Network mode support for docker environment#1799
Conversation
|
@xiaoxiangmoe is attempting to deploy a commit to the Harbor Framework Team on Vercel. A member of the Team first needs to authorize it. |
|
Enjoy a better diff viewing experience by clicking one of these URLs: |
17e3529 to
d12f926
Compare
4772042 to
17fcc87
Compare
|
This PR has some design limitations. In allowlist mode, it only enables support for HTTP/1/2 for IPv4 and IPv6, but not for HTTP/3, FTP, etc. More complex support might require more complex and difficult-to-read implementations, so I think it's okay to leave it like this for now. This PR also added test cases for several scenarios:
Here is a PoC which helps maintainers to review this PR. https://github.com/xiaoxiangmoe/gost-sidecar-egress-control-demo |
li-boxuan
left a comment
There was a problem hiding this comment.
Thank you very much! I think this approach looks very promising. I'll try to test this with TB2 oracle solutions this week.
17fcc87 to
6ec46b0
Compare
|
@li-boxuan were you able to test it? |
4ad169a to
70c9aa9
Compare
c1b7eae to
7ba79ef
Compare
7ba79ef to
577fbf7
Compare
Yep I ran into some issues testing this against TB2 on my mac. I'll connect with @xiaoxiangmoe offline. |
1c150de to
a4d8a9f
Compare
li-boxuan
left a comment
There was a problem hiding this comment.
Non-blocking comment:
Is there any chance we could make it easier for developers/users to understand what domain access is attempted but blocked?
Currently, if we miss a domain, the agent log probably shows sth like ssl.SSLEOFError which is not very informative.
a4d8a9f to
600e6da
Compare
li-boxuan
left a comment
There was a problem hiding this comment.
I tested this achieves 100% on TB2.1 with allowlists.
aab15c7 to
228b6c8
Compare
A transparent proxy for a Docker environment has been implemented to handle HTTP/HTTPS allowlisting.