Comment 5 for bug 1379567

I agree with the concerns about documentation.

Currently, maas-proxy is an optional package which does not depend on the MAAS region server (or any other MAAS component). It's analogous to squid-deb-proxy.

The squid-deb-proxy approach to security is to ship (in an autogenerated/ directory, which you are not supposed to edit) an allowed-networks-src.acl file, which contains the RFC 1918 IPv4 addresses, and the link-local IPv6 addresses by default.

We could add an additional dependency on the MAAS region (or at least, a URL to the MAAS region which allows us to figure out which networks are attached to MAAS), and try to be smart about which networks to add. But I'm not sure a solution that complex is worth the cost. For now, perhaps it would be sufficient to take the same approach that squid-deb-proxy uses, and then document how to ensure it's both secure, and able to allow any additional desired networks.