feat(sandbox,gateway): route sandbox egress through corporate HTTP proxy#2245
feat(sandbox,gateway): route sandbox egress through corporate HTTP proxy#2245feloy wants to merge 1 commit into
Conversation
- Chain sandbox egress through a corporate HTTP proxy so outbound traffic from within the sandbox respects the host proxy settings - Forward sandbox proxy environment variables to the generated Podman config so the proxy is applied consistently to Podman-managed workloads Signed-off-by: Philippe Martin <phmartin@redhat.com>
PR Review StatusValidation: This is project-valid work for the enterprise restricted-egress gap in #1792. Maintainer triage confirmed the need for corporate proxy chaining after OpenShell policy enforcement, and the PR includes the relevant Podman configuration plus Fern and architecture documentation. Head SHA: Review findings:
Tests should cover the SSRF/DNS binding, CONNECT over-read, invalid-config fail-closed behavior, plain HTTP against a standard forward proxy, combined Podman environment precedence, and HTTPS host-gateway bypass. Runtime proxy behavior also requires Docs: The existing Fern gateway reference is the correct page and no @feloy, please push an updated commit addressing the items above. Gator will re-review the new head before starting the E2E gate. Next state: |
Summary
HTTPS_PROXY/HTTP_PROXY/NO_PROXY)Related Issue
Part of #1792
Changes
openshell-supervisor-network: newupstream_proxymodule reads standard proxy env vars, implements CONNECT handshake with optional Basic auth, and respectsNO_PROXYbypass rules.dial_upstream()replaces the directTcpStream::connectat the single post-SSRF connect site.openshell-driver-podman:PodmanComputeConfiggainshttps_proxy,http_proxy,no_proxyfields with validation (onlyhttp://schemes accepted). Container creation injects these as environment variables.docs/reference/gateway-config.mdx: documents the new proxy config fields.architecture/sandbox.md: updated with corporate proxy data flow.Testing
Unit tests for
UpstreamProxyConfigparsing,NO_PROXYmatching (wildcards, CIDR, ports, loopback bypass), and CONNECT handshake (success, auth, rejection, timeout)Unit tests for Podman config validation (empty values, unsupported schemes)
Existing proxy and SSRF test suites pass — policy evaluation is unchanged
mise run pre-commitpassesUnit tests added/updated
E2E tests added/updated (if applicable)
Checklist