December 29, 2025
Squid Game: Proxy Edition
Kubernetes egress control with squid proxy
Old-school Squid sparks proxy wars: keep it simple or go “magic” with Caddy
TLDR: A dev shows how to force all outgoing app traffic in Kubernetes through a classic Squid proxy for visibility and control. Comments split between fans of simple Squid and boosters of Caddy’s “magic” HTTPS, plus a spat over using sidecars versus printing logs to the console—practical, contentious, and useful.
Forget fancy gateways—this post routes all outgoing app traffic through the venerable Squid proxy and blocks direct exits, so you can actually see what your cluster is talking to. In plain English: every app call leaving your “cloud city” goes through one checkpoint with logs. The crowd loved the pragmatic vibe, with a demo app, Horizons, clicking planets and hitting NASA for data—perfect proof this works beyond theory.
Then the drama: sidecars vs simplicity. One fan eyed a “sidecar” (a helper container) to wrangle traffic, while another slammed it as “an anti‑pattern” and said just print logs to the console. Cue the proxy wars: a popular voice argued any HTTP proxy could do the job and hyped Caddy for its “magic” HTTPS interception, warning you can “go nuts” configuring that cleanly in Squid. Translation: retro squid vs modern caddy, and everyone’s got receipts. AI folks chimed in too, saying this is perfect for keeping chatty agents on a leash.
Bonus community spice: someone flagged the text charts not rendering on Firefox mobile, because of course the internet must complain about phones. Memes and quips flew—“Squid Game” jokes and “proxy wars” puns—while the thread stayed surprisingly helpful, mixing hot takes with copy‑pasteable fixes.
Key Points
- The article proposes controlling Kubernetes egress with a Squid HTTP/HTTPS proxy and a NetworkPolicy.
- Workloads set HTTP_PROXY/HTTPS_PROXY to point at Squid; NetworkPolicy blocks direct egress and allows only proxy access.
- Squid provides explicit egress control, logging, and policy enforcement, offering visibility into outbound traffic.
- The approach is demonstrated using the Horizons app (Common Lisp + Datastar) calling NASA’s JPL Horizons API over HTTPS.
- A multi-stage build produces a compact horizons-server binary (~16MB), validating practical deployment of the demo.
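
The first two key points, sketched as manifests. This is an added example, not configuration from the article: the namespaces (`apps`, `egress`), the labels, the Service name `squid` and the image reference are assumptions, and 3128 is Squid's default port.

```yaml
# Added example: names, namespaces, labels and image are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-via-squid-only
  namespace: apps                  # assumed workload namespace
spec:
  podSelector: {}                  # applies to every pod in the namespace
  policyTypes: ["Egress"]          # all egress not listed below is dropped
  egress:
    - to:                          # the only route out: the Squid pods
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: egress   # assumed proxy namespace
          podSelector:
            matchLabels:
              app: squid           # assumed label on the proxy pods
      ports:
        - {protocol: TCP, port: 3128}   # Squid's default listening port
    - to:                          # cluster DNS, to resolve the proxy's Service name
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: horizons
  namespace: apps
spec:
  selector:
    matchLabels: {app: horizons}
  template:
    metadata:
      labels: {app: horizons}
    spec:
      containers:
        - name: horizons
          image: registry.example/horizons-server:placeholder   # placeholder image
          env:                     # advisory only; the NetworkPolicy is what enforces
            - {name: HTTP_PROXY,  value: "http://squid.egress.svc.cluster.local:3128"}
            - {name: HTTPS_PROXY, value: "http://squid.egress.svc.cluster.local:3128"}
```

The policy only takes effect on a cluster whose CNI plugin implements NetworkPolicy. The Squid pods sit in a separate namespace so this policy does not restrict their own outbound connections.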