Checkpoint

styx.hcl

@@ -1,8 +1,27 @@
 
 proxy {
     # TCP listen address
-    listen = ":3128"
+    port ":3128" {}
+    port ":3129" {
+        tls {
+            ca = "testdata/ca.crt"
+            cert = "testdata/ca.crt"
+            key = "testdata/ca.key"
+        }
 
+        # Transparent proxy for targets on port 80
+        transparent = 80
+    }
+    port ":3130" {
+        tls {
+            cert = "testdata/ca.crt"
+            key = "testdata/ca.key"
+        }
+
+        # Transparent proxy for targets on port 443
+        transparent = 443
+    }
+    
     # TCP bind address for outgoing connections
     #bind = "10.42.42.215"
     # Interface for outgoign connections
@@ -12,86 +31,29 @@ proxy {
     upstream = []   
 
 
-    policy {
-        on intercept {
-            domain = ["sensitive"]
-            permit = false
-        }
-
-        on request {
-            source = ["kids"]
-            domain = ["nsfw"]
-            permit = false
-        }
-
-        on request {
-            source = ["kids"]
-            domain = ["nsfw"]
-            permit = false
-        }
-
-        on days {
-            days = "mon-thu,sun"
-            on time {
-                time = ["22:00", "06:00"]
-                on request {
-                    source = ["kids"]
-                    domain = ["social"]
-                    permit = false
-                }
-            }
-        }
+    on {
+        intercept = ["intercept"]
+        request   = ["bogons", "childsafe"]
     }
 }
 
-dns {
-    # Set the cache size
-    #size = 1024
-
-    # Set the time to live for positive responses (in seconds)
-    #ttl = 300
-
-    # Set the resolve timeout (in seconds)
-    #timeout = 10
-
-    # Set the DNS servers
-    #servers = ["1.1.1.1", "8.8.8.8"]
-
-    # Disable IPv6
-    noipv6 = true
+policy "intercept" {
+    path = "testdata/policy/intercept.rego"
+    package = "styx.intercept"
+}
+ 
+policy "bogons" {
+    path = "testdata/policy/bogons.rego"
 }
 
-mitm {
-    ca {
-        cert     = "testdata/ca.crt"
-        key      = "testdata/ca.key"
-        key_type = "ecc"
-        days     = 1825
-        organization = "maze.io"
-    }
-
-    key {
-        type = "rsa"
-        bits = 2048
-    }
-
-    cache {
-        #type = "memory" 
-        type = "disk"
-        path = "testdata/mitm"
-        expire = 10
-    }
+policy "childsafe" {
+    path = "testdata/policy/childsafe.rego"
 }
 
-cache {
-    type = "memory"
-    size = 10485760
-}
-
-match {
+data {
     path = "testdata/match"
 
-    network "internal" {
+    network "reserved" {
         type = "list"
         list = [
             "0.0.0.0/32",
@@ -129,8 +91,25 @@ match {
     domain "social" {
         type = "list"
         list = [
+            "facebook.com",
+            "facebook.net",
+            "fbsbx.com",
             "pinterest.com",
             "reddit.com",
+            # TikTok
+            "isnssdk.com",
+            "musical.ly",
+            "musically.app.link",
+            "musically-alternate.app.link",
+            "musemuse.cn",
+            "sgsnssdk.com",
+            "tiktok.com",
+            "tiktok.org",
+            "tiktokcdn.com",
+            "tiktokcdn-eu.com",
+            "tiktokv.com",
+            # X
+            "twitter.com",
             "x.com",
             # YouTube
             "googlevideo.com",
@@ -140,15 +119,20 @@ match {
         ]
     }
 
-    domain "nsfw" {
-        type = "domains"
-        from = "https://energized.pro/nsfw/domains.txt"
-        refresh = 43200 # 12h
+    domain "toxic" {
+        type = "list"
+        list = []
     }
 
-    domain "ads" {
-        type = "detect"
-        from = "https://small.oisd.nl/dnsmasq"
-        refresh = 12
-    }
+    #domain "nsfw" {
+    #    type = "domains"
+    #    from = "https://energized.pro/nsfw/domains.txt"
+    #    refresh = 43200 # 12h
+    #}
+    #
+    #domain "ads" {
+    #    type = "detect"
+    #    from = "https://small.oisd.nl/dnsmasq"
+    #    refresh = 12
+    #}
 }