feat: Squid Forward-Proxy — vollständig (Renderer + Handler + UI)
Stub raus, vollständig implementiert: * internal/services/forwardproxy: CRUD-Repo gegen forward_proxy_acls (priority desc, action allow|deny). * internal/handlers/forwardproxy.go: REST /api/v1/forward-proxy/acls mit Validation (acl_type-Whitelist verhindert Squid-Reload-Crash bei Tippfehlern). Auto-Reload nach jeder Mutation. * internal/squid/squid.cfg.tpl + squid.go: Renderer schreibt /etc/edgeguard/squid/squid.conf, atomic + Symlink von /etc/squid/squid.conf (Squid liest Distro-Pfad — gleicher Pattern-Fix wie wg-quick). cache_dir 100MB, cache_mem 64MB, http_port 3128. Default-Policy: nur localnet (10/8, 172.16/12, 192.168/16) — verhindert Open-Relay, falls Operator keine ACLs anlegt. * main.go: forwardproxy-Repo + squid-Reloader instanziiert + Handler registriert. * render.go: squid.New() bekommt Pool (war () vorher, Stub-Signatur). * postinst sudoers: edgeguard darf systemctl reload squid.service. * Frontend /forward-proxy: PageHeader + DataTable + ACL-Modal mit acl_type-Dropdown (13 Squid-Vokabular-Typen), action-Select, Priority. Sidebar-Eintrag unter Security. * i18n DE/EN für fwd.* Block + nav.forwardProxy. Verified end-to-end: ACL-Insert via SQL, render → squid reload → curl -x http://127.0.0.1:3128 http://example.com/ → 200. Version 1.0.26. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
@@ -1,20 +1,94 @@
|
||||
// Package squid will render /etc/edgeguard/squid/squid.conf in
|
||||
// Phase 3. v1 ships a stub returning configgen.ErrNotImplemented so
|
||||
// the orchestrator can list it without crashing.
|
||||
// Package squid renders /etc/edgeguard/squid/squid.conf from
|
||||
// forward_proxy_acls and reloads squid.service. Cache directory
|
||||
// + in-memory cache are hard-coded sensible defaults; the operator
|
||||
// scope is just "what can pass through the proxy".
|
||||
package squid
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
_ "embed"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"text/template"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgxpool"
|
||||
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/configgen"
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/models"
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/services/forwardproxy"
|
||||
)
|
||||
|
||||
type Generator struct{}
|
||||
const (
|
||||
confPath = "/etc/edgeguard/squid/squid.conf"
|
||||
listenPort = 3128
|
||||
)
|
||||
|
||||
func New() *Generator { return &Generator{} }
|
||||
//go:embed squid.cfg.tpl
|
||||
var cfgTpl string
|
||||
|
||||
var tpl = template.Must(template.New("squid").Parse(cfgTpl))
|
||||
|
||||
type View struct {
|
||||
ListenPort int
|
||||
ACLs []models.ForwardProxyACL
|
||||
}
|
||||
|
||||
type Generator struct {
|
||||
Pool *pgxpool.Pool
|
||||
Repo *forwardproxy.Repo
|
||||
SkipReload bool
|
||||
}
|
||||
|
||||
func New(pool *pgxpool.Pool) *Generator {
|
||||
return &Generator{Pool: pool, Repo: forwardproxy.New(pool)}
|
||||
}
|
||||
|
||||
func (g *Generator) Name() string { return "squid" }
|
||||
|
||||
func (g *Generator) Render(ctx context.Context) error {
|
||||
return configgen.ErrNotImplemented
|
||||
acls, err := g.Repo.List(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("list acls: %w", err)
|
||||
}
|
||||
view := View{ListenPort: listenPort, ACLs: acls}
|
||||
var body bytes.Buffer
|
||||
if err := tpl.Execute(&body, view); err != nil {
|
||||
return fmt.Errorf("template: %w", err)
|
||||
}
|
||||
if err := os.MkdirAll(filepath.Dir(confPath), 0o755); err != nil {
|
||||
return fmt.Errorf("mkdir: %w", err)
|
||||
}
|
||||
tmp := confPath + ".tmp"
|
||||
if err := os.WriteFile(tmp, body.Bytes(), 0o644); err != nil {
|
||||
return fmt.Errorf("write %s: %w", tmp, err)
|
||||
}
|
||||
if err := os.Rename(tmp, confPath); err != nil {
|
||||
return fmt.Errorf("rename: %w", err)
|
||||
}
|
||||
if err := ensureDistroSymlink(); err != nil {
|
||||
return fmt.Errorf("symlink: %w", err)
|
||||
}
|
||||
if g.SkipReload {
|
||||
return nil
|
||||
}
|
||||
return configgen.ReloadService("squid")
|
||||
}
|
||||
|
||||
// ensureDistroSymlink legt /etc/squid/squid.conf als Symlink auf
|
||||
// unsere managed conf an. Squid systemd-Unit liest die Distro-Datei;
|
||||
// ohne Symlink driftet der edgeguard-Renderer und der laufende
|
||||
// Daemon auseinander (gleicher Bug-Pattern wie wg-quick).
|
||||
// Existing real file (Distro-Default) wird nach .distro-bak verschoben,
|
||||
// nicht gelöscht.
|
||||
func ensureDistroSymlink() error {
|
||||
const link = "/etc/squid/squid.conf"
|
||||
if cur, err := os.Readlink(link); err == nil && cur == confPath {
|
||||
return nil
|
||||
}
|
||||
if _, err := os.Stat(link); err == nil {
|
||||
_ = os.Rename(link, link+".distro-bak")
|
||||
}
|
||||
return os.Symlink(confPath, link)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user