The palyra-egress-proxy crate provides a deny-by-default outbound security layer for all network I/O initiated by the Palyra daemon. It implements a fail-closed evaluation pipeline that validates request schemes, enforces host allowlists, prevents DNS rebinding, blocks private-network access, and manages secure credential injection from the vault.
Architecture and Policy Evaluation
The core of the egress security system is the EgressProxyPolicyService. The service is stateless: it evaluates EgressProxyRequest objects before any network socket is opened. Every request must receive an EgressPolicyVerdict before it may proceed; any deviation from policy produces an EgressPolicyError, which halts the operation immediately.
Data Flow: HTTP Fetch to Network
The following diagram illustrates how the palyra.http.fetch tool uses the egress proxy to ensure secure communication.
Egress Validation Sequence
Sources: crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#1-15, crates/palyra-egress-proxy/src/lib.rs#1-6, crates/palyra-egress-proxy/src/lib.rs#140-150
Key Components and Logic
EgressProxyRequest and Verdict
The EgressProxyRequest structure encapsulates all parameters required for a security decision, including the target URL, allowlists, and credential requirements.
| Field | Description | Code Entity |
|---|---|---|
| URL Scheme | Only http and https are permitted. | EgressProxyRequest::url |
| Host Allowlist | Exact matches or DNS-suffix matches on a label boundary (e.g., example.com matches api.example.com). | allowed_hosts, allowed_dns_suffixes |
| Private Blocking | Blocks 127.0.0.1, 10.0.0.0/8, etc., unless allow_private_targets is true. | EgressProxyRequest::allow_private_targets |
| Response Budget | Enforces a non-zero byte limit on the response body. | max_response_bytes |
The EgressPolicyVerdict carries resolved_addresses (a list of SocketAddr). The HTTP client is pinned to exactly these addresses and never resolves the host again, so a changed DNS answer between policy evaluation and the actual connection (a DNS rebinding attack) cannot redirect the connection to an unchecked target.
Sources: crates/palyra-egress-proxy/src/lib.rs#33-48, crates/palyra-egress-proxy/src/lib.rs#54-72, crates/palyra-egress-proxy/src/lib.rs#103-105
DNS Rebinding and Private IP Protection
The function validate_resolved_addrs is critical for SSRF (Server-Side Request Forgery) protection. It inspects every IP address returned by DNS resolution. If even one address in the set is private or local, and the request has not explicitly opted into private targets, the entire request is blocked; a rebinding server that mixes one public answer with one internal answer therefore gains nothing.
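The following is an added example, not code from the palyra-egress-proxy crate, showing the evaluation order the two sections above describe: scheme check, response-budget check, allowlist match on a label boundary, resolution, a private-address sweep over every answer, and a verdict that pins the resolved socket addresses. The struct and error names, the URL splitter, the header of credential-shaped checks, and the DNS answers are all assumptions constructed for the example; real DNS is replaced by a map so it runs offline.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// Request shape assumed for this example; field names follow the table above.
#[derive(Debug, Clone)]
pub struct EgressRequest {
    pub url: String,
    pub allowed_hosts: Vec<String>,
    pub allowed_dns_suffixes: Vec<String>,
    pub allow_private_targets: bool,
    pub max_response_bytes: u64,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError { InvalidUrl, SchemeNotAllowed(String), ZeroResponseBudget, HostNotAllowed(String), NoAddresses(String), PrivateTarget(IpAddr) }

/// The connector must dial exactly these addresses; it never resolves the host again.
#[derive(Debug, PartialEq)]
pub struct Verdict { pub host: String, pub resolved_addresses: Vec<SocketAddr> }

/// Offline DNS stand-in (host -> answers) so the example runs without a network.
pub type Resolver = HashMap<String, Vec<IpAddr>>;

/// Minimal scheme/host/port split (hypothetical; bracketed IPv6 literals are rejected outright).
fn split_url(url: &str) -> Result<(String, String, u16), PolicyError> {
    let (scheme, rest) = url.split_once("://").ok_or(PolicyError::InvalidUrl)?;
    let scheme = scheme.to_ascii_lowercase();
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    let authority = authority.rsplit('@').next().unwrap_or(authority); // drop userinfo
    if authority.contains('[') { return Err(PolicyError::InvalidUrl); }
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, p.parse::<u16>().map_err(|_| PolicyError::InvalidUrl)?),
        None => (authority, if scheme == "https" { 443 } else { 80 }),
    };
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() { return Err(PolicyError::InvalidUrl); }
    Ok((scheme, host, port))
}

/// Suffixes match only on a label boundary: "example.com" admits "api.example.com", never "notexample.com".
fn host_allowed(host: &str, req: &EgressRequest) -> bool {
    req.allowed_hosts.iter().any(|h| h.eq_ignore_ascii_case(host))
        || req.allowed_dns_suffixes.iter().any(|s| {
            let s = s.trim_start_matches('.').to_ascii_lowercase();
            host == s || host.ends_with(&format!(".{s}"))
        })
}

fn is_private_v4(v4: Ipv4Addr) -> bool {
    let o = v4.octets();
    v4.is_private() || v4.is_loopback() || v4.is_link_local() || v4.is_unspecified()
        || v4.is_broadcast() || v4.is_multicast()
        || o[0] == 0 || (o[0] == 100 && (o[1] & 0xc0) == 64) // 0.0.0.0/8 and 100.64.0.0/10
}

pub fn is_private_or_local(ip: IpAddr) -> bool {
    let v6 = match ip {
        IpAddr::V4(v4) => return is_private_v4(v4),
        IpAddr::V6(v6) => v6,
    };
    // ::ffff:a.b.c.d is the classic way to smuggle an IPv4 target past v6-only checks.
    if let Some(v4) = v6.to_ipv4_mapped() { return is_private_v4(v4); }
    let s0 = v6.segments()[0];
    v6.is_loopback() || v6.is_unspecified() || v6.is_multicast()
        || (s0 & 0xfe00) == 0xfc00 || (s0 & 0xffc0) == 0xfe80 // fc00::/7 and fe80::/10
}

/// One private answer poisons the whole set: a rebinding server can alternate its answers.
pub fn validate_resolved_addrs(addrs: &[IpAddr], allow_private: bool) -> Result<(), PolicyError> {
    let bad = addrs.iter().find(|ip| !allow_private && is_private_or_local(**ip));
    bad.map_or(Ok(()), |ip| Err(PolicyError::PrivateTarget(*ip)))
}

pub fn evaluate(req: &EgressRequest, dns: &Resolver) -> Result<Verdict, PolicyError> {
    let (scheme, host, port) = split_url(&req.url)?;
    if scheme != "http" && scheme != "https" { return Err(PolicyError::SchemeNotAllowed(scheme)); }
    if req.max_response_bytes == 0 { return Err(PolicyError::ZeroResponseBudget); }
    // Syntactic checks come before resolution, so a disallowed host never triggers a lookup.
    if !host_allowed(&host, req) { return Err(PolicyError::HostNotAllowed(host)); }
    let addrs = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => dns.get(&host).cloned().unwrap_or_default(),
    };
    if addrs.is_empty() { return Err(PolicyError::NoAddresses(host)); } // fail closed
    validate_resolved_addrs(&addrs, req.allow_private_targets)?;
    let resolved_addresses = addrs.into_iter().map(|ip| SocketAddr::new(ip, port)).collect();
    Ok(Verdict { host, resolved_addresses })
}

/// Constructed DNS answers for the example (not real records).
pub fn sample_resolver() -> Resolver {
    let ip4 = |a, b, c, d| IpAddr::V4(Ipv4Addr::new(a, b, c, d));
    Resolver::from([
        ("api.example.com".to_string(), vec![ip4(93, 184, 216, 34)]),
        ("rebind.example.com".to_string(), vec![ip4(93, 184, 216, 34), ip4(10, 0, 0, 5)]),
        ("mapped.example.com".to_string(), vec![IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0xffff, 0x0a00, 1))]),
    ])
}

pub fn request(url: &str, allow_private: bool) -> EgressRequest {
    EgressRequest {
        url: url.to_string(),
        allowed_hosts: vec!["127.0.0.1".to_string()],
        allowed_dns_suffixes: vec!["example.com".to_string()],
        allow_private_targets: allow_private,
        max_response_bytes: 1 << 20,
    }
}

fn main() {
    let dns = sample_resolver();
    for url in ["https://api.example.com/v1", "https://rebind.example.com/", "http://127.0.0.1:8080/"] {
        println!("{url}: {:?}", evaluate(&request(url, false), &dns));
    }
}
```

Two details matter more than they look. The allowlist and scheme checks run before any lookup, so the proxy never emits a DNS query for a host it would refuse anyway. And the private-address sweep unwraps IPv4-mapped IPv6 answers; a check that only looks at the IPv4 variant lets `::ffff:10.0.0.1` through.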
Sources: crates/palyra-egress-proxy/tests/critical_attack_scenarios.rs#9-10, crates/palyra-egress-proxy/tests/critical_attack_scenarios.rs#70-74
Tool Integration: palyra.http.fetch
The palyra.http.fetch tool (implemented in execute_http_fetch_tool) is the primary consumer of the egress proxy. Rather than letting the HTTP client follow redirects on its own, it disables automatic redirects (Policy::none) and runs a manual redirect loop, so that every hop in a redirect chain is re-evaluated against the security policy before it is fetched. The verdict for the first URL says nothing about where a 302 from that URL points.
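As an added example (not the tool's own code), the loop below shows the shape of such a manual redirect follower: a bounded number of hops, policy evaluation on every hop, and the response budget applied to the final body. The policy is reduced to a scheme-plus-suffix check standing in for the policy service, and the "server" is a constructed map of URL to response, so no network is touched; names such as FakeServer and suffix_policy are assumptions for the example.

```rust
use std::collections::HashMap;

/// One simulated hop: the server either redirects or returns a body.
#[derive(Debug, Clone, PartialEq)]
pub enum Hop {
    Redirect { status: u16, location: String },
    Body(Vec<u8>),
}

#[derive(Debug, PartialEq)]
pub enum FetchError {
    Policy { hop: usize, url: String, reason: String },
    TooManyRedirects,
    Unreachable(String),
    BodyTooLarge { limit: usize },
}

/// Constructed responses keyed by absolute URL; no network is touched.
pub struct FakeServer(pub HashMap<String, Hop>);

fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("https://").or_else(|| url.strip_prefix("http://"))?;
    rest.split(|c: char| c == '/' || c == ':' || c == '?').next()
}

/// Make a Location header absolute; only absolute and root-relative forms are accepted.
fn resolve_location(current: &str, location: &str) -> Option<String> {
    if location.contains("://") {
        return Some(location.to_string());
    }
    let path = location.strip_prefix('/')?;
    let origin_end = current.find("://")? + 3;
    let origin_end = current[origin_end..].find('/').map_or(current.len(), |i| origin_end + i);
    Some(format!("{}/{}", &current[..origin_end], path))
}

/// Manual redirect loop: the client never follows a 3xx on its own; each hop is policy-checked first.
pub fn fetch(
    start: &str,
    server: &FakeServer,
    policy: &dyn Fn(&str) -> Result<(), String>,
    max_redirects: usize,
    max_bytes: usize,
) -> Result<Vec<u8>, FetchError> {
    let mut url = start.to_string();
    for hop in 0..=max_redirects {
        // The verdict for hop 0 says nothing about where hop 1 points, so evaluate again.
        policy(&url).map_err(|reason| FetchError::Policy { hop, url: url.clone(), reason })?;
        match server.0.get(&url) {
            None => return Err(FetchError::Unreachable(url)),
            Some(Hop::Body(body)) => {
                if body.len() > max_bytes {
                    return Err(FetchError::BodyTooLarge { limit: max_bytes });
                }
                return Ok(body.clone());
            }
            Some(Hop::Redirect { location, .. }) => {
                url = resolve_location(&url, location).ok_or_else(|| FetchError::Policy {
                    hop,
                    url: url.clone(),
                    reason: format!("unsupported Location {location:?}"),
                })?;
            }
        }
    }
    Err(FetchError::TooManyRedirects)
}

/// Stand-in for the policy service: scheme check plus a DNS-suffix allowlist.
pub fn suffix_policy(url: &str) -> Result<(), String> {
    match host_of(url) {
        Some(h) if h == "example.com" || h.ends_with(".example.com") => Ok(()),
        Some(h) => Err(format!("host {h} not allowlisted")),
        None => Err("scheme not http(s)".to_string()),
    }
}

/// Constructed chain: allowed -> allowed -> allowed body, plus two hostile chains.
pub fn sample_server() -> FakeServer {
    let redirect = |status, location: &str| Hop::Redirect { status, location: location.to_string() };
    FakeServer(HashMap::from([
        ("https://api.example.com/v1/report".to_string(), redirect(302, "/v2/report")),
        ("https://api.example.com/v2/report".to_string(), redirect(307, "https://cdn.example.com/report.json")),
        ("https://cdn.example.com/report.json".to_string(), Hop::Body(b"{\"ok\":true}".to_vec())),
        // An allowlisted host bouncing the client to the cloud metadata service.
        ("https://api.example.com/leak".to_string(), redirect(302, "http://169.254.169.254/latest/meta-data/")),
        ("https://api.example.com/loop".to_string(), redirect(302, "/loop")),
    ]))
}

fn main() {
    let server = sample_server();
    for path in ["v1/report", "leak", "loop"] {
        let url = format!("https://api.example.com/{path}");
        println!("{url}: {:?}", fetch(&url, &server, &suffix_policy, 5, 4096));
    }
}
```

The "leak" chain is the case a client with automatic redirects would get wrong: the first hop is allowlisted, and only the per-hop re-evaluation catches the bounce to a link-local address. The hop counter bounds the loop so a self-redirecting server cannot keep the tool busy indefinitely. A real follower that carries injected credentials would additionally need to decide what happens to them when a hop changes host; this example carries none.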
Credential Injection
The proxy supports CredentialBindingPlan, which allows the daemon to inject secrets into outbound requests without exposing them to the agent's context.
- Vault-Only: Only SecretSource::Vault references are permitted for egress injection.
- Header Validation: Header names must be "credential-shaped" (e.g., Authorization, X-Api-Key).
- Exec Forbidden: SecretSource::Exec is explicitly forbidden in egress policy to prevent arbitrary local execution during request assembly.
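The following added example (not the crate's implementation) shows the three rules above as a two-phase check: validate_plan inspects only header names and source kinds, and inject resolves vault references into header values at the last moment. The SecretSource variants follow the two the page names; the list of credential-shaped header names, the error type, the CR/LF check on values and the constructed vault are assumptions for the example.

```rust
use std::collections::HashSet;

/// Secret sources modelled on the two the page names; nothing else is recognised.
#[derive(Debug, Clone, PartialEq)]
pub enum SecretSource {
    Vault { path: String },
    Exec { command: String },
}

#[derive(Debug, Clone, PartialEq)]
pub struct CredentialBinding {
    pub header: String,
    pub source: SecretSource,
}

#[derive(Debug, PartialEq)]
pub enum BindingError {
    ExecForbidden { header: String },
    NotCredentialShaped(String),
    InvalidHeaderName(String),
    DuplicateHeader(String),
    VaultMiss(String),
    InvalidSecretValue(String),
}

/// Header names treated as credential-shaped (assumed list; the crate's may differ).
const CREDENTIAL_HEADERS: &[&str] = &["authorization", "proxy-authorization", "x-api-key", "x-auth-token"];

/// RFC 9110 token characters, the only bytes legal in a header name.
fn is_tchar(c: u8) -> bool {
    c.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&c)
}

/// Check the plan's shape without touching any secret material.
pub fn validate_plan(plan: &[CredentialBinding]) -> Result<(), BindingError> {
    let mut seen = HashSet::new();
    for b in plan {
        let name = b.header.to_ascii_lowercase();
        if name.is_empty() || !name.bytes().all(is_tchar) {
            return Err(BindingError::InvalidHeaderName(b.header.clone()));
        }
        if !CREDENTIAL_HEADERS.contains(&name.as_str()) {
            return Err(BindingError::NotCredentialShaped(b.header.clone()));
        }
        if !seen.insert(name) {
            return Err(BindingError::DuplicateHeader(b.header.clone()));
        }
        // Exhaustive match: anything that is not a vault reference is refused.
        match &b.source {
            SecretSource::Vault { .. } => {}
            SecretSource::Exec { .. } => return Err(BindingError::ExecForbidden { header: b.header.clone() }),
        }
    }
    Ok(())
}

/// Resolve vault references into (header, value) pairs just before the request is written.
/// The agent only ever sees the plan, never the returned pairs.
pub fn inject(
    plan: &[CredentialBinding],
    vault: &dyn Fn(&str) -> Option<String>,
) -> Result<Vec<(String, String)>, BindingError> {
    validate_plan(plan)?;
    let mut headers = Vec::with_capacity(plan.len());
    for b in plan {
        let path = match &b.source {
            SecretSource::Vault { path } => path,
            SecretSource::Exec { .. } => unreachable!("validate_plan rejects Exec"),
        };
        let value = vault(path).ok_or_else(|| BindingError::VaultMiss(path.clone()))?;
        // A CR or LF in the value would split the header line: refuse rather than sanitise.
        if value.bytes().any(|c| c == b'\r' || c == b'\n') {
            return Err(BindingError::InvalidSecretValue(b.header.clone()));
        }
        headers.push((b.header.to_ascii_lowercase(), value));
    }
    Ok(headers)
}

/// Constructed vault for the example (not real secrets).
pub fn sample_vault(path: &str) -> Option<String> {
    match path {
        "kv/github/token" => Some("ghp_constructed_example".to_string()),
        "kv/bad/newline" => Some("abc\r\nX-Injected: 1".to_string()),
        _ => None,
    }
}

fn main() {
    let plan = vec![CredentialBinding { header: "Authorization".into(), source: SecretSource::Vault { path: "kv/github/token".into() } }];
    // Print header names only; the values are the secret.
    println!("{:?}", inject(&plan, &sample_vault).map(|h| h.into_iter().map(|(n, _)| n).collect::<Vec<_>>()));
}
```

Splitting validation from injection is what keeps the agent's context clean: validate_plan can run when the plan is authored, with no vault access at all, and the secret values exist only inside inject, on the daemon side, immediately before the bytes go on the wire.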
Worker Fleet Egress Attestation
In distributed environments, the palyra-workerd crate enforces that workers boot with an attested egress proxy. This is part of the WorkerAttestation contract.
Worker Egress Security Mapping
The WorkerFleetManager rejects any worker attempting to register without a valid egress proxy binding if require_egress_proxy is enabled in the WorkerFleetPolicy.
Sources: crates/palyra-workerd/src/lib.rs#35-42, crates/palyra-workerd/src/lib.rs#69-85, crates/palyra-workerd/src/lib.rs#127-129
Security Testing and Verification
Egress controls are verified using a "Critical Attack Corpus" located in fixtures/security/critical_attack_scenarios.json. These tests ensure:
- Private Target Blocking: Replays scenarios where DNS resolves to mixed public/private IPs.
- Credential Leak Prevention: Ensures secrets are redacted in export scans via palyra-safety.
- Attestation Integrity: Ensures workers cannot bypass egress proxy requirements.