Skip to content

Commit 6331f10

Browse files
authored
Merge pull request #184 from bbrowning/golang-paude-proxy
Replace squid with paude-proxy
2 parents a2baaea + 276c798 commit 6331f10

70 files changed

Lines changed: 2537 additions & 2146 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

CONTRIBUTING.md

Lines changed: 2 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -176,13 +176,10 @@ paude/
176176
│ │ ├── Dockerfile # Agent container image
177177
│ │ ├── entrypoint.sh # Container entrypoint
178178
│ │ ├── entrypoint-session.sh # Session entrypoint
179-
│ │ ├── credential-watchdog.sh # Credential refresh watchdog
180179
│ │ └── tmux.conf # Tmux configuration
181180
│ └── proxy/
182-
│ ├── Dockerfile # Squid proxy container image
183-
│ ├── entrypoint.sh # Proxy container entrypoint
184-
│ ├── squid.conf # Proxy allowlist configuration
185-
│ └── ERR_CUSTOM_ACCESS_DENIED # Custom error page
181+
│ ├── Dockerfile # Proxy container image (paude-proxy)
182+
│ └── entrypoint.sh # Proxy container entrypoint
186183
├── tests/ # Python tests (pytest)
187184
├── examples/ # Example configurations
188185
├── docs/ # Documentation

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -134,7 +134,7 @@ Export agent telemetry (metrics, logs, traces) to any OTLP-compatible collector:
134134
paude create --otel-endpoint http://collector:4318 my-project
135135
```
136136

137-
The endpoint hostname is automatically added to the proxy allowlist and non-standard ports (like 4318) are opened in the squid proxy. Supported agents: Claude Code, Gemini CLI, OpenClaw. Set `otel-endpoint` in `~/.config/paude/defaults.json` to apply globally.
137+
The endpoint hostname is automatically added to the proxy allowlist and non-standard ports (like 4318) are opened in the proxy. Supported agents: Claude Code, Gemini CLI, OpenClaw. Set `otel-endpoint` in `~/.config/paude/defaults.json` to apply globally.
138138

139139
### Passing a Task
140140

containers/paude/Dockerfile

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -81,15 +81,14 @@ RUN useradd -M -d /home/paude -s /bin/bash -g 0 paude && \
8181
# It gets installed at user-side build time via a runtime layer.
8282
# See src/paude/config/claude_layer.py for the installation logic.
8383

84-
# Copy entrypoints and watchdog script
84+
# Copy entrypoints
8585
USER root
8686
COPY --chmod=755 entrypoint.sh /usr/local/bin/entrypoint.sh
8787
COPY --chmod=755 entrypoint-session.sh /usr/local/bin/entrypoint-session.sh
8888
COPY --chmod=755 entrypoint-lib-credentials.sh /usr/local/bin/entrypoint-lib-credentials.sh
8989
COPY --chmod=755 entrypoint-lib-config.sh /usr/local/bin/entrypoint-lib-config.sh
9090
COPY --chmod=755 entrypoint-lib-install.sh /usr/local/bin/entrypoint-lib-install.sh
9191
COPY --chmod=755 entrypoint-lib-openclaw.sh /usr/local/bin/entrypoint-lib-openclaw.sh
92-
COPY --chmod=755 credential-watchdog.sh /usr/local/bin/credential-watchdog.sh
9392
COPY --chmod=755 patch-proxy-fetch.sh /usr/local/bin/patch-proxy-fetch.sh
9493
COPY --chmod=755 patch-gemini-otel-proxy.sh /usr/local/bin/patch-gemini-otel-proxy.sh
9594
COPY --chmod=755 patch-openclaw-otel-proxy.sh /usr/local/bin/patch-openclaw-otel-proxy.sh

containers/paude/credential-watchdog.sh

Lines changed: 0 additions & 131 deletions
This file was deleted.

containers/paude/entrypoint-lib-credentials.sh

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,39 @@ wait_for_git() {
4949
wait_for_path "/pvc/workspace/.git" "git repository" 120 "continue"
5050
}
5151

52+
# Detect the system CA bundle path across distros.
53+
_find_sys_ca_bundle() {
54+
local path
55+
for path in \
56+
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
57+
/etc/ssl/certs/ca-certificates.crt \
58+
/etc/ssl/ca-bundle.pem \
59+
/etc/ssl/cert.pem; do
60+
if [[ -f "$path" ]]; then
61+
echo "$path"
62+
return 0
63+
fi
64+
done
65+
return 1
66+
}
67+
68+
# Build custom CA bundle with paude-proxy CA cert if injected.
69+
# Concatenates the system CA bundle with the proxy CA cert into a
70+
# writable /tmp path — no root or update-ca-trust needed (works with
71+
# OpenShift arbitrary UIDs and non-CentOS base images like Debian).
72+
setup_ca_trust() {
73+
local ca_cert="/etc/pki/ca-trust/source/anchors/paude-proxy-ca.crt"
74+
local custom_bundle="/tmp/paude-ca-bundle.pem"
75+
local sys_bundle
76+
sys_bundle=$(_find_sys_ca_bundle) || return 0
77+
78+
if [[ -f "$ca_cert" ]]; then
79+
cat "$sys_bundle" "$ca_cert" > "$custom_bundle" 2>/dev/null || true
80+
else
81+
cp "$sys_bundle" "$custom_bundle" 2>/dev/null || true
82+
fi
83+
}
84+
5285
# Set up credentials from tmpfs-based storage (/credentials)
5386
setup_credentials() {
5487
local config_path="/credentials"

containers/paude/entrypoint-session.sh

Lines changed: 4 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,10 @@ fi
5656
# git config --global creates .gitconfig if it doesn't exist
5757
git config --global --add safe.directory '*' 2>/dev/null || true
5858

59+
# Update CA trust early (before any HTTPS calls like agent install)
60+
# The CA cert is injected by the host after the container starts.
61+
setup_ca_trust
62+
5963
# Wait for and set up tmpfs-based credentials
6064
# Order matters: setup_credentials copies host config into ~/.claude (real dir),
6165
# then persist_agent_config merges it into /pvc/.claude (preserving existing
@@ -65,16 +69,6 @@ setup_credentials
6569
persist_agent_config
6670
wait_for_git
6771

68-
# Start credential watchdog in background (OpenShift only)
69-
# The watchdog removes credentials after inactivity when no tmux clients are attached
70-
# Only start if not already running (avoid duplicates on reconnect)
71-
if [[ -d /credentials ]] && [[ "${PAUDE_CREDENTIAL_WATCHDOG:-1}" == "1" ]]; then
72-
if ! pgrep -f "credential-watchdog.sh" >/dev/null 2>&1; then
73-
nohup /usr/local/bin/credential-watchdog.sh >> /tmp/credential-watchdog.log 2>&1 &
74-
echo "Credential watchdog started (timeout: ${PAUDE_CREDENTIAL_TIMEOUT:-60}m)"
75-
fi
76-
fi
77-
7872
# Add PVC local bin to PATH (for agent and other tools installed to PVC)
7973
# Also keep home .local/bin for tools installed during image build
8074
export PATH="/pvc/.local/bin:$HOME/.local/bin:$PATH"

containers/paude/patch-gemini-otel-proxy.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
# which does NOT respect HTTP_PROXY / HTTPS_PROXY env vars. This script
66
# patches the compiled sdk.js to pass an httpAgentOptions factory that
77
# returns an HttpsProxyAgent (already a gemini-cli dependency) so OTEL
8-
# exports go through the squid proxy.
8+
# exports go through the proxy.
99
#
1010
# The OTEL SDK v0.211.0 (used by gemini-cli v0.35.3) supports
1111
# httpAgentOptions as either AgentOptions or an HttpAgentFactory function.

containers/paude/patch-openclaw-otel-proxy.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
# The @opentelemetry/otlp-exporter-base package creates http/https Agents
55
# that do NOT respect HTTP_PROXY / HTTPS_PROXY env vars. This script
66
# patches the compiled transport layer to return proxy-aware agents so
7-
# OTEL exports go through the squid proxy.
7+
# OTEL exports go through the proxy.
88
#
99
# OpenClaw bundles its diagnostics-otel plugin into
1010
# /app/dist/extensions/diagnostics-otel/index.js, so the primary patch

containers/proxy/Dockerfile

Lines changed: 20 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
1+
# Build stage — compile paude-proxy from source
2+
FROM golang:1.23 AS builder
3+
WORKDIR /app
4+
ARG PAUDE_PROXY_VERSION=2b868f8740185df6912a009030a9d60c9ccc1f83
5+
RUN git init . && \
6+
git fetch --depth 1 https://github.com/bbrowning/paude-proxy.git ${PAUDE_PROXY_VERSION} && \
7+
git checkout FETCH_HEAD && \
8+
CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /paude-proxy ./cmd/paude-proxy/
9+
10+
# Runtime stage
111
FROM quay.io/centos/centos:stream10
212

3-
# Enable CRB and EPEL repository, install Squid + dnsmasq + debugging tools
4-
RUN dnf install -y dnf-plugins-core && \
5-
dnf config-manager --set-enabled crb && \
6-
dnf install -y epel-release && \
7-
dnf install -y --allowerasing squid dnsmasq curl wget bind-utils iputils && \
8-
dnf clean all && \
9-
# Ensure squid runtime directories are writable (needed for OpenShift random UIDs)
10-
chmod -R 777 /var/spool/squid /var/log/squid /run/squid 2>/dev/null || true
13+
# dnsmasq for DNS forwarding (needed by tools like Rust reqwest on internal networks)
14+
# curl for health checks and debugging
15+
RUN dnf install -y dnsmasq curl && dnf clean all
1116

1217
# Install tini init process for multi-process signal handling
1318
ARG TINI_VERSION=v0.19.0
@@ -22,13 +27,14 @@ RUN ARCH=$(uname -m) && \
2227
chmod +x /usr/local/bin/tini && \
2328
tini --version
2429

25-
# Copy allowlist configuration, custom error page, and entrypoint
26-
COPY squid.conf /etc/squid/squid.conf
27-
COPY ERR_CUSTOM_ACCESS_DENIED /usr/share/squid/errors/en/ERR_CUSTOM_ACCESS_DENIED
30+
COPY --from=builder /paude-proxy /usr/local/bin/paude-proxy
2831
COPY --chmod=755 entrypoint.sh /usr/local/bin/paude-entrypoint.sh
2932

30-
# Squid runs on port 3128
33+
# Writable directories for OpenShift arbitrary UIDs
34+
RUN mkdir -p /data/ca /tmp && chmod 777 /data/ca /tmp
35+
# dnsmasq needs writable pid directory
36+
RUN mkdir -p /run/dnsmasq && chmod 777 /run/dnsmasq
37+
3138
EXPOSE 3128
3239

33-
ENTRYPOINT ["/usr/local/bin/paude-entrypoint.sh"]
34-
CMD ["-NYC"]
40+
ENTRYPOINT ["/usr/local/bin/tini", "--", "/usr/local/bin/paude-entrypoint.sh"]

containers/proxy/ERR_CUSTOM_ACCESS_DENIED

Lines changed: 0 additions & 1 deletion
This file was deleted.

0 commit comments

Comments
 (0)