mirror of
https://github.com/wirenboard/agent-vm.git
synced 2026-07-09 16:00:54 +00:00
proxy: honour host HTTP proxy for guest egress + log it at startup
Behind a corporate/host HTTP proxy, agent-vm could pull its image (the
host-side reqwest clients auto-detect HTTPS_PROXY/HTTP_PROXY) but the
agent *inside* the VM could not reach the internet: the microsandbox
network stack re-originated guest connections directly, bypassing the
proxy. This made agent-vm unusable in proxy-only networks.
Bump the vendor/microsandbox gitlink to the network-crate change that
tunnels guest egress through the host proxy via HTTP CONNECT (preserving
the TLS-intercept MITM and egress policy — see the submodule commit).
On the host side, also surface the detected proxy verbosely at launch:
==> Proxy: routing guest egress + image pulls through http://proxy:3128 (HTTP CONNECT)
==> Proxy: bypassing (no_proxy) localhost,127.0.0.1,.internal
so the operator can see at a glance that all traffic is routed through
their proxy. The banner reads the same HTTPS_PROXY/HTTP_PROXY/ALL_PROXY/
NO_PROXY the network stack consumes, via the re-exported
microsandbox_network::http_proxy::ProxyConfig::from_env().
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
687ebcc6ed
commit
e06516e82b
2 changed files with 25 additions and 1 deletions
|
|
@ -721,6 +721,30 @@ pub async fn launch(agent: Agent, args: Args) -> Result<i32> {
|
|||
);
|
||||
}
|
||||
|
||||
// Surface the host HTTP proxy when one is set. Host-side image pulls
|
||||
// already honour it (reqwest auto-detects the env), and guest egress now
|
||||
// tunnels through it via HTTP CONNECT — the microsandbox network stack
|
||||
// reads the same `HTTPS_PROXY`/`HTTP_PROXY`/`ALL_PROXY`/`NO_PROXY` at boot.
|
||||
// Be loud about it so the operator knows all traffic is routed there.
|
||||
if let Some(proxy) = microsandbox::microsandbox_network::http_proxy::ProxyConfig::from_env() {
|
||||
match (proxy.https_display(), proxy.http_display()) {
|
||||
(Some(s), Some(h)) if s == h => {
|
||||
eprintln!("==> Proxy: routing guest egress + image pulls through {s} (HTTP CONNECT)");
|
||||
}
|
||||
(https, http) => {
|
||||
if let Some(s) = https {
|
||||
eprintln!("==> Proxy: HTTPS/TLS egress + image pulls via {s} (HTTP CONNECT)");
|
||||
}
|
||||
if let Some(h) = http {
|
||||
eprintln!("==> Proxy: plain-HTTP egress via {h} (HTTP CONNECT)");
|
||||
}
|
||||
}
|
||||
}
|
||||
if let Some(no_proxy) = proxy.no_proxy_display() {
|
||||
eprintln!("==> Proxy: bypassing (no_proxy) {no_proxy}");
|
||||
}
|
||||
}
|
||||
|
||||
// For each provider with a host credential file, register a
|
||||
// SecretValue::File secret keyed on the placeholder string the
|
||||
// guest will send, then register the OAuth refresh endpoint as a
|
||||
|
|
|
|||
2
vendor/microsandbox
vendored
2
vendor/microsandbox
vendored
|
|
@ -1 +1 @@
|
|||
Subproject commit 702f52ade6a3e9f4d2ac3f55b0bd46f027f01178
|
||||
Subproject commit a60f9f463ca28ce0501b11063adeb611ff65f762
|
||||
Loading…
Add table
Add a link
Reference in a new issue