Documentation
¶
Overview ¶
Package egress is the HTTP/HTTPS allowlist proxy that sandbox workers route their network traffic through (ADR-029 phase 4, task #209).
claude.ai's mimic: container → egress proxy → whitelist decision (allow → forward; deny → 403 with `x-deny-reason`). clawtool's parity: this package implements that proxy. The worker container's HTTP_PROXY / HTTPS_PROXY env points at the egress listener; every outbound HTTP call passes through here before reaching the host network.
Phase 4 scope:
- HTTP proxy: forwards GET/POST/etc to allowed hosts; 403 deny for hosts not on the allowlist.
- HTTPS CONNECT: tunnels TLS bytes for allowed hosts; 403 deny for the rest. We don't terminate TLS — that would require an MITM cert the operator has to install everywhere; staying as a CONNECT proxy keeps the trust model honest.
- Allowlist matching: exact host match OR suffix match (e.g. ".openai.com" allows api.openai.com + status.openai.com).
- Optional shared bearer token: clients authenticate via Proxy-Authorization: Bearer <token>. Off by default for local-only deployments.
Out of scope (future work):
- DNS pinning (allowlisted hostname → resolved IP at start; prevents DNS rebind shenanigans).
- Per-target rate limits.
- Audit log persistence (allows / denies pipe to clawtool dashboard's stream).
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Options ¶
type Options struct {
Listen string // ":3128" or "127.0.0.1:3128"
// Allow is the host allowlist. Each entry matches either
// the exact host (e.g. "api.openai.com") or as a suffix
// when prefixed with "." (e.g. ".openai.com" matches every
// subdomain). IPs are matched literally only.
Allow []string
// Token, when non-empty, requires every client to present
// `Proxy-Authorization: Bearer <token>`. Constant-time
// compare; mismatched tokens get 407.
Token string
}
Options configures the egress proxy listener.
Click to show internal directories.
Click to hide internal directories.