fix(api-proxy): use IP address for API base URLs to avoid DNS issues

In chroot mode, Docker container hostname resolution can fail because
the DNS resolver may not properly reach Docker's embedded DNS. Use the
api-proxy IP address directly (e.g., http://172.30.0.30:10001) instead
of the hostname (http://api-proxy:10001) to eliminate DNS resolution as
a failure point.

Also add test coverage for the host-iptables api-proxy ACCEPT rule.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

containers/api-proxy/package-lock.json

@@ -8,7 +8,8 @@
   },
   "dependencies": {
     "express": "^4.18.2",
-    "http-proxy-middleware": "^2.0.6"
+    "http-proxy-middleware": "^2.0.6",
+    "https-proxy-agent": "^7.0.0"
   },
   "engines": {
     "node": ">=18.0.0"

containers/api-proxy/package.json

@@ -12,6 +12,7 @@
 
 const express = require('express');
 const { createProxyMiddleware } = require('http-proxy-middleware');
+const { HttpsProxyAgent } = require('https-proxy-agent');
 
 // Read API keys from environment (set by docker-compose)
 const OPENAI_API_KEY = process.env.OPENAI_API_KEY;
@@ -21,6 +22,16 @@ const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
 const HTTP_PROXY = process.env.HTTP_PROXY;
 const HTTPS_PROXY = process.env.HTTPS_PROXY;
 
+// Create proxy agent to route outbound HTTPS through Squid
+// http-proxy-middleware doesn't use HTTP_PROXY env vars natively,
+// so we create an explicit agent that tunnels through Squid
+const proxyAgent = HTTPS_PROXY ? new HttpsProxyAgent(HTTPS_PROXY) : undefined;
+if (proxyAgent) {
+  console.log('[API Proxy] Using Squid proxy agent for outbound HTTPS connections');
+} else {
+  console.log('[API Proxy] WARNING: No HTTPS_PROXY configured, connections will be direct');
+}
+
 console.log('[API Proxy] Starting AWF API proxy sidecar...');
 console.log(`[API Proxy] HTTP_PROXY: ${HTTP_PROXY}`);
 console.log(`[API Proxy] HTTPS_PROXY: ${HTTPS_PROXY}`);
@@ -54,6 +65,7 @@ if (OPENAI_API_KEY) {
     target: 'https://api.openai.com',
     changeOrigin: true,
     secure: true,
+    agent: proxyAgent,
     onProxyReq: (proxyReq, req, res) => {
       // Inject Authorization header
       proxyReq.setHeader('Authorization', `Bearer ${OPENAI_API_KEY}`);
@@ -89,6 +101,7 @@ if (ANTHROPIC_API_KEY) {
     target: 'https://api.anthropic.com',
     changeOrigin: true,
     secure: true,
+    agent: proxyAgent,
     onProxyReq: (proxyReq, req, res) => {
       // Inject Anthropic authentication headers
       proxyReq.setHeader('x-api-key', ANTHROPIC_API_KEY);

containers/api-proxy/server.js

@@ -2,7 +2,7 @@ import { WrapperConfig } from './types';
 
 export interface WorkflowDependencies {
   ensureFirewallNetwork: () => Promise<{ squidIp: string; agentIp: string; proxyIp: string; subnet: string }>;
-  setupHostIptables: (squidIp: string, port: number, dnsServers: string[], apiProxyIp?: string) => Promise<void>;
+  setupHostIptables: (squidIp: string, port: number, dnsServers: string[]) => Promise<void>;
   writeConfigs: (config: WrapperConfig) => Promise<void>;
   startContainers: (workDir: string, allowedDomains: string[], proxyLogsDir?: string, skipPull?: boolean) => Promise<void>;
   runAgentCommand: (
@@ -43,9 +43,8 @@ export async function runMainWorkflow(
   logger.info('Setting up host-level firewall network and iptables rules...');
   const networkConfig = await dependencies.ensureFirewallNetwork();
   const dnsServers = config.dnsServers || ['8.8.8.8', '8.8.4.4'];
-  // Pass api-proxy IP so host iptables allows its outbound traffic to external APIs
-  const apiProxyIp = config.enableApiProxy ? networkConfig.proxyIp : undefined;
-  await dependencies.setupHostIptables(networkConfig.squidIp, 3128, dnsServers, apiProxyIp);
+  // API proxy routes through Squid via https-proxy-agent, no firewall exemption needed
+  await dependencies.setupHostIptables(networkConfig.squidIp, 3128, dnsServers);
   onHostIptablesSetup?.();
 
   // Step 1: Write configuration files

src/cli-workflow.ts

@@ -1584,7 +1584,7 @@ describe('docker-manager', () => {
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
         const agent = result.services.agent;
         const env = agent.environment as Record<string, string>;
-        expect(env.OPENAI_BASE_URL).toBe('http://api-proxy:10000');
+        expect(env.OPENAI_BASE_URL).toBe('http://172.30.0.30:10000');
       });
 
       it('should configure HTTP_PROXY and HTTPS_PROXY in api-proxy to route through Squid', () => {
@@ -1601,16 +1601,16 @@ describe('docker-manager', () => {
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
         const agent = result.services.agent;
         const env = agent.environment as Record<string, string>;
-        expect(env.ANTHROPIC_BASE_URL).toBe('http://api-proxy:10001');
+        expect(env.ANTHROPIC_BASE_URL).toBe('http://172.30.0.30:10001');
       });
 
       it('should set both BASE_URL variables when both keys are provided', () => {
         const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-openai-key', anthropicApiKey: 'sk-ant-test-key' };
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
         const agent = result.services.agent;
         const env = agent.environment as Record<string, string>;
-        expect(env.OPENAI_BASE_URL).toBe('http://api-proxy:10000');
-        expect(env.ANTHROPIC_BASE_URL).toBe('http://api-proxy:10001');
+        expect(env.OPENAI_BASE_URL).toBe('http://172.30.0.30:10000');
+        expect(env.ANTHROPIC_BASE_URL).toBe('http://172.30.0.30:10001');
       });
 
       it('should not set OPENAI_BASE_URL in agent when only Anthropic key is provided', () => {
@@ -1619,7 +1619,7 @@ describe('docker-manager', () => {
         const agent = result.services.agent;
         const env = agent.environment as Record<string, string>;
         expect(env.OPENAI_BASE_URL).toBeUndefined();
-        expect(env.ANTHROPIC_BASE_URL).toBe('http://api-proxy:10001');
+        expect(env.ANTHROPIC_BASE_URL).toBe('http://172.30.0.30:10001');
       });
 
       it('should not set ANTHROPIC_BASE_URL in agent when only OpenAI key is provided', () => {
@@ -1628,7 +1628,7 @@ describe('docker-manager', () => {
         const agent = result.services.agent;
         const env = agent.environment as Record<string, string>;
         expect(env.ANTHROPIC_BASE_URL).toBeUndefined();
-        expect(env.OPENAI_BASE_URL).toBe('http://api-proxy:10000');
+        expect(env.OPENAI_BASE_URL).toBe('http://172.30.0.30:10000');
       });
     });
   });

src/docker-manager.test.ts

@@ -960,13 +960,14 @@ export function generateDockerCompose(
     environment.AWF_API_PROXY_IP = networkConfig.proxyIp;
 
     // Set environment variables in agent to use the proxy
+    // Use IP address instead of hostname to avoid DNS resolution issues in chroot mode
     if (config.openaiApiKey) {
-      environment.OPENAI_BASE_URL = `http://api-proxy:10000`;
-      logger.debug('OpenAI API will be proxied through sidecar at http://api-proxy:10000');
+      environment.OPENAI_BASE_URL = `http://${networkConfig.proxyIp}:10000`;
+      logger.debug(`OpenAI API will be proxied through sidecar at http://${networkConfig.proxyIp}:10000`);
     }
     if (config.anthropicApiKey) {
-      environment.ANTHROPIC_BASE_URL = `http://api-proxy:10001`;
-      logger.debug('Anthropic API will be proxied through sidecar at http://api-proxy:10001');
+      environment.ANTHROPIC_BASE_URL = `http://${networkConfig.proxyIp}:10001`;
+      logger.debug(`Anthropic API will be proxied through sidecar at http://${networkConfig.proxyIp}:10001`);
     }
 
     logger.info('API proxy sidecar enabled - API keys will be held securely in sidecar container');

src/docker-manager.ts

@@ -160,7 +160,7 @@ async function setupIpv6Chain(bridgeName: string): Promise<void> {
  * @param squidPort - Port number of the Squid proxy
  * @param dnsServers - Array of trusted DNS server IP addresses (DNS traffic is ONLY allowed to these servers)
  */
-export async function setupHostIptables(squidIp: string, squidPort: number, dnsServers: string[], apiProxyIp?: string): Promise<void> {
+export async function setupHostIptables(squidIp: string, squidPort: number, dnsServers: string[]): Promise<void> {
   logger.info('Setting up host-level iptables rules...');
 
   // Get the bridge interface name
@@ -247,18 +247,10 @@ export async function setupHostIptables(squidIp: string, squidPort: number, dnsS
     '-j', 'ACCEPT',
   ]);
 
-  // 1b. Allow all traffic FROM the API proxy sidecar (it needs to reach external APIs)
-  // The api-proxy holds API keys and forwards requests to api.openai.com/api.anthropic.com.
-  // http-proxy-middleware connects directly to targets (doesn't use HTTP_PROXY env vars),
-  // so the api-proxy needs unrestricted outbound access like Squid.
-  if (apiProxyIp) {
-    logger.debug(`Allowing outbound traffic from API proxy sidecar (${apiProxyIp})...`);
-    await execa('iptables', [
-      '-t', 'filter', '-A', CHAIN_NAME,
-      '-s', apiProxyIp,
-      '-j', 'ACCEPT',
-    ]);
-  }
+  // Note: API proxy sidecar does NOT get a firewall exemption.
+  // It routes through Squid via https-proxy-agent, ensuring domain whitelisting
+  // is enforced by Squid ACLs. The api-proxy only needs to reach Squid (allowed
+  // by the Squid proxy rule below) for its outbound HTTPS connections.
 
   // 2. Allow established and related connections (return traffic)
   await execa('iptables', [