45 lines
2.3 KiB
SquidConf
45 lines
2.3 KiB
SquidConf
|
# ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
# Squid forward-proxy sidecar — allowlist-only egress for Claude Code
|
||
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
http_port 3128
|
||
|
|
|
||
|
|
# PID must be writable by the non-root proxy user
|
||
|
|
pid_filename /tmp/squid.pid
|
||
|
|
|
||
|
|
# ─── Logging (container-friendly: stdout/stderr) ──────────────────────────────
|
||
|
|
access_log stdio:/dev/stdout combined
|
||
|
|
cache_log stdio:/dev/stderr
|
||
|
|
cache_store_log none
|
||
|
|
|
||
|
|
# ─── No disk cache ────────────────────────────────────────────────────────────
|
||
|
|
cache deny all
|
||
|
|
coredump_dir /var/spool/squid
|
||
|
|
|
||
|
|
# ─── ACL Definitions ──────────────────────────────────────────────────────────
|
||
|
|
acl SSL_ports port 443
|
||
|
|
acl Safe_ports port 80
|
||
|
|
acl Safe_ports port 443
|
||
|
|
acl CONNECT method CONNECT
|
||
|
|
|
||
|
|
# ─── Egress allowlist ─────────────────────────────────────────────────────────
|
||
|
|
# Add domains here as needed. Leading dot matches all subdomains.
|
||
|
|
acl allowed_sites dstdomain api.anthropic.com
|
||
|
|
acl allowed_sites dstdomain statsig.anthropic.com
|
||
|
|
|
||
|
|
# ─── Access rules ─────────────────────────────────────────────────────────────
|
||
|
|
# Block requests to non-standard ports
|
||
|
|
http_access deny !Safe_ports
|
||
|
|
|
||
|
|
# Block CONNECT to non-SSL ports
|
||
|
|
http_access deny CONNECT !SSL_ports
|
||
|
|
|
||
|
|
# Allow HTTPS tunnels only to allowlisted destinations
|
||
|
|
http_access allow CONNECT allowed_sites
|
||
|
|
|
||
|
|
# Allow plain HTTP only to allowlisted destinations
|
||
|
|
http_access allow allowed_sites
|
||
|
|
|
||
|
|
# Deny everything else — default deny
|
||
|
|
http_access deny all
|