[Bug]: web_search and web_fetch fail behind HTTP proxy with getaddrinfo EAI_AGAIN, while the same Brave API request succeeds manually from the same container

[vbogdanmg]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

web_search and web_fetch fail with getaddrinfo EAI_AGAIN behind a configured HTTP proxy, even though authenticated Brave API requests succeed manually from the same openclaw container using the same proxy environment.

Steps to reproduce

1. Deploy OpenClaw 2026.3.12 in Kubernetes/OpenShift behind an HTTP proxy (Squid).
2. Set HTTP_PROXY, HTTPS_PROXY, http_proxy, https_proxy, and NO_PROXY on the openclaw container.
3. Configure Brave Search with a valid BRAVE_API_KEY.
4. Start OpenClaw and trigger web_search or web_fetch from the UI/tool flow.
5. Observe getaddrinfo EAI_AGAIN errors in the openclaw container logs.
6. From the same openclaw container, run an authenticated request to Brave Search API with wget.
7. Observe that the manual request succeeds with HTTP 200 through the same proxy.

Expected behavior

When proxy environment variables are configured on the openclaw container, web_search and web_fetch should use the proxy automatically and succeed, just like manual outbound HTTPS requests from the same container.

Actual behavior

web_search and web_fetch fail repeatedly with DNS-style errors such as:

• getaddrinfo EAI_AGAIN api.search.brave.com
• getaddrinfo EAI_AGAIN www.google.com
• getaddrinfo EAI_AGAIN gitlab.com

At the same time, manual authenticated requests to the Brave Search API succeed from the same openclaw container through the configured Squid proxy.

OpenClaw version

2026.3.12

Operating system

OpenShift / Kubernetes Linux container environment

Install method

Kubernetes via openclaw-operator

Model

internal-llm/vllm-backend/cyankiwi/Qwen3.5-9B-AWQ-4bit

Provider / routing chain

openclaw -> Squid proxy -> Brave Search API

Config file / key location

OpenClawInstance spec.env for proxy vars and BRAVE_API_KEY ; OpenClawInstance spec.config.raw.tools.web.search ; generated config map openclaw-1-config

Additional provider/model setup details

• Search provider is Brave.
• BRAVE_API_KEY is injected via Kubernetes secret.
• Proxy env vars are set on the openclaw container:
  • HTTP_PROXY
  • HTTPS_PROXY
  • http_proxy
  • https_proxy
  • NO_PROXY
• The generated StatefulSet contains two containers: openclaw and gateway-proxy.
• The failing behavior appears to come from the openclaw process itself.
• Manual authenticated Brave API calls from the openclaw container succeed through the configured Squid proxy.

Logs, screenshots, and evidence

### Proxy env vars present in the `openclaw` container


oc exec -it -n ciac-openclaw openclaw-1-0 -c openclaw -- sh -c 'env | grep -i proxy'
HTTPS_PROXY=http://proxy.local:3128
NO_PROXY=10.128.0.0/14,127.0.0.1,169.254.169.254,172.22.0.0/24,172.30.0.0/16,.cluster.local,.local,.svc,localhost,api-int.hub-cluster.local
https_proxy=http://proxy.local:3128
http_proxy=http://proxy.local:3128
HTTP_PROXY=http://proxy.local:3128


oc logs -n ciac-openclaw openclaw-1-0 -c openclaw --tail=200

2026-03-14T14:19:44.018+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com
2026-03-14T14:22:36.854+00:00 [tools] web_fetch failed: getaddrinfo EAI_AGAIN www.google.com
2026-03-14T14:32:00.305+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com
2026-03-14T14:32:05.521+00:00 [tools] web_fetch failed: getaddrinfo EAI_AGAIN www.google.com
2026-03-14T14:33:01.215+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com
2026-03-14T14:35:05.879+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com
2026-03-14T14:35:24.855+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com
2026-03-14T14:35:45.160+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com
2026-03-14T14:35:50.505+00:00 [tools] web_fetch failed: getaddrinfo EAI_AGAIN www.bing.com
2026-03-14T14:54:37.925+00:00 [tools] web_fetch failed: getaddrinfo EAI_AGAIN gitlab.com
2026-03-14T14:54:59.133+00:00 [tools] web_fetch failed: getaddrinfo EAI_AGAIN google.com
2026-03-14T15:20:28.670+00:00 [tools] web_search failed: getaddrinfo EAI_AGAIN api.search.brave.com

oc exec -it -n ciac-openclaw openclaw-1-0 -c openclaw -- sh -c \
'wget --server-response \
  --header="Accept: application/json" \
  --header="X-Subscription-Token: $BRAVE_API_KEY" \
  -O- "https://api.search.brave.com/res/v1/web/search?q=test&count=2"'

--2026-03-14 15:32:33--  https://api.search.brave.com/res/v1/web/search?q=test&count=2
Resolving proxy.local (proxy.local)... 172.22.0.11
Connecting to proxy.local (proxy.local)|172.22.0.11|:3128... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Sat, 14 Mar 2026 15:32:34 GMT
  Content-Type: application/json
  Content-Length: 29283
  Connection: keep-alive
  x-ratelimit-limit: 50, 0
  x-ratelimit-remaining: 49, 0

1773501962.016    658 172.22.0.100 TCP_TUNNEL/200 4761 CONNECT api.search.brave.com:443 - HIER_DIRECT/3.33.153.106 -
1773501962.666    649 172.22.0.100 TCP_TUNNEL/200 5409 CONNECT api-dashboard.search.brave.com:443 - HIER_DIRECT/75.2.96.101 -
1773501962.970    303 172.22.0.100 TCP_TUNNEL/200 4989 CONNECT brave.com:443 - HIER_DIRECT/3.160.246.19 -
1773501963.250    279 172.22.0.100 TCP_TUNNEL/200 6456 CONNECT brave.com:443 - HIER_DIRECT/3.160.246.19 -


Conclusion from evidence

Proxy env vars are present in the openclaw container.

Squid allows outbound HTTPS CONNECT to Brave domains.

Authenticated Brave API requests succeed manually from the same container.

Only OpenClaw’s internal web_search / web_fetch path fails with EAI_AGAIN.

This suggests the OpenClaw HTTP client path used by web tools is not consistently honoring proxy configuration.

Impact and severity

Impact and severity

Affected: OpenClaw deployments behind an HTTP proxy (Squid) using web tools such as web_search and web_fetch

Severity: High (blocks core tool functionality in proxied enterprise environments)

Frequency: 100% reproducible in this environment

Consequence: Built-in web tools fail even though outbound HTTPS through the proxy works, preventing internet-backed tool usage and making search/fetch unusable in this deployment model

Additional information

• Deployment: OpenShift / Kubernetes
• Install: openclaw-operator
• Proxy: Squid (http://proxy.local:3128)
• Search provider: Brave
• API key configured via Kubernetes secret
• Main workload: StatefulSet openclaw-1
• Containers: openclaw, gateway-proxy

[kkav004]

Fix submitted in #50650.

Root cause: In STRICT mode (the default), fetchWithSsrFGuard creates a pinned dispatcher that connects directly to the DNS-resolved IP, bypassing HTTPS_PROXY entirely. This fails when direct outbound connections are blocked (sandboxes, Docker containers, corporate proxies).

Fix: Use EnvHttpProxyAgent when proxy env vars are configured, instead of createPinnedDispatcher. The SSRF hostname validation still runs before the dispatcher is chosen — only the connection method changes.

One-line change in src/infra/net/fetch-guard.ts:

-      if (canUseTrustedEnvProxy) {
+      if (canUseTrustedEnvProxy || hasProxyEnvConfigured()) {
         dispatcher = new EnvHttpProxyAgent();

Context: Found while deploying NemoClaw in an OpenShell sandbox where DNS is blocked and all traffic goes through a transparent proxy. TRUSTED_ENV_PROXY mode (#45248) works but isn't triggered by default. The fix makes proxy detection automatic.