Skip to content

Add upstream proxy feature#208

Open
eraow wants to merge 1 commit into
coder:mainfrom
eraow:feature/upstream-proxy
Open

Add upstream proxy feature#208
eraow wants to merge 1 commit into
coder:mainfrom
eraow:feature/upstream-proxy

Conversation

@eraow

@eraow eraow commented Jul 16, 2026

Copy link
Copy Markdown

Note: This PR was generated with AI assistance.

Summary

Adds an --upstream-proxy option so Boundary can forward its own outbound
requests through an HTTP(S) proxy. This makes Boundary usable in environments
that only allow internet access via a corporate proxy.

Motivation

I want to run Boundary behind a corporate proxy. Without this option, Boundary
connects directly to upstream hosts, which fails when direct egress is blocked
and only a proxy is permitted.

What this does

  • Adds --upstream-proxy <URL> (env BOUNDARY_UPSTREAM_PROXY, YAML
    upstream_proxy), e.g. http://proxy.corp:3128.
  • When set, Boundary routes its own upstream HTTP/HTTPS requests through the
    given proxy instead of connecting directly. Allow-rule evaluation and audit
    logging still happen first — the upstream proxy only receives already-allowed
    requests.
  • Behavior is unchanged when the flag is not provided.
  • The upstream proxy is a Boundary outbound-transport setting, not a child
    HTTP_PROXY setting. The confined child still sends traffic to Boundary first.

Usage

boundary --upstream-proxy http://proxy.corp:3128 \
  --allow "domain=github.com" -- curl https://github.com

Manual verification

PASS (allowed domain)

$ ./boundary --upstream-proxy http://${proxy}:3080 --log-level info --log-dir ./boundary-logs --allow "domain=github.com" -- curl -s -o /dev/null -w "%{http_code}" https://github.com
200
$ cat  boundary-logs/boundary-2026-07-17_00-08-01-4094015.log
time=2026-07-17T00:08:01.237+09:00 level=INFO msg="boundary session started" session_id=09d4a8ab-7ba4-42ae-a90f-9ff79e37c608
time=2026-07-17T00:08:01.237+09:00 level=WARN msg="Audit logs are disabled; workspace agent has not created log proxy socket" socket=/tmp/boundary-audit.sock
time=2026-07-17T00:08:01.237+09:00 level=INFO msg="Using upstream proxy" upstream_proxy=http://proxy:3080
time=2026-07-17T00:08:01.237+09:00 level=INFO msg="Start namespace-jail manager"
time=2026-07-17T00:08:01.246+09:00 level=INFO msg="Starting HTTP proxy with TLS termination" port=8080
time=2026-07-17T00:08:01.398+09:00 level=INFO msg=ALLOW method=GET url=https://github.com/ host=github.com rule="domain=github.com"
time=2026-07-17T00:08:01.473+09:00 level=INFO msg="Command completed, shutting down..."
time=2026-07-17T00:08:01.473+09:00 level=INFO msg="Stop namespace-jail manager"

BLOCK (disallowed domain — never reaches the upstream proxy)

$ ./boundary --upstream-proxy http://${proxy}:3080 --log-level info --log-dir ./boundary-logs --allow "domain=github.com" -- curl -s -o /dev/null -w "%{http_code}" https://example.com
403
$ cat  boundary-logs/boundary-2026-07-16_23-11-43-3997580.log
time=2026-07-16T23:11:43.132+09:00 level=INFO msg="boundary session started" session_id=f11a132f-ba27-43a6-a400-13d19da6f790
time=2026-07-16T23:11:43.132+09:00 level=WARN msg="Audit logs are disabled; workspace agent has not created log proxy socket" socket=/tmp/boundary-audit.sock
time=2026-07-16T23:11:43.132+09:00 level=INFO msg="Using upstream proxy" upstream_proxy=http://proxy:3080
time=2026-07-16T23:11:43.132+09:00 level=INFO msg="Start namespace-jail manager"
time=2026-07-16T23:11:43.143+09:00 level=INFO msg="Starting HTTP proxy with TLS termination" port=8080
time=2026-07-16T23:11:43.287+09:00 level=WARN msg=DENY method=GET url=https://example.com/ host=example.com
time=2026-07-16T23:11:43.288+09:00 level=INFO msg="Command completed, shutting down..."
time=2026-07-16T23:11:43.288+09:00 level=INFO msg="Stop namespace-jail manager"

@eraow
eraow marked this pull request as ready for review July 16, 2026 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant