Documentation
Constants
const (
	HostAnthropic = "api.anthropic.com"
	HostOpenAI    = "api.openai.com"
	HostCopilot   = "api.individual.githubcopilot.com"
)
Known AI provider hosts.
const (
	RequestTypeMITM     = "mitm"
	RequestTypeTunneled = "tunneled"
)
const (
	// ProxyAuthRealm is the realm used in Proxy-Authenticate challenges.
	// The realm helps clients identify which credentials to use.
	ProxyAuthRealm = `"Coder AI Bridge Proxy"`
)
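How ProxyAuthRealm is spliced into a challenge, as an added example rather than code from the aibridgeproxyd package: a Go middleware that answers unauthenticated requests with 407 and a Proxy-Authenticate header carrying the realm, compares credentials in constant time, and strips Proxy-Authorization before the request moves on. The Basic scheme, the single static credential, and the ProxyAuth, parseProxyBasic, equalSecret, BasicHeader, NewGuardedProxy and Probe helpers are assumptions of this example; the page does not document how the proxy authenticates clients.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProxyAuthRealm carries its own double quotes so it can be spliced straight into
// the challenge as realm=<ProxyAuthRealm>.
const ProxyAuthRealm = `"Coder AI Bridge Proxy"`

// ProxyAuth demands Proxy-Authorization: Basic credentials before a request reaches
// next. The Basic scheme and a single static credential are this example's
// assumptions, not the package's documented behaviour.
func ProxyAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := parseProxyBasic(r.Header.Get("Proxy-Authorization"))
		if !ok || !equalSecret(u, user) || !equalSecret(p, pass) {
			// 407 + Proxy-Authenticate (not 401 + WWW-Authenticate): the proxy is
			// challenging, and clients retry with proxy credentials on this pair.
			w.Header().Set("Proxy-Authenticate", "Basic realm="+ProxyAuthRealm)
			http.Error(w, "proxy authentication required", http.StatusProxyAuthRequired)
			return
		}
		r.Header.Del("Proxy-Authorization") // never forward proxy credentials upstream
		next.ServeHTTP(w, r)
	})
}

// parseProxyBasic decodes "Basic base64(user:pass)". net/http's Request.BasicAuth
// reads only the Authorization header, so the proxy variant is parsed by hand.
func parseProxyBasic(v string) (user, pass string, ok bool) {
	const prefix = "basic "
	if len(v) < len(prefix) || !strings.EqualFold(v[:len(prefix)], prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(v[len(prefix):]))
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// equalSecret compares in constant time; hashing first hides the length difference.
func equalSecret(a, b string) bool {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// BasicHeader builds the Proxy-Authorization value a client would send.
func BasicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// NewGuardedProxy wraps a stub upstream that records whether Proxy-Authorization
// leaked through to it; the returned pointer lets a caller inspect that afterwards.
func NewGuardedProxy(user, pass string) (http.Handler, *string) {
	forwarded := new(string)
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		*forwarded = r.Header.Get("Proxy-Authorization")
		w.WriteHeader(http.StatusOK)
	})
	return ProxyAuth(user, pass, next), forwarded
}

// Probe sends one request through h and returns the status code and the
// Proxy-Authenticate challenge (empty when the request was let through).
func Probe(h http.Handler, proxyAuthorization string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://api.openai.com/v1/models", nil)
	if proxyAuthorization != "" {
		req.Header.Set("Proxy-Authorization", proxyAuthorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Proxy-Authenticate")
}
```

ProxyAuthRealm is a raw string that already includes its double quotes, so realm= followed by the constant yields realm="Coder AI Bridge Proxy" with no extra quoting. The guard deliberately answers 407 with Proxy-Authenticate rather than 401 with WWW-Authenticate: that pair is what makes HTTP clients retry with proxy credentials, and it keeps the proxy's challenge distinct from any challenge the AI provider itself returns.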
Variables
This section is empty.
Functions
This section is empty.
Types
type CertCache
type CertCache struct {
// contains filtered or unexported fields
}
CertCache implements goproxy.CertStorage to cache generated leaf certificates in memory. Generating a leaf certificate is expensive (RSA key generation plus signing), so the cache avoids regenerating one for the same hostname on every MITM connection.
func NewCertCache
func NewCertCache() *CertCache
NewCertCache creates a new certificate cache that maps hostnames to their generated TLS certificates.
func (*CertCache) Fetch
func (c *CertCache) Fetch(hostname string, genFunc func() (*tls.Certificate, error)) (*tls.Certificate, error)
Fetch returns the cached certificate for the given hostname, or generates one with genFunc and caches it.
Concurrent calls for the same hostname are coalesced with singleflight: a single goroutine runs genFunc while the others wait directly on its result, instead of each taking a mutex in turn and generating its own certificate.
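The coalescing described above, as an added example and not the package's own CertCache: a standard-library re-implementation of the singleflight pattern (the real package uses golang.org/x/sync/singleflight) with a throwaway Ed25519 leaf generator standing in for goproxy's CA-signed generation. HammerFetch, selfSignedLeaf, the per-hostname done channel, and the choice not to cache a failed generation are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"sync"
	"sync/atomic"
	"time"
)

type call struct {
	done chan struct{} // closed when the generation finishes
	cert *tls.Certificate
	err  error
}

// CertCache caches leaf certificates by hostname; calls holds in-flight generations
// that later arrivals wait on (singleflight re-implemented with the standard library).
type CertCache struct {
	mu    sync.Mutex
	certs map[string]*tls.Certificate
	calls map[string]*call
}

func NewCertCache() *CertCache {
	return &CertCache{certs: map[string]*tls.Certificate{}, calls: map[string]*call{}}
}

// Fetch returns the cached certificate for hostname, or runs genFunc once on behalf of
// all concurrent callers. A failed generation is not cached, so the next caller retries.
func (c *CertCache) Fetch(hostname string, genFunc func() (*tls.Certificate, error)) (*tls.Certificate, error) {
	c.mu.Lock()
	if cert, ok := c.certs[hostname]; ok {
		c.mu.Unlock()
		return cert, nil
	}
	if cl, ok := c.calls[hostname]; ok {
		c.mu.Unlock()
		<-cl.done // another goroutine is generating: share its result
		return cl.cert, cl.err
	}
	cl := &call{done: make(chan struct{})}
	c.calls[hostname] = cl
	c.mu.Unlock()
	cl.cert, cl.err = genFunc() // outside the lock, so other hostnames are not blocked
	c.mu.Lock()
	if cl.err == nil {
		c.certs[hostname] = cl.cert
	}
	delete(c.calls, hostname)
	c.mu.Unlock()
	close(cl.done)
	return cl.cert, cl.err
}

// selfSignedLeaf builds a throwaway Ed25519 leaf, standing in for the CA-signed generation.
func selfSignedLeaf(hostname string) (*tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// HammerFetch issues n concurrent Fetches and returns how often the generator ran:
// 1 with coalescing, 0 on a cache hit, up to n if generation were not coalesced.
func HammerFetch(c *CertCache, hostname string, n int) (int32, error) {
	var gens int32
	var wg sync.WaitGroup
	errs := make(chan error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_, err := c.Fetch(hostname, func() (*tls.Certificate, error) {
				atomic.AddInt32(&gens, 1)
				return selfSignedLeaf(hostname)
			})
			if err != nil {
				errs <- err
			}
		}()
	}
	wg.Wait()
	close(errs)
	return atomic.LoadInt32(&gens), <-errs // nil when no goroutine failed
}
```

Run HammerFetch with n well above 1 and the generator still runs once: every caller that arrives while a generation is in flight blocks on that call's channel and receives the same certificate and error, and callers that arrive afterwards hit the cache, holding the mutex only for a map lookup. Holding the lock across genFunc instead would serialize generation for every hostname, not just the one being generated.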
type Metrics
type Metrics struct {
// ConnectSessionsTotal counts CONNECT sessions established.
// Labels: type (mitm/tunneled)
ConnectSessionsTotal *prometheus.CounterVec
// MITMRequestsTotal counts MITM requests handled by the proxy.
// Labels: provider
MITMRequestsTotal *prometheus.CounterVec
// InflightMITMRequests tracks the number of MITM requests currently being processed.
// Labels: provider
InflightMITMRequests *prometheus.GaugeVec
// MITMResponsesTotal counts MITM responses by HTTP status code.
// Labels: code (HTTP status code), provider
// Cardinality is bounded: roughly 100 status codes in use times a handful of providers.
MITMResponsesTotal *prometheus.CounterVec
// contains filtered or unexported fields
}
Metrics holds all prometheus metrics for aibridgeproxyd.
func NewMetrics
func NewMetrics(reg prometheus.Registerer) *Metrics
NewMetrics creates and registers all metrics for aibridgeproxyd.
func (*Metrics) Unregister
func (m *Metrics) Unregister()
Unregister removes all metrics from the registerer.
type Options
type Options struct {
// ListenAddr is the address the proxy server will listen on.
ListenAddr string
// TLSCertFile is the path to the TLS certificate file for the proxy listener.
TLSCertFile string
// TLSKeyFile is the path to the TLS private key file for the proxy listener.
TLSKeyFile string
// CoderAccessURL is the URL of the Coder deployment where aibridged is running.
// Requests to supported AI providers are forwarded here.
CoderAccessURL string
// MITMCertFile is the path to the CA certificate file used for MITM.
MITMCertFile string
// MITMKeyFile is the path to the CA private key file used for MITM.
MITMKeyFile string
// AllowedPorts is the list of ports allowed for CONNECT requests.
// Defaults to ["80", "443"] if empty.
AllowedPorts []string
// CertStore is an optional certificate cache for MITM. If nil, a default
// cache is created. Exposed for testing.
CertStore goproxy.CertStorage
// DomainAllowlist is the list of domains to intercept and route through AI Bridge.
// Only requests to these domains will be MITM'd and forwarded to aibridged.
// Requests to other domains will be tunneled directly without decryption.
DomainAllowlist []string
// AIBridgeProviderFromHost maps a hostname to a known aibridge provider
// name. Must be non-nil; the caller derives it from the configured
// provider list.
AIBridgeProviderFromHost func(host string) string
// UpstreamProxy is the URL of an upstream HTTP proxy to chain tunneled
// (non-allowlisted) requests through. If empty, tunneled requests connect
// directly to their destinations.
// Format: http://[user:pass@]host:port or https://[user:pass@]host:port
UpstreamProxy string
// UpstreamProxyCA is the path to a PEM-encoded CA certificate file to trust
// for the upstream proxy's TLS connection. Only needed for HTTPS upstream
// proxies with certificates not trusted by the system. If empty, the system
// certificate pool is used.
UpstreamProxyCA string
// AllowedPrivateCIDRs is a list of CIDR ranges that are permitted even
// though they fall within blocked private/reserved IP ranges. This allows
// access to specific internal networks while keeping all other private
// ranges blocked. If empty, all private ranges are blocked.
AllowedPrivateCIDRs []string
// Metrics is the prometheus metrics instance for recording proxy metrics.
// If nil, metrics will not be recorded.
Metrics *Metrics
}
Options configures the AI Bridge Proxy server.
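How DomainAllowlist, AllowedPorts and AllowedPrivateCIDRs combine to classify a CONNECT target, as an added example and not the package's own routing code: the port check applies to every CONNECT, allowlisted hosts are marked for MITM, and everything else is tunneled only if every address it resolves to lies outside the private ranges (or inside an explicitly allowed CIDR). Decision, Policy, Decide, StaticResolver, the list of blocked private ranges, and exact case-insensitive domain matching are assumptions of this example; UpstreamProxy chaining is not modelled.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

type Decision string
const (
	DecideMITM   Decision = "mitm"     // allowlisted: decrypt and forward to aibridged
	DecideTunnel Decision = "tunneled" // pass through without decryption
	DecideReject Decision = "reject"
)

type Policy struct {
	allowedPorts        map[string]bool
	domainAllowlist     map[string]bool
	allowedPrivateCIDRs []netip.Prefix
}

func mustPrefixes(cidrs []string) (out []netip.Prefix) {
	for _, c := range cidrs { // a malformed CIDR fails fast at startup
		out = append(out, netip.MustParsePrefix(c).Masked())
	}
	return out
}

// blockedRanges is this example's private/reserved set; the package documents no list.
var blockedRanges = mustPrefixes([]string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10"})

// NewPolicy mirrors the Options defaults: empty AllowedPorts means 80 and 443.
func NewPolicy(allowedPorts, domainAllowlist, allowedPrivateCIDRs []string) *Policy {
	if len(allowedPorts) == 0 {
		allowedPorts = []string{"80", "443"}
	}
	p := &Policy{allowedPorts: map[string]bool{}, domainAllowlist: map[string]bool{}, allowedPrivateCIDRs: mustPrefixes(allowedPrivateCIDRs)}
	for _, port := range allowedPorts {
		p.allowedPorts[port] = true
	}
	for _, d := range domainAllowlist {
		p.domainAllowlist[strings.ToLower(d)] = true
	}
	return p
}

func (p *Policy) ipPermitted(ip netip.Addr) bool {
	ip = ip.Unmap() // fold ::ffff:10.0.0.1 back to 10.0.0.1 so mapped forms cannot slip past
	for _, pfx := range p.allowedPrivateCIDRs {
		if pfx.Contains(ip) {
			return true // an explicit AllowedPrivateCIDRs entry wins over the blocked set
		}
	}
	for _, pfx := range blockedRanges {
		if pfx.Contains(ip) {
			return false
		}
	}
	return true
}

// Decide classifies a CONNECT target "host:port". resolve stands in for DNS so the example runs offline.
func (p *Policy) Decide(target string, resolve func(string) []netip.Addr) (Decision, error) {
	host, port, err := net.SplitHostPort(target)
	if err != nil {
		return DecideReject, err
	}
	if !p.allowedPorts[port] {
		return DecideReject, fmt.Errorf("port %s not allowed for CONNECT", port)
	}
	if p.domainAllowlist[strings.ToLower(host)] {
		return DecideMITM, nil // forwarded to aibridged; no destination check needed here
	}
	addrs := resolve(host)
	if len(addrs) == 0 {
		return DecideReject, fmt.Errorf("cannot resolve %s", host)
	}
	for _, a := range addrs { // every address must pass, not just the first
		if !p.ipPermitted(a) {
			return DecideReject, fmt.Errorf("%s resolves to blocked address %s", host, a)
		}
	}
	return DecideTunnel, nil
}

// StaticResolver answers from a constructed table and accepts IP literals.
func StaticResolver(table map[string][]string) func(string) []netip.Addr {
	return func(host string) (out []netip.Addr) {
		if ip, err := netip.ParseAddr(host); err == nil {
			return []netip.Addr{ip}
		}
		for _, s := range table[host] {
			out = append(out, netip.MustParseAddr(s))
		}
		return out
	}
}
```

Order matters. The port check applies to every CONNECT; the allowlist decides MITM before any DNS lookup, since those requests go to aibridged rather than to the destination; and a tunneled host must have every resolved address pass the private-range check, because an attacker-controlled name can return one public and one internal address. The Unmap call closes the IPv4-mapped IPv6 hole (::ffff:169.254.169.254), and a real proxy must then dial the addresses it validated rather than re-resolve the name, or a DNS rebind defeats the check.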
type Server
type Server struct {
// contains filtered or unexported fields
}
Server is the AI MITM (Man-in-the-Middle) proxy server. It is responsible for:
- intercepting HTTPS requests to AI providers
- decrypting requests using the configured MITM CA certificate
- forwarding requests to aibridged for processing
func (*Server) Addr
Addr returns the address the server is listening on. This is useful when the server was started with port 0.
func (*Server) CoderAccessURL (added in v2.32.0)
CoderAccessURL returns the parsed Coder access URL with a normalized port.
func (*Server) Handler
Handler returns an HTTP handler for the AI Bridge Proxy's HTTP endpoints. This is separate from the proxy server itself and is used by coderd to serve endpoints like the CA certificate.
func (*Server) IsTLSListener (added in v2.32.0)
IsTLSListener reports whether the proxy listener is serving TLS.