fix: address review feedback on JVM proxy config

Mossaka · claude · Mossaka · commit 2d8ac642b30f · 2026-02-24T02:07:33.000Z
- Use SQUID_PROXY_HOST/SQUID_PROXY_PORT directly instead of brittle HTTP_PROXY
  parsing; keep improved fallback that handles https://, credentials, and IPv6
- Only create Maven settings.xml and Gradle gradle.properties if they don't
  already exist, to avoid clobbering user-provided configuration
- Derive Java nonProxyHosts from NO_PROXY env var (comma-to-pipe conversion)
  so JVM tools don't attempt to proxy localhost/127.0.0.1 traffic

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
@@ -166,10 +166,21 @@ fi
 # Java build tools (Maven, Gradle, sbt) do not honor HTTP_PROXY/HTTPS_PROXY env vars
 # and need explicit proxy configuration files
 if [ -n "$HTTP_PROXY" ]; then
-  # Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT)
-  PROXY_HOST="${HTTP_PROXY#http://}"
-  PROXY_HOST="${PROXY_HOST%:*}"
-  PROXY_PORT="${SQUID_PROXY_PORT:-3128}"
+  # Determine proxy host and port for JVM tools.
+  # Prefer SQUID_PROXY_HOST/SQUID_PROXY_PORT (set by docker-manager.ts) over parsing HTTP_PROXY,
+  # since HTTP_PROXY parsing is brittle (doesn't handle https://, credentials, IPv6, etc.)
+  if [ -n "$SQUID_PROXY_HOST" ] && [ -n "$SQUID_PROXY_PORT" ]; then
+    PROXY_HOST="$SQUID_PROXY_HOST"
+    PROXY_PORT="$SQUID_PROXY_PORT"
+  else
+    # Fallback: extract from HTTP_PROXY (format: http://HOST:PORT)
+    PROXY_HOST="${HTTP_PROXY#http://}"
+    PROXY_HOST="${PROXY_HOST#https://}"
+    PROXY_HOST="${PROXY_HOST#*@}"       # strip credentials if present
+    PROXY_PORT="${PROXY_HOST##*:}"      # extract port after last colon
+    PROXY_HOST="${PROXY_HOST%:*}"       # strip port
+    PROXY_PORT="${PROXY_PORT:-3128}"    # default port
+  fi
 
   # Determine path prefix for config files (chroot-aware, same pattern as .claude.json)
   if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
@@ -181,8 +192,10 @@ if [ -n "$HTTP_PROXY" ]; then
   echo "[entrypoint] Pre-seeding JVM build tool proxy configuration (${PROXY_HOST}:${PROXY_PORT})..."
 
   # Maven proxy config (~/.m2/settings.xml)
+  # Only create if the file does not already exist, to avoid clobbering user-provided settings
   mkdir -p "${JVM_HOME_PREFIX}/.m2"
-  cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF
+  if [ ! -f "${JVM_HOME_PREFIX}/.m2/settings.xml" ]; then
+    cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF
 <settings>
   <proxies>
     <proxy>
@@ -202,24 +215,43 @@ if [ -n "$HTTP_PROXY" ]; then
   </proxies>
 </settings>
 MAVEN_EOF
-  chown awfuser:awfuser "${JVM_HOME_PREFIX}/.m2/settings.xml" 2>/dev/null || true
-  echo "[entrypoint] ✓ Created Maven proxy config (${JVM_HOME_PREFIX}/.m2/settings.xml)"
+    chown awfuser:awfuser "${JVM_HOME_PREFIX}/.m2/settings.xml" 2>/dev/null || true
+    echo "[entrypoint] ✓ Created Maven proxy config (${JVM_HOME_PREFIX}/.m2/settings.xml)"
+  else
+    echo "[entrypoint] ✓ Maven settings.xml already exists, skipping proxy config creation"
+  fi
 
   # Gradle proxy config (~/.gradle/gradle.properties)
+  # Only create if the file does not already exist, to avoid clobbering user-provided settings
+  # (e.g., org.gradle.jvmargs, build cache settings, private repo credentials)
   mkdir -p "${JVM_HOME_PREFIX}/.gradle"
-  cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
+  if [ ! -f "${JVM_HOME_PREFIX}/.gradle/gradle.properties" ]; then
+    cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
 systemProp.http.proxyHost=${PROXY_HOST}
 systemProp.http.proxyPort=${PROXY_PORT}
 systemProp.https.proxyHost=${PROXY_HOST}
 systemProp.https.proxyPort=${PROXY_PORT}
 GRADLE_EOF
-  chown awfuser:awfuser "${JVM_HOME_PREFIX}/.gradle/gradle.properties" 2>/dev/null || true
-  echo "[entrypoint] ✓ Created Gradle proxy config (${JVM_HOME_PREFIX}/.gradle/gradle.properties)"
+    chown awfuser:awfuser "${JVM_HOME_PREFIX}/.gradle/gradle.properties" 2>/dev/null || true
+    echo "[entrypoint] ✓ Created Gradle proxy config (${JVM_HOME_PREFIX}/.gradle/gradle.properties)"
+  else
+    echo "[entrypoint] ✓ Gradle gradle.properties already exists, skipping proxy config creation"
+  fi
 
   # sbt/JVM proxy config via JAVA_TOOL_OPTIONS
   # This covers sbt and any JVM tool that reads standard system properties
-  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
-  echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
+  # Also set nonProxyHosts from NO_PROXY to prevent JVM tools from proxying localhost traffic
+  NON_PROXY_RAW="${NO_PROXY:-${no_proxy:-}}"
+  JVM_PROXY_FLAGS="-Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
+  if [ -n "$NON_PROXY_RAW" ]; then
+    # Convert comma-separated NO_PROXY to Java's pipe-separated nonProxyHosts format
+    NON_PROXY_HOSTS=$(printf '%s' "$NON_PROXY_RAW" | tr ',' '|' | tr -d ' ')
+    JVM_PROXY_FLAGS="${JVM_PROXY_FLAGS} -Dhttp.nonProxyHosts=${NON_PROXY_HOSTS} -Dhttps.nonProxyHosts=${NON_PROXY_HOSTS}"
+    echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy and nonProxyHosts flags"
+  else
+    echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
+  fi
+  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} ${JVM_PROXY_FLAGS}"
 fi
 
 # Print proxy environment
