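# Squid configuration for VS Code development environment
# Provides precise domain-based filtering with wildcard support
#
# Policy summary (see the http_access block below for the authoritative order):
#   - Only clients matching container_clients may use the proxy.
#   - Requests are allowed only to the destination-domain ACLs listed here;
#     every other request, including every other CONNECT tunnel, is denied.
#   - Caching is disabled; Squid is used purely as an egress filter.

# Basic Squid settings
http_port 3128
# Disable transparent proxy mode for HTTPS to avoid SSL issues
# http_port 3129 intercept

# Standard ACL definitions
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 8080
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
# NOTE: localhost and localnet are defined but not referenced by any
# http_access rule in this file; container_clients is the only source ACL
# the access rules use.

# Container network access (allow proxy usage from container)
acl container_clients src 172.16.0.0/12
acl container_clients src 192.168.0.0/16
acl container_clients src 127.0.0.1/32

# GitHub domains
# ref: api.github.com/meta
acl github_domains dstdomain github.com
acl github_domains dstdomain api.github.com
acl github_domains dstdomain default.exp-tas.com
acl github_domains dstdomain .githubusercontent.com
acl github_domains dstdomain mavenregistryv2prod.blob.core.windows.net
acl github_domains dstdomain npmregistryv2prod.blob.core.windows.net
acl github_domains dstdomain nugetregistryv2prod.blob.core.windows.net
acl github_domains dstdomain rubygemsregistryv2prod.blob.core.windows.net
acl github_domains dstdomain .pkg.github.com
acl github_domains dstdomain .ghcr.io
acl github_domains dstdomain .githubassets.com

# VS Code and Microsoft services
# ref: https://code.visualstudio.com/docs/setup/network
acl vscode_domains dstdomain update.code.visualstudio.com
acl vscode_domains dstdomain code.visualstudio.com
acl vscode_domains dstdomain go.microsoft.com
acl vscode_domains dstdomain marketplace.visualstudio.com
acl vscode_domains dstdomain .gallery.vsassets.io
acl vscode_domains dstdomain .gallerycdn.vsassets.io
acl vscode_domains dstdomain rink.hockeyapp.net
acl vscode_domains dstdomain bingsettingssearch.trafficmanager.net
acl vscode_domains dstdomain vscode.search.windows.net
# raw.githubusercontent.com is already covered by .githubusercontent.com in
# github_domains; it is kept here so this list matches the upstream reference.
acl vscode_domains dstdomain raw.githubusercontent.com
acl vscode_domains dstdomain vsmarketplacebadges.dev
acl vscode_domains dstdomain .vscode-cdn.net
acl vscode_domains dstdomain vscode.download.prss.microsoft.com
acl vscode_domains dstdomain download.visualstudio.microsoft.com
acl vscode_domains dstdomain vscode-sync.trafficmanager.net
acl vscode_domains dstdomain vscode-sync-insiders.trafficmanager.net
acl vscode_domains dstdomain vscode.dev
acl vscode_domains dstdomain .vscode-unpkg.net
acl vscode_domains dstdomain default.exp-tas.com

# JetBrains services
# ref: https://youtrack.jetbrains.com/articles/SUPPORT-A-288/Whats-the-IP-whitelist-of-IntelliJ-IDE-in-case-of-firewall-policy-or-restricted-network
acl jetbrains_domains dstdomain www.jetbrains.com
acl jetbrains_domains dstdomain download.jetbrains.com
acl jetbrains_domains dstdomain download-cf.jetbrains.com
acl jetbrains_domains dstdomain download-cdn.jetbrains.com
acl jetbrains_domains dstdomain plugins.jetbrains.com
acl jetbrains_domains dstdomain account.jetbrains.com
acl jetbrains_domains dstdomain cloudconfig.jetbrains.com
acl jetbrains_domains dstdomain api.app.prod.grazie.aws.intellij.net
acl jetbrains_domains dstdomain api.jetbrains.ai

# Claude Code domains
# ref: https://github.com/anthropics/claude-code/blob/5faa082d6e4e5300485daafb94615fe133175055/.devcontainer/init-firewall.sh#L68-L72
acl claude_code_domains dstdomain registry.npmjs.org
acl claude_code_domains dstdomain console.anthropic.com
acl claude_code_domains dstdomain api.anthropic.com
acl claude_code_domains dstdomain sentry.io
acl claude_code_domains dstdomain statsig.anthropic.com
acl claude_code_domains dstdomain statsig.com

# CDN and infrastructure domains (wildcard)
# NOTE(review): a leading dot matches every subdomain, so these entries admit
# every tenant hosted on the CDN (any CloudFront distribution, any Fastly or
# Akamai-fronted property), not only the vendors named above. This makes the
# allowlist considerably broader than "precise domain-based filtering" implies.
# If this proxy is the egress boundary for the container, narrow these to the
# specific CDN hostnames the tools above actually contact.
acl cdn_domains dstdomain .akamai.net
acl cdn_domains dstdomain .akamaitechnologies.com
acl cdn_domains dstdomain .edgesuite.net
acl cdn_domains dstdomain .cloudfront.net
acl cdn_domains dstdomain .fastly.com

# Access rules (order matters!)
# Deny unsafe ports and methods first
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Skip localhost rule - use container_clients only for better control
# Allow container clients to access specific allowed domains only
http_access allow container_clients vscode_domains
http_access allow container_clients github_domains
http_access allow container_clients claude_code_domains
http_access allow container_clients cdn_domains
http_access allow container_clients jetbrains_domains
# The five allow rules above carry no method restriction, so they already admit
# CONNECT tunnels to the same domains (non-443 tunnels were denied earlier).
# The CONNECT rules below are therefore a redundant, explicit restatement of
# the HTTPS policy and are kept for readability.
http_access allow CONNECT container_clients SSL_ports vscode_domains
http_access allow CONNECT container_clients SSL_ports github_domains
http_access allow CONNECT container_clients SSL_ports claude_code_domains
http_access allow CONNECT container_clients SSL_ports cdn_domains
http_access allow CONNECT container_clients SSL_ports jetbrains_domains
# Removed: a "dns_servers" dst ACL for 8.8.8.8/8.8.4.4/1.1.1.1/1.0.0.1 and an
# "http_access allow container_clients dns_servers" rule. Squid is an HTTP
# proxy and does not relay DNS queries from clients; name resolution for
# proxied requests is performed by Squid itself using dns_nameservers below.
# The rule only permitted HTTP requests and port-443 CONNECT tunnels to those
# resolver IPs, which no client needs and which opened an egress path that is
# not governed by the domain allowlist.
# Deny all other CONNECT requests (for HTTPS)
http_access deny CONNECT
# Deny all other requests (must be last rule)
http_access deny all

# Disable caching to avoid issues with dynamic content
cache deny all

# Error page customization
error_directory /usr/share/squid/errors/English

# Logging configuration
logfile_rotate 10
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
netdb_filename stdio:/var/log/squid/netdb.state

# Performance tuning for development environment
workers 1
cpu_affinity_map process_numbers=1 cores=1

# Memory settings
cache_mem 64 MB
maximum_object_size_in_memory 1 MB

# DNS settings
# These resolvers are used by Squid itself to resolve proxied hostnames.
dns_v4_first on
dns_nameservers 8.8.8.8 8.8.4.4 1.1.1.1
dns_timeout 10 seconds
connect_timeout 30 seconds
# Disable negative DNS caching to prevent 500 errors from failed initial connections
negative_dns_ttl 0 seconds
negative_ttl 0 seconds

# Remaining defaults
coredump_dir /var/spool/squid
# Standard refresh patterns, kept for completeness; with "cache deny all"
# above nothing is stored, so they are not expected to be exercised.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320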