playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docker-claude/proxy/squid.conf

59 lines
2.9 KiB
SquidConf
Raw Blame History

# ─────────────────────────────────────────────────────────────────────────────
# Squid forward-proxy sidecar — allowlist-only egress for Claude Code
# ─────────────────────────────────────────────────────────────────────────────
http_port 3128
# PID must be writable by the non-root proxy user
pid_filename /tmp/squid.pid
# ─── Logging (container-friendly: stdout/stderr) ──────────────────────────────
access_log stdio:/dev/stdout combined
cache_log stdio:/dev/stderr
cache_store_log none
# ─── No disk cache ────────────────────────────────────────────────────────────
cache deny all
coredump_dir /var/cache/squid
# ─── ACL Definitions ──────────────────────────────────────────────────────────
acl SSL_ports port 443
acl SSL_ports port 6443 # Kubernetes API server
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 6443 # Kubernetes API server
acl CONNECT method CONNECT
# Kubernetes API server — allow CONNECT tunnels to any cluster endpoint on :6443
acl kubectl_api port 6443
# ─── Egress allowlist ─────────────────────────────────────────────────────────
# Add domains here as needed. Leading dot matches all subdomains.
acl allowed_sites dstdomain api.anthropic.com
acl allowed_sites dstdomain statsig.anthropic.com
acl allowed_sites dstdomain platform.claude.com
acl allowed_sites dstdomain localhost
acl allowed_sites dstdomain .local
# MCP servers
acl allowed_sites dstdomain api.github.com
acl allowed_sites dstdomain .gitlab.com
acl allowed_sites dstdomain .atlassian.net
# ─── Access rules ─────────────────────────────────────────────────────────────
# Block requests to non-standard ports
http_access deny !Safe_ports
# Block CONNECT to non-SSL ports
http_access deny CONNECT !SSL_ports
# Allow HTTPS tunnels only to allowlisted destinations
http_access allow CONNECT allowed_sites
# Allow kubectl to reach any Kubernetes API server on the standard port
http_access allow CONNECT kubectl_api
# Allow plain HTTP only to allowlisted destinations
http_access allow allowed_sites
# Deny everything else — default deny
http_access deny all
Reference in a new issue View git blame Copy permalink