Skip to content

feat(sandbox,gateway): route sandbox egress through corporate HTTP proxy#2245

Open
feloy wants to merge 1 commit into
NVIDIA:mainfrom
feloy:fix-1792-corporate-proxy-podman
Open

feat(sandbox,gateway): route sandbox egress through corporate HTTP proxy#2245
feloy wants to merge 1 commit into
NVIDIA:mainfrom
feloy:fix-1792-corporate-proxy-podman

Conversation

@feloy

@feloy feloy commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add corporate HTTP proxy chaining so sandbox egress traffic can traverse enterprise forward proxies (HTTPS_PROXY/HTTP_PROXY/NO_PROXY)
  • The supervisor's policy proxy evaluates SSRF/allowlist rules as before, then dials the corporate proxy with HTTP CONNECT instead of connecting directly
  • Forward proxy environment variables through Podman driver config into sandbox containers

Related Issue

Part of #1792

Changes

  • openshell-supervisor-network: new upstream_proxy module reads standard proxy env vars, implements CONNECT handshake with optional Basic auth, and respects NO_PROXY bypass rules. dial_upstream() replaces the direct TcpStream::connect at the single post-SSRF connect site.
  • openshell-driver-podman: PodmanComputeConfig gains https_proxy, http_proxy, no_proxy fields with validation (only http:// schemes accepted). Container creation injects these as environment variables.
  • docs/reference/gateway-config.mdx: documents the new proxy config fields.
  • architecture/sandbox.md: updated with corporate proxy data flow.

Testing

  • Unit tests for UpstreamProxyConfig parsing, NO_PROXY matching (wildcards, CIDR, ports, loopback bypass), and CONNECT handshake (success, auth, rejection, timeout)

  • Unit tests for Podman config validation (empty values, unsupported schemes)

  • Existing proxy and SSRF test suites pass — policy evaluation is unchanged

  • mise run pre-commit passes

  • Unit tests added/updated

  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

- Chain sandbox egress through a corporate HTTP proxy so outbound
  traffic from within the sandbox respects the host proxy settings
- Forward sandbox proxy environment variables to the generated Podman
  config so the proxy is applied consistently to Podman-managed workloads

Signed-off-by: Philippe Martin <phmartin@redhat.com>
@feloy feloy requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners July 13, 2026 16:06
@copy-pr-bot

copy-pr-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers

Copy link
Copy Markdown
Collaborator

gator-agent

PR Review Status

Validation: This is project-valid work for the enterprise restricted-egress gap in #1792. Maintainer triage confirmed the need for corporate proxy chaining after OpenShell policy enforcement, and the PR includes the relevant Podman configuration plus Fern and architecture documentation.

Head SHA: ca5c041fca5547c2f659cf6d919db0ba8aaf39b7

Review findings:

  • Blocking — bind SSRF validation to the destination actually reached by the corporate proxy (crates/openshell-supervisor-network/src/proxy.rs:2818, upstream_proxy.rs:364). OpenShell validates locally resolved addresses but sends the hostname in CONNECT, allowing proxy-side DNS to resolve to a different private, metadata, or control-plane address. Use a selected validated IP for the CONNECT authority while retaining the hostname for HTTP Host/TLS SNI, or explicitly establish the corporate proxy as the SSRF enforcement boundary.
  • Blocking — keep proxy routing operator-owned (crates/openshell-driver-podman/src/container.rs:362, :394; upstream_proxy.rs:357). Sandbox/template environment currently wins over operator values, so a sandbox creator can choose an arbitrary proxy or set NO_PROXY=*. Use reserved supervisor-only variables written after user environment, and do not let ordinary HTTP_PROXY/HTTPS_PROXY/ALL_PROXY/NO_PROXY variants control this boundary.
  • Blocking — fail closed on malformed configured proxies (config.rs:211, upstream_proxy.rs:175, :229). Some invalid values pass Podman validation and are then ignored, silently restoring direct egress. Parse once into a typed configuration and reject startup when configured proxy data is invalid.
  • Blocking — preserve bytes read past the CONNECT response headers (upstream_proxy.rs:373-412). A coalesced 200 response and server-first payload currently drops the tunneled bytes. Consume exactly the header or return a buffered stream that replays over-read data.
  • Required follow-up — implement conventional plain-HTTP forwarding or narrow the advertised scope (proxy.rs:3159, :2818). The current HTTP_PROXY path still uses CONNECT and sends origin-form requests; many forward proxies expect absolute-form requests and deny CONNECT to port 80.
  • Required follow-up — reject control characters in decoded proxy credentials (upstream_proxy.rs:254, :365-369) to prevent HTTP header injection.
  • Required follow-up — apply the documented host-gateway bypass to HTTPS CONNECT paths too (proxy.rs:1102, :4396; architecture/sandbox.md:84).

Tests should cover the SSRF/DNS binding, CONNECT over-read, invalid-config fail-closed behavior, plain HTTP against a standard forward proxy, combined Podman environment precedence, and HTTPS host-gateway bypass. Runtime proxy behavior also requires test:e2e once these review findings are resolved; E2E has not been authorized on this head because author changes are needed first.

Docs: The existing Fern gateway reference is the correct page and no docs/index.yml navigation change is needed. The architecture claim about all host-gateway aliases bypassing the proxy must match the implementation. Kubernetes propagation remains outside this PR and should stay explicit.

@feloy, please push an updated commit addressing the items above. Gator will re-review the new head before starting the E2E gate.

Next state: gator:in-review

@johntmyers johntmyers added the gator:in-review Gator is reviewing or awaiting PR review feedback label Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gator:in-review Gator is reviewing or awaiting PR review feedback

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants