playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docker-claude/proxy/squid.conf
docker-claude 88805a3c24 refactor(docker): migrate both images to Alpine 
Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21.
Switch package management from apt to apk (--no-cache, no cleanup layer).
Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use
squid user (Alpine convention) and /var/cache/squid cache path.
Fix proxy/Dockerfile COPY path now that context is proxy/. Move
webui-entrypoint.sh into claude/ to match its build context. Fix
docker-compose.yml webui context to claude/, update proxy tmpfs path.
2026-04-14 22:40:57 +02:00

46 lines
2.4 KiB
SquidConf
Raw Blame History

# ─────────────────────────────────────────────────────────────────────────────
# Squid forward-proxy sidecar — allowlist-only egress for Claude Code
# ─────────────────────────────────────────────────────────────────────────────
http_port 3128
# PID must be writable by the non-root proxy user
pid_filename /tmp/squid.pid
# ─── Logging (container-friendly: stdout/stderr) ──────────────────────────────
access_log stdio:/dev/stdout combined
cache_log stdio:/dev/stderr
cache_store_log none
# ─── No disk cache ────────────────────────────────────────────────────────────
cache deny all
coredump_dir /var/cache/squid
# ─── ACL Definitions ──────────────────────────────────────────────────────────
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
# ─── Egress allowlist ─────────────────────────────────────────────────────────
# Add domains here as needed. Leading dot matches all subdomains.
acl allowed_sites dstdomain api.anthropic.com
acl allowed_sites dstdomain statsig.anthropic.com
acl allowed_sites dstdomain localhost
acl allowed_sites dstdomain .local
# ─── Access rules ─────────────────────────────────────────────────────────────
# Block requests to non-standard ports
http_access deny !Safe_ports
# Block CONNECT to non-SSL ports
http_access deny CONNECT !SSL_ports
# Allow HTTPS tunnels only to allowlisted destinations
http_access allow CONNECT allowed_sites
# Allow plain HTTP only to allowlisted destinations
http_access allow allowed_sites
# Deny everything else — default deny
http_access deny all
Reference in a new issue View git blame Copy permalink