hive-apps/projects/services/values/proxy.yaml

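---
# Helm values for a Squid forward proxy.
# NOTE(review): the key nesting assumes the bjw-s common library chart
# (see the include in persistence.config.name) - confirm against the
# chart's values schema.

image:
  repository: lib42/squid
  # NOTE(review): a mutable tag combined with pullPolicy Always means the
  # image that runs can change on any pod restart without a change in this
  # repository. Prefer a fixed version tag or an image digest.
  tag: "latest"
  pullPolicy: Always

configMaps:
  config:
    enabled: true
    data:
      # Mounted read-only at /etc/squid/squid.conf (see persistence.config).
      squid.conf: |
        acl SSL_ports port 443
        acl Safe_ports port 80 # http
        acl Safe_ports port 443 # https
        acl CONNECT method CONNECT
        # Reject local network
        # 169.254.0.0/16 (link-local, where cloud metadata endpoints usually
        # live) is included so the proxy cannot be used to reach it.
        # NOTE(review): only IPv4 ranges are listed; add the IPv6 equivalents
        # if the pod network is dual-stack.
        acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
        # Recommended minimum Access Permission configuration:
        #
        # Deny requests to certain unsafe ports
        http_access deny !Safe_ports
        # Deny CONNECT to other than secure SSL ports. SSL_ports and CONNECT
        # were defined above but never referenced, so tunnels to port 80
        # were being accepted.
        http_access deny CONNECT !SSL_ports
        # Only allow cachemgr access from localhost
        http_access allow localhost manager
        http_access deny manager
        # Refuse requests aimed at the proxy's own loopback addresses.
        # to_localhost is a built-in ACL, like localhost and manager above.
        http_access deny to_localhost
        http_access deny restricted_destination_subnetworks
        # NOTE(review): no rule matches on client source and there is no
        # final "http_access deny all". When nothing matches, Squid applies
        # the opposite of the last http_access rule; that rule is a deny, so
        # every other request is allowed. Add an ACL for the intended
        # clients, allow it, and end with "http_access deny all".
        # Squid normally listens to port 3128
        http_port 3128
        # Uncomment and adjust the following to add a disk cache directory.
        #cache_dir ufs /var/cache/squid 100 16 256
        # Leave coredumps in the first cache dir
        coredump_dir /var/cache/squid
        #
        # Add any of your own refresh_pattern entries above these.
        #
        refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
        refresh_pattern . 0 20% 4320
        # Do not display squid version
        httpd_suppress_version_string on

controller:
  replicas: 1
  strategy: RollingUpdate

# Pod-level identity: everything runs as uid/gid 31, and fsGroup sets the
# group on the mounted volumes.
podSecurityContext:
  runAsUser: 31
  runAsGroup: 31
  fsGroup: 31

# Container hardening: non-root, no privilege escalation, every capability
# dropped. The root filesystem is read-only, so each path Squid writes to
# is an emptyDir under persistence below.
securityContext:
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

ingress:
  main:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"
      traefik.ingress.kubernetes.io/router.tls: 'true'
      nginx.ingress.kubernetes.io/proxy-body-size: 50m
    # NOTE(review): this publishes the proxy port through the ingress
    # controller. Squid will then likely see the controller's address as
    # the client, so source-based ACLs need to account for that - confirm
    # who can reach proxy.dc.
    hosts:
      - host: proxy.dc
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: squid-tls
        hosts:
          - proxy.dc

service:
  main:
    enabled: true
    ports:
      http:
        # Must match http_port in squid.conf.
        port: 3128

persistence:
  # squid.conf from the configMap above, mounted as a single file.
  config:
    name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
    enabled: true
    type: configMap
    mountPath: /etc/squid/squid.conf
    subPath: squid.conf
  # Writable scratch volumes, needed because the root filesystem is
  # read-only. emptyDir contents are lost when the pod is removed.
  cache:
    enabled: true
    type: emptyDir
    mountPath: /var/cache/squid
  varrun:
    enabled: true
    type: emptyDir
    mountPath: /var/run
  varlog:
    enabled: true
    type: emptyDir
    mountPath: /var/log/squid

## VPN
addons:
  vpn:
    enabled: false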