Safe_ports port 280 # http-mgmt
|
||||
acl Safe_ports port 488 # gss-http
|
||||
acl Safe_ports port 591 # filemaker
|
||||
acl Safe_ports port 777 # multiling http
|
||||
acl CONNECT method CONNECT
|
||||
|
||||
# Operator-defined ACLs from /api/v1/forward-proxy-acls. Order is
|
||||
# priority desc — first http_access match wins.
|
||||
{{- range .ACLs}}
|
||||
{{- if .Active}}
|
||||
# {{if .Comment}}{{.Comment}}{{else}}{{.Name}} (priority {{.Priority}}){{end}}
|
||||
acl {{.Name}} {{.ACLType}} {{.Value}}
|
||||
http_access {{.Action}} {{.Name}}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
|
||||
# Built-in safety rules — same as squid's default; placed after
|
||||
# operator-rules so they act as fallbacks, not overrides.
|
||||
http_access deny !Safe_ports
|
||||
http_access deny CONNECT !SSL_ports
|
||||
http_access allow localhost manager
|
||||
http_access deny manager
|
||||
http_access allow localhost
|
||||
# Default-policy: only localnet may use the proxy if no operator-rule
|
||||
# explicitly allowed/denied. Stricter than squid's default to keep
|
||||
# the proxy from becoming an open relay.
|
||||
http_access allow localnet
|
||||
http_access deny all
|
||||
|
||||
# Hostnames + visible name — operator can override via squid.conf
|
||||
# drop-in if needed.
|
||||
visible_hostname edgeguard-proxy
|
||||
forwarded_for on
|
||||
@@ -1,20 +1,94 @@
|
||||
// Package squid will render /etc/edgeguard/squid/squid.conf in
|
||||
// Phase 3. v1 ships a stub returning configgen.ErrNotImplemented so
|
||||
// the orchestrator can list it without crashing.
|
||||
// Package squid renders /etc/edgeguard/squid/squid.conf from
|
||||
// forward_proxy_acls and reloads squid.service. Cache directory
|
||||
// + in-memory cache are hard-coded sensible defaults; the operator
|
||||
// scope is just "what can pass through the proxy".
|
||||
package squid
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
_ "embed"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"text/template"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgxpool"
|
||||
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/configgen"
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/models"
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/services/forwardproxy"
|
||||
)
|
||||
|
||||
type Generator struct{}
|
||||
const (
|
||||
confPath = "/etc/edgeguard/squid/squid.conf"
|
||||
listenPort = 3128
|
||||
)
|
||||
|
||||
func New() *Generator { return &Generator{} }
|
||||
//go:embed squid.cfg.tpl
|
||||
var cfgTpl string
|
||||
|
||||
var tpl = template.Must(template.New("squid").Parse(cfgTpl))
|
||||
|
||||
type View struct {
|
||||
ListenPort int
|
||||
ACLs []models.ForwardProxyACL
|
||||
}
|
||||
|
||||
type Generator struct {
|
||||
Pool *pgxpool.Pool
|
||||
Repo *forwardproxy.Repo
|
||||
SkipReload bool
|
||||
}
|
||||
|
||||
func New(pool *pgxpool.Pool) *Generator {
|
||||
return &Generator{Pool: pool, Repo: forwardproxy.New(pool)}
|
||||
}
|
||||
|
||||
func (g *Generator) Name() string { return "squid" }
|
||||
|
||||
func (g *Generator) Render(ctx context.Context) error {
|
||||
return configgen.ErrNotImplemented
|
||||
acls, err := g.Repo.List(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("list acls: %w", err)
|
||||
}
|
||||
view := View{ListenPort: listenPort, ACLs: acls}
|
||||
var body bytes.Buffer
|
||||
if err := tpl.Execute(&body, view); err != nil {
|
||||
return fmt.Errorf("template: %w", err)
|
||||
}
|
||||
if err := os.MkdirAll(filepath.Dir(confPath), 0o755); err != nil {
|
||||
return fmt.Errorf("mkdir: %w", err)
|
||||
}
|
||||
tmp := confPath + ".tmp"
|
||||
if err := os.WriteFile(tmp, body.Bytes(), 0o644); err != nil {
|
||||
return fmt.Errorf("write %s: %w", tmp, err)
|
||||
}
|
||||
if err := os.Rename(tmp, confPath); err != nil {
|
||||
return fmt.Errorf("rename: %w", err)
|
||||
}
|
||||
if err := ensureDistroSymlink(); err != nil {
|
||||
return fmt.Errorf("symlink: %w", err)
|
||||
}
|
||||
if g.SkipReload {
|
||||
return nil
|
||||
}
|
||||
return configgen.ReloadService("squid")
|
||||
}
|
||||
|
||||
// ensureDistroSymlink legt /etc/squid/squid.conf als Symlink auf
|
||||
// unsere managed conf an. Squid systemd-Unit liest die Distro-Datei;
|
||||
// ohne Symlink driftet der edgeguard-Renderer und der laufende
|
||||
// Daemon auseinander (gleicher Bug-Pattern wie wg-quick).
|
||||
// Existing real file (Distro-Default) wird nach .distro-bak verschoben,
|
||||
// nicht gelöscht.
|
||||
func ensureDistroSymlink() error {
|
||||
const link = "/etc/squid/squid.conf"
|
||||
if cur, err := os.Readlink(link); err == nil && cur == confPath {
|
||||
return nil
|
||||
}
|
||||
if _, err := os.Stat(link); err == nil {
|
||||
_ = os.Rename(link, link+".distro-bak")
|
||||
}
|
||||
return os.Symlink(confPath, link)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user