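# Generated by edgeguard — do not edit by hand.
# Source: internal/squid/squid.go (template: squid.cfg.tpl).
# Re-generate via `edgeguard-ctl render-config --only=squid`.

http_port {{.ListenPort}}

# Standard cache directory + small in-memory cache. Forward proxy
# isn't a CDN — we keep cache modest to avoid disk pressure.
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 64 MB

# Logging — combined access log, rotated by logrotate.
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

# Standard safe defaults.
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Built-in safety rules — same set as squid's default. They are evaluated
# BEFORE the operator rules: http_access is first-match-wins, so placing
# them afterwards (as fallbacks) would let a single operator "allow"
# re-open unsafe ports, CONNECT tunnels to non-TLS ports, or the cache
# manager. Nothing an operator can express via the API should be able to
# override these.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Operator-defined ACLs from /api/v1/forward-proxy-acls. Order is
# priority desc — first http_access match wins.
# NOTE(review): .Name, .ACLType, .Value and .Comment are interpolated
# unescaped. A newline in any of them would terminate the directive and
# start a new one, and a '#' in .Value would truncate the acl line.
# Confirm that the Go side validates these fields — that code is not
# visible from this template.
{{- range .ACLs}}
{{- if .Active}}
# {{if .Comment}}{{.Comment}}{{else}}{{.Name}} (priority {{.Priority}}){{end}}
acl {{.Name}} {{.ACLType}} {{.Value}}
http_access {{.Action}} {{.Name}}
{{- end}}
{{- end}}

# Local requests that no operator rule decided.
http_access allow localhost

# Default-policy: only localnet may use the proxy if no operator-rule
# explicitly allowed/denied. Stricter than squid's default to keep
# the proxy from becoming an open relay.
http_access allow localnet
http_access deny all

# Hostnames + visible name — operator can override via squid.conf
# drop-in if needed.
visible_hostname edgeguard-proxy

# "on" forwards the real client address to origin servers in
# X-Forwarded-For. Switch to "delete" or "transparent" if client
# addresses must not be exposed upstream.
forwarded_for on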