Proxy and credentials injection configuration #692

mNantern · 2026-04-16T08:58:07Z

mNantern
Apr 16, 2026

Hi,

I'm currently experimenting with an headless VM (Debian 13 with Lima) and nono to execute an AI agent with full permission (including root on the VM).

I'm using nono for it's proxy and credentials injection (currently with headless keyring).

This is my current configuration:

{
  "extends": "claude-code",
  "meta": {
    "name": "claude-code-locked",
    "version": "1.0.0",
    "description": "Claude Code locked"
  },
  "network": {
    "network_profile": null,
    "credentials": ["gitlab"],
    "allow_domain": [
      "api.anthropic.com",
      "platform.claude.com",
      "gitlab.mysite.com",
      "galaxy.ansible.com",
      "ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com"
    ],
    "custom_credentials": {
      "gitlab": {
        "upstream": "https://gitlab.mysite.com",
        "credential_key": "gitlab_token",
        "env_var": "GITLAB_TOKEN",
        "inject_header": "Authorization",
        "credential_format": "Bearer {}"
      }
    }
  }
}

I think that I have an issue with my config because I can easily bypass the proxy:

nono run --profile /mnt/nono-profiles/claude-code-locked.json -v --allow-cwd -- curl --noproxy '*' "https://google.com"

  nono v0.36.0
…
2026-04-16T08:30:40.244573Z  INFO Landlock available (Landlock V6, features: Basic filesystem access control, File rename across directories (Refer), File truncation (Truncate), TCP network filtering, Device ioctl filtering, Process scoping)
  mode supervised (proxy, supervisor)
2026-04-16T08:30:40.244883Z  INFO Proxy server listening on 127.0.0.1:43441
2026-04-16T08:30:40.246404Z  INFO Network proxy started on localhost:43441
2026-04-16T08:30:40.246549Z  INFO Executing with strategy: Supervised, threading: CryptoExpected
  Applying sandbox...
2026-04-16T08:30:40.249482Z  INFO Executing (supervised): curl ["--noproxy", "*", "https://google.com"]
2026-04-16T08:30:40.249998Z  INFO Using Landlock ABI V6
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>

Without noproxy:

$ nono run --profile /mnt/nono-profiles/claude-code-locked.json -v --allow-cwd -- curl "https://google.com"              

  nono v0.36.0
…
2026-04-16T08:30:36.176036Z  INFO Landlock available (Landlock V6, features: Basic filesystem access control, File rename across directories (Refer), File truncation (Truncate), TCP network filtering, Device ioctl filtering, Process scoping)
  mode supervised (proxy, supervisor)
2026-04-16T08:30:36.177913Z  INFO Proxy server listening on 127.0.0.1:38809
2026-04-16T08:30:36.179688Z  INFO Network proxy started on localhost:38809
2026-04-16T08:30:36.179955Z  INFO Executing with strategy: Supervised, threading: CryptoExpected
  Applying sandbox...
2026-04-16T08:30:36.183216Z  INFO Executing (supervised): curl ["https://google.com"]
2026-04-16T08:30:36.184199Z  INFO Using Landlock ABI V6
2026-04-16T08:30:36.192514Z  INFO proxy request denied mode=connect host="google.com" port=443 decision="deny" reason="host google.com is not in the allowlist"
curl: (56) CONNECT tunnel failed, response 403

And same with the keyring, I can access the secret from inside nono:

$ nono run --profile /mnt/nono-profiles/claude-code-locked.json -v --allow-cwd -- secret-tool search --all service nono

  nono v0.36.0
…
2026-04-16T08:56:57.702217Z  INFO Using Landlock ABI V6
[/1]
label = nono: gitlab_token
secret = dummy-test-token
created = 2026-04-16 08:47:02
modified = 2026-04-16 08:47:02
schema = org.freedesktop.Secret.Generic
attribute.service = nono
attribute.target = default
attribute.username = gitlab_token

What I am doing wrong?

lukehinds · 2026-04-19T12:50:38Z

lukehinds
Apr 19, 2026
Maintainer

will take a look @mNantern

1 reply

mNantern Apr 22, 2026
Author

Thank you @lukehinds 🙏

mNantern · 2026-04-28T15:41:10Z

mNantern
Apr 28, 2026
Author

I've tested again with nono v0.42.0 and I see a better outcome for the proxy:

  nono v0.42.0
…
2026-04-28T09:10:50.904606Z  INFO Executing (supervised): curl ["https://google.com"]
2026-04-28T09:10:50.906516Z  INFO Using Landlock ABI V6
2026-04-28T09:10:50.951147Z  INFO proxy request denied mode=connect host="google.com" port=443 decision="deny" reason="host google.com is not in the allowlist"
curl: (56) CONNECT tunnel failed, response 403

Command exited with code 56.

And with --noproxy '*':

  nono v0.42.0
…
2026-04-28T09:11:03.583847Z  INFO Executing (supervised): curl ["--noproxy", "*", "https://google.com"]
2026-04-28T09:11:03.584745Z  INFO Using Landlock ABI V6
curl: (7) Failed to connect to google.com port 443 after 1 ms: Could not connect to server

Command exited with code 7.

As for the keyring I have the same issue:

  nono v0.42.0
…
2026-04-28T15:40:05.247499Z  INFO Executing (supervised): secret-tool ["lookup", "service", "nono", "username", "github_token"]
2026-04-28T15:40:05.248552Z  INFO Using Landlock ABI V6
test_github

0 replies

hnanda21 · 2026-05-11T10:08:57Z

hnanda21
May 11, 2026

Hey @lukehinds, I'm facing the same issue (as @mNantern ) with injection custom proxy credentials (Nono Version: 0.40.0).

Config:

"network": {
    "block": false,
    "network_profile": null,
    "allow_domain": [
        "webhook.site"
    ],
    "custom_credentials": {
        "random": {
            "upstream": "https://webhook.site",
            "credential_key": "test_token",
            "inject_header": "Host",
            "credential_format": "Bearer {}"
        }
    },
    "credentials": [
        "random"
    ]
}

Command (run inside sandbox): curl https://webhook.site

Output:

2026-05-11T11:14:08.430221Z DEBUG Accepted connection from 127.0.0.1:54685
2026-05-11T11:14:08.430299Z DEBUG Blocked CONNECT to route upstream webhook.site:443 — use reverse proxy path instead
2026-05-11T11:14:08.430315Z  INFO proxy request denied mode=connect host="webhook.site" port=443 decision="deny" reason="route upstream: CONNECT bypasses L7 filtering"
curl: (56) CONNECT tunnel failed, response 403

Verbose Logs:

2026-05-11T11:12:09.892279Z  INFO macOS Seatbelt sandbox available
  mode supervised (proxy, supervisor)
2026-05-11T11:12:09.893511Z  INFO Proxy server listening on 127.0.0.1:54633
2026-05-11T11:12:09.893521Z DEBUG Loading route 'random' -> https://webhook.site
2026-05-11T11:12:09.893544Z DEBUG Loading credential for route prefix: random (mode: Header)
2026-05-11T11:12:09.893555Z DEBUG creating entry with service nono, user test_token, and no target
2026-05-11T11:12:09.893562Z DEBUG created entry MacCredential { domain: User, service: "nono", account: "test_token" }
2026-05-11T11:12:09.893568Z DEBUG get password from entry MacCredential { domain: User, service: "nono", account: "test_token" }
2026-05-11T11:12:19.628761Z DEBUG Successfully loaded secret 'test_token'
2026-05-11T11:12:19.628888Z  INFO Network proxy started on localhost:54633
2026-05-11T11:12:19.632768Z  INFO Executing with strategy: Supervised, threading: CryptoExpected

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Proxy and credentials injection configuration #692

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Proxy and credentials injection configuration #692

Uh oh!

mNantern Apr 16, 2026

Replies: 3 comments · 1 reply

Uh oh!

lukehinds Apr 19, 2026 Maintainer

Uh oh!

mNantern Apr 22, 2026 Author

Uh oh!

mNantern Apr 28, 2026 Author

Uh oh!

Uh oh!

hnanda21 May 11, 2026

mNantern
Apr 16, 2026

Replies: 3 comments 1 reply

lukehinds
Apr 19, 2026
Maintainer

mNantern Apr 22, 2026
Author

mNantern
Apr 28, 2026
Author

hnanda21
May 11, 2026