fix: normalize API target env vars to bare hostnames via URL parsing (#1799)

* fix: normalize API target env vars to strip scheme prefix

When --*-api-target values originate from GitHub Actions expressions
(e.g., ${{ vars.ANTHROPIC_BASE_URL }}), the scheme is not stripped at
compile time. At runtime the full URL (https://host) reaches the API
proxy, which prepends https:// again, producing double-scheme URLs
like https://https://host that Squid rejects.

Fix at two layers:

1. containers/api-proxy/server.js: add normalizeApiTarget() that
   strips any http(s):// prefix. Applied to all four API targets
   (OpenAI, Anthropic, Gemini, Copilot) on startup.

2. src/docker-manager.ts: add stripScheme() and apply it when
   setting *_API_TARGET env vars in the api-proxy container. This
   prevents the scheme from ever reaching the container.

Fixes #1795
Upstream: github/gh-aw#25137

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: normalize API targets to bare hostnames only

Use URL parsing in both normalizeApiTarget() and stripScheme() to
extract only the hostname, discarding path, query, fragment, port,
and credentials. Paths must use the separate *_API_BASE_PATH settings.

Addresses review feedback that target values are used as TLS SNI /
hostname in https.request(), so including paths would break requests.

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/ab65b061-c924-41d8-a573-dd954497def2

* fix: improve error message in normalizeApiTarget

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/ab65b061-c924-41d8-a573-dd954497def2

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: 3 people

containers/api-proxy/server.js

@@ -64,10 +64,48 @@ const ANTHROPIC_API_KEY = (process.env.ANTHROPIC_API_KEY || '').trim() || undefi
 const COPILOT_GITHUB_TOKEN = (process.env.COPILOT_GITHUB_TOKEN || '').trim() || undefined;
 const GEMINI_API_KEY = (process.env.GEMINI_API_KEY || '').trim() || undefined;
 
+/**
+ * Normalizes an API target value to a bare hostname.
+ * Accepts either a hostname or a full URL and extracts only the hostname,
+ * discarding any scheme, path, query, fragment, credentials, or port.
+ * Path configuration must be provided separately via the existing
+ * *_API_BASE_PATH environment variables.
+ *
+ * @param {string|undefined} value - Raw env var value
+ * @returns {string|undefined} Bare hostname, or undefined if input is falsy
+ */
+function normalizeApiTarget(value) {
+  if (!value) return value;
+
+  const trimmed = value.trim();
+  if (!trimmed) return undefined;
+
+  const candidate = /^[a-zA-Z][a-zA-Z\d+\-.]*:\/\//.test(trimmed)
+    ? trimmed
+    : `https://${trimmed}`;
+
+  try {
+    const parsed = new URL(candidate);
+
+    if (parsed.pathname !== '/' || parsed.search || parsed.hash || parsed.username || parsed.password || parsed.port) {
+      console.warn(
+        `Ignoring unsupported API target URL components in ${sanitizeForLog(trimmed)}; ` +
+        'configure path prefixes via the corresponding *_API_BASE_PATH environment variable.'
+      );
+    }
+
+    return parsed.hostname || undefined;
+  } catch (err) {
+    console.warn(`Invalid API target ${sanitizeForLog(trimmed)}; expected a hostname (e.g. 'api.example.com') or URL`);
+    return undefined;
+  }
+}
+
 // Configurable API target hosts (supports custom endpoints / internal LLM routers)
-const OPENAI_API_TARGET = process.env.OPENAI_API_TARGET || 'api.openai.com';
-const ANTHROPIC_API_TARGET = process.env.ANTHROPIC_API_TARGET || 'api.anthropic.com';
-const GEMINI_API_TARGET = process.env.GEMINI_API_TARGET || 'generativelanguage.googleapis.com';
+// Values are normalized to bare hostnames — buildUpstreamPath() prepends https://
+const OPENAI_API_TARGET = normalizeApiTarget(process.env.OPENAI_API_TARGET) || 'api.openai.com';
+const ANTHROPIC_API_TARGET = normalizeApiTarget(process.env.ANTHROPIC_API_TARGET) || 'api.anthropic.com';
+const GEMINI_API_TARGET = normalizeApiTarget(process.env.GEMINI_API_TARGET) || 'generativelanguage.googleapis.com';
 
 /**
  * Normalizes a base path for use as a URL path prefix.
@@ -123,7 +161,7 @@ const GEMINI_API_BASE_PATH = normalizeBasePath(process.env.GEMINI_API_BASE_PATH)
 // Priority: COPILOT_API_TARGET env var > auto-derive from GITHUB_SERVER_URL > default
 function deriveCopilotApiTarget() {
   if (process.env.COPILOT_API_TARGET) {
-    return process.env.COPILOT_API_TARGET;
+    return normalizeApiTarget(process.env.COPILOT_API_TARGET);
   }
   // Auto-derive from GITHUB_SERVER_URL:
   // - GitHub Enterprise Cloud (*.ghe.com): Copilot inference/models/MCP are served at
@@ -932,4 +970,4 @@ if (require.main === module) {
 }
 
 // Export for testing
-module.exports = { deriveCopilotApiTarget, normalizeBasePath, buildUpstreamPath, proxyWebSocket };
+module.exports = { normalizeApiTarget, deriveCopilotApiTarget, normalizeBasePath, buildUpstreamPath, proxyWebSocket };

containers/api-proxy/server.test.js

@@ -5,7 +5,46 @@
 const http = require('http');
 const tls = require('tls');
 const { EventEmitter } = require('events');
-const { deriveCopilotApiTarget, normalizeBasePath, buildUpstreamPath, proxyWebSocket } = require('./server');
+const { normalizeApiTarget, deriveCopilotApiTarget, normalizeBasePath, buildUpstreamPath, proxyWebSocket } = require('./server');
+
+describe('normalizeApiTarget', () => {
+  it('should strip https:// prefix', () => {
+    expect(normalizeApiTarget('https://my-gateway.example.com')).toBe('my-gateway.example.com');
+  });
+
+  it('should strip http:// prefix', () => {
+    expect(normalizeApiTarget('http://my-gateway.example.com')).toBe('my-gateway.example.com');
+  });
+
+  it('should preserve bare hostname', () => {
+    expect(normalizeApiTarget('api.openai.com')).toBe('api.openai.com');
+  });
+
+  it('should normalize a URL with a path to just the hostname', () => {
+    expect(normalizeApiTarget('https://my-gateway.example.com/some-path')).toBe('my-gateway.example.com');
+  });
+
+  it('should trim whitespace', () => {
+    expect(normalizeApiTarget('  https://api.openai.com  ')).toBe('api.openai.com');
+  });
+
+  it('should return undefined for falsy input', () => {
+    expect(normalizeApiTarget(undefined)).toBeUndefined();
+    expect(normalizeApiTarget('')).toBe('');
+  });
+
+  it('should not strip scheme-like substrings in the middle', () => {
+    expect(normalizeApiTarget('api.https.example.com')).toBe('api.https.example.com');
+  });
+
+  it('should discard port from URL', () => {
+    expect(normalizeApiTarget('https://my-gateway.example.com:8443')).toBe('my-gateway.example.com');
+  });
+
+  it('should discard query and fragment from URL', () => {
+    expect(normalizeApiTarget('https://my-gateway.example.com/path?key=val#frag')).toBe('my-gateway.example.com');
+  });
+});
 
 describe('deriveCopilotApiTarget', () => {
   let originalEnv;
@@ -268,6 +307,25 @@ describe('buildUpstreamPath', () => {
         .toBe('/serving-endpoints/v1/chat/completions');
     });
   });
+
+  describe('with normalized API target (gh-aw#25137 regression)', () => {
+    it('should produce correct path when target was already normalized', () => {
+      // normalizeApiTarget('https://my-gateway.example.com/some-path')
+      // returns 'my-gateway.example.com' (hostname only)
+      const target = 'my-gateway.example.com';
+      expect(buildUpstreamPath('/v1/messages', target, ''))
+        .toBe('/v1/messages');
+    });
+
+    it('should produce wrong hostname if scheme is NOT stripped (demonstrating the bug)', () => {
+      // Without normalizeApiTarget, the scheme-prefixed value causes
+      // new URL() to parse 'https' as the hostname instead of the real host
+      const badTarget = 'https://my-gateway.example.com';
+      const targetUrl = new URL('/v1/messages', `https://${badTarget}`);
+      // Node parses this as hostname='https', not 'my-gateway.example.com'
+      expect(targetUrl.hostname).not.toBe('my-gateway.example.com');
+    });
+  });
 });
 
 // ── Helpers for proxyWebSocket tests ──────────────────────────────────────────

src/docker-manager.test.ts

@@ -1,4 +1,4 @@
-import { generateDockerCompose, subnetsOverlap, writeConfigs, startContainers, stopContainers, fastKillAgentContainer, isAgentExternallyKilled, resetAgentExternallyKilled, AGENT_CONTAINER_NAME, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, extractGhHostFromServerUrl, readGitHubPathEntries, mergeGitHubPathEntries, readEnvFile, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE } from './docker-manager';
+import { generateDockerCompose, subnetsOverlap, writeConfigs, startContainers, stopContainers, fastKillAgentContainer, isAgentExternallyKilled, resetAgentExternallyKilled, AGENT_CONTAINER_NAME, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, extractGhHostFromServerUrl, readGitHubPathEntries, mergeGitHubPathEntries, readEnvFile, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE, stripScheme } from './docker-manager';
 import { WrapperConfig } from './types';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -295,6 +295,28 @@ describe('docker-manager', () => {
     });
   });
 
+  describe('stripScheme', () => {
+    it('should strip https:// prefix', () => {
+      expect(stripScheme('https://my-gateway.example.com')).toBe('my-gateway.example.com');
+    });
+
+    it('should strip http:// prefix', () => {
+      expect(stripScheme('http://my-gateway.example.com')).toBe('my-gateway.example.com');
+    });
+
+    it('should preserve bare hostname', () => {
+      expect(stripScheme('api.openai.com')).toBe('api.openai.com');
+    });
+
+    it('should normalize URL with path to hostname only', () => {
+      expect(stripScheme('https://my-gateway.example.com/some-path')).toBe('my-gateway.example.com');
+    });
+
+    it('should not strip scheme-like substrings in the middle', () => {
+      expect(stripScheme('api.https.example.com')).toBe('api.https.example.com');
+    });
+  });
+
   describe('generateDockerCompose', () => {
     const mockConfig: WrapperConfig = {
       allowedDomains: ['github.com', 'npmjs.org'],
@@ -2439,6 +2461,22 @@ describe('docker-manager', () => {
         expect(env.ANTHROPIC_API_TARGET).toBe('custom.anthropic-router.internal');
       });
 
+      it('should strip https:// scheme from API target values (gh-aw#25137)', () => {
+        const configWithProxy = {
+          ...mockConfig,
+          enableApiProxy: true,
+          anthropicApiKey: 'sk-ant-test-key',
+          anthropicApiTarget: 'https://my-gateway.example.com',
+          openaiApiKey: 'sk-openai-test',
+          openaiApiTarget: 'https://openai-router.internal',
+        };
+        const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
+        const proxy = result.services['api-proxy'];
+        const env = proxy.environment as Record<string, string>;
+        expect(env.ANTHROPIC_API_TARGET).toBe('my-gateway.example.com');
+        expect(env.OPENAI_API_TARGET).toBe('openai-router.internal');
+      });
+
       it('should not set ANTHROPIC_API_TARGET in api-proxy when anthropicApiTarget is not provided', () => {
         const configWithProxy = { ...mockConfig, enableApiProxy: true, anthropicApiKey: 'sk-ant-test-key' };
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);

src/docker-manager.ts

@@ -372,6 +372,29 @@ export interface SslConfig {
   sslDbPath: string;
 }
 
+/**
+ * Normalizes an API target value to a bare hostname.
+ * API target values should be bare hostnames (e.g., "api.openai.com"), but
+ * may arrive with a scheme or path when set via GitHub Actions expressions
+ * that are resolved at runtime (see github/gh-aw#25137).
+ * Discards any scheme, path, query, fragment, credentials, or port —
+ * path prefixes must use the separate *_API_BASE_PATH settings.
+ */
+export function stripScheme(value: string): string {
+  const trimmed = value.trim();
+  if (!trimmed) return trimmed;
+
+  const candidate = /^[a-zA-Z][a-zA-Z\d+\-.]*:\/\//.test(trimmed)
+    ? trimmed
+    : `https://${trimmed}`;
+
+  try {
+    return new URL(candidate).hostname || trimmed;
+  } catch {
+    return trimmed;
+  }
+}
+
 /**
  * Generates Docker Compose configuration
  * Note: Uses external network 'awf-net' created by host-iptables setup
@@ -1460,12 +1483,15 @@ export function generateDockerCompose(
         ...(config.copilotGithubToken && { COPILOT_GITHUB_TOKEN: config.copilotGithubToken }),
         ...(config.geminiApiKey && { GEMINI_API_KEY: config.geminiApiKey }),
         // Configurable API targets (for GHES/GHEC / custom endpoints)
-        ...(config.copilotApiTarget && { COPILOT_API_TARGET: config.copilotApiTarget }),
-        ...(config.openaiApiTarget && { OPENAI_API_TARGET: config.openaiApiTarget }),
+        // Strip any scheme prefix — server.js also normalizes defensively, but
+        // stripping here prevents a scheme-prefixed hostname from reaching the
+        // container at all (belt-and-suspenders for gh-aw#25137).
+        ...(config.copilotApiTarget && { COPILOT_API_TARGET: stripScheme(config.copilotApiTarget) }),
+        ...(config.openaiApiTarget && { OPENAI_API_TARGET: stripScheme(config.openaiApiTarget) }),
         ...(config.openaiApiBasePath && { OPENAI_API_BASE_PATH: config.openaiApiBasePath }),
-        ...(config.anthropicApiTarget && { ANTHROPIC_API_TARGET: config.anthropicApiTarget }),
+        ...(config.anthropicApiTarget && { ANTHROPIC_API_TARGET: stripScheme(config.anthropicApiTarget) }),
         ...(config.anthropicApiBasePath && { ANTHROPIC_API_BASE_PATH: config.anthropicApiBasePath }),
-        ...(config.geminiApiTarget && { GEMINI_API_TARGET: config.geminiApiTarget }),
+        ...(config.geminiApiTarget && { GEMINI_API_TARGET: stripScheme(config.geminiApiTarget) }),
         ...(config.geminiApiBasePath && { GEMINI_API_BASE_PATH: config.geminiApiBasePath }),
         // Forward GITHUB_SERVER_URL so api-proxy can auto-derive enterprise endpoints
         ...(process.env.GITHUB_SERVER_URL && { GITHUB_SERVER_URL: process.env.GITHUB_SERVER_URL }),