feat(docker): add isolated Claude Code environment with proxy sidecar
Two-container setup: claude (UID 1000, internal-only network) and proxy (Squid, UID 13). The internal Docker network uses internal: true so the claude container has no direct internet route. All egress is tunnelled through the Squid sidecar which enforces a domain allowlist. Both containers drop all capabilities and set no-new-privileges. claude.sh provides start/stop/run/update/logs/status/shell lifecycle management.
This commit is contained in:
docker-claude
commit
e0e5e03e58
10 changed files with 554 additions and 0 deletions
25
Dockerfile.proxy
Normal file
25
Dockerfile.proxy
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
FROM ubuntu:22.04
|
||||
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
squid \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Give the proxy system user (UID 13) ownership of all Squid paths
|
||||
RUN mkdir -p /var/spool/squid /var/log/squid \
|
||||
&& chown -R proxy:proxy /var/spool/squid /var/log/squid /etc/squid
|
||||
|
||||
COPY --chown=proxy:proxy proxy/squid.conf /etc/squid/squid.conf
|
||||
|
||||
USER proxy
|
||||
|
||||
# Initialise cache directories as the proxy user
|
||||
RUN squid -N -f /etc/squid/squid.conf -z 2>/dev/null || true
|
||||
|
||||
EXPOSE 3128
|
||||
|
||||
HEALTHCHECK --interval=10s --timeout=5s --retries=3 \
|
||||
CMD /bin/bash -c 'echo >/dev/tcp/127.0.0.1/3128'
|
||||
|
||||
CMD ["squid", "-N", "-f", "/etc/squid/squid.conf"]
|
||||
Loading…
Add table
Add a link
Reference in a new issue