feat: Squid Forward-Proxy — vollständig (Renderer + Handler + UI)

Stub raus, vollständig implementiert: * internal/services/forwardproxy: CRUD-Repo gegen forward_proxy_acls (priority desc, action allow|deny). * internal/handlers/forwardproxy.go: REST /api/v1/forward-proxy/acls mit Validation (acl_type-Whitelist verhindert Squid-Reload-Crash bei Tippfehlern). Auto-Reload nach jeder Mutation. * internal/squid/squid.cfg.tpl + squid.go: Renderer schreibt /etc/edgeguard/squid/squid.conf, atomic + Symlink von /etc/squid/squid.conf (Squid liest Distro-Pfad — gleicher Pattern-Fix wie wg-quick). cache_dir 100MB, cache_mem 64MB, http_port 3128. Default-Policy: nur localnet (10/8, 172.16/12, 192.168/16) — verhindert Open-Relay, falls Operator keine ACLs anlegt. * main.go: forwardproxy-Repo + squid-Reloader instanziiert + Handler registriert. * render.go: squid.New() bekommt Pool (war () vorher, Stub-Signatur). * postinst sudoers: edgeguard darf systemctl reload squid.service. * Frontend /forward-proxy: PageHeader + DataTable + ACL-Modal mit acl_type-Dropdown (13 Squid-Vokabular-Typen), action-Select, Priority. Sidebar-Eintrag unter Security. * i18n DE/EN für fwd.* Block + nav.forwardProxy. Verified end-to-end: ACL-Insert via SQL, render → squid reload → curl -x http://127.0.0.1:3128 http://example.com/ → 200. Version 1.0.26. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 00:27:05 +02:00
parent e379162a7f
commit 72269f5b7c
16 changed files with 677 additions and 15 deletions
--- a/internal/squid/squid.cfg.tpl
+++ b/internal/squid/squid.cfg.tpl
@@ -0,0 +1,62 @@
+# Generated by edgeguard — do not edit by hand.
+# Source: internal/squid/squid.go (template: squid.cfg.tpl).
+# Re-generate via `edgeguard-ctl render-config --only=squid`.
+
+http_port {{.ListenPort}}
+
+# Standard cache directory + small in-memory cache. Forward proxy
+# isn't a CDN — we keep cache modest to avoid disk pressure.
+cache_dir ufs /var/spool/squid 100 16 256
+cache_mem 64 MB
+
+# Logging — combined access log, rotated by logrotate.
+access_log /var/log/squid/access.log squid
+cache_log  /var/log/squid/cache.log
+
+# Standard safe defaults.
+acl localnet src 10.0.0.0/8
+acl localnet src 172.16.0.0/12
+acl localnet src 192.168.0.0/16
+acl localnet src fc00::/7
+acl localnet src fe80::/10
+
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 1025-65535  # unregistered
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl CONNECT method CONNECT
+
+# Operator-defined ACLs from /api/v1/forward-proxy-acls. Order is
+# priority desc — first http_access match wins.
+{{- range .ACLs}}
+{{- if .Active}}
+# {{if .Comment}}{{.Comment}}{{else}}{{.Name}} (priority {{.Priority}}){{end}}
+acl {{.Name}} {{.ACLType}} {{.Value}}
+http_access {{.Action}} {{.Name}}
+{{- end}}
+{{- end}}
+
+# Built-in safety rules — same as squid's default; placed after
+# operator-rules so they act as fallbacks, not overrides.
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+http_access allow localhost
+# Default-policy: only localnet may use the proxy if no operator-rule
+# explicitly allowed/denied. Stricter than squid's default to keep
+# the proxy from becoming an open relay.
+http_access allow localnet
+http_access deny all
+
+# Hostnames + visible name — operator can override via squid.conf
+# drop-in if needed.
+visible_hostname edgeguard-proxy
+forwarded_for on