monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

fix: set HTTP_PROXY for macOS daemon mode alongside ALL_PROXY

Browse Source 
ALL_PROXY=socks5h:// only works for SOCKS5-aware apps (curl, git).
Apps like opencode that only check HTTP_PROXY/HTTPS_PROXY were not
using the proxy at all, causing DNS resolution failures.

Now sets both:
- ALL_PROXY=socks5h://host:42052 (SOCKS5 with proxy-side DNS)
- HTTP_PROXY=http://host:42051 (HTTP CONNECT proxy)

The HTTP CONNECT proxy on port 42051 resolves DNS server-side,
so apps that don't speak SOCKS5 still get proper DNS resolution
through the proxy.
This commit is contained in:
Mathieu Virbel
2026-03-04 12:40:27 -06:00
parent 20ee23c1c3
commit 0e3dc23639
1 changed files with 21 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
internal/sandbox/macos.go
View File

@@ -748,8 +748,11 @@ func WrapCommandMacOS(cfg *config.Config, command string, exposedPorts []int, da
// ALL_PROXY=socks5h:// so proxy-aware apps (curl, git, etc.) resolve DNS // ALL_PROXY=socks5h:// so proxy-aware apps (curl, git, etc.) resolve DNS
// through the SOCKS5 proxy. The "h" suffix means "resolve hostname at proxy". // through the SOCKS5 proxy. The "h" suffix means "resolve hostname at proxy".
// //
// We only set ALL_PROXY (not HTTP_PROXY/HTTPS_PROXY) because apps like // Set ALL_PROXY and HTTP_PROXY/HTTPS_PROXY with socks5h:// so both
// Bun/Node.js read HTTP_PROXY but don't support SOCKS5 protocol. // SOCKS5-aware apps (curl, git) and HTTP-proxy-aware apps (opencode,
// Node.js tools) resolve DNS through the proxy. The "h" suffix means
// "resolve hostname at proxy side". Note: apps that read HTTP_PROXY
// but don't support SOCKS5 protocol (e.g., Bun) may fail to connect.
// //
// sudo resets the environment, so we use `env` after sudo to re-inject // sudo resets the environment, so we use `env` after sudo to re-inject
// terminal vars (TERM, COLORTERM, etc.) needed for TUI apps. // terminal vars (TERM, COLORTERM, etc.) needed for TUI apps.
@@ -758,7 +761,22 @@ func WrapCommandMacOS(cfg *config.Config, command string, exposedPorts []int, da
// Convert socks5:// → socks5h:// for hostname resolution through proxy. // Convert socks5:// → socks5h:// for hostname resolution through proxy.
socks5hURL := strings.Replace(cfg.Network.ProxyURL, "socks5://", "socks5h://", 1) socks5hURL := strings.Replace(cfg.Network.ProxyURL, "socks5://", "socks5h://", 1)
if socks5hURL != "" { if socks5hURL != "" {
sandboxEnvs = append(sandboxEnvs, "ALL_PROXY="+socks5hURL, "all_proxy="+socks5hURL) // ALL_PROXY uses socks5h:// (DNS resolved at proxy side) for
// SOCKS5-aware apps (curl, git).
// HTTP_PROXY/HTTPS_PROXY use http:// pointing to the GreyHaven
// HTTP CONNECT proxy (port 42051) for apps that only understand
// HTTP proxies (opencode, Node.js tools, etc.). The CONNECT
// proxy resolves DNS server-side.
proxyHost := "localhost"
if u, err := url.Parse(socks5hURL); err == nil && u.Hostname() != "" {
proxyHost = u.Hostname()
}
httpProxyURL := "http://" + proxyHost + ":42051"
sandboxEnvs = append(sandboxEnvs,
"ALL_PROXY="+socks5hURL, "all_proxy="+socks5hURL,
"HTTP_PROXY="+httpProxyURL, "http_proxy="+httpProxyURL,
"HTTPS_PROXY="+httpProxyURL, "https_proxy="+httpProxyURL,
)
} }
termEnvs := getTerminalEnvVars() termEnvs := getTerminalEnvVars()
parts = append(parts, "sudo", "-u", uid, "-g", daemonSession.SandboxGroup, "env") parts = append(parts, "sudo", "-u", uid, "-g", daemonSession.SandboxGroup, "env")