engine: claude — squid proxy rejects chroot localhost connections (transaction-end-before-headers)

[virenpepper]

Description

Follow-up from #23614. The get-claude-key.sh chroot fix (AWF 0.25.5) works — the script is copied and the config path is updated. But Claude Code still can't reach the Anthropic API because the squid proxy rejects all connections from inside the chroot.

Environment

• gh-aw CLI: v0.65.1
• AWF container: 0.25.5
• Claude Code CLI: 2.1.87
• Repo: private, GitHub Teams plan
• Runner: ubuntu-latest

Evidence from squid audit logs

The squid proxy receives two types of traffic:

API proxy container (172.30.0.20) — works:

{"client":"172.30.0.20","host":"api.anthropic.com:443","dest":"160.79.104.10:443","method":"CONNECT","status":200,"decision":"TCP_TUNNEL"}

4 successful CONNECT 200 requests.

Claude Code inside chroot (::1 / localhost) — all fail:

{"client":"::1","host":"-","dest":"-:-","method":"-","status":0,"decision":"NONE_NONE","url":"error:transaction-end-before-headers"}

49 failed requests over ~4 minutes (matching Claude Code's 10 retries with exponential backoff, plus background connection attempts).

The connection drops before any HTTP headers are sent. Squid sees a bare TCP connection with no HTTP protocol.

Timeline within the run

1. get-claude-key.sh copied to chroot ✅
2. apiKeyHelper path updated in both .claude.json and .claude/settings.json ✅
3. apiKeySource: "apiKeyHelper" at init ✅
4. Claude Code starts making API calls → all hit squid at ::1 → all fail with transaction-end-before-headers
5. 10 retries exhausted → EHOSTUNREACH → exit 1

Possible causes

• IPv6 ::1 vs IPv4 127.0.0.1 mismatch — squid might listen on one, Claude Code connects on the other
• HTTP_PROXY/HTTPS_PROXY env vars inside chroot might point to wrong address/port after chroot activation
• LD_PRELOAD one-shot-token mechanism might interfere with the proxy TLS handshake
• Squid port not accessible from inside the chroot's network namespace

Failed run

https://github.com/usepepper/salsa/actions/runs/23814978435

Download firewall-audit-logs artifact → logs/audit.jsonl for the full squid log.

What works

• API proxy container (172.30.0.20) successfully reaches api.anthropic.com through squid
• get-claude-key.sh exists in chroot at correct path
• Config files updated correctly
• MCP servers (github, safeoutputs) both connect successfully
• raw.githubusercontent.com request from API proxy succeeds

[lpcox]

🔗 AWF tracking issue: github/gh-aw-firewall#1543

This was tracked and fixed in AWF 0.25.6: setup-iptables.sh now unconditionally disables IPv6 in the agent network namespace, and squid-config.ts adds a dual-stack http_port [::]:3128 listener as defense-in-depth. The root cause was Node.js happy-eyeballs (RFC 8305) preferring IPv6 connections to api.anthropic.com:443 which bypassed the IPv4-only iptables DNAT rules and arrived at Squid as raw IPv6 TCP with no HTTP headers — hence transaction-end-before-headers. Fix merged in github/gh-aw-firewall#1544.

Generated by Firewall Issue Dispatcher · ◷

[virenpepper]

the AWF 0.25.6 fix hasn't shipped yet. gh-aw CLI v0.65.3 (latest) still hardcodes --image-tag 0.25.5 in compiled workflows. we need a CLI release that bumps to AWF 0.25.6.

confirmed with 2 more runs on v0.65.3 — same EHOSTUNREACH, same transaction-end-before-headers from ::1, still AWF 0.25.5:

• https://github.com/usepepper/salsa/actions/runs/23855572857
• https://github.com/usepepper/salsa/actions/runs/23855742188

when can we expect a CLI release bundling AWF 0.25.6?