jcarr
/
gemini-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixes to proxy on macos: prevent curl from hanging during wait-for-proxy by adding ipv6 support and timeout (#947)

This commit is contained in:
Olcan 2025-06-11 11:31:38 -07:00 committed by GitHub
parent 03bc1f3141
commit f75c48323c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CONTRIBUTING.md
View File

@ -271,7 +271,7 @@ Container-based sandboxing mounts the project directory (and system temp directo
#### Proxied Networking #### Proxied Networking
All sandboxing methods, including MacOS Seatbelt using `*-proxied` profiles, support restricting outbound network traffic through a custom proxy server that can be specified as `GEMINI_SANDBOX_PROXY_COMMAND=<command>`, where `<command>` must start a proxy server that listens on `0.0.0.0:8877` for relevant requests. See `scripts/example-proxy.js` for a minimal proxy that only allows `HTTPS` connections to `example.com:443` (e.g. `curl https://example.com`) and declines all other requests. The proxy is started and stopped automatically alongside the sandbox. All sandboxing methods, including MacOS Seatbelt using `*-proxied` profiles, support restricting outbound network traffic through a custom proxy server that can be specified as `GEMINI_SANDBOX_PROXY_COMMAND=<command>`, where `<command>` must start a proxy server that listens on `:::8877` for relevant requests. See `scripts/example-proxy.js` for a minimal proxy that only allows `HTTPS` connections to `example.com:443` (e.g. `curl https://example.com`) and declines all other requests. The proxy is started and stopped automatically alongside the sandbox.
## Manual Publish ## Manual Publish

2
packages/cli/src/utils/sandbox-macos-permissive-proxied.sb
View File

@ -24,7 +24,7 @@
;; deny all outbound network traffic EXCEPT through proxy on localhost:8877 ;; deny all outbound network traffic EXCEPT through proxy on localhost:8877
;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox ;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox
;; proxy must listen on 0.0.0.0:8877 (see scripts/example-proxy.js) ;; proxy must listen on :::8877 (see scripts/example-proxy.js)
(deny network-outbound) (deny network-outbound)
(allow network-outbound (remote tcp "localhost:8877")) (allow network-outbound (remote tcp "localhost:8877"))

2
packages/cli/src/utils/sandbox-macos-restrictive-proxied.sb
View File

@ -88,5 +88,5 @@
;; allow outbound network traffic through proxy on localhost:8877 ;; allow outbound network traffic through proxy on localhost:8877
;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox ;; set `GEMINI_SANDBOX_PROXY_COMMAND=<command>` to run proxy alongside sandbox
;; proxy must listen on 0.0.0.0:8877 (see scripts/example-proxy.js) ;; proxy must listen on :::8877 (see scripts/example-proxy.js)
(allow network-outbound (remote tcp "localhost:8877")) (allow network-outbound (remote tcp "localhost:8877"))

6
packages/cli/src/utils/sandbox.ts
View File

@ -339,7 +339,7 @@ export async function start_sandbox(sandbox: string) {
}); });
console.log('waiting for proxy to start ...'); console.log('waiting for proxy to start ...');
await execAsync( await execAsync(
`until curl -s http://localhost:8877; do sleep 0.25; done`, `until timeout 0.25 curl -s http://localhost:8877; do sleep 0.25; done`,
); );
} }
// spawn child and let it inherit stdio // spawn child and let it inherit stdio
@ -661,7 +661,9 @@ export async function start_sandbox(sandbox: string) {
process.exit(1); process.exit(1);
}); });
console.log('waiting for proxy to start ...'); console.log('waiting for proxy to start ...');
await execAsync(`until curl -s http://localhost:8877; do sleep 0.25; done`); await execAsync(
`until timeout 0.25 curl -s http://localhost:8877; do sleep 0.25; done`,
);
// connect proxy container to sandbox network // connect proxy container to sandbox network
// (workaround for older versions of docker that don't support multiple --network args) // (workaround for older versions of docker that don't support multiple --network args)
await execAsync( await execAsync(

7
scripts/example-proxy.js
View File

@ -6,7 +6,7 @@
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
// Example proxy server that listens on 0.0.0.0:8877 and only allows HTTPS connections to example.com. // Example proxy server that listens on :::8877 and only allows HTTPS connections to example.com.
// Set `GEMINI_SANDBOX_PROXY_COMMAND=scripts/example-proxy.js` to run proxy alongside sandbox // Set `GEMINI_SANDBOX_PROXY_COMMAND=scripts/example-proxy.js` to run proxy alongside sandbox
// Test via `curl https://example.com` inside sandbox (in shell mode or via shell tool) // Test via `curl https://example.com` inside sandbox (in shell mode or via shell tool)
@ -66,8 +66,9 @@ server.on('connect', (req, clientSocket, head) => {
}); });
}); });
server.listen(PROXY_PORT, '0.0.0.0', () => { server.listen(PROXY_PORT, () => {
console.log(`[PROXY] Proxy listening on 0.0.0.0:${PROXY_PORT}`); const address = server.address();
console.log(`[PROXY] Proxy listening on ${address.address}:${address.port}`);
console.log( console.log(
`[PROXY] Allowing HTTPS connections to domains: ${ALLOWED_DOMAINS.join(', ')}`, `[PROXY] Allowing HTTPS connections to domains: ${ALLOWED_DOMAINS.join(', ')}`,
); );