zet.home.arpa: document all services and SSL/nginx setup

- Server overview (README.md) with services, storage, and network summary - Storage layout with disk/fstab/mount details (storage.md) - Service docs: Samba, NFS, Squid, Pi-hole (with DHCP/split-DNS notes) - Let's Encrypt cert via acme.sh + GoDaddy DNS-01 (ssl/) - nginx SSL reverse proxy config and virtual host guide (nginx/) - Pi-hole moved to port 8081; split DNS overrides documented for both Pi-hole and pfSense Unbound to avoid hairpin NAT issues Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 14:37:04 +00:00
parent 060219d161
commit 7c4c786e7b
10 changed files with 948 additions and 0 deletions
--- a/zet.home.arpa/squid/README.md
+++ b/zet.home.arpa/squid/README.md
@@ -0,0 +1,116 @@
+# Squid Web Proxy — zet.home.arpa
+
+Caching web proxy with content filtering for children's devices on the LAN.
+
+## Overview
+
+| Field | Value |
+|-------|-------|
+| **Package** | `squid` (Ubuntu) |
+| **Version** | Squid 6.14 |
+| **Config** | `/etc/squid/squid.conf` |
+| **Port** | 3128/tcp |
+| **Cache directory** | `/var/spool/squid` (2 GB, UFS) |
+| **Access log** | `/var/log/squid/access.log` |
+
+## How It Works
+
+Squid runs as a standard forward proxy. pfSense intercepts HTTP traffic from children's device IPs and redirects port 80 to `172.27.0.35:3128` via NAT port-forward (see [../PROXY-SETUP.md](../PROXY-SETUP.md) for pfSense setup).
+
+```
+Child device → pfSense NAT (port 80 → 172.27.0.35:3128) → Squid → Internet
+```
+
+## Configuration (`/etc/squid/squid.conf`)
+
+```
+http_port 3128
+
+# ACLs
+acl children src "/etc/squid/children.txt"
+acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
+acl SSL_ports port 443
+acl Safe_ports port 80
+acl Safe_ports port 443
+acl CONNECT method CONNECT
+acl allowed_hosts src 172.27.0.0/24
+
+# Access rules
+http_access deny blocked_sites children
+http_access deny !Safe_ports
+http_access allow allowed_hosts
+
+# Cache
+cache_dir ufs /var/spool/squid 2048 16 256
+cache_mem 512 MB
+maximum_object_size_in_memory 1 MB
+maximum_object_size 128 MB
+minimum_object_size 0 KB
+
+# Refresh patterns
+refresh_pattern ^ftp:                   1440  20%  10080
+refresh_pattern ^gopher:                1440   0%   1440
+refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$  10080  90%  43200
+refresh_pattern -i \.(css|js)$          1440  90%  10080
+refresh_pattern .                          0  20%   4320
+
+pipeline_prefetch 1
+collapsed_forwarding on
+```
+
+## ACL Files
+
+### `/etc/squid/children.txt` — devices subject to content filtering
+
+Contains one IP per line for children's devices on the `172.27.0.0/24` network.
+
+### `/etc/squid/blocked_sites.txt` — blocked domains
+
+Domains blocked for children (partial list):
+
+```
+.facebook.com / .fb.com / .instagram.com / .snapchat.com / .tiktok.com
+.x.com / .twitter.com / .reddit.com / .redditmedia.com / .redditstatic.com
+.pinterest.com / .youtube.com / .youtu.be / .googlevideo.com
+.twitch.tv / .vimeo.com / .dailymotion.com
+.netflix.com / .hulu.com / .disneyplus.com
+```
+
+## Service Management
+
+```bash
+sudo systemctl status squid
+sudo systemctl restart squid
+sudo systemctl reload squid          # reload config without dropping connections
+sudo squid -k parse                  # validate squid.conf syntax
+
+# Watch live traffic
+sudo tail -f /var/log/squid/access.log
+
+# Check cache stats
+sudo squidclient -h 127.0.0.1 mgr:info
+```
+
+## Adding/Removing Children's IPs
+
+Edit `/etc/squid/children.txt` — one IP per line, then reload:
+
+```bash
+sudo nano /etc/squid/children.txt
+sudo systemctl reload squid
+```
+
+## Limitations
+
+- Only intercepts plain **HTTP (port 80)**. HTTPS (port 443) is not filtered.
+- To filter HTTPS would require SSL bump (TLS interception) with a custom CA installed on every client device — significantly more complex.
+- See [../PROXY-SETUP.md](../PROXY-SETUP.md) for pfSense NAT configuration.
+
+## Migration Notes
+
+To move Squid to a new server:
+1. Install: `sudo apt install squid`
+2. Copy `/etc/squid/squid.conf`, `children.txt`, `blocked_sites.txt`
+3. Initialize cache: `sudo squid -z`
+4. Start: `sudo systemctl enable --now squid`
+5. Update pfSense NAT rule redirect target to the new server IP