fix: enable Squid intercept mode for NAT-redirected traffic#520
Conversation
When traffic is NAT'd (DNAT) to Squid proxy, clients send relative URLs (GET /path) because they don't know they're talking to a proxy. Squid's normal proxy mode requires absolute URLs (GET http://example.com/path), causing "Invalid URL - Missing hostname" errors.

This fix:
- Adds interceptPort to SquidConfig for transparent proxy traffic
- Configures Squid with `http_port 3129 intercept` for NAT'd traffic
- Updates iptables rules to redirect to intercept port (3129) not regular port (3128)
- Keeps regular port (3128) for explicit proxy usage via HTTP_PROXY

This fixes Codex/rmcp OAuth discovery timeouts - requests now reach the MCP gateway instead of being blocked by Squid.

Fixes #519

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

Chroot tests failed: Smoke Chroot failed - See logs for details.

✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by

C++ Build Test Results
Overall: PASS ✅ All C++ projects configured and built successfully.

Deno Build Test Results
Overall: ✅ PASS All Deno tests passed successfully.

Node.js Build Test Results
Overall: PASS ✅ All Node.js projects built and tested successfully.

Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed their tests.

Smoke Test Results
✅ GitHub MCP: #515 feat: add AWF agent skill for Claude Code agents, #514 fix: add auth and error handling to build-test workflows
Status: PASS cc: @Mossaka

Build Test: Bun - FAILED ❌
Overall: FAIL
Error Details: Both projects encountered critical runtime failures:
elysia:
hono:
Root Cause: Bun runtime is crashing with core dumps on this environment (GitHub Actions runner). This appears to be an environment compatibility issue with Bun v1.3.8.
Action Required: This test cannot pass until the Bun runtime stability issue is resolved.

Smoke Test Results - Claude Engine
✅ GitHub MCP - Last 2 merged PRs:
✅ Playwright - GitHub homepage title verified
✅ File Writing - Created
✅ Bash Tool - File read successful
Status: PASS
Pull request overview
This PR fixes a critical bug where HTTP traffic redirected via iptables NAT (DNAT) to the Squid proxy fails with "Invalid URL - Missing hostname" errors. The root cause is that NAT-redirected clients send relative URLs (e.g., GET /path) because they don't know they're talking to a proxy, but Squid's normal proxy mode requires absolute URLs (e.g., GET http://example.com/path).
Changes:
- Added `interceptPort` field to `SquidConfig` interface for transparent proxy traffic handling
- Configured Squid with separate intercept port (3129) using `http_port 3129 intercept` directive
- Updated iptables rules to redirect NAT traffic to the intercept port instead of the regular proxy port
- Added test coverage for the new intercept port configuration
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/types.ts | Added interceptPort optional field to SquidConfig interface with comprehensive documentation |
| src/squid-config.ts | Added intercept port configuration to Squid config generation with explanatory comments |
| src/squid-config.test.ts | Added tests verifying intercept port is included when specified and excluded when not |
| src/docker-manager.ts | Passed SQUID_INTERCEPT_PORT constant to Squid config generation |
| containers/agent/setup-iptables.sh | Updated NAT redirection rules to use intercept port for transparent proxy traffic |
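To make the root cause concrete, here is an added example (not code from the PR, the project, or Squid itself) that models how a forward-proxy listener and an intercept listener each determine the origin server for a request. `parseRequest`, `resolveOrigin` and the `mcp-gateway.example:8080` host are hypothetical names and constructed samples; the error string is the one quoted in the PR.

```typescript
// Added example (not code from the PR or the project): models how a
// forward-proxy listener and an intercept listener each determine the origin
// server for a request. Hostnames and paths below are constructed samples.

type ListenerMode = "forward" | "intercept";

type Origin =
  | { ok: true; host: string; path: string }
  | { ok: false; error: string };

// Split a raw HTTP/1.1 request into its request-target and a lowercase header map.
function parseRequest(raw: string): { target: string; headers: Map<string, string> } {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const requestLine = lines[0].split(" ");
  if (requestLine.length !== 3) {
    throw new Error("malformed request line");
  }
  const headers = new Map<string, string>();
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    headers.set(line.slice(0, sep).trim().toLowerCase(), line.slice(sep + 1).trim());
  }
  return { target: requestLine[1], headers };
}

// Resolve the origin the way each listener type does.
function resolveOrigin(raw: string, mode: ListenerMode): Origin {
  const { target, headers } = parseRequest(raw);

  // Absolute-form target ("GET http://host/path"): both listener types use it directly.
  if (/^https?:\/\//i.test(target)) {
    const url = new URL(target);
    return { ok: true, host: url.host, path: url.pathname + url.search };
  }

  // Origin-form target ("GET /path"): a forward-proxy listener has no hostname
  // to connect to. This is the condition behind the error quoted in the PR.
  if (mode === "forward") {
    return { ok: false, error: "Invalid URL - Missing hostname" };
  }

  // An intercept listener falls back to the Host header the client sent to
  // what it believed was the origin server.
  const host = headers.get("host");
  if (host === undefined) {
    return { ok: false, error: "intercepted request without Host header" };
  }
  return { ok: true, host, path: target };
}

// Constructed samples: the same OAuth discovery request as a NAT-redirected
// client sends it, and as an HTTP_PROXY-aware client sends it.
const NAT_REDIRECTED_REQUEST =
  "GET /.well-known/oauth-authorization-server HTTP/1.1\r\n" +
  "Host: mcp-gateway.example:8080\r\n\r\n";
const EXPLICIT_PROXY_REQUEST =
  "GET http://mcp-gateway.example:8080/.well-known/oauth-authorization-server HTTP/1.1\r\n" +
  "Host: mcp-gateway.example:8080\r\n\r\n";
```

Two practitioner notes on the real thing: a Squid intercept listener does not trust the Host header blindly; it cross-checks it against the connection's original destination address (the host_verify_strict behaviour), so a client cannot use the transparent port to reach a host the NAT rule never sent it to. That check also means the REDIRECT rule must run on the same host as Squid, since Squid reads the original destination from the local kernel.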
| if (interceptPort) { | ||
| portConfig += `\nhttp_port ${interceptPort} intercept`; | ||
| } |
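Review bot: `if (interceptPort)` does not guard against interceptPort being equal to port, so a config with both set to 3128 would emit `http_port 3128` followed by `http_port 3128 intercept`, two listeners on one port, and Squid would refuse to start. Reject that case before appending the line, e.g. `if (interceptPort === port) throw new Error('interceptPort must differ from port')`, or validate it where SquidConfig is built.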
When SSL Bump is enabled, the intercept port configuration added here will be ignored. On line 436 (visible in surrounding context), portConfig is set to empty string when sslBump is enabled, and the SSL Bump section uses a hardcoded port configuration.
The generateSslBumpSection function (called on line 428-434) hardcodes "http_port 3128 ssl-bump" and doesn't receive the port or interceptPort parameters. This means NAT-redirected traffic will fail with "Invalid URL - Missing hostname" errors when SSL Bump is enabled, which is the exact issue this PR is trying to fix.
To fix this, generateSslBumpSection needs to be updated to:
- Accept port and interceptPort parameters
- Generate both "http_port [port] ssl-bump" and "http_port [interceptPort] ssl-bump intercept" configurations when interceptPort is provided
Without this fix, SSL Bump mode will continue to experience the NAT redirect failures described in issue #519.
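The change the comment above asks for, written out as an added example rather than the project's own `generateSslBumpSection` or `squid-config.ts`: a hypothetical `generateListenerSection` that takes `port`, `interceptPort` and `sslBump` together, emits both listener lines when an intercept port is given, rejects a colliding port, and a whole-line matcher so tests cannot be fooled by substring overlap. The certificate options a real ssl-bump listener carries are left out.

```typescript
// Added example (not the project's squid-config.ts): one generator for the
// explicit, intercept and SSL Bump listener lines, with the collision check
// a reviewer would want. Real ssl-bump listeners also need cert options,
// omitted here.

interface ListenerOptions {
  port: number;           // explicit proxy port (3128 in the PR)
  interceptPort?: number; // transparent port for NAT-redirected traffic (3129 in the PR)
  sslBump?: boolean;
}

function isValidPort(p: number): boolean {
  return Number.isInteger(p) && p >= 1 && p <= 65535;
}

function generateListenerSection(opts: ListenerOptions): string {
  const { port, interceptPort, sslBump = false } = opts;
  if (!isValidPort(port)) {
    throw new Error(`invalid port ${port}`);
  }
  if (interceptPort !== undefined) {
    if (!isValidPort(interceptPort)) {
      throw new Error(`invalid interceptPort ${interceptPort}`);
    }
    // Two http_port lines on the same port would stop Squid from starting.
    if (interceptPort === port) {
      throw new Error("interceptPort must differ from port");
    }
  }

  // The same bump setting applies to both listeners: "intercept" changes how
  // the origin is determined, "ssl-bump" changes what is done with the connection.
  const bump = sslBump ? " ssl-bump" : "";
  const lines = [`http_port ${port}${bump}`];
  if (interceptPort !== undefined) {
    lines.push(`http_port ${interceptPort}${bump} intercept`);
  }
  return lines.join("\n");
}

// Whole-line match, so "http_port 3128" is not satisfied by "http_port 31280"
// or by "http_port 3128 intercept".
function hasListener(config: string, line: string): boolean {
  return config.split("\n").includes(line);
}
```

Using `hasListener` in the PR's tests instead of `toContain` would also turn the second Copilot comment's SSL Bump case into a one-line assertion on `http_port 3129 ssl-bump intercept`.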
| it('should add intercept port when specified', () => { | ||
| const config: SquidConfig = { | ||
| domains: ['github.com'], | ||
| port: 3128, | ||
| interceptPort: 3129, | ||
| }; | ||
| const result = generateSquidConfig(config); | ||
| expect(result).toContain('http_port 3128'); | ||
| expect(result).toContain('http_port 3129 intercept'); | ||
| }); | ||
|
|
||
| it('should not add intercept port when not specified', () => { | ||
| const config: SquidConfig = { | ||
| domains: ['github.com'], | ||
| port: 3128, | ||
| }; | ||
| const result = generateSquidConfig(config); | ||
| expect(result).toContain('http_port 3128'); | ||
| expect(result).not.toContain('intercept'); | ||
| }); |
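Review bot: both tests rely on substring matching, so `expect(result).toContain('http_port 3128')` would also be satisfied by a line such as `http_port 31280` or `http_port 3128 intercept`, and the positive test cannot tell the explicit listener apart from the intercept one. Assert on whole lines instead, e.g. `expect(result).toMatch(/^http_port 3128$/m)` and `expect(result).toMatch(/^http_port 3129 intercept$/m)`, so a regression that drops or merges a listener is caught.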
The new tests for intercept port are placed inside the "SSL Bump Mode" describe block, but they don't actually test the combination of SSL Bump with intercept port. This misses the critical bug where SSL Bump ignores the intercept port configuration.
Add a test that verifies intercept port works with SSL Bump enabled:
- Config with sslBump: true, interceptPort: 3129
- Expected: both "http_port 3128 ssl-bump" and "http_port 3129 ssl-bump intercept" in output
This test would catch the bug where generateSslBumpSection doesn't support intercept port.
❌ Build Test: Java - FAILED
Status: ENVIRONMENT FAILURE
Error: Cannot execute Java tests due to corrupted GitHub Actions runner environment. All Java binaries (across multiple installations) are being executed as bash instead of Java.
Details
Overall: FAIL
Diagnostic Output: All Java installations tested:
Recommendation: This workflow needs to be re-run on a fresh GitHub Actions runner with a functional Java environment.
Rust Build Test Results
Overall: PASS ✅ All Rust projects built successfully and all tests passed.
Summary
When traffic is NAT'd (DNAT) to Squid proxy, clients send relative URLs (GET /path) because they don't know they're talking to a proxy. Squid's normal proxy mode requires absolute URLs (GET http://example.com/path), causing "Invalid URL - Missing hostname" errors. This is the root cause of Codex smoke test failures - the rmcp client's OAuth discovery requests get NAT'd to Squid but fail because Squid can't process the relative URL.
Changes
- Adds `interceptPort` to `SquidConfig` interface for transparent proxy traffic
- Configures Squid with `http_port 3129 intercept` for NAT'd traffic
- Updates iptables rules to redirect to intercept port (3129) not regular port (3128)
- Keeps regular port (3128) for explicit proxy usage via `HTTP_PROXY`
How it works
- Regular port (3128): explicit proxy (`HTTP_PROXY` env var) - expects absolute URLs
Test plan
Related
Fixes #519
🤖 Generated with Claude Code