fix(egress): add ssl_insecure opt-in and connection_strategy=lazy for mitmproxy (#860)

* fix(egress): set connection_strategy=lazy for egress mitmproxy

* fix(egress): resolve upstream by SNI hostname to fix TLS IP mismatch

Transparent mode redirects connections to IP addresses, but upstream
server certificates contain hostnames, causing "Certificate verify failed:
IP address mismatch". Instead of disabling TLS verification (ssl_insecure),
add a built-in mitmproxy addon that rewrites the upstream server address
from IP to SNI hostname, preserving full certificate verification.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(egress): improve resolve_by_sni addon with debug logging and upstream_cert=false

- Add load event to confirm the addon is loaded by mitmdump
- Add verbose server_connect logging to diagnose why the hook may not fire
- Set data.server.sni explicitly when rewriting address
- Add upstream_cert=false to prevent mitmproxy from eagerly connecting
  to the original IP before the addon can rewrite the server address

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(egress): use f-strings for ctx.log to avoid TypeError in mitmproxy 10.x

mitmproxy 10.x ctx.log() accepts only a single message string, not
printf-style format args. Switch all ctx.log calls to f-strings.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(egress): add ssl_insecure=true for transparent mitmproxy, remove SNI addon

Clients connecting to IP addresses do not send TLS SNI (RFC 6066), so
upstream certificate hostname verification is impossible in transparent
mode. Default to ssl_insecure=true to skip upstream TLS verification.

Also revert the resolve_by_sni addon and its integration since SNI is
not available — the addon cannot help when sni=None.

Set OPENSANDBOX_EGRESS_MITMPROXY_SSL_INSECURE=false to re-enable
upstream verification if all clients connect by hostname.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(egress): default ssl_insecure to false, only enable via env var

Do not skip upstream TLS verification by default. Users must explicitly
set OPENSANDBOX_EGRESS_MITMPROXY_SSL_INSECURE=true to disable it when
clients connect by IP (no SNI available).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: Pangjiping

components/egress/pkg/constants/configuration.go

@@ -42,6 +42,7 @@ const (
 	EnvMitmproxyScript           = "OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT"
 	EnvMitmproxyUpstreamTrustDir = "OPENSANDBOX_EGRESS_MITMPROXY_UPSTREAM_TRUST_DIR"
 	EnvMitmproxyIgnoreHosts      = "OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS"
+	EnvMitmproxySslInsecure      = "OPENSANDBOX_EGRESS_MITMPROXY_SSL_INSECURE"
 
 	// Comma-separated upstream resolvers: literal IP only (optional :port) — no hostnames (see dnsproxy REDIRECT note).
 	EnvDNSUpstream                 = "OPENSANDBOX_EGRESS_DNS_UPSTREAM"

components/egress/pkg/mitmproxy/launch.go

@@ -102,6 +102,18 @@ func Launch(cfg Config) (*Running, error) {
 	// Stream large bodies instead of buffering them in memory (OOM prevention).
 	args = append(args, "--set", "stream_large_bodies=1m")
 
+	// Lazy connection strategy: defer upstream connection until the request is fully received,
+	// which avoids unnecessary connections for blocked/filtered requests.
+	args = append(args, "--set", "connection_strategy=lazy")
+
+	// Transparent mode redirects TCP to IP addresses. Clients connecting to IPs
+	// do not send SNI, so upstream TLS cert hostname verification fails with
+	// "IP address mismatch". Set OPENSANDBOX_EGRESS_MITMPROXY_SSL_INSECURE=true
+	// to skip upstream verification when clients connect by IP.
+	if constants.IsTruthy(os.Getenv(constants.EnvMitmproxySslInsecure)) {
+		args = append(args, "--set", "ssl_insecure=true")
+	}
+
 	homeEnv := home
 	if strings.TrimSpace(cfg.ConfDir) != "" {
 		cd := strings.TrimSpace(cfg.ConfDir)