acl openqa src 10.3.174.21-10.3.174.64
acl batcave src 10.3.163.35
acl proxies src 10.128.4.1

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from openqa
http_access allow openqa
http_access allow batcave

# Only cache flathub
acl cacheDomain dstdomain dl.flathub.org
cache deny !cacheDomain

# And finally deny all other access to this proxy
http_access deny all

# Trust proxies to have correct X-Forwarded-For
follow_x_forwarded_for allow proxies

http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/pki/squid/ca/ca.crt tls-key=/etc/pki/squid/key/ca.key tls-dh=prime256v1:/etc/pki/squid/dhparam/dh.pem

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslcrtd_children 5
ssl_bump server-first all
ssl_bump stare all
sslproxy_cert_error deny all

# Uncomment and adjust the following to add a disk cache directory.
maximum_object_size 6 GB
cache_dir ufs /var/spool/squid 20000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern -i dl.flathub.org\/.*   1440    20%     10080 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern .  0 20% 4320

pid_filename none

# <Client IP> <Username> [<Local Time>] "<Request Method> <Request URL> HTTP/<Protocol Version> <Response Status Code> \
# <Sent reply size (with hdrs)> <Referer> <User Agent> <Squid Request Status>:<Squid Hierarchy Status>
# logformat combined %>a %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/squid.log squid
access_log /var/log/squid/access.log combined