feat(cli): --proxy-user to inject a caller-chosen SOCKS5 username #87
Merged
Before, greywall auto-set the outbound proxy credentials to `<cmdName>:proxy`
(or `proxy:proxy` when no command name was available). That is handy for
single-tenant setups but makes it impossible for a caller that orchestrates
many sandboxed runs on the same machine to give each run a stable, distinct
identity that the upstream proxy (greyproxy) can key per-rule on.
Typical use-case: an orchestrator runs several independent agents in parallel
sandboxes and wants greyproxy rules like "agent-alpha may reach api.openai.com,
agent-beta may not". Today both agents share whatever `cmdName` auto-injection
produces (or fall back to `proxy:proxy`), making per-agent policy impossible.
Add `--proxy-user <name>` to the root command. When set, its value becomes
the proxy username for both `cfg.Network.ProxyURL` and `cfg.Network.HTTPProxyURL`,
taking precedence over the auto-detected command name. Because the URL rewrite
is done once in `runCommand` before the proxy bridge / tun2socks / config-JSON
consumers read the config, the new identity flows uniformly to every
downstream path — no additional plumbing required.
No behavioural change when the flag is unset: the existing cmdName-based
auto-injection still runs.
The debug log now also names the source of the chosen username ("--proxy-user",
"command name", or "default") to make it easier to see which layer set it.
Motivation
Today greywall auto-assigns the outbound proxy username based on the wrapped command name (`cmdName:proxy`), falling back to `proxy:proxy`. That works well for single-tenant use.
It does not work for orchestrators that run several independent sandboxed agents in parallel on the same machine and want per-agent rules on the upstream proxy (greyproxy). Both agents end up looking identical to the proxy, so a policy like "agent-alpha may reach `api.openai.com`, agent-beta may not" is impossible to express.
Change
Adds a `--proxy-user <name>` flag on the root command. When set, `<name>` is used as the SOCKS5/HTTP proxy username for both `cfg.Network.ProxyURL` and `cfg.Network.HTTPProxyURL`, overriding the auto-detected command name.
Precedence (highest wins):
1. `--proxy-user <name>` — explicit caller override
2. `cmdName` — auto-detected from the wrapped command (existing behaviour)
3. `"proxy"` — fallback (gost requires a non-empty user)

The URL rewrite is done once in `runCommand` before any downstream consumer (proxy bridge, tun2socks, landlock wrapper config) reads the config, so the identity flows through every code path uniformly with no additional plumbing.
Debug logs now also name the source of the chosen username (`--proxy-user` / `command name` / `default`) to make it obvious where the identity came from.
Backwards compatibility
No behavioural change when the flag is unset — the existing `cmdName`-based auto-injection still runs.
Testing
Manual smoke test on Linux + macOS:
```
$ greywall --help | grep proxy-user
--proxy-user string SOCKS5/HTTP proxy username to inject into the configured proxy URL ...
$ greywall --debug --proxy-user myagent -- echo hello
[greywall] Auto-set proxy credentials to "myagent":proxy (source: --proxy-user)
$ greywall --debug -- echo hello
[greywall] Auto-set proxy credentials to "echo":proxy (source: command name)
```
Build: `go build ./...` on both `darwin/arm64` and `linux/arm64` — clean.
Test plan
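
The precedence order and the one-time URL rewrite described in this PR, as an added Go sketch that is not greywall's own code. The function names `chooseProxyUser` and `injectProxyUser` are hypothetical, the proxy URLs are constructed samples, and the 1..255 byte username check (the RFC 1929 length field) is an assumption of this sketch rather than something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// chooseProxyUser applies the precedence from the PR description:
// --proxy-user, then the wrapped command name, then "proxy".
// It also returns the source label that the debug log prints.
func chooseProxyUser(flagUser, cmdName string) (user, source string) {
	switch {
	case flagUser != "":
		return flagUser, "--proxy-user"
	case cmdName != "":
		return cmdName, "command name"
	default:
		return "proxy", "default"
	}
}

// injectProxyUser replaces any userinfo in rawURL with user:proxy.
// Assumption: reject usernames outside 1..255 bytes, the range a
// SOCKS5 username/password request (RFC 1929) can carry.
func injectProxyUser(rawURL, user string) (string, error) {
	if len(user) == 0 || len(user) > 255 {
		return "", errors.New("proxy username must be 1..255 bytes")
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", errors.New("proxy URL has no host")
	}
	// net/url percent-encodes ':' and '@' in the username on output, so a
	// caller-chosen name cannot change the password or host of the URL.
	u.User = url.UserPassword(user, "proxy")
	return u.String(), nil
}

func main() {
	// Constructed sample URLs standing in for ProxyURL and HTTPProxyURL.
	user, source := chooseProxyUser("agent-alpha", "echo")
	for _, raw := range []string{"socks5://127.0.0.1:1080", "http://old:creds@127.0.0.1:8080"} {
		out, err := injectProxyUser(raw, user)
		fmt.Println(out, source, err)
	}
}
```

Since the username comes from the caller, the upstream proxy's per-agent rules are only as trustworthy as whatever process sets `--proxy-user`.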