# bind to port 3128 and require PROXY protocol
http_port 0.0.0.0:3128 require-proxy-header

# only proxy, don't cache
cache deny all

# redirect all logs to /dev/stdout
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout

pid_filename /var/run/squid/squid.pid

acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl CONNECT method CONNECT
acl to_metadata dst 169.254.169.254
acl from_healthchecks src 130.211.0.0/22 35.191.0.0/16
acl psc src ${psc_cidr}

# read client CIDR ranges from clients.txt
acl clients src "/etc/squid/clients.txt"

# read allowed domains from allowlist.txt
acl allowlist dstdomain "/etc/squid/allowlist.txt"

# read denied domains from denylist.txt
acl denylist dstdomain "/etc/squid/denylist.txt"

# allow PROXY protocol from the PSC subnet
proxy_protocol_access allow psc

# allow PROXY protocol from the LB health checks
proxy_protocol_access allow from_healthchecks

# deny access to anything other than ports 80 and 443
http_access deny !safe_ports

# deny CONNECT if connection is not using ssl
http_access deny CONNECT !ssl_ports

# deny access to cachemgr
http_access deny manager

# deny access to localhost through the proxy
http_access deny to_localhost

# deny access to the local metadata server through the proxy
http_access deny to_metadata

# deny connection from allowed clients to any denied domains
http_access deny clients denylist

# allow connection from allowed clients only to the allowed domains
http_access allow clients allowlist

# deny everything else
http_access ${default_action} all