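# Overwrites /etc/squid/squid.conf with the SSL-Bump proxy configuration below.
# The heredoc delimiter is quoted ('EOF'), so the shell expands nothing in the body.
sudo tee /etc/squid/squid.conf << 'EOF'
# ========================================
# SQUID DMZ - VARIANT 12
# Port: 3144 | Subnet: 192.168.12.0/24 | Certificate: 2972 days
# ========================================
# Port 3144 with SSL-Bump.
# No key= option is given, so bump.pem must hold both the signing CA
# certificate and its private key. Every client that trusts this CA can be
# impersonated to by whoever reads the file: keep it readable only by root
# and the Squid user.
http_port 3144 ssl-bump cert=/etc/squid/ssl/bump.pem generate-host-certificates=on
# ACL for our subnet
acl our_network src 192.168.12.0/24
# SSL-Bump settings: peek at the TLS client hello during step 1,
# then decrypt (bump) every connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# Required for SSL-Bump: lets Squid's own requests for missing intermediate
# certificates through http_access.
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
# IMAGE BLOCKING (variant 12)
# Matches only URLs that END in one of these extensions; an image URL with a
# query string (e.g. .jpg?w=100) or without an extension is not matched.
acl block_images url_regex -i \.jpg$ \.jpeg$ \.gif$ \.png$ \.bmp$
http_access deny block_images
# Safe ports
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
# Access rules (first match wins, so the order matters)
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_network
http_access deny all
# Cache: 100 MB on disk, 16 first-level and 256 second-level directories.
# Bumped HTTPS responses are cached here in decrypted form.
cache_dir ufs /var/spool/squid 100 16 256
cache_effective_user proxy
# Logs. With bumping enabled, access.log records full HTTPS URLs,
# so treat it as sensitive data.
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# SSL settings: helper that mints per-host certificates, with a 20 MB
# on-disk certificate database.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
# Reject origin servers whose certificate fails validation. Clients only ever
# see the certificate Squid generates, so Squid is the only place where an
# expired, self-signed or mismatched upstream certificate can be caught.
# "allow all" here would silently accept every such certificate.
sslproxy_cert_error deny all
# Refresh: min 0 minutes, 20% of object age, max 4320 minutes
refresh_pattern . 0 20% 4320
EOF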