The palyra-egress-proxy crate provides a deny-by-default outbound security layer for all network I/O initiated by the Palyra daemon. It implements a fail-closed evaluation pipeline that validates request schemes, enforces host allowlists, prevents DNS rebinding, blocks private network access, and manages secure credential injection from the vault.

Architecture and Policy Evaluation

The core of the egress security system is the EgressProxyPolicyService. This stateless service evaluates EgressProxyRequest objects before any network socket is opened. Every request must receive an EgressPolicyVerdict to proceed; any deviation from policy results in an EgressPolicyError that immediately halts the operation.

Data Flow: HTTP Fetch to Network

The following diagram illustrates how the palyra.http.fetch tool uses the egress proxy to ensure secure communication.

[Diagram: Egress Validation Sequence]

Sources: crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#1-15, crates/palyra-egress-proxy/src/lib.rs#1-6, crates/palyra-egress-proxy/src/lib.rs#140-150

Key Components and Logic

EgressProxyRequest and Verdict

The EgressProxyRequest structure encapsulates all parameters required for a security decision, including the target URL, allowlists, and credential requirements.
| Field | Description | Code Entity |
| --- | --- | --- |
| URL Scheme | Only http and https are permitted. | EgressProxyRequest::url |
| Host Allowlist | Exact matches or DNS-suffix matches (e.g., example.com matches api.example.com). | allowed_hosts, allowed_dns_suffixes |
| Private Blocking | Blocks 127.0.0.1, 10.0.0.0/8, etc., unless allow_private_targets is true. | EgressProxyRequest::allow_private_targets |
| Response Budget | Enforces a non-zero byte limit on the response body. | max_response_bytes |

The EgressPolicyVerdict returns resolved_addresses (SocketAddr). These addresses are pinned in the HTTP client to prevent DNS rebinding attacks between the time of policy evaluation and the actual connection.

Sources: crates/palyra-egress-proxy/src/lib.rs#33-48, crates/palyra-egress-proxy/src/lib.rs#54-72, crates/palyra-egress-proxy/src/lib.rs#103-105

DNS Rebinding and Private IP Protection

The function validate_resolved_addrs is critical for SSRF (Server-Side Request Forgery) protection. It inspects every IP address returned by DNS resolution. If even one address in the set is private or local and the request has not explicitly opted into private targets, the entire request is blocked.

Sources: crates/palyra-egress-proxy/tests/critical_attack_scenarios.rs#9-10, crates/palyra-egress-proxy/tests/critical_attack_scenarios.rs#70-74
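As an added example (not code from the palyra-egress-proxy crate), the following Rust sketch carries the checks from the table above and the fail-closed address validation through in one policy evaluation: scheme, non-zero response budget, exact or DNS-suffix host allowlist, and finally an address set that is rejected as a whole if any member is private or local. The type and function names (EgressProxyRequest, EgressPolicyVerdict, validate_resolved_addrs, evaluate) borrow the page's vocabulary, but their shapes here are assumptions; the resolver is injected as a closure so the example runs offline, and the private-range list is the one a defender would normally use rather than the crate's exact list.

```rust
use std::net::{IpAddr, SocketAddr};

// Illustrative names and shapes; not the crate's real types or signatures.
#[derive(Debug, PartialEq)]
pub enum EgressPolicyError {
    MalformedUrl,
    SchemeNotAllowed(String),
    ZeroResponseBudget,
    HostNotAllowed(String),
    NoAddresses,
    PrivateTarget(IpAddr),
}

pub struct EgressProxyRequest<'a> {
    pub url: &'a str,
    pub allowed_hosts: &'a [&'a str],
    pub allowed_dns_suffixes: &'a [&'a str],
    pub allow_private_targets: bool,
    pub max_response_bytes: u64,
}

#[derive(Debug, PartialEq)]
pub struct EgressPolicyVerdict {
    pub host: String,
    /// Pinned by the HTTP client so a second lookup cannot swap in a new IP.
    pub resolved_addresses: Vec<SocketAddr>,
}

/// Minimal "scheme://[user@]host[:port]/..." split (bracketed IPv6 literals
/// are out of scope for this sketch).
fn scheme_host_port(url: &str) -> Option<(&str, &str, Option<u16>)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit('@').next()?;
    let (host, port) = match hostport.split_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (hostport, None),
    };
    if host.is_empty() { None } else { Some((scheme, host, port)) }
}

/// Exact entries match the whole host; a suffix entry matches the host itself
/// and subdomains on a label boundary (example.com -> api.example.com, not notexample.com).
fn host_allowed(host: &str, exact: &[&str], suffixes: &[&str]) -> bool {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    exact.iter().any(|e| e.eq_ignore_ascii_case(&h))
        || suffixes.iter().any(|s| {
            let s = s.trim_start_matches('.').to_ascii_lowercase();
            h == s || h.ends_with(&format!(".{s}"))
        })
}

/// Loopback, RFC 1918, link-local, shared address space, unspecified, broadcast,
/// IPv6 ULA / link-local, and IPv4-mapped IPv6 forms of all of those.
fn is_private_or_local(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            let o = v4.octets();
            v4.is_private() || v4.is_loopback() || v4.is_link_local() || v4.is_unspecified()
                || v4.is_broadcast() || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10
        }
        IpAddr::V6(v6) => {
            let s = v6.segments();
            v6.is_loopback() || v6.is_unspecified()
                || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
                || v6.to_ipv4_mapped().map_or(false, |v4| is_private_or_local(IpAddr::V4(v4)))
        }
    }
}

/// Fail closed: one private or local address in the answer set rejects the
/// whole request unless the caller explicitly opted into private targets.
pub fn validate_resolved_addrs(addrs: &[IpAddr], allow_private: bool) -> Result<(), EgressPolicyError> {
    if addrs.is_empty() { return Err(EgressPolicyError::NoAddresses); }
    match addrs.iter().find(|ip| !allow_private && is_private_or_local(**ip)) {
        Some(ip) => Err(EgressPolicyError::PrivateTarget(*ip)),
        None => Ok(()),
    }
}

/// Run the checks in order before any socket is opened. `resolve` stands in
/// for the DNS lookup so the example runs offline.
pub fn evaluate(req: &EgressProxyRequest, resolve: impl Fn(&str) -> Vec<IpAddr>) -> Result<EgressPolicyVerdict, EgressPolicyError> {
    let (scheme, host, port) = scheme_host_port(req.url).ok_or(EgressPolicyError::MalformedUrl)?;
    let port = match (scheme, port) {
        ("http", p) => p.unwrap_or(80),
        ("https", p) => p.unwrap_or(443),
        (other, _) => return Err(EgressPolicyError::SchemeNotAllowed(other.to_string())),
    };
    if req.max_response_bytes == 0 { return Err(EgressPolicyError::ZeroResponseBudget); }
    if !host_allowed(host, req.allowed_hosts, req.allowed_dns_suffixes) {
        return Err(EgressPolicyError::HostNotAllowed(host.to_string()));
    }
    let ips = resolve(host);
    validate_resolved_addrs(&ips, req.allow_private_targets)?;
    // The verdict carries concrete socket addresses; the client connects to
    // exactly these and never resolves the name a second time.
    Ok(EgressPolicyVerdict {
        host: host.to_string(),
        resolved_addresses: ips.into_iter().map(|ip| SocketAddr::new(ip, port)).collect(),
    })
}
```

The order matters: the cheap syntactic checks run first, and the resolver is only consulted for a host that already passed the allowlist, so an attacker-controlled name cannot even trigger a lookup unless it sits under an allowed suffix. The mixed public/private answer case from the test corpus is what the `find` in validate_resolved_addrs exists for.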

Tool Integration: palyra.http.fetch

The palyra.http.fetch tool (implemented in execute_http_fetch_tool) is the primary consumer of the egress proxy. It disables automatic redirects (Policy::none) and follows redirects in a manual loop, so that every hop in a redirect chain is re-evaluated against the security policy before it is contacted.
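To make the re-evaluation point concrete, here is an added example (not the tool's implementation) of a manual redirect loop: the transport performs exactly one request with automatic redirects disabled, and the policy is applied to each Location target before it is contacted, so a redirect from an allowed host to a private address is refused at that hop rather than after the connection. Hop, FetchError, MAX_REDIRECTS, resolve_location and the two injected closures are assumptions of this sketch, and the policy closure is a stand-in for the full egress evaluation.

```rust
// Illustrative types; not the crate's real API.
#[derive(Debug, PartialEq)]
pub enum Hop {
    /// A 3xx response carrying a Location header.
    Redirect(String),
    /// A final response body.
    Body(Vec<u8>),
}

#[derive(Debug, PartialEq)]
pub enum FetchError {
    PolicyDenied { url: String, reason: String },
    TooManyRedirects(usize),
    ResponseTooLarge { url: String, limit: usize },
}

pub const MAX_REDIRECTS: usize = 5;

/// Join a Location value onto the current URL. Absolute locations are used
/// as-is; anything else is treated as an origin-relative path (a real client
/// resolves relative references per RFC 3986).
fn resolve_location(current: &str, location: &str) -> String {
    if location.contains("://") {
        return location.to_string();
    }
    let origin = match current.find("://") {
        Some(i) => match current[i + 3..].find('/') {
            Some(j) => &current[..i + 3 + j],
            None => current,
        },
        None => current,
    };
    format!("{origin}/{}", location.trim_start_matches('/'))
}

/// `policy` returns Err(reason) for a URL that must not be contacted.
/// `transport` performs exactly one request with automatic redirects disabled
/// (the client-side equivalent of Policy::none) and reports what came back.
/// Returns the chain of URLs actually contacted together with the final body.
pub fn fetch_with_manual_redirects(
    start_url: &str,
    max_response_bytes: usize,
    policy: impl Fn(&str) -> Result<(), String>,
    transport: impl Fn(&str) -> Hop,
) -> Result<(Vec<String>, Vec<u8>), FetchError> {
    let mut url = start_url.to_string();
    let mut chain = Vec::new();
    for _ in 0..=MAX_REDIRECTS {
        // Re-evaluate *this* hop before contacting it: a redirect that points
        // at a disallowed or private host fails here, not after the connect.
        policy(&url).map_err(|reason| FetchError::PolicyDenied { url: url.clone(), reason })?;
        chain.push(url.clone());
        match transport(&url) {
            Hop::Redirect(location) => url = resolve_location(&url, &location),
            Hop::Body(body) if body.len() > max_response_bytes => {
                return Err(FetchError::ResponseTooLarge { url, limit: max_response_bytes });
            }
            Hop::Body(body) => return Ok((chain, body)),
        }
    }
    Err(FetchError::TooManyRedirects(MAX_REDIRECTS))
}
```

Returning the contacted chain alongside the body is a small but useful habit: it gives the caller (and any audit log) the exact sequence of hosts the daemon talked to, which is what you want when reviewing why a fetch was allowed or denied.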

Credential Injection

The proxy supports CredentialBindingPlan, which allows the daemon to inject secrets into outbound requests without exposing them to the agent’s context.
  • Vault-Only: Only SecretSource::Vault references are permitted for egress injection.
  • Header Validation: Header names must be “credential-shaped” (e.g., Authorization, X-Api-Key).
  • Exec Forbidden: SecretSource::Exec is explicitly forbidden in egress policy to prevent arbitrary local execution during request assembly.
Sources: crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#49-61, crates/palyra-egress-proxy/src/lib.rs#19-29, crates/palyra-egress-proxy/src/lib.rs#112-117
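The three rules above can be expressed as a single validation pass over the plan, run before any secret is fetched. The Rust below is an added example, not the crate's code: SecretSource, CredentialBinding, CredentialBindingPlan and BindingError reuse the page's names but are assumed shapes, the Literal variant is assumed so that a non-vault, non-exec source can be shown being refused, and the "credential-shaped" header test is an assumed heuristic (a short list of known credential headers plus common vendor suffixes). The vault lookup is injected as a closure so the example runs offline.

```rust
use std::collections::HashSet;

// Illustrative types; not the crate's real API.
#[derive(Debug, Clone, PartialEq)]
pub enum SecretSource {
    /// A reference into the vault: the only form that may be injected.
    Vault { path: String, key: String },
    /// Obtain the secret by running a local command: never allowed here.
    Exec { command: String },
    /// An inline value (assumed variant): rejected so plans never carry secrets.
    Literal(String),
}

#[derive(Debug, Clone, PartialEq)]
pub struct CredentialBinding {
    pub header: String,
    pub source: SecretSource,
}

pub struct CredentialBindingPlan {
    pub bindings: Vec<CredentialBinding>,
}

#[derive(Debug, PartialEq)]
pub enum BindingError {
    ExecForbidden { header: String },
    NonVaultSource { header: String },
    InvalidHeaderName(String),
    NotCredentialShaped(String),
    DuplicateHeader(String),
    VaultMiss { path: String, key: String },
}

/// Assumed heuristic for "credential-shaped": a known credential header or a
/// vendor header ending in one of the usual credential suffixes.
const CREDENTIAL_HEADERS: &[&str] = &["authorization", "proxy-authorization", "x-api-key", "api-key", "x-auth-token"];

fn is_credential_shaped(name: &str) -> bool {
    let n = name.to_ascii_lowercase();
    CREDENTIAL_HEADERS.contains(&n.as_str())
        || n.ends_with("-api-key") || n.ends_with("-token") || n.ends_with("-secret")
}

/// RFC 9110 field-name token: visible ASCII excluding delimiters, no spaces.
fn is_valid_header_name(name: &str) -> bool {
    !name.is_empty()
        && name.bytes().all(|c| c.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&c))
}

/// Reject the whole plan on the first violation; nothing is injected partially.
pub fn validate_plan(plan: &CredentialBindingPlan) -> Result<(), BindingError> {
    let mut seen = HashSet::new();
    for b in &plan.bindings {
        match &b.source {
            SecretSource::Exec { .. } => return Err(BindingError::ExecForbidden { header: b.header.clone() }),
            SecretSource::Literal(_) => return Err(BindingError::NonVaultSource { header: b.header.clone() }),
            SecretSource::Vault { .. } => {}
        }
        if !is_valid_header_name(&b.header) {
            return Err(BindingError::InvalidHeaderName(b.header.clone()));
        }
        if !is_credential_shaped(&b.header) {
            return Err(BindingError::NotCredentialShaped(b.header.clone()));
        }
        if !seen.insert(b.header.to_ascii_lowercase()) {
            return Err(BindingError::DuplicateHeader(b.header.clone()));
        }
    }
    Ok(())
}

/// Resolve a validated plan into concrete headers. `lookup` stands in for the
/// vault client; the returned pairs are the only place secret values appear,
/// so they go straight onto the outbound request and never into the agent's context.
pub fn inject(
    plan: &CredentialBindingPlan,
    lookup: impl Fn(&str, &str) -> Option<String>,
) -> Result<Vec<(String, String)>, BindingError> {
    validate_plan(plan)?;
    let mut headers = Vec::with_capacity(plan.bindings.len());
    for b in &plan.bindings {
        if let SecretSource::Vault { path, key } = &b.source {
            let value = lookup(path, key)
                .ok_or_else(|| BindingError::VaultMiss { path: path.clone(), key: key.clone() })?;
            headers.push((b.header.clone(), value));
        }
    }
    Ok(headers)
}
```

Checking the source variant before the header name is deliberate: an Exec source is rejected regardless of how plausible the header looks, and the error carries only the header name, not the command or any secret value, so it can be logged safely.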

Worker Fleet Egress Attestation

In distributed environments, the palyra-workerd crate enforces that workers boot with an attested egress proxy. This is part of the WorkerAttestation contract.

[Diagram: Worker Egress Security Mapping]

The WorkerFleetManager rejects any worker attempting to register without a valid egress proxy binding if require_egress_proxy is enabled in the WorkerFleetPolicy.

Sources: crates/palyra-workerd/src/lib.rs#35-42, crates/palyra-workerd/src/lib.rs#69-85, crates/palyra-workerd/src/lib.rs#127-129

Security Testing and Verification

Egress controls are verified using a “Critical Attack Corpus” located in fixtures/security/critical_attack_scenarios.json. These tests ensure:
  1. Private Target Blocking: Replays scenarios where DNS resolves to mixed public/private IPs.
  2. Credential Leak Prevention: Ensures secrets are redacted in export scans via palyra-safety.
  3. Attestation Integrity: Ensures workers cannot bypass egress proxy requirements.
Sources: crates/palyra-egress-proxy/tests/critical_attack_scenarios.rs#1-6, crates/palyra-workerd/tests/critical_attack_scenarios.rs#1-6, crates/palyra-safety/tests/critical_attack_scenarios.rs#78-90