diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 4e5bbe3e3..93d9700ea 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -1129,6 +1129,7 @@ export async function writeConfigs(config: WrapperConfig): Promise {
 urlPatterns,
 enableHostAccess: config.enableHostAccess,
 allowHostPorts: config.allowHostPorts,
+ enableApiProxy: config.enableApiProxy,
 });
 const squidConfigPath = path.join(config.workDir, 'squid.conf');
 fs.writeFileSync(squidConfigPath, squidConfig, { mode: 0o600 });
diff --git a/src/squid-config.ts b/src/squid-config.ts
index 5e1478d6d..340421cd1 100644
--- a/src/squid-config.ts
+++ b/src/squid-config.ts
@@ -205,7 +205,7 @@ ${urlAclSection}${urlAccessRules}`;
 * // Blocked: internal.example.com -> acl blocked_domains dstdomain .internal.example.com
 */
 export function generateSquidConfig(config: SquidConfig): string {
- const { domains, blockedDomains, port, sslBump, caFiles, sslDbPath, urlPatterns, enableHostAccess, allowHostPorts } = config;
+ const { domains, blockedDomains, port, sslBump, caFiles, sslDbPath, urlPatterns, enableHostAccess, allowHostPorts, enableApiProxy } = config;
 
 // Parse domains into plain domains and wildcard patterns
 // Note: parseDomainList extracts and preserves protocol info from prefixes (http://, https://)
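Review bot: `config.enableApiProxy` is read from `WrapperConfig` on the added line, but this diff declares `enableApiProxy` only on `SquidConfig` (the types.ts hunk); unless `WrapperConfig` already carries the field, the property access fails under `strict`, so confirm it is declared there as the same optional `boolean` and that the option parser actually sets it. Because the field is optional, an unset value reaches generateSquidConfig as `undefined` and is treated as disabled, which matches the `@default false` documented on SquidConfig. writeConfigs begins and ends outside this hunk.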
@@ -293,9 +293,22 @@ export function generateSquidConfig(config: SquidConfig): string {
 }
 }
 
+ // === API PROXY IP ADDRESS ===
+ // When api-proxy sidecar is enabled, allow direct IP access to 172.30.0.30
+ if (enableApiProxy) {
+ aclLines.push('');
+ aclLines.push('# ACL for API proxy sidecar IP address');
+ aclLines.push('acl api_proxy_ip dst 172.30.0.30');
+ }
+
 // Build access rules
 // Order matters: allow rules come before deny rules
+ // Allow API proxy IP address for all HTTP/HTTPS traffic (when enabled)
+ if (enableApiProxy) {
+ accessRules.push('http_access allow api_proxy_ip');
+ }
+
 // Allow HTTP-only domains for non-CONNECT requests
 const hasHttpOnly = domainsByProto.http.length > 0 || patternsByProto.http.length > 0;
 if (hasHttpOnly) {
@@ -437,6 +450,12 @@ acl SSL_ports port 443
 acl Safe_ports port 80 # HTTP
 acl Safe_ports port 443 # HTTPS`;
 
+ // Add API proxy ports if enabled
+ if (enableApiProxy) {
+ portAclsSection += `\nacl Safe_ports port 10000 # OpenAI API proxy`;
+ portAclsSection += `\nacl Safe_ports port 10001 # Anthropic API proxy`;
+ }
+
 // Add user-specified ports if --allow-host-ports was provided
 if (enableHostAccess && allowHostPorts) {
 // Parse comma-separated ports/ranges and add to ACL
diff --git a/src/types.ts b/src/types.ts
index bf73cbbc9..7bb7fb509 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -546,6 +546,16 @@ export interface SquidConfig {
 * @example "3000-3010,8000-8090"
 */
 allowHostPorts?: string;
+
+ /**
+ * Whether to enable API proxy sidecar
+ *
+ * When true, Squid will allow ports 10000 (OpenAI) and 10001 (Anthropic)
+ * in Safe_ports ACL, and add the api-proxy IP (172.30.0.30) to the allowlist.
+ *
+ * @default false
+ */
+ enableApiProxy?: boolean;
 }
 
 /**
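Review bot: `http_access allow api_proxy_ip` grants the sandbox every method on every port of 172.30.0.30, not only the two proxy listeners, because `acl api_proxy_ip dst 172.30.0.30` is a bare destination match; pair it with a port ACL so the exception is as narrow as the Safe_ports additions in the @@ -437 hunk imply: `aclLines.push('acl api_proxy_ports port 10000 10001');` beside the `dst` line and `accessRules.push('http_access allow api_proxy_ip api_proxy_ports');` in the access block. Whether this allow is emitted before or after the usual `deny !Safe_ports` / `deny CONNECT !SSL_ports` rules is not visible in the hunk; if it precedes them the Safe_ports lines in the @@ -437 hunk are redundant and this rule alone decides which ports are reachable, so the explicit port ACL keeps the intent correct in either order. The sidecar address and ports are repeated as literals here, in the @@ -437 hunk and in the `SquidConfig` JSDoc in types.ts; hoisting them into one shared constant (for example `API_PROXY_IP` / `API_PROXY_PORTS`, defined next to whatever assigns the sidecar its network address) keeps the three from drifting apart. generateSquidConfig starts and ends outside this hunk.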