Open justabaka opened 6 years ago
Denying RFC1918 blocks is certainly a good start, but these are definitely not the only ones which are private.
I'd suggest also denying the following ones:
192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
224.0.0.0/4
255.255.255.255/32
RFC5735 (which is updated by RFC6598) has a more complete list of reserved address blocks at section 4.
BTW for IPv6 the FC00::/7 block is also considered local (see RFC4193).
That would be great in terms of security if you're also hosting other VMs or projects your proxy users shouldn't be able to access directly.
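
An added example, not part of the original issue or the project's code: a destination check a proxy could run on the resolved address before connecting, covering the blocks named above plus the RFC1918 ranges the issue says are already denied. The function names and the 100.64.0.0/10 entry (the RFC6598 block) are assumptions of this example; the fuller list in RFC5735 section 4 is not reproduced here.

```python
import ipaddress
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Deny list built from the issue text; comments say where each entry comes from.
DENIED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC1918 (already denied)
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # named in the issue
    "224.0.0.0/4",                                        # named in the issue
    "255.255.255.255/32",                                 # named in the issue
    "100.64.0.0/10",                                      # RFC6598 block (assumption)
    "fc00::/7",                                           # RFC4193, named in the issue
)]


def match_denied(dest: str) -> Optional[Network]:
    """Return the denied block containing dest, or None if it is allowed.

    dest must be an IP literal: apply this to the address the proxy will
    actually connect to (after DNS resolution), not to the requested hostname.
    """
    addr = ipaddress.ip_address(dest)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) reaches the embedded IPv4
    # host, so evaluate it against the IPv4 blocks instead of the IPv6 ones.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net in DENIED:
        if addr.version == net.version and addr in net:
            return net
    return None


def is_denied(dest: str) -> bool:
    """True if the proxy should refuse to connect to dest."""
    return match_denied(dest) is not None


if __name__ == "__main__":
    # Constructed sample destinations, for illustration only.
    for sample in ("192.0.2.10", "::ffff:198.51.100.7", "fd12:3456::1", "8.8.8.8"):
        print(sample, "->", match_denied(sample) or "allowed")
```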