tsk-ai 0.10.6

tsk-tsk: keeping your agents out of trouble with sandboxed coding agent automation
# Squid configuration for TSK proxy

# Listen on port 3128
# NOTE(review): no bind address is given, so Squid listens on every interface
# of the proxy host/container. Confirm that only the sandboxed containers can
# reach this port.
http_port 3128

# Disable caching
# Every request is forwarded to the origin; nothing fetched through the proxy
# is stored and replayed to a later request.
cache deny all

# Port and method ACLs, used by the http_access rules further down to limit
# which destination ports may be requested (Safe_ports) and which may be
# tunnelled with CONNECT (SSL_ports).
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 443		# https
acl CONNECT method CONNECT

# Define allowed domains
# This is the egress allowlist: allowed_domains is the only ACL that the
# "http_access allow" rule in this file accepts. A dstdomain entry without a
# leading dot matches that exact host name only; an entry with a leading dot
# also matches every subdomain. Keep entries as narrow as the tooling permits,
# since every host listed here is a destination the sandbox can send data to.
# API domains
acl allowed_domains dstdomain api.anthropic.com
acl allowed_domains dstdomain platform.claude.com
acl allowed_domains dstdomain sentry.io
acl allowed_domains dstdomain statsig.com
acl allowed_domains dstdomain api.openai.com

# Python (pip/PyPI/uv)
acl allowed_domains dstdomain pypi.org
acl allowed_domains dstdomain pypi.python.org
acl allowed_domains dstdomain files.pythonhosted.org
acl allowed_domains dstdomain astral.sh

# Rust (cargo)
acl allowed_domains dstdomain crates.io
acl allowed_domains dstdomain index.crates.io
acl allowed_domains dstdomain static.crates.io

# Go
acl allowed_domains dstdomain proxy.golang.org
acl allowed_domains dstdomain sum.golang.org
acl allowed_domains dstdomain pkg.go.dev
acl allowed_domains dstdomain golang.org
acl allowed_domains dstdomain google.golang.org

# Java (Maven/Gradle)
acl allowed_domains dstdomain repo.maven.apache.org
acl allowed_domains dstdomain repo1.maven.org
acl allowed_domains dstdomain central.sonatype.com
acl allowed_domains dstdomain plugins.gradle.org
acl allowed_domains dstdomain services.gradle.org
acl allowed_domains dstdomain downloads.gradle.org
acl allowed_domains dstdomain downloads.gradle-dn.com
# NOTE(review): JCenter has been sunset by its operator; confirm a build still
# needs this entry, otherwise remove it to keep the allowlist minimal.
acl allowed_domains dstdomain jcenter.bintray.com

# npm (Node.js)
acl allowed_domains dstdomain registry.npmjs.org
acl allowed_domains dstdomain nodejs.org
acl allowed_domains dstdomain npmjs.com

# OS package repositories (needed for Podman image builds inside TSK containers)
acl allowed_domains dstdomain ports.ubuntu.com
acl allowed_domains dstdomain archive.ubuntu.com
acl allowed_domains dstdomain security.ubuntu.com

# Docker Hub (container registry)
acl allowed_domains dstdomain registry-1.docker.io
acl allowed_domains dstdomain auth.docker.io
acl allowed_domains dstdomain production.cloudflare.docker.com
# NOTE(review): this is the only wildcard entry in the list. The leading dot
# admits every host under r2.cloudflarestorage.com, i.e. general-purpose object
# storage rather than only the hosts that serve Docker Hub layers. Treat it as
# an open storage destination when assessing data egress, and narrow it if the
# registry's blob hosts can be pinned.
acl allowed_domains dstdomain .r2.cloudflarestorage.com

# Stack installer domains (needed for Docker image builds during integration tests)
# The proxy only restricts where installers are fetched from; it does not
# verify what is downloaded. Integrity checks (checksums, signatures) have to
# happen in the build steps that consume these downloads.
# Rust: rustup installer and binary downloads
acl allowed_domains dstdomain sh.rustup.rs
acl allowed_domains dstdomain static.rust-lang.org
# Go: binary tarball download (go.dev/dl redirects to dl.google.com)
acl allowed_domains dstdomain go.dev
acl allowed_domains dstdomain dl.google.com
# Node.js: NodeSource apt repository
acl allowed_domains dstdomain deb.nodesource.com
# Lua: Neovim PPA, Launchpad API, GPG key server, and LuaRocks
acl allowed_domains dstdomain ppa.launchpad.net
acl allowed_domains dstdomain ppa.launchpadcontent.net
acl allowed_domains dstdomain api.launchpad.net
acl allowed_domains dstdomain keyserver.ubuntu.com
acl allowed_domains dstdomain luarocks.org
# GitHub (uv installer redirect from astral.sh, archive downloads)
# NOTE(review): these hosts serve content for every GitHub user and repository,
# and the proxy filters on host name only, so the entries are broader than the
# installer and archive downloads they were added for. Account for that in the
# sandbox threat model (e.g. keep credentials out of the container and review
# access.log for unexpected GitHub requests).
acl allowed_domains dstdomain github.com
acl allowed_domains dstdomain codeload.github.com
acl allowed_domains dstdomain objects.githubusercontent.com
acl allowed_domains dstdomain release-assets.githubusercontent.com

# Access rules. Squid evaluates http_access lines top to bottom and the first
# matching line decides, so the order below is significant: the two port
# checks run before the allowlist, and the final "deny all" makes the policy
# default-deny.

# Deny access to non-safe ports
# (anything other than 80 and 443, even on an allowed domain)
http_access deny !Safe_ports

# Deny CONNECT to non-SSL ports
# (tunnels may only be opened to port 443)
http_access deny CONNECT !SSL_ports

# Allow access only to whitelisted domains
# For HTTPS the proxy sees only the host and port of the CONNECT request; no
# TLS inspection (ssl_bump) is configured in this file as shown, so the
# allowlist constrains which hosts can be named as the destination, not the
# requests carried inside the tunnel.
http_access allow allowed_domains

# Deny all other access
http_access deny all

# Don't show Squid version
# (suppresses the version string in HTTP headers and generated error pages)
httpd_suppress_version_string on

# Logging
# access.log records each client request together with the proxy's decision,
# so requests rejected by the rules above (TCP_DENIED entries) show up here.
# It is the main audit trail for what the sandbox tried to reach.
# NOTE(review): confirm these files are persisted or collected outside the
# proxy container, otherwise the trail is lost when the container is removed.
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# Error pages
error_directory /usr/share/squid/errors/en

# PID file location (writable by squid user)
pid_filename /var/run/squid/squid.pid

# Privacy: do not disclose the client's address to upstream servers.
# With "off", Squid sends "X-Forwarded-For: unknown" instead of the address of
# the container that made the request.
forwarded_for off
# Note: via off triggers a warning, but we keep it for privacy