Skip to content

remote: use endpoint address for buildkit client authority#3928

Open
jarqvi wants to merge 2 commits into
docker:masterfrom
jarqvi:fix-remote-driver-authority
Open

remote: use endpoint address for buildkit client authority#3928
jarqvi wants to merge 2 commits into
docker:masterfrom
jarqvi:fix-remote-driver-authority

Conversation

@jarqvi

@jarqvi jarqvi commented Jun 28, 2026

Copy link
Copy Markdown

The remote driver created the buildkit client with an empty address:

client.New(ctx, "", opts...)

With an empty address the buildkit client falls back to the system default address (the local unix socket) and derives the gRPC ":authority" pseudo-header from it, which ends up being "localhost". The actual connection was still correct because the remote driver provides its own dialer, but the wrong authority broke HTTP/2 reverse proxies (such as Envoy) that route based on ":authority".

Pass the configured endpoint address to client.New so the authority is derived from the remote endpoint hostname (e.g.
my-buildkit.example.com:443). The custom dialer is preserved, so the dial target and TLS/SNI behavior are unchanged.

Fixes #3880

The remote driver created the buildkit client with an empty address:

    client.New(ctx, "", opts...)

With an empty address the buildkit client falls back to the system
default address (the local unix socket) and derives the gRPC
":authority" pseudo-header from it, which ends up being "localhost".
The actual connection was still correct because the remote driver
provides its own dialer, but the wrong authority broke HTTP/2 reverse
proxies (such as Envoy) that route based on ":authority".

Pass the configured endpoint address to client.New so the authority is
derived from the remote endpoint hostname (e.g.
my-buildkit.example.com:443). The custom dialer is preserved, so the
dial target and TLS/SNI behavior are unchanged.

Fixes docker#3880

Signed-off-by: MohammadHasan Akbari <jarqvi.jarqvi@gmail.com>

@tonistiigi tonistiigi left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is already servername driver-opt. Iiuc if it is set then grpc.WithAuthority(d.tlsOpts.serverName) should be set instead of getting it from endpoint.

When the servername driver-opt is set it is also used for TLS SNI and
certificate validation, so use it for the gRPC ":authority" pseudo-header
as well, falling back to the endpoint host otherwise. This matches how the
buildkit client derives the authority from the server name when TLS
credentials are supplied.

Since the driver terminates TLS in its own dialer, the authority is set
explicitly via client.WithGRPCDialOption(grpc.WithAuthority(...)).

Signed-off-by: MohammadHasan Akbari <jarqvi.jarqvi@gmail.com>
@jarqvi

jarqvi commented Jul 11, 2026

Copy link
Copy Markdown
Author

Good catch.
Updated to use servername for :authority when set, falling back to the endpoint host. Added a test.

@jarqvi jarqvi requested a review from tonistiigi July 11, 2026 06:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

buildx remote driver sends :authority: localhost instead of the endpoint hostname

2 participants