fix: configure Java proxy via JAVA_TOOL_OPTIONS for Maven builds #572
Conversation
Maven and other Java tools don't automatically respect HTTP_PROXY/HTTPS_PROXY environment variables. They require Java system properties to configure proxy settings. This fix adds JAVA_TOOL_OPTIONS environment variable to automatically configure Java proxy settings for all JVMs running in the agent container: - Sets http.proxyHost and http.proxyPort for HTTP traffic - Sets https.proxyHost and https.proxyPort for HTTPS traffic - Adds http.nonProxyHosts when host access is enabled This resolves the "Unsupported or unrecognized SSL message" error that Maven was experiencing when trying to access repo.maven.apache.org through AWF. Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Added unit tests to verify that JAVA_TOOL_OPTIONS environment variable is correctly configured with Java proxy settings: - Base proxy configuration (proxyHost, proxyPort for HTTP/HTTPS) - Non-proxy hosts configuration when host access is enabled All 139 tests in docker-manager.test.ts pass. Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
- Use explicit concatenation instead of += to avoid potential undefined errors - Add comment explaining why 127.0.0.1 is included despite Java IP address limitation
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
|
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident... |
|
💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges... |
✅ Coverage Check PassedOverall Coverage
Coverage comparison generated by |
Build Test: Rust - FAILED ❌Clone Error: Unable to clone test repository Error Details: The test repository could not be accessed due to a network error (502 Bad Gateway). Please verify:
Overall Status: FAILED ❌
|
There was a problem hiding this comment.
Pull request overview
Configure Java/JVM-based tooling (Maven/Gradle) to use the Squid proxy by injecting JVM proxy system properties via JAVA_TOOL_OPTIONS, addressing Maven SSL failures behind AWF.
Changes:
- Add
JAVA_TOOL_OPTIONSwithhttp(s).proxyHost/proxyPortto the agent container environment. - When host access is enabled, append Java-specific non-proxy host configuration.
- Add unit tests asserting Java proxy env configuration is present and updated with host access.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/docker-manager.ts | Injects JVM proxy configuration via JAVA_TOOL_OPTIONS, and adds Java non-proxy hosts when host access is enabled. |
| src/docker-manager.test.ts | Adds tests validating the new JAVA_TOOL_OPTIONS behavior in compose generation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/docker-manager.ts
Outdated
| // for localhost connections that may use the IP address directly | ||
| const javaNoProxy = `localhost|127.0.0.1|host.docker.internal`; | ||
| // Append Java-specific NO_PROXY settings to JAVA_TOOL_OPTIONS (which is guaranteed to exist) | ||
| environment.JAVA_TOOL_OPTIONS = `${environment.JAVA_TOOL_OPTIONS} -Dhttp.nonProxyHosts="${javaNoProxy}"`; |
There was a problem hiding this comment.
The quotes around the http.nonProxyHosts value may be treated as literal characters when parsed from JAVA_TOOL_OPTIONS (parsing behavior can differ from typical shell tokenization), which would break host matching (e.g., "localhost|..." instead of localhost|...). Prefer setting -Dhttp.nonProxyHosts=${javaNoProxy} without embedded quotes to avoid misparsing.
| environment.JAVA_TOOL_OPTIONS = `${environment.JAVA_TOOL_OPTIONS} -Dhttp.nonProxyHosts="${javaNoProxy}"`; | |
| environment.JAVA_TOOL_OPTIONS = `${environment.JAVA_TOOL_OPTIONS} -Dhttp.nonProxyHosts=${javaNoProxy}`; |
| const environment: Record<string, string> = { | ||
| HTTP_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, | ||
| HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, | ||
| // Java applications don't automatically respect HTTP_PROXY/HTTPS_PROXY environment variables. | ||
| // Use JAVA_TOOL_OPTIONS to configure Java proxy settings for Maven, Gradle, and other Java tools. | ||
| // This environment variable is automatically picked up by all JVMs. | ||
| JAVA_TOOL_OPTIONS: `-Dhttp.proxyHost=${networkConfig.squidIp} -Dhttp.proxyPort=${SQUID_PORT} -Dhttps.proxyHost=${networkConfig.squidIp} -Dhttps.proxyPort=${SQUID_PORT}`, | ||
| SQUID_PROXY_HOST: 'squid-proxy', | ||
| SQUID_PROXY_PORT: SQUID_PORT.toString(), |
There was a problem hiding this comment.
This unconditionally sets JAVA_TOOL_OPTIONS, which can unintentionally drop user-provided JVM flags when running with --env-all (since the later env pass-through won’t override existing keys). Consider merging with an existing host value (append your proxy flags to process.env.JAVA_TOOL_OPTIONS when present), while still allowing config.additionalEnv.JAVA_TOOL_OPTIONS to override.
| const environment: Record<string, string> = { | |
| HTTP_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, | |
| HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, | |
| // Java applications don't automatically respect HTTP_PROXY/HTTPS_PROXY environment variables. | |
| // Use JAVA_TOOL_OPTIONS to configure Java proxy settings for Maven, Gradle, and other Java tools. | |
| // This environment variable is automatically picked up by all JVMs. | |
| JAVA_TOOL_OPTIONS: `-Dhttp.proxyHost=${networkConfig.squidIp} -Dhttp.proxyPort=${SQUID_PORT} -Dhttps.proxyHost=${networkConfig.squidIp} -Dhttps.proxyPort=${SQUID_PORT}`, | |
| SQUID_PROXY_HOST: 'squid-proxy', | |
| SQUID_PROXY_PORT: SQUID_PORT.toString(), | |
| const baseJavaToolOptions = process.env.JAVA_TOOL_OPTIONS ? `${process.env.JAVA_TOOL_OPTIONS} ` : ''; | |
| const environment: Record<string, string> = { | |
| HTTP_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, | |
| HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, | |
| // Java applications don't automatically respect HTTP_PROXY/HTTPS_PROXY environment variables. | |
| // Use JAVA_TOOL_OPTIONS to configure Java proxy settings for Maven, Gradle, and other Java tools. | |
| // This environment variable is automatically picked up by all JVMs. | |
| JAVA_TOOL_OPTIONS: `${baseJavaToolOptions}-Dhttp.proxyHost=${networkConfig.squidIp} -Dhttp.proxyPort=${SQUID_PORT} -Dhttps.proxyHost=${networkConfig.squidIp} -Dhttps.proxyPort=${SQUID_PORT}`, | |
| SQUID_PROXY_HOST: 'squid-proxy', | |
| SQUID_PROXY_PORT: SQUID_PROXY_PORT.toString(), |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
@copilot do not have code this but add these to the smoke java workflow |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
Deno Build Test Results
Overall: ✅ PASS
|
Smoke Test Results (Claude)Last 2 Merged PRs:
Test Results:
Status: PASS
|
Rust Build Test Results
Overall: PASS ✅ All Rust projects built and tested successfully.
|
Bun Build Test Results
Overall: PASS ✅ All Bun projects built and tested successfully.
|
C++ Build Test Results
Overall: PASS ✅ All C++ projects successfully configured with CMake and built without errors.
|
Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.
|
Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.
|
|
Smoke Test: Claude Engine - PASS ✅
Status: PASS
|
|
Smoke Test Results ✅ Last 2 Merged PRs:
Test Results:
Overall Status: PASS cc
|
Node.js Build Test Results ✅All projects tested successfully!
Overall: PASS
|
Java Build Test Results✅ Java Proxy Configuration StatusJAVA_TOOL_OPTIONS: Detected Proxy Properties:
Build/Test Results
Overall: ✅ PASS All Java projects compiled successfully and all tests passed through the AWF firewall.
|
Chroot Version Comparison Test Results
Overall Result: ❌ Tests Failed The chroot environment successfully accessed host binaries, but version mismatches were detected for Python and Node.js. This may indicate the chroot is using container binaries instead of host binaries for these runtimes.
|
|
feat: add runtime configuration for one-shot token protection via AWF_ONE_SHOT_TOKENS
|
Instead of adding JAVA_TOOL_OPTIONS and Maven settings.xml generation to docker-manager.ts, instruct the agent to create ~/.m2/settings.xml with proxy settings before running Maven commands. This is simpler and doesn't require changes to the AWF core. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
Build Test: Node.js - Results
Overall: PASS ✅ All Node.js projects built and tested successfully.
|
Build Test: Rust - ❌ FAILEDStatus: Cannot execute test - Rust toolchain not installed
Overall: FAILED Error DetailsThe Rust toolchain (cargo, rustc) is not available in the GitHub Actions runner environment. Required ActionAdd Rust installation step to the workflow: - name: Install Rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
|
Bun Build Test Results
Overall: PASS ✅ All Bun projects built and tested successfully with Bun v1.3.9.
|
Go Build Test Results
Overall: PASS ✅ All Go projects built and tested successfully.
|
Deno Build Test Results
Overall: ✅ PASS All Deno tests completed successfully.
|
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.
|
|
Smoke Test: Claude Engine Last 2 merged PRs:
✅ GitHub MCP Overall: PASS
|
|
🧪 Smoke Test Results Last 2 Merged PRs:
Test Results:
Overall Status: PASS ✅ cc @Mossaka
|
|
Recent merged PRs: feat: add build-test-dotnet workflow | feat: add skip-unset mode to one-shot token library with value preview (enabled by default)
|
Chroot Version Comparison Test Results
Overall Result: ❌ Tests Failed The chroot mode successfully accessed host binaries, but version mismatches were detected for Python and Node.js. Go matched exactly between host and chroot environments.
|
Maven builds fail with "Unsupported or unrecognized SSL message" when accessing
repo.maven.apache.orgthrough AWF. Java applications ignoreHTTP_PROXY/HTTPS_PROXYenvironment variables and require JVM system properties.Changes
JAVA_TOOL_OPTIONSwith Java proxy properties (-Dhttp.proxyHost,-Dhttps.proxyHost, etc.) pointing to Squid at container startup-Dhttp.nonProxyHostsfor localhost bypass when host access enabledTechnical Details
AWF sets
HTTP_PROXY/HTTPS_PROXYfor tools like curl and npm, but Java's networking stack requires explicit JVM properties. Without them, Maven attempts direct connections that get transparently redirected by iptables to Squid, which then receives raw SSL handshake data instead of HTTP CONNECT requests.Example configuration applied:
JAVA_TOOL_OPTIONS="-Dhttp.proxyHost=172.30.0.10 -Dhttp.proxyPort=3128 -Dhttps.proxyHost=172.30.0.10 -Dhttps.proxyPort=3128"This environment variable is automatically picked up by all JVMs (Maven, Gradle, Java applications) running in the agent container.
Workflow Validation
The build-test-java workflow now includes a verification step that:
JAVA_TOOL_OPTIONSenvironment variable valuejava -XshowSettings:propertiesto show actual JVM proxy configuration✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.