feat(proxy): support HTTPS sandbox backends#3280
Conversation
Allow sandbox network config to select HTTPS per port. Accept self-signed backend certificates on trusted orchestrator-to-sandbox hop.
PR SummaryMedium Risk Overview The setting is validated on create (limits, duplicates, reserved envd port), stored on ingress config, returned on get, and carried through orchestrator create, node re-sync, and paused snapshot JSON. The orchestrator sandbox proxy picks the backend scheme per port and the shared reverse-proxy pool can skip TLS verify and uses a bounded TLS handshake timeout for HTTPS backends. Reviewed by Cursor Bugbot for commit f2b7e96. Bugbot is set up for automated code reviews on this repo. Configure here. |
❌ 11 Tests Failed:
View the top 3 failed test(s) by shortest run time
View the full list of 1 ❄️ flaky test(s)
To view more test analytics, go to the Test Analytics Dashboard |
There was a problem hiding this comment.
Code Review
This pull request introduces support for HTTPS backend routing within sandboxes, allowing public URLs to connect to configured sandbox ports over HTTPS with backend certificate verification disabled (supporting self-signed certificates). It updates the API spec, database models, orchestrator protobuf, and proxy logic to handle the new httpsPorts configuration, along with adding validation and comprehensive integration tests. The feedback suggests a memory-safety improvement in sandbox_get.go to avoid taking the address of a struct field directly, which could prevent the garbage collection of the parent struct.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
b12e821 to
f2b7e96
Compare
Allow sandbox network config to select HTTPS per port. Accept self-signed backend certificates on trusted orchestrator-to-sandbox hop.