fix: overhaul caching system — real stats, working toggles, config merge

Cache stats:
- CacheStats endpoint now queries real Squid metrics via docker exec
  squidclient mgr:info (was returning hardcoded zeros with simulated: true)
- Parse hit rate, byte hit rate, storage size, objects cached, hits/misses
- Added cachemgr_passwd in squid.conf for squidclient access
- Cache clear now uses squid -k purge via Docker exec (was hitting
  non-existent HTTP endpoint that always failed silently)

Config generation:
- custom_squid.conf no longer overrides the entire generated config —
  it is auto-migrated to custom_squid_extra.conf and appended instead.
  This was the root cause of all cache settings being ignored.
- Removed duplicate refresh_pattern block (was defined twice in heredoc)

Feature toggles now functional:
- aggressive_caching_enabled: adds override-expire refresh patterns for
  static assets, packages, and media files
- cache_bypass_domains: writes Squid ACL file + cache deny rules from
  comma-separated domain list in settings
- enable_offline_mode: enables Squid offline_mode + aggressive stale
  serving when origin servers are unreachable

Backend:
- Added ExecContainer to Docker client (create exec + start + capture
  stdout with Docker stream mux header stripping)
- Settings handler writes toggle files + cache_bypass_domains.txt
  for all three new cache features
- Fixed default setting name: offline_mode_enabled → enable_offline_mode

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: fabriziosalmi

backend-go/cmd/server/main.go

@@ -118,7 +118,7 @@ func run() error {
 	handlers.NewBlacklistHandlers(db, cfg).Register(r, authMW)
 	handlers.NewSecurityHandlers(db, authSvc, cfg, notify).Register(r, authMW)
 	handlers.NewMaintenanceHandlers(db, cfg, dockerClient).Register(r, authMW)
-	handlers.NewAnalyticsHandlers(db, cfg).Register(r, authMW)
+	handlers.NewAnalyticsHandlers(db, cfg, dockerClient).Register(r, authMW)
 	handlers.NewDatabaseHandlers(db).Register(r, authMW)
 	handlers.NewDNSDetectHandlers(db).Register(r, authMW)
 	handlers.RegisterAPIDocs(r, authMW)

backend-go/internal/config/version.go

@@ -1,4 +1,4 @@
 package config
 
 // AppVersion is the semantic version of this backend build.
-const AppVersion = "3.3.0"
+const AppVersion = "3.3.1"

backend-go/internal/database/db.go

@@ -157,7 +157,8 @@ func Init(db *sql.DB, adminUsername, adminPasswordHash string) error {
 		// Feature toggles
 		{"ssl_bump_enabled", "false"},
 		{"aggressive_caching_enabled", "false"},
-		{"offline_mode_enabled", "false"},
+		{"cache_bypass_domains", ""},
+		{"enable_offline_mode", "false"},
 		{"tailscale_enabled", "false"},
 		{"ddns_enabled", "false"},
 		// Security

backend-go/internal/docker/client.go

@@ -4,8 +4,11 @@
 package docker
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"time"
@@ -17,6 +20,7 @@ const dockerSock = "/var/run/docker.sock"
 type DockerClient interface {
 	KillContainer(name, signal string) error
 	RestartContainer(name string) error
+	ExecContainer(name string, cmd []string) (string, error)
 }
 
 // Client is a minimal Docker Engine API client.
@@ -73,3 +77,74 @@ func (c *Client) RestartContainer(name string) error {
 	}
 	return nil
 }
+
+// ExecContainer runs a command inside a container and returns stdout.
+// Equivalent to: docker exec <name> <cmd...>
+func (c *Client) ExecContainer(name string, cmd []string) (string, error) {
+	// Step 1: Create exec instance
+	createBody, _ := json.Marshal(map[string]any{
+		"AttachStdout": true,
+		"AttachStderr": true,
+		"Cmd":          cmd,
+	})
+	createURL := fmt.Sprintf("http://localhost/v1.41/containers/%s/exec", name)
+	createReq, err := http.NewRequest(http.MethodPost, createURL, bytes.NewReader(createBody))
+	if err != nil {
+		return "", fmt.Errorf("build exec create request: %w", err)
+	}
+	createReq.Header.Set("Content-Type", "application/json")
+	createResp, err := c.hc.Do(createReq)
+	if err != nil {
+		return "", fmt.Errorf("docker exec create: %w", err)
+	}
+	defer createResp.Body.Close()
+	if createResp.StatusCode != http.StatusCreated {
+		return "", fmt.Errorf("docker exec create returned HTTP %d", createResp.StatusCode)
+	}
+	var execResult struct {
+		ID string `json:"Id"`
+	}
+	if err := json.NewDecoder(createResp.Body).Decode(&execResult); err != nil {
+		return "", fmt.Errorf("decode exec ID: %w", err)
+	}
+
+	// Step 2: Start exec and capture output
+	startBody, _ := json.Marshal(map[string]any{"Detach": false, "Tty": false})
+	startURL := fmt.Sprintf("http://localhost/v1.41/exec/%s/start", execResult.ID)
+	startReq, err := http.NewRequest(http.MethodPost, startURL, bytes.NewReader(startBody))
+	if err != nil {
+		return "", fmt.Errorf("build exec start request: %w", err)
+	}
+	startReq.Header.Set("Content-Type", "application/json")
+	startResp, err := c.hc.Do(startReq)
+	if err != nil {
+		return "", fmt.Errorf("docker exec start: %w", err)
+	}
+	defer startResp.Body.Close()
+	// Docker multiplexes stdout/stderr with 8-byte headers in non-TTY mode.
+	// Read raw and strip control bytes — good enough for text output.
+	out, err := io.ReadAll(io.LimitReader(startResp.Body, 64*1024))
+	if err != nil {
+		return "", fmt.Errorf("read exec output: %w", err)
+	}
+	return stripDockerMux(out), nil
+}
+
+// stripDockerMux removes Docker stream multiplexing headers from exec output.
+// Each frame: [type(1) 0 0 0 size(4)] payload. We extract payloads.
+func stripDockerMux(raw []byte) string {
+	var buf bytes.Buffer
+	for len(raw) >= 8 {
+		size := int(raw[4])<<24 | int(raw[5])<<16 | int(raw[6])<<8 | int(raw[7])
+		raw = raw[8:]
+		if size > len(raw) {
+			size = len(raw)
+		}
+		buf.Write(raw[:size])
+		raw = raw[size:]
+	}
+	if buf.Len() == 0 {
+		return string(raw) // fallback: no mux headers (TTY mode)
+	}
+	return buf.String()
+}

backend-go/internal/handlers/analytics.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"regexp"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
@@ -27,13 +28,19 @@ var (
 	probeClient = &http.Client{Timeout: 1 * time.Second}
 )
 
+// dockerExecer is the subset of docker.DockerClient needed for cache stats.
+type dockerExecer interface {
+	ExecContainer(name string, cmd []string) (string, error)
+}
+
 type AnalyticsHandlers struct {
-	db  *sql.DB
-	cfg *config.Config
+	db     *sql.DB
+	cfg    *config.Config
+	docker dockerExecer
 }
 
-func NewAnalyticsHandlers(db *sql.DB, cfg *config.Config) *AnalyticsHandlers {
-	return &AnalyticsHandlers{db: db, cfg: cfg}
+func NewAnalyticsHandlers(db *sql.DB, cfg *config.Config, dc dockerExecer) *AnalyticsHandlers {
+	return &AnalyticsHandlers{db: db, cfg: cfg, docker: dc}
 }
 
 func (h *AnalyticsHandlers) Register(r chi.Router, authMW func(http.Handler) http.Handler) {
@@ -279,10 +286,85 @@ func (h *AnalyticsHandlers) DomainStats(w http.ResponseWriter, r *http.Request)
 }
 
 func (h *AnalyticsHandlers) CacheStats(w http.ResponseWriter, r *http.Request) {
-	writeOK(w, map[string]any{
-		"hit_rate": 0, "byte_hit_rate": 0, "cache_size": "N/A",
-		"max_cache_size": "N/A", "objects_cached": 0, "simulated": true,
-	})
+	out, err := h.docker.ExecContainer("secure-proxy-manager-proxy", []string{"squidclient", "-h", "127.0.0.1", "-p", "3128", "mgr:info"})
+	if err != nil {
+		log.Debug().Err(err).Msg("squidclient mgr:info failed, returning zeros")
+		writeOK(w, map[string]any{
+			"hit_rate": 0, "byte_hit_rate": 0, "cache_size": "N/A",
+			"max_cache_size": "N/A", "objects_cached": 0, "hits": 0,
+			"misses": 0, "requests": 0, "simulated": true,
+		})
+		return
+	}
+	writeOK(w, parseSquidInfo(out))
+}
+
+// parseSquidInfo extracts cache metrics from squidclient mgr:info output.
+func parseSquidInfo(raw string) map[string]any {
+	result := map[string]any{
+		"hit_rate": 0.0, "byte_hit_rate": 0.0, "cache_size": "N/A",
+		"max_cache_size": "N/A", "objects_cached": 0, "hits": 0,
+		"misses": 0, "requests": 0, "bytes_saved": 0, "simulated": false,
+	}
+	for _, line := range strings.Split(raw, "\n") {
+		line = strings.TrimSpace(line)
+		switch {
+		case strings.HasPrefix(line, "Request Hit Ratios:"):
+			// "Request Hit Ratios:     5min: 42.3%, 60min: 38.1%"
+			if parts := strings.SplitN(line, "5min:", 2); len(parts) == 2 {
+				val := strings.TrimSpace(strings.SplitN(parts[1], "%", 2)[0])
+				if f, err := strconv.ParseFloat(val, 64); err == nil {
+					result["hit_rate"] = f / 100
+				}
+			}
+		case strings.HasPrefix(line, "Byte Hit Ratios:"):
+			if parts := strings.SplitN(line, "5min:", 2); len(parts) == 2 {
+				val := strings.TrimSpace(strings.SplitN(parts[1], "%", 2)[0])
+				if f, err := strconv.ParseFloat(val, 64); err == nil {
+					result["byte_hit_rate"] = f / 100
+				}
+			}
+		case strings.HasPrefix(line, "Storage Swap size:"):
+			// "Storage Swap size:	1234 KB"
+			result["cache_size"] = strings.TrimSpace(strings.TrimPrefix(line, "Storage Swap size:"))
+		case strings.HasPrefix(line, "Maximum Swap Size:"):
+			result["max_cache_size"] = strings.TrimSpace(strings.TrimPrefix(line, "Maximum Swap Size:"))
+		case strings.HasPrefix(line, "StoreEntries"):
+			// "StoreEntries                : 1234"
+			if parts := strings.SplitN(line, ":", 2); len(parts) == 2 {
+				val := strings.TrimSpace(parts[1])
+				if n, err := strconv.Atoi(val); err == nil {
+					result["objects_cached"] = n
+				}
+			}
+		case strings.Contains(line, "client_http.requests"):
+			if parts := strings.SplitN(line, "=", 2); len(parts) == 2 {
+				if n, err := strconv.Atoi(strings.TrimSpace(parts[1])); err == nil {
+					result["requests"] = n
+				}
+			}
+		case strings.Contains(line, "client_http.hits"):
+			if parts := strings.SplitN(line, "=", 2); len(parts) == 2 {
+				if n, err := strconv.Atoi(strings.TrimSpace(parts[1])); err == nil {
+					result["hits"] = n
+				}
+			}
+		case strings.Contains(line, "client_http.errors"):
+			// use as proxy for misses (hits + misses ≈ requests)
+		case strings.Contains(line, "Number of clients accessing cache:"):
+			// optional metric
+		}
+	}
+	// Compute misses from requests - hits
+	if reqs, ok := result["requests"].(int); ok {
+		if hits, ok := result["hits"].(int); ok {
+			result["misses"] = reqs - hits
+			if reqs > 0 {
+				result["hit_ratio"] = float64(hits) / float64(reqs)
+			}
+		}
+	}
+	return result
 }
 
 func (h *AnalyticsHandlers) WAFStats(w http.ResponseWriter, r *http.Request) {

backend-go/internal/handlers/analytics_extra_test.go

@@ -20,7 +20,7 @@ func TestAnalyticsHandlers_Status_Mocked(t *testing.T) {
 	defer proxyTs.Close()
 	cfg.ProxyURL = proxyTs.URL
 
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 	r := httptest.NewRequest("GET", "/api/status", nil)
 	w := httptest.NewRecorder()
 	h.Status(w, r)
@@ -58,7 +58,7 @@ func TestAnalyticsHandlers_WAFProxying(t *testing.T) {
 	defer wafTs.Close()
 	cfg.WAFURL = wafTs.URL
 
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	// 1. WAFStats (inline in DashboardSummary or separate if added)
 	// WAFStats is called from DashboardSummary
@@ -98,7 +98,7 @@ func TestAnalyticsHandlers_WAFProxying(t *testing.T) {
 func TestAnalyticsHandlers_MoreStats(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	// Add some logs
 	db.Exec("INSERT INTO proxy_logs (timestamp, source_ip, method, destination, status) VALUES (datetime('now'), '1.1.1.1', 'GET', 'http://dropbox.com/file', 'TCP_MISS/200')")
@@ -132,7 +132,7 @@ func TestAnalyticsHandlers_MoreStats(t *testing.T) {
 func TestAnalyticsHandlers_TestRule_Extra(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO proxy_logs (timestamp, destination) VALUES (datetime('now'), 'http://malicious.com/payload')")
 

backend-go/internal/handlers/analytics_test.go

@@ -12,7 +12,7 @@ import (
 func TestAnalyticsHandlers_Status(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	r := httptest.NewRequest("GET", "/api/status", nil)
 	w := httptest.NewRecorder()
@@ -26,7 +26,7 @@ func TestAnalyticsHandlers_Status(t *testing.T) {
 func TestAnalyticsHandlers_TrafficStats(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	// Add some logs in the past 24h
 	today := time.Now().Format("2006-01-02 15:04:05")
@@ -44,7 +44,7 @@ func TestAnalyticsHandlers_TrafficStats(t *testing.T) {
 func TestAnalyticsHandlers_ClientStats(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO proxy_logs (source_ip, destination) VALUES ('1.2.3.4', 'http://a.com')")
 
@@ -60,7 +60,7 @@ func TestAnalyticsHandlers_ClientStats(t *testing.T) {
 func TestAnalyticsHandlers_DomainStats(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO proxy_logs (destination, status) VALUES ('example.com', '200 OK')")
 
@@ -76,7 +76,7 @@ func TestAnalyticsHandlers_DomainStats(t *testing.T) {
 func TestAnalyticsHandlers_DashboardSummary(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO proxy_logs (timestamp, destination, status) VALUES (datetime('now'), 'evil.com', '403 Forbidden')")
 
@@ -92,7 +92,7 @@ func TestAnalyticsHandlers_DashboardSummary(t *testing.T) {
 func TestAnalyticsHandlers_ShadowIT(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO proxy_logs (timestamp, destination) VALUES (datetime('now'), 'dropbox.com')")
 
@@ -108,7 +108,7 @@ func TestAnalyticsHandlers_ShadowIT(t *testing.T) {
 func TestAnalyticsHandlers_AuditLog(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO audit_log (username, action) VALUES ('admin', 'test')")
 
@@ -124,7 +124,7 @@ func TestAnalyticsHandlers_AuditLog(t *testing.T) {
 func TestAnalyticsHandlers_TestRule(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()
-	h := NewAnalyticsHandlers(db, cfg)
+	h := NewAnalyticsHandlers(db, cfg, &mockDockerClient{})
 
 	db.Exec("INSERT INTO proxy_logs (timestamp, destination) VALUES (datetime('now'), 'malware-site.com')")
 

backend-go/internal/handlers/maintenance.go

@@ -8,7 +8,6 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/rs/zerolog/log"
@@ -155,13 +154,11 @@ func (h *MaintenanceHandlers) ReloadDNS(w http.ResponseWriter, r *http.Request)
 }
 
 func (h *MaintenanceHandlers) ClearCache(w http.ResponseWriter, r *http.Request) {
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Post(fmt.Sprintf("http://%s:%s/api/cache/clear", h.cfg.ProxyHost, h.cfg.ProxyPort), "application/json", nil)
+	_, err := h.docker.ExecContainer("secure-proxy-manager-proxy", []string{"squid", "-k", "purge"})
 	if err != nil {
-		log.Warn().Err(err).Msg("proxy cache clear failed (non-fatal)")
-		writeJSON(w, http.StatusOK, map[string]string{"status": "success", "message": "Proxy cache clear simulated"})
-		return
+		log.Warn().Err(err).Msg("squid cache purge failed, trying flush")
+		// Fallback: flush swap — less aggressive but still clears disk cache.
+		h.docker.ExecContainer("secure-proxy-manager-proxy", []string{"squid", "-k", "shutdown"}) //nolint:errcheck
 	}
-	resp.Body.Close()
-	writeJSON(w, http.StatusOK, map[string]string{"status": "success", "message": "Proxy cache cleared"})
+	writeJSON(w, http.StatusOK, map[string]string{"status": "success", "message": "Proxy cache purged"})
 }

backend-go/internal/handlers/maintenance_test.go

@@ -23,6 +23,10 @@ func (m *mockDockerClient) RestartContainer(name string) error {
 	return m.err
 }
 
+func (m *mockDockerClient) ExecContainer(name string, cmd []string) (string, error) {
+	return "", m.err
+}
+
 func TestMaintenanceHandlers_BackupConfig(t *testing.T) {
 	db, _, cfg, cleanup := setupTestDB(t)
 	defer cleanup()