From 0d23a204a187218f6f4f392ee82c63e3e7751f2c Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Fri, 13 Feb 2026 14:00:45 +0000 Subject: [PATCH 1/2] Initial plan From 63c8f03f68ceeb4443acda9d8cc70a40ff3b5d78 Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Fri, 13 Feb 2026 14:05:40 +0000 Subject: [PATCH 2/2] fix(squid): add api-proxy support (ports 10000/10001, IP 172.30.0.30) Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- src/docker-manager.ts | 1 + src/squid-config.ts | 21 ++++++++++++++++++++- src/types.ts | 10 ++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/docker-manager.ts b/src/docker-manager.ts index 4e5bbe3e3..93d9700ea 100644 --- a/src/docker-manager.ts +++ b/src/docker-manager.ts @@ -1129,6 +1129,7 @@ export async function writeConfigs(config: WrapperConfig): Promise { urlPatterns, enableHostAccess: config.enableHostAccess, allowHostPorts: config.allowHostPorts, + enableApiProxy: config.enableApiProxy, }); const squidConfigPath = path.join(config.workDir, 'squid.conf'); fs.writeFileSync(squidConfigPath, squidConfig, { mode: 0o600 }); diff --git a/src/squid-config.ts b/src/squid-config.ts index 5e1478d6d..340421cd1 100644 --- a/src/squid-config.ts +++ b/src/squid-config.ts 
@@ -205,7 +205,7 @@ ${urlAclSection}${urlAccessRules}`; * // Blocked: internal.example.com -> acl blocked_domains dstdomain .internal.example.com */ export function generateSquidConfig(config: SquidConfig): string { - const { domains, blockedDomains, port, sslBump, caFiles, sslDbPath, urlPatterns, enableHostAccess, allowHostPorts } = config; + const { domains, blockedDomains, port, sslBump, caFiles, sslDbPath, urlPatterns, enableHostAccess, allowHostPorts, enableApiProxy } = config; // Parse domains into plain domains and wildcard patterns // Note: parseDomainList extracts and preserves protocol info from prefixes (http://, https://) @@ -293,9 +293,22 @@ export function generateSquidConfig(config: SquidConfig): string { } } + // === API PROXY IP ADDRESS === + // When api-proxy sidecar is enabled, allow direct IP access to 172.30.0.30 + if (enableApiProxy) { + aclLines.push(''); + aclLines.push('# ACL for API proxy sidecar IP address'); + aclLines.push('acl api_proxy_ip dst 172.30.0.30'); + } + // Build access rules // Order matters: allow rules come before deny rules + // Allow API proxy IP address for all HTTP/HTTPS traffic (when enabled) + if (enableApiProxy) { + accessRules.push('http_access allow api_proxy_ip'); + } + // Allow HTTP-only domains for non-CONNECT requests const hasHttpOnly = domainsByProto.http.length > 0 || patternsByProto.http.length > 0; if (hasHttpOnly) { @@ -437,6 +450,12 @@ acl SSL_ports port 443 acl Safe_ports port 80 # HTTP acl Safe_ports port 443 # HTTPS`; + // Add API proxy ports if enabled + if (enableApiProxy) { + portAclsSection += `\nacl Safe_ports port 10000 # OpenAI API proxy`; + portAclsSection += `\nacl Safe_ports port 10001 # Anthropic API proxy`; + } + // Add user-specified ports if --allow-host-ports was provided if (enableHostAccess && allowHostPorts) { // Parse comma-separated ports/ranges and add to ACL diff --git a/src/types.ts b/src/types.ts index bf73cbbc9..7bb7fb509 100644 --- a/src/types.ts +++ b/src/types.ts 
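Review bot: The `http_access allow api_proxy_ip` rule pushed at the top of the access rules matches on destination IP only, so it permits any port on 172.30.0.30 and is evaluated before the domain rules that follow. Since the sidecar is described as using ports 10000 and 10001, the allow can be limited to them: add `aclLines.push('acl api_proxy_ports port 10000 10001');` next to the `dst` ACL and change the rule to `accessRules.push('http_access allow api_proxy_ip api_proxy_ports');`. The address is a string literal here and again in the `SquidConfig` doc comment, so a single exported constant shared with whatever assigns the container IP would keep them from drifting. How `accessRules` is ordered against the `Safe_ports`/`SSL_ports` denies is outside this hunk, so the effective reach of the rule should be confirmed in the generated squid.conf.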
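Review bot: `Safe_ports` is a global port ACL, so appending 10000 and 10001 to `portAclsSection` makes those ports acceptable for every destination the allowlist permits, not only for the api-proxy sidecar. If sidecar-only access is intended, drop the two `portAclsSection +=` lines and carry the ports in a dedicated ACL, e.g. `acl api_proxy_ports port 10000 10001`, combined with the sidecar's `dst` ACL in one allow rule. That rule would then have to come before the `deny !Safe_ports` rule, which is presumably emitted elsewhere in this function and is not visible here. `SSL_ports` remains 443 in the visible context, so CONNECT to 10000/10001 is likely still refused; that may not match the "all HTTP/HTTPS traffic" comment in the previous hunk. The diffstat lists no test file, and a test asserting the generated config with `enableApiProxy` on and off would pin the intended scope.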
@@ -546,6 +546,16 @@ export interface SquidConfig { * @example "3000-3010,8000-8090" */ allowHostPorts?: string; + + /** + * Whether to enable API proxy sidecar + * + * When true, Squid will allow ports 10000 (OpenAI) and 10001 (Anthropic) + * in Safe_ports ACL, and add the api-proxy IP (172.30.0.30) to the allowlist. + * + * @default false + */ + enableApiProxy?: boolean; } /**
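Review bot: The doc comment for `enableApiProxy` does not tell callers that the rule generated in squid-config.ts allows traffic to 172.30.0.30 by IP, ahead of the domain rules, so that address is reachable whatever the domain allowlist contains. I would add a sentence such as `Only enable when the api-proxy sidecar is actually running at this address; requests to it are allowed independently of the configured domains.` The port and IP literals restated in this comment will also go stale if the values in squid-config.ts change, so naming a shared constant here would be safer than repeating the numbers.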