@gabivlj gabivlj commented Jan 28, 2026

Continuation of: #5939
The main implementation of container-client.c++ has been mostly navigated through Claude Opus 4.5.

We are implementing an HTTP CONNECT service in Workerd that intercepts all TCP traffic off the container thanks to https://hub.docker.com/r/cloudflare/proxy-everything.

We then check the configured mappings of the container; if the targeted host exists in the mappings, we redirect to that subrequest channel. If not, we check if enabledInternet is set to true, in which case we connect directly to the internet. If it is set to false, we just close the connection.

…r interface

Add new Cap'n Proto schema definitions for container egress routing:
- setEgressTcp: configures TCP egress routing to Workers runtime
- setEgressHttp: configures HTTP egress routing to Workers runtime

Also add Docker API schema additions to support the networking features
we will need to introduce proxy-everything.
Refactor BUILD.bazel to split channel-token.c++ and channel-token.h.
This allows container-client to depend on channel-token.
Expose setEgressHttp() to JavaScript, allowing Workers to register
WorkerEntrypoint bindings for container egress routing.

The method is gated behind the workerdExperimental flag.
Implement the workerd handling for container egress HTTP routing:

- EgressHttpService: HTTP service that handles CONNECT requests from
  proxy-everything (https://hub.docker.com/r/cloudflare/proxy-everything);
  it parses tunneled HTTP requests and forwards them to the appropriate
  SubrequestChannel based on registered mappings

- We need to do proxy-everything container management: we create and monitor a sidecar
  container (proxy-everything) that shares network namespace with the
  main container and intercepts outbound traffic via iptables/TPROXY.

- Egress listener: HTTP server listening on the Docker bridge gateway
  that receives proxied requests from proxy-everything.

- setEgressHttp RPC implementation that registers address
  to SubrequestChannel mappings.

WebSocket is currently unimplemented. It's a TODO.
Add containerEgressInterceptorImage field to DockerConfiguration in
workerd.capnp with default value 'cloudflare/proxy-everything:main'

Pass ChannelTokenHandler and containerEgressInterceptorImage through
WorkerService -> ActorNamespace -> ContainerClient chain

Update ContainerClient instantiation to include the new parameters
Add a new /intercept HTTP endpoint to the test container that makes an
outbound fetch request to a configurable host (via x-host header, defaults
to 11.0.0.1). This enables testing of egress HTTP routing where container
traffic is intercepted and routed back to Workers bindings.
Add test coverage for the setEgressHttp functionality.

Also adds enable_ctx_exports compatibility flag to test config and
updates TypeScript type definitions with setEgressHttp signature.
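The routing rule from the description above (mapped host goes to its subrequest channel, otherwise the internet only when internet access is enabled, otherwise the connection is closed), as an added illustration that is not workerd's code; the `host:port` mapping key, the `Decision` type and the function names are assumptions, and a malformed CONNECT line is rejected rather than guessed at.

```cpp
// Added illustration of the CONNECT egress rule in this PR's description;
// not workerd's code, all names here are hypothetical.
#include <cctype>
#include <map>
#include <optional>
#include <string>
#include <string_view>
#include <utility>

enum class Egress { Channel, Internet, Closed, Reject };

struct Decision {
  Egress kind;
  int channel = -1;  // subrequest channel index when kind == Channel
};

// "host:port" (host lower-cased) -> subrequest channel, as registered via setEgressHttp
using Mappings = std::map<std::string, int>;

// Parse "CONNECT host:port HTTP/1.x". Any deviation yields nullopt so the
// caller rejects the request instead of guessing a destination.
std::optional<std::pair<std::string, int>> parseConnect(std::string_view line) {
  size_t sp1 = line.find(' ');
  size_t sp2 = (sp1 == line.npos) ? line.npos : line.find(' ', sp1 + 1);
  if (sp2 == line.npos || line.substr(0, sp1) != "CONNECT") return std::nullopt;
  std::string_view authority = line.substr(sp1 + 1, sp2 - sp1 - 1);
  std::string_view version = line.substr(sp2 + 1);
  if (version != "HTTP/1.1" && version != "HTTP/1.0") return std::nullopt;
  size_t colon = authority.rfind(':');
  if (colon == authority.npos || colon == 0) return std::nullopt;
  std::string host(authority.substr(0, colon));
  for (char& c : host) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  std::string_view portStr = authority.substr(colon + 1);
  if (portStr.empty() || portStr.size() > 5) return std::nullopt;
  int port = 0;
  for (char c : portStr) {
    if (!std::isdigit(static_cast<unsigned char>(c))) return std::nullopt;
    port = port * 10 + (c - '0');
  }
  if (port < 1 || port > 65535) return std::nullopt;
  return std::make_pair(host, port);
}

// Mapped target -> its channel; else internet only if enabled; else close.
Decision routeEgress(const Mappings& m, bool enableInternet, std::string_view requestLine) {
  auto target = parseConnect(requestLine);
  if (!target) return {Egress::Reject};
  std::string key = target->first + ":" + std::to_string(target->second);
  if (auto it = m.find(key); it != m.end()) return {Egress::Channel, it->second};
  if (enableInternet) return {Egress::Internet};
  return {Egress::Closed};
}
```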
gabivlj commented Jan 28, 2026

Builds are failing because proxy-everything is not being pulled by default; I will check if we can pull it when we try to start it.

codspeed-hq bot commented Jan 28, 2026

Merging this PR will improve performance by 22.5%

⚡ 1 improved benchmark
✅ 69 untouched benchmarks
⏩ 129 skipped benchmarks [1]

Performance Changes

Benchmark               BASE     HEAD   Efficiency
jsonResponse[Response]  42.8 µs  35 µs  +22.5%

Comparing gv/set-egress-binding-pr (aae56c4) with main (23c0d98)

Footnotes

  1. 129 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, archive them to remove them from the performance reports.

codecov-commenter commented Jan 28, 2026

Codecov Report

❌ Patch coverage is 2.98507% with 260 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.98%. Comparing base (637f37f) to head (aae56c4).
⚠️ Report is 6 commits behind head on main.

Files with missing lines                  Patch %   Lines
src/workerd/server/container-client.c++   0.00%     242 Missing
src/workerd/api/container.c++             0.00%     9 Missing
src/workerd/server/server.c++             47.05%    8 Missing and 1 partial

Coverage diff:
@@            Coverage Diff             @@
##             main    #5985      +/-   ##
==========================================
- Coverage   70.14%   69.98%   -0.17%     
==========================================
  Files         407      407              
  Lines      107225   107561     +336     
  Branches    17972    18016      +44     
==========================================
+ Hits        75214    75276      +62     
- Misses      21228    21495     +267     
- Partials    10783    10790       +7     


gabivlj force-pushed the gv/set-egress-binding-pr branch from 2cf6f25 to 28029df on January 28, 2026 20:50
gabivlj marked this pull request as ready for review on January 28, 2026 21:08
gabivlj requested review from a team as code owners on January 28, 2026 21:08
gabivlj force-pushed the gv/set-egress-binding-pr branch 2 times, most recently from d3b9fa8 to 3cff408 on January 28, 2026 22:51
gabivlj force-pushed the gv/set-egress-binding-pr branch from 3cff408 to aae56c4 on January 28, 2026 22:53