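# ThreeGate Squid proxy configuration (template)
#
# Security goals:
# - HTTPS only
# - CONNECT only to port 443
# - Allowlisted domains only
# - No uploads / no POST enforcement at proxy layer (HTTPS hides method),
#   but we reduce risk by domain allowlisting + topology constraints.
#
# This config is intentionally minimal. Extend carefully.
#
# Evaluation model reminder: http_access lines are checked top to bottom
# and the first matching line wins, so the order of the Rules section
# below is load-bearing.

# Listening port. With no address given this binds every interface; the
# template relies on topology constraints to limit who can reach it. If the
# deployment does not already isolate the proxy, bind it explicitly, e.g.
# "http_port <PROXY_BIND_ADDRESS>:3128" (placeholder address).
http_port 3128

# Do not expose proxy identity
via off
forwarded_for delete
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
# Also keep the Squid version out of generated error pages / headers.
httpd_suppress_version_string on

# Logging (keep for audit)
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log

# Safe ports
acl SSL_ports port 443
acl CONNECT method CONNECT

# ------------------------------------------------------------
# Domain allowlist
#
# dstdomain is matched against the hostname in the CONNECT request line;
# without ssl_bump Squid never sees the TLS SNI, so the CONNECT target is
# the only thing this list constrains.
#
# The -n flag disables reverse DNS lookups. Without it, a CONNECT to a bare
# IP address would be resolved to its PTR name and that name matched
# against this list -- and PTR records are controlled by whoever owns the
# address range, not by the allowlisted site. With -n, an IP-literal
# CONNECT simply does not match and falls through to the final deny.
#
# Keep this list narrow and auditable.
# ------------------------------------------------------------
acl allowed_domains dstdomain -n .arxiv.org
acl allowed_domains dstdomain -n .ncbi.nlm.nih.gov
# .pubmed.ncbi.nlm.nih.gov is already covered by .ncbi.nlm.nih.gov above.
# Squid warns about overlapping dstdomain entries and drops the narrower
# one at startup, so it is intentionally not listed a second time.
acl allowed_domains dstdomain -n .europepmc.org
acl allowed_domains dstdomain -n .crossref.org
acl allowed_domains dstdomain -n .doi.org

# Optional: add publishers you actually use (be cautious)
# acl allowed_domains dstdomain -n .journals.uchicago.edu

# ------------------------------------------------------------
# Rules
# ------------------------------------------------------------

# Deny anything not using CONNECT to 443
http_access deny !CONNECT
http_access deny CONNECT !SSL_ports

# Allow only allowlisted domains
http_access allow CONNECT allowed_domains

# Default deny
http_access deny all

# Cache settings (minimal)
cache deny all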