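# ThreeGate Squid proxy configuration (template)
#
# Security goals:
# - HTTPS only
# - CONNECT only to port 443
# - Allowlisted domains only
# - No uploads / no POST enforcement at proxy layer (HTTPS hides method),
#   but we reduce risk by domain allowlisting + topology constraints.
#
# This config is intentionally minimal. Extend carefully.
#
# Review notes:
# - Nothing below restricts WHICH clients may use the proxy; that is
#   delegated entirely to network topology. If the listener is reachable
#   from anything other than the intended clients, bind http_port to a
#   specific address and/or add a `src` ACL in front of the allow rule.
# - Only the CONNECT target hostname is policed. Without ssl_bump Squid
#   never sees the TLS SNI or the HTTP request inside the tunnel, so the
#   allowlist is a hostname policy, not a content or method policy.

http_port 3128

# Do not expose proxy identity
via off
forwarded_for delete
request_header_access X-Forwarded-For deny all
request_header_access Via deny all

# Logging (keep for audit)
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log

# Safe ports
acl SSL_ports port 443
acl CONNECT method CONNECT

# CONNECT targets written as an IP literal instead of a name.
# dstdomain cannot compare a literal address against the name allowlist
# directly; per Squid's dstdomain documentation it then falls back to a
# reverse DNS lookup of that address. A PTR record is set by whoever
# controls the IP, so a literal target must never be able to satisfy
# allowed_domains. Hostnames can contain neither a bare dotted-quad nor
# a ':' character, so these two patterns catch IPv4 and IPv6 literals.
acl ip_literal dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl ip_literal dstdom_regex :

# ------------------------------------------------------------
# Domain allowlist
#
# dstdomain matches the hostname from the CONNECT request line; a leading
# dot matches the domain itself and every subdomain.
# Keep this list narrow and auditable.
# ------------------------------------------------------------
acl allowed_domains dstdomain .arxiv.org
acl allowed_domains dstdomain .ncbi.nlm.nih.gov
# Already covered by .ncbi.nlm.nih.gov above (Squid warns about the
# overlapping entry at startup); kept so the intent is visible to auditors.
acl allowed_domains dstdomain .pubmed.ncbi.nlm.nih.gov
acl allowed_domains dstdomain .europepmc.org
acl allowed_domains dstdomain .crossref.org
acl allowed_domains dstdomain .doi.org

# Optional: add publishers you actually use (be cautious)
# acl allowed_domains dstdomain .journals.uchicago.edu

# ------------------------------------------------------------
# Rules (first match wins; order matters)
# ------------------------------------------------------------

# Deny anything not using CONNECT to 443
http_access deny !CONNECT
http_access deny CONNECT !SSL_ports

# Deny IP-literal targets before the allowlist is consulted, so the
# reverse-lookup fallback described above can never grant access.
http_access deny CONNECT ip_literal

# Allow only allowlisted domains
http_access allow CONNECT allowed_domains

# Default deny
http_access deny all

# Cache settings (minimal)
cache deny all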