disclaimer: I have not tried this yet to see the actual behavior so let me know if I am wrong

In checkIfRequestShouldBeProxied() we can see safeResolve is called on every allow. So if the host resolves to an internal IP it is going to get denied. It would be great if global_allow_list was honored even if the ip resolves to an internal address (either as default or by passing some flag)

My current workaround would be to just use --unsafe-allow-private-ranges when I only want to allow some dynamic ip for a known internal hostname

In our use, we have global allow entries like, say, api.some-partner.com. Those domains and their DNS is externally controlled, and we do not want them to be able to resolve to an internal IP address. So the behaviour as-is today is required for our model.

We could plausibly add an option to have domains that are allowed, even if they resolve to an internal IP. I can see how that would be useful in some circumstances. I admit to being a bit worried about ballooning complexity, especially around what I view as one of our most important security guarantees of not allowing traffic to private IPs.

That totally makes sense. Our use case is that we have an internal login sever which is used to simulate user logins during a load test. Today the only way to allow the proxy to connect to this server would be by using --unsafe-allow-private-ranges which allows access to the entire internal network.

I think implementing a flag like --unsafe-allow-private-global-list would be better so that instead of allowing all the private ranges we only allow it for a specific enter like api.internal.app.com.