projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1324a34f11168edb08e1453b215a7bfcbffae33b
edgeguard-native/internal/squid/squid.cfg.tpl
Debian 72269f5b7c feat: Squid Forward-Proxy — vollständig (Renderer + Handler + UI) 
Stub raus, vollständig implementiert:

* internal/services/forwardproxy: CRUD-Repo gegen forward_proxy_acls
  (priority desc, action allow|deny).
* internal/handlers/forwardproxy.go: REST /api/v1/forward-proxy/acls
  mit Validation (acl_type-Whitelist verhindert Squid-Reload-Crash
  bei Tippfehlern). Auto-Reload nach jeder Mutation.
* internal/squid/squid.cfg.tpl + squid.go: Renderer schreibt
  /etc/edgeguard/squid/squid.conf, atomic + Symlink von
  /etc/squid/squid.conf (Squid liest Distro-Pfad — gleicher
  Pattern-Fix wie wg-quick). cache_dir 100MB, cache_mem 64MB,
  http_port 3128. Default-Policy: nur localnet (10/8, 172.16/12,
  192.168/16) — verhindert Open-Relay, falls Operator keine ACLs
  anlegt.
* main.go: forwardproxy-Repo + squid-Reloader instanziiert + Handler
  registriert.
* render.go: squid.New() bekommt Pool (war () vorher, Stub-Signatur).
* postinst sudoers: edgeguard darf systemctl reload squid.service.
* Frontend /forward-proxy: PageHeader + DataTable + ACL-Modal mit
  acl_type-Dropdown (13 Squid-Vokabular-Typen), action-Select,
  Priority. Sidebar-Eintrag unter Security.
* i18n DE/EN für fwd.* Block + nav.forwardProxy.

Verified end-to-end: ACL-Insert via SQL, render → squid reload →
curl -x http://127.0.0.1:3128 http://example.com/ → 200.

Version 1.0.26.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 00:27:05 +02:00

63 lines
2.1 KiB
Smarty
Raw Blame History

# Generated by edgeguard — do not edit by hand.
# Source: internal/squid/squid.go (template: squid.cfg.tpl).
# Re-generate via `edgeguard-ctl render-config --only=squid`.
http_port {{.ListenPort}}
# Standard cache directory + small in-memory cache. Forward proxy
# isn't a CDN — we keep cache modest to avoid disk pressure.
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 64 MB
# Logging — combined access log, rotated by logrotate.
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
# Standard safe defaults.
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Operator-defined ACLs from /api/v1/forward-proxy-acls. Order is
# priority desc — first http_access match wins.
{{- range .ACLs}}
{{- if .Active}}
# {{if .Comment}}{{.Comment}}{{else}}{{.Name}} (priority {{.Priority}}){{end}}
acl {{.Name}} {{.ACLType}} {{.Value}}
http_access {{.Action}} {{.Name}}
{{- end}}
{{- end}}
# Built-in safety rules — same as squid's default; placed after
# operator-rules so they act as fallbacks, not overrides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
# Default-policy: only localnet may use the proxy if no operator-rule
# explicitly allowed/denied. Stricter than squid's default to keep
# the proxy from becoming an open relay.
http_access allow localnet
http_access deny all
# Hostnames + visible name — operator can override via squid.conf
# drop-in if needed.
visible_hostname edgeguard-proxy
forwarded_for on
Reference in New Issue View Git Blame Copy Permalink