e7ba68790b
New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site.

- Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists.
- Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
- Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache.
- splice-domains.txt passthrough for pinned/banking domains.
- Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored.
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.
42 lines
1.6 KiB
YAML
```yaml
#cloud-config
#
# Squid SSL-bump caching proxy — harden SSH, then deploy, on a fresh host.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. Unlike the web stacks this is a FORWARD proxy: no public
# DNS record or Let's Encrypt cert is needed, but clients must be able to reach
# TRUSTED_CIDR and must trust the CA this generates on first boot.
#
# Only deploy this on networks/devices you own and are authorized to inspect.

packages:
  - git

runcmd:
  - hostnamectl set-hostname squid || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HARDEN_SSH=1   # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=    # optional: whitelist your client IP in sshguard
    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Harden SSH first (PQ KEX, key-only auth, sshguard + deny-by-default
    # firewall). The firewall it installs is what deploy.sh registers the proxy
    # port with.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi

    # Deploy the proxy. Set TRUSTED_CIDR to the network allowed to use it, and
    # BIND_ADDR to a trusted interface (a published Docker port bypasses the
    # host firewall, so this is the real exposure control).
    TRUSTED_CIDR=100.64.0.0/10 \
    BIND_ADDR=0.0.0.0 \
    SKIP_PROMPTS=1 \
      bash deployments/squid/deploy.sh
```
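The runcmd comment above makes the point that `TRUSTED_CIDR` and `BIND_ADDR` are the two exposure controls for this proxy: the `http_access` ACL decides who may use it, and the bind address decides which interfaces Docker publishes the port on (a published port is inserted ahead of the host firewall rules, so a `0.0.0.0` bind relies on the ACL alone). The preflight below classifies a candidate pair before `deploy.sh` is called. It is an added example, not code from the automations repository; the function names (`ip4_to_int`, `cidr_contains`, `classify_exposure`, `squid_preflight`) and the return-code convention (0 clean, 2 warning, 1 refuse) are assumptions of this example, and the addresses in the comments are constructed.

```shell
#!/bin/sh
# Preflight for the TRUSTED_CIDR / BIND_ADDR pair handed to deploy.sh.
# Added example (not part of the automations repo); all names are assumed.

# ip4_to_int DOTTED-QUAD: print the address as a 32-bit integer, or fail.
ip4_to_int() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # non-digits, empty, or empty octet
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                  # split on '.' into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# cidr_contains NET/PREFIX ADDR: succeed when ADDR is inside the network.
cidr_contains() {
    net=${1%/*}; prefix=${1#*/}
    [ "$net" != "$1" ] || return 1             # no '/' at all
    case "$prefix" in *[!0-9]*|'') return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    ni=$(ip4_to_int "$net") || return 1
    ai=$(ip4_to_int "$2") || return 1
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( ni & mask )) -eq $(( ai & mask )) ]
}

# classify_exposure TRUSTED_CIDR BIND_ADDR: print one of
#   invalid  - either value is malformed
#   open     - TRUSTED_CIDR is 0.0.0.0/0: http_access would admit anyone
#   wildcard - BIND_ADDR is 0.0.0.0: port on every interface, ACL is the only gate
#   pinned   - BIND_ADDR is an address inside TRUSTED_CIDR (the intended shape)
#   foreign  - BIND_ADDR is a specific address outside TRUSTED_CIDR
classify_exposure() {
    cidr=$1; bind=$2
    if ! cidr_contains "$cidr" "${cidr%/*}" || ! ip4_to_int "$bind" >/dev/null; then
        echo invalid; return 0
    fi
    case "$cidr" in */0) echo open; return 0 ;; esac
    if [ "$bind" = 0.0.0.0 ]; then
        echo wildcard
    elif cidr_contains "$cidr" "$bind"; then
        echo pinned
    else
        echo foreign
    fi
}

# squid_preflight TRUSTED_CIDR BIND_ADDR: 0 = clean, 2 = deploy with a warning,
# 1 = refuse. Reasons go to stderr so the exit code is all a caller needs.
squid_preflight() {
    class=$(classify_exposure "$1" "$2")
    case "$class" in
        invalid)  echo "preflight: malformed TRUSTED_CIDR=$1 or BIND_ADDR=$2" >&2; return 1 ;;
        open)     echo "preflight: TRUSTED_CIDR=$1 would make this an open proxy" >&2; return 1 ;;
        wildcard) echo "preflight: BIND_ADDR=0.0.0.0 publishes the port on every interface; only http_access limits who can use it" >&2; return 2 ;;
        foreign)  echo "preflight: BIND_ADDR=$2 is not inside TRUSTED_CIDR=$1; check that clients can reach it" >&2; return 2 ;;
        pinned)   return 0 ;;
    esac
}

# When run as a script with two arguments, check them; e.g.
#   sh preflight.sh 100.64.0.0/10 100.64.0.5
if [ $# -eq 2 ]; then
    squid_preflight "$1" "$2"
fi
```

With the values in the cloud-init above (`TRUSTED_CIDR=100.64.0.0/10`, `BIND_ADDR=0.0.0.0`) the result is `wildcard`, which is acceptable when the host's only other interfaces are themselves firewalled, but a bind on the host's own 100.64.0.0/10 address turns the Docker-bypasses-the-firewall caveat into a non-issue, which is why `pinned` is the only class that exits clean.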