e7ba68790b
New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site. - Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists. - Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED). - Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache. - splice-domains.txt passthrough for pinned/banking domains. - Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored. - Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
15 lines
568 B
Plaintext
15 lines
568 B
Plaintext
# cache-domains.regex
|
|
#
|
|
# OPTIONAL. dstdom_regex patterns for glob-style hostnames that the leading-dot
|
|
# matching in cache-domains.txt can't express (e.g. a wildcard INSIDE a label).
|
|
# One POSIX extended regex per line, matched case-insensitively against the
|
|
# request hostname. Full-line "#" comments only.
|
|
#
|
|
# Leave this file with comments only to disable it -- the entrypoint skips it
|
|
# when there are no active entries (an empty ACL would otherwise error).
|
|
#
|
|
# Examples (uncomment / adapt):
|
|
# ^mirror[0-9]+\.example\.com$
|
|
# ^cdn-.*\.fastly\.net$
|
|
# ^.*\.pkg\.dev$
|