Status: Closed
Labels: enhancement (New feature or request)
Context / Goal

We want to add a new egress-hostname allowlist for MCP servers that run with the `container:` syntax in the AW. The allowlist will be expressed in policy as:

```yaml
permission:
  network:
    allowed: ["api.github.com", ...]
```

This feature must sandbox/restrict egress traffic for MCP servers (L7 hostname controls). The chosen enforcement mechanism is a Squid proxy, and the runtime plumbing will use Docker Compose: the compiler that converts a markdown manifest into GitHub Actions YAML should be able to emit the necessary Docker Compose plus Squid config so that the MCP server container's outbound traffic is forced through the proxy, which enforces the hostname allowlist.
Inputs and outputs

Input:
- the requirement text above (egress allowlist for MCP `container:` servers)

Output: the compiler will produce GitHub Actions YAML and must also be able to emit:
- a Squid proxy config that enforces an L7 hostname allowlist
- a docker-compose setup that runs both the MCP server container and the proxy container
Sample squid configuration

```conf
# Squid configuration for egress traffic control
# This configuration implements an allowlist-based proxy

# Log and cache configuration
cache_log /var/log/squid/cache.log
cache deny all

# Port configuration
http_port 3128

# ACL definitions for allowed domains.
# dstdomain matches the hostname the client asked for (for CONNECT, the tunnel
# target). "api.github.com" matches only that host; ".github.com" would also
# match every subdomain.
acl allowed_domains dstdomain "/etc/squid/allowed_domains.txt"
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Access rules (evaluated top to bottom, first match wins)
# Deny requests to unknown domains (not in the allowlist)
http_access deny !allowed_domains
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# DNS settings
dns_nameservers 8.8.8.8 8.8.4.4

# Forwarded headers: do not reveal the client or the proxy to upstream servers
forwarded_for delete
via off

# Error page customization
error_directory /usr/share/squid/errors/English

# Logging (one access_log line; the final %Ss:%Sh field records Squid's verdict,
# e.g. TCP_DENIED for a blocked request)
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

# Memory and file descriptor limits
cache_mem 64 MB
maximum_object_size 0 KB
```
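To make the `combined` access log useful for detection, here is an added example (not part of the issue or the project) that parses lines in exactly that format and tallies destination hosts by whether Squid allowed or denied the request. The log lines in `SAMPLE_LOG` are constructed to resemble what the logformat above produces; a non-empty denied set is the signal that something inside the sandbox tried to reach a host outside the policy.

```python
"""Tally egress destinations from Squid's `combined` access log.

Added example, not part of the issue. The log lines below are constructed
to look like what the logformat above produces; the final %Ss:%Sh field
carries Squid's own verdict (TCP_DENIED for a blocked request)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Field-for-field match of the `combined` logformat in the Squid config above.
_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<squid_status>[A-Z_]+):(?P<hier>\S+)$'
)

# Constructed sample: two allowed requests, one denied, one malformed line.
SAMPLE_LOG = """\
172.18.0.3 - - [10/Oct/2024:12:00:00 +0000] "CONNECT api.github.com:443 HTTP/1.1" 200 5021 "-" "node" TCP_TUNNEL:HIER_DIRECT
172.18.0.3 - - [10/Oct/2024:12:00:01 +0000] "GET http://httpbin.org/get HTTP/1.1" 200 412 "-" "curl/8.4.0" TCP_MISS:HIER_DIRECT
172.18.0.3 - - [10/Oct/2024:12:00:02 +0000] "CONNECT evil.example:443 HTTP/1.1" 403 3868 "-" "python-requests/2.31" TCP_DENIED:HIER_NONE
this line is not in combined format and is skipped
"""


def destination_host(method, url):
    """Hostname the client asked for: CONNECT carries host:port, others a URL."""
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
        return host.strip("[]").lower()  # tolerate bracketed IPv6 literals
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = destination_host(rec["method"], rec["url"])
    rec["denied"] = rec["squid_status"].startswith("TCP_DENIED")
    return rec


def summarize_egress(log_text):
    """Return (allowed, denied): Counters of destination host -> request count."""
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count separately in a real pipeline
        (denied if rec["denied"] else allowed)[rec["host"]] += 1
    return allowed, denied


if __name__ == "__main__":
    ok, blocked = summarize_egress(SAMPLE_LOG)
    print("allowed:", dict(ok))
    print("denied: ", dict(blocked))
```

Because `dstdomain` is matched against the name the client sent, the host recorded here is the same string the ACL judged, so the denied tally maps directly onto allowlist entries that may be missing or onto behaviour that should be investigated.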
Allowed domains (`allowed_domains.txt`):

```text
# Allowed domains for egress traffic
# Add one domain per line
api.github.com
httpbin.org
example.com
jsonplaceholder.typicode.com
```

Sample docker compose
```yaml
services:
  squid-proxy:
    image: ubuntu/squid:latest
    container_name: squid-proxy
    ports:
      - "3128:3128"
    volumes:
      - ./squid.conf:/etc/squid/squid.conf:ro
      - ./allowed_domains.txt:/etc/squid/allowed_domains.txt:ro
      - squid-logs:/var/log/squid
    healthcheck:
      test: ["CMD", "squid", "-k", "check"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  demo-app:
    build:
      context: .
      dockerfile: Dockerfile.app
    container_name: demo-app
    ports:
      - "5000:5000"
    environment:
      - PROXY_HOST=squid-proxy
      - PROXY_PORT=3128
      - PORT=5000
    depends_on:
      squid-proxy:
        condition: service_healthy
    restart: unless-stopped

volumes:
  squid-logs:
```

To run this: `docker compose up --build`
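As an added example of the compiler's emit step (this is not gh-aw's own code), the following Python turns a `permission.network.allowed` list into the `allowed_domains.txt` body and a compose definition. It assumes the policy has already been parsed out of the workflow markdown into a Python list of hostnames; `mcp-server` and the image name are placeholders. It goes one step beyond the sample compose above: the MCP container is attached only to an `internal: true` network, so the proxy is its sole route out, and the proxy port is not published on the host because only the MCP container needs it. Without the internal network, `PROXY_HOST` is advisory and a process that ignores the proxy variables reaches the Internet directly.

```python
"""Emit the Squid allowlist file and a docker-compose definition from the
`permission.network.allowed` list.

Added example, not gh-aw's own compiler code. It assumes the policy has
already been parsed out of the workflow markdown into a Python list of
hostnames (the YAML parsing step is left out on purpose)."""
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_allowlist(allowed):
    """Validate and canonicalise entries for Squid's dstdomain ACL.

    - lower-cases and strips whitespace, drops duplicates (order preserved)
    - rejects wildcards, schemes, paths, ports and IP literals: dstdomain
      matches the requested hostname, so an IP literal would never match
      and a '*' would be compared literally
    - keeps a leading dot: Squid reads ".example.com" as example.com plus
      all of its subdomains, while "example.com" matches only that host
    """
    seen, out = set(), []
    for raw in allowed:
        host = raw.strip().lower()
        if not host or any(c in host for c in "*/:@ "):
            raise ValueError(f"not a bare hostname: {raw!r}")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # not an address literal, which is what we want
        else:
            raise ValueError(f"IP literal is not a hostname: {raw!r}")
        bare = host[1:] if host.startswith(".") else host
        if not all(_LABEL.match(label) for label in bare.split(".")):
            raise ValueError(f"invalid hostname: {raw!r}")
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def is_valid_entry(entry):
    """True when normalize_allowlist would accept this single entry."""
    try:
        normalize_allowlist([entry])
        return True
    except ValueError:
        return False


def emit_allowed_domains(allowed):
    """Body of /etc/squid/allowed_domains.txt, one entry per line."""
    header = ["# Allowed domains for egress traffic (generated from policy)",
              "# One domain per line"]
    return "\n".join(header + normalize_allowlist(allowed)) + "\n"


def emit_compose(mcp_image, proxy_port=3128):
    """docker-compose text: proxy on both networks, MCP container on the
    internal (no external route) network only, so egress must cross Squid."""
    return f"""services:
  squid-proxy:
    image: ubuntu/squid:latest
    volumes:
      - ./squid.conf:/etc/squid/squid.conf:ro
      - ./allowed_domains.txt:/etc/squid/allowed_domains.txt:ro
    networks: [egress, sandbox]
    healthcheck:
      test: ["CMD", "squid", "-k", "check"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped
  mcp-server:
    image: {mcp_image}
    environment:
      - HTTP_PROXY=http://squid-proxy:{proxy_port}
      - HTTPS_PROXY=http://squid-proxy:{proxy_port}
      - NO_PROXY=localhost,127.0.0.1
    networks: [sandbox]
    depends_on:
      squid-proxy:
        condition: service_healthy
    restart: unless-stopped
networks:
  egress: {{}}
  sandbox:
    internal: true
"""


if __name__ == "__main__":
    policy_allowed = ["api.github.com", "httpbin.org"]  # constructed sample policy
    print(emit_allowed_domains(policy_allowed))
    print(emit_compose("ghcr.io/example/mcp-server:latest"))  # placeholder image
```

The validation matters because `dstdomain` compares names, not addresses: an IP literal or a `*.example.com` entry in `allowed_domains.txt` would not produce an error at Squid startup, it would simply never match, and the policy author would not learn that until a request was denied.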