Merged
6 changes: 4 additions & 2 deletions crates/openshell-sandbox/src/child_env.rs
Expand Up @@ -24,11 +24,12 @@ pub fn proxy_env_vars(proxy_url: &str) -> [(&'static str, String); 9] {
pub fn tls_env_vars(
ca_cert_path: &Path,
combined_bundle_path: &Path,
) -> [(&'static str, String); 5] {
) -> [(&'static str, String); 6] {
let ca_cert_path = ca_cert_path.display().to_string();
let combined_bundle_path = combined_bundle_path.display().to_string();
[
("NODE_EXTRA_CA_CERTS", ca_cert_path),
("NODE_EXTRA_CA_CERTS", ca_cert_path.clone()),
("DENO_CERT", ca_cert_path),
("SSL_CERT_FILE", combined_bundle_path.clone()),
("REQUESTS_CA_BUNDLE", combined_bundle_path.clone()),
("CURL_CA_BUNDLE", combined_bundle_path.clone()),
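Review bot: the new `("DENO_CERT", ca_cert_path)` entry takes the single-CA path, like `NODE_EXTRA_CA_CERTS`, while the entries after it take `combined_bundle_path`, and nothing in the hunk records why. A one-line comment above the array saying which variables expect only the sandbox CA and which expect the combined bundle would keep the next addition from being wired to the wrong file. Separately, the array length in the return type (`6`) has to be bumped by hand on every addition; a `Vec` or a named constant for the length would remove that step.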
Expand Down Expand Up @@ -81,6 +82,7 @@ mod tests {
let stdout = String::from_utf8(output.stdout).expect("utf8");

assert!(stdout.contains("NODE_EXTRA_CA_CERTS=/etc/openshell-tls/openshell-ca.pem"));
assert!(stdout.contains("DENO_CERT=/etc/openshell-tls/openshell-ca.pem"));
assert!(stdout.contains("SSL_CERT_FILE=/etc/openshell-tls/ca-bundle.pem"));
assert!(stdout.contains("REQUESTS_CA_BUNDLE=/etc/openshell-tls/ca-bundle.pem"));
assert!(stdout.contains("CURL_CA_BUNDLE=/etc/openshell-tls/ca-bundle.pem"));
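Review bot: the added `stdout.contains("DENO_CERT=/etc/openshell-tls/openshell-ca.pem")` assertion is a substring match, so it would still pass if the value carried a suffix or if the text appeared inside another variable's line. Matching a whole line, for example `stdout.lines().any(|l| l == "DENO_CERT=/etc/openshell-tls/openshell-ca.pem")`, pins the exact name and value. The neighbouring assertions share the pattern, so a small helper for all of them would be the tidier change.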
2 changes: 1 addition & 1 deletion docs/security/best-practices.mdx
Expand Up @@ -120,7 +120,7 @@ This enables credential injection and L7 inspection without explicit configurati

| Aspect | Detail |
|---|---|
| Default | Auto-detect and terminate. OpenShell generates the sandbox CA at startup and injects it into the process trust stores (`NODE_EXTRA_CA_CERTS`, `SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`, `GIT_SSL_CAINFO`). |
| Default | Auto-detect and terminate. OpenShell generates the sandbox CA at startup and injects it into the process trust stores (`NODE_EXTRA_CA_CERTS`, `DENO_CERT`, `SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`, `GIT_SSL_CAINFO`). |
| What you can change | Set `tls: skip` on an endpoint to disable TLS detection and termination for that endpoint. Use this for client-certificate mTLS to upstream or non-standard binary protocols. |
| Risk if relaxed | `tls: skip` disables credential injection and L7 inspection for that endpoint. The proxy relays encrypted traffic without seeing the contents. |
| Recommendation | Use auto-detect (the default) for most endpoints. Use `tls: skip` only when the upstream requires the client's own TLS certificate (mTLS) or uses a non-HTTP protocol. |
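Review bot: the Default row now names `DENO_CERT` but still describes all six variables as one group, and it does not say that some point at the sandbox CA file alone while others point at the combined bundle, which is how the code in this change treats them. A sentence making that split explicit would tell a user who overrides one of these variables inside the sandbox what the replacement file must contain for TLS termination to keep working. The list is also a hand-maintained copy of what `tls_env_vars` returns, so a pointer to that function in the doc source would help the two stay in sync.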