菜单
Network egress control for AI agents with domain whitelisting, Squid proxy, iptables enforcement, and secure credential management
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Master GitHub Agentic Workflows authoring - markdown syntax, natural language instructions, YAML frontmatter, compilation, and workflow patterns
Comprehensive expertise in GitHub Agentic Workflows (v0.68.1) — AI-powered repository automation with five-layer security, safe outputs, MCP tools, and Continuous AI patterns
Comprehensive guide for MCP (Model Context Protocol) server setup, transport protocols, configuration validation, lifecycle management, tool discovery, and error handling patterns
Comprehensive Hack23 threat modeling process using STRIDE, MITRE ATT&CK, attack trees, and quantitative risk assessment per ISMS Threat_Modeling.md policy
Fiscal policy, budget analysis, economic forecasting, monetary policy, trade policy for political journalists
Comprehensive guide to integrating agentic automation with GitHub Actions CI/CD pipelines, including workflow triggers, environment configuration, secrets management, matrix strategies, and deployment patterns for production-ready autonomous systems.
| name | gh-aw-firewall |
| description | Network egress control for AI agents with domain whitelisting, Squid proxy, iptables enforcement, and secure credential management |
| license | Apache-2.0 |
| version | 2.0.1 |
| last_updated | "2026-04-13T00:00:00.000Z" |
| tags | ["github-agentic-workflows","network-security","firewall","squid","domain-whitelisting","egress-control"] |
Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.
Master the Agentic Workflow Firewall (AWF) - a network firewall for agentic workflows providing L7 (HTTP/HTTPS) egress control using Squid proxy and Docker containers. This skill provides comprehensive expertise in restricting network access to a whitelist of approved domains for AI agents and their MCP servers.
AWF (Agentic Workflow Firewall) is a network security layer that restricts AI agent network access to explicitly approved domains, preventing data exfiltration and unauthorized external communication.
Key Features:
┌────────────────────────────────────────────────┐
│ AI Agent Container │
│ ┌──────────────────────────────────────┐ │
│ │ Application Code │ │
│ │ (Read-only filesystem) │ │
│ └───────────────┬──────────────────────┘ │
│ │ Network Request │
│ ▼ │
│ ┌──────────────────────────────────────┐ │
│ │ iptables DOCKER-USER Chain │ │
│ │ (Force all traffic through Squid) │ │
│ └───────────────┬──────────────────────┘ │
└──────────────────┼──────────────────────────────┘
│
▼
┌───────────────────────────────┐
│ Squid Proxy │
│ ┌─────────────────────────┐ │
│ │ Domain Whitelist │ │
│ │ - github.com ✅ │ │
│ │ - api.github.com ✅ │ │
│ │ - evil.com ❌ │ │
│ └─────────────────────────┘ │
│ │
│ ┌─────────────────────────┐ │
│ │ SSL Bump (HTTPS) │ │
│ │ (Content Inspection) │ │
│ └─────────────────────────┘ │
└────────────┬──────────────────┘
│
▼
External Network
(Allowed domains only)
awf --allow-domains github.com,api.github.com -- docker run myapp
How it works:
awf --chroot --allow-domains github.com -- python3 script.py
How it works:
Use Cases:
awf --api-proxy --allow-domains api.openai.com,api.anthropic.com -- node agent.js
How it works:
Basic Command Structure:
awf [firewall-options] -- [command-to-run]
The -- separator divides firewall configuration from the command to execute.
Single Domain:
awf --allow-domains github.com -- curl https://api.github.com
Multiple Domains:
awf --allow-domains github.com,api.openai.com,anthropic.com -- python agent.py
Wildcard Subdomains:
awf --allow-domains '*.github.com' -- npm install
Domain File:
# domains.txt
github.com
api.github.com
*.githubusercontent.com
awf --allow-domains-file domains.txt -- git clone https://github.com/repo
Passing Variables to Container:
awf --env API_KEY --env DEBUG -- node app.js
With Values:
awf --env API_KEY=secret123 -- python script.py
From File:
# .env file
API_KEY=secret123
DEBUG=true
awf --env-file .env -- npm start
Quick Install:
curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash
Manual Install:
npm install -g gh-aw-firewall
Verify:
awf --version
awf --help
The API proxy sidecar provides secure credential management for LLM APIs (OpenAI, Anthropic) without exposing tokens to AI agents.
Architecture:
┌──────────────────────────────────────┐
│ AI Agent Container │
│ ┌────────────────────────────┐ │
│ │ Code makes API call │ │
│ │ http://localhost:8080/v1 │ │
│ │ (No API key in code) │ │
│ └──────────────┬─────────────┘ │
└─────────────────┼────────────────────┘
│
▼
┌─────────────────────────────┐
│ API Proxy Sidecar │
│ ┌──────────────────────┐ │
│ │ Inject Credentials │ │
│ │ Authorization: sk-xx │ │
│ └──────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────┐ │
│ │ Route via Squid │ │
│ └──────────────────────┘ │
└───────────┬─────────────────┘
│
▼
┌─────────────┐
│ Squid Proxy │
│ (Whitelist) │
└──────┬──────┘
│
▼
External API
(api.openai.com)
Configuration:
# Export credentials (not visible to agent)
export OPENAI_API_KEY=sk-xxx
export ANTHROPIC_API_KEY=sk-ant-xxx
# Start with API proxy
awf --api-proxy \
--allow-domains api.openai.com,api.anthropic.com \
-- node agent.js
Agent Code:
// Agent makes calls without credentials
fetch('http://localhost:8080/v1/chat/completions', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
model: 'gpt-4',
messages: [...]
})
});
// API proxy automatically injects:
// Authorization: Bearer sk-xxx
Benefits:
Go Proxy Server:
package main
import (
"net/http"
"net/http/httputil"
"net/url"
"os"
)
func main() {
// Read credentials from environment
openaiKey := os.Getenv("OPENAI_API_KEY")
anthropicKey := os.Getenv("ANTHROPIC_API_KEY")
// Squid proxy URL
squidURL, _ := url.Parse("http://squid:3128")
// Create reverse proxy
proxy := httputil.NewSingleHostReverseProxy(squidURL)
// Modify request to inject credentials
director := proxy.Director
proxy.Director = func(req *http.Request) {
director(req)
// Inject appropriate credential
if req.Host == "api.openai.com" {
req.Header.Set("Authorization", "Bearer "+openaiKey)
} else if req.Host == "api.anthropic.com" {
req.Header.Set("x-api-key", anthropicKey)
}
// Route through Squid
req.URL.Host = req.Host
req.URL.Scheme = "https"
}
http.ListenAndServe(":8080", proxy)
}
SSL Bump allows Squid to inspect HTTPS traffic for URL path filtering and content validation.
Configuration:
# Enable SSL Bump
http_port 3128 ssl-bump \
cert=/etc/squid/certs/squid-ca-cert.pem \
key=/etc/squid/certs/squid-ca-key.pem
# SSL Bump rules
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# URL path filtering
acl allowed_paths url_regex ^https://api\.github\.com/repos/
http_access allow allowed_paths
http_access deny all
Use Cases:
Security Considerations:
name: Agentic Workflow with Firewall
on: pull_request
jobs:
agent:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install AWF
run: |
curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash
- name: Run Agent with Firewall
run: |
awf --allow-domains github.com,api.github.com \
-- node agent.js
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run MCP Server with Firewall
run: |
awf --allow-domains github.com,api.githubcopilot.com \
--env GITHUB_TOKEN \
-- docker run -i \
-e GITHUB_TOKEN \
ghcr.io/github/github-mcp-server:latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Build with NPM Registry
run: |
awf --allow-domains registry.npmjs.org \
-- npm install
- name: Test with External APIs
run: |
awf --allow-domains api.github.com,api.openai.com \
--api-proxy \
-- npm test
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
- name: Deploy (No Network)
run: |
awf --allow-domains '' \
-- npm run build
Squid Access Log:
# Location
/var/log/squid/access.log
# Format
timestamp ip method url status bytes
# View recent
tail -f /var/log/squid/access.log
# Filter blocked requests
grep "TCP_DENIED" /var/log/squid/access.log
Squid Cache Log:
# Location
/var/log/squid/cache.log
# Contains
- Squid startup/shutdown
- Configuration errors
- Domain whitelist violations
# Monitor
tail -f /var/log/squid/cache.log
View All Traffic:
awf --log-level debug --allow-domains github.com -- curl https://api.github.com
Filter by Domain:
grep "github.com" /var/log/squid/access.log
Count Requests:
awk '{print $7}' /var/log/squid/access.log | sort | uniq -c | sort -rn
Blocked Requests:
grep "TCP_DENIED" /var/log/squid/access.log | awk '{print $7}' | sort | uniq
Prometheus Exporter:
# docker-compose.yml
services:
squid-exporter:
image: boynux/squid-exporter
ports:
- "9301:9301"
environment:
- SQUID_HOSTNAME=squid
- SQUID_PORT=3128
Grafana Dashboard:
Symptom:
Error: connect ECONNREFUSED 127.0.0.1:3128
Diagnosis:
# Check Squid is running
ps aux | grep squid
# Check Squid port
netstat -tlnp | grep 3128
# Check Squid logs
tail /var/log/squid/cache.log
Solutions:
Symptom:
HTTP 403 Forbidden
TCP_DENIED/403
Diagnosis:
# Check domain in whitelist
grep "example.com" /etc/squid/allowed-domains.txt
# View denied requests
grep "TCP_DENIED" /var/log/squid/access.log | tail -20
Solutions:
*.example.com (for known trusted organizations only)⚠️ NEVER use TLD-level wildcards like
*.com,*.org,*.se,*.io— these effectively disable the firewall by allowing all traffic to those TLDs. Always use explicit domain names (e.g.,api.example.com,data.example.se) or scoped subdomain wildcards for trusted organizations only.
Symptom:
Error: certificate verify failed
Diagnosis:
# Check CA certificate
ls -la /etc/squid/certs/
# Test SSL connection
openssl s_client -connect api.github.com:443 -proxy localhost:3128
Solutions:
--insecure flag for testing (not production)Symptom:
Diagnosis:
# Check Squid CPU/memory
docker stats squid
# Monitor request timing
tail -f /var/log/squid/access.log | grep -o "TCP_[A-Z_]*"
Solutions:
Symptom:
Error: network unreachable
Diagnosis:
# Check Docker network
docker network ls
docker network inspect awf-network
# Check iptables
sudo iptables -L DOCKER-USER -n -v
Solutions:
squid.conf:
# Basic ACLs
acl localnet src 172.16.0.0/12
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
# Allowed domains from file
acl allowed_domains dstdomain "/etc/squid/allowed-domains.txt"
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow only safe ports
http_access deny !Safe_ports
# Allow localhost
http_access allow localnet
# Allow only whitelisted domains
http_access allow allowed_domains
# Deny everything else
http_access deny all
# Logging
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
# Performance
cache_mem 256 MB
maximum_object_size 50 MB
cache_dir ufs /var/spool/squid 1000 16 256
# DNS
dns_nameservers 8.8.8.8 8.8.4.4
version: '3.8'
services:
squid:
image: ubuntu/squid:latest
container_name: awf-squid
ports:
- "3128:3128"
volumes:
- ./squid.conf:/etc/squid/squid.conf:ro
- ./allowed-domains.txt:/etc/squid/allowed-domains.txt:ro
- squid-cache:/var/spool/squid
- squid-logs:/var/log/squid
networks:
- awf-network
restart: unless-stopped
agent:
image: myagent:latest
depends_on:
- squid
environment:
- HTTP_PROXY=http://squid:3128
- HTTPS_PROXY=http://squid:3128
networks:
- awf-network
networks:
awf-network:
driver: bridge
volumes:
squid-cache:
squid-logs:
Automatic (via AWF):
awf --allow-domains github.com -- docker run myapp
# iptables rules applied automatically
Manual:
# Force all container traffic to Squid
sudo iptables -I DOCKER-USER -p tcp --dport 80 -j REDIRECT --to-port 3128
sudo iptables -I DOCKER-USER -p tcp --dport 443 -j REDIRECT --to-port 3128
# Verify rules
sudo iptables -L DOCKER-USER -n -v
❌ DON'T: Allow all subdomains
awf --allow-domains '*' -- node agent.js
✅ DO: Specific domains only
awf --allow-domains api.github.com,api.openai.com -- node agent.js
❌ DON'T: Expose tokens to agent
const token = process.env.OPENAI_API_KEY; // Visible to agent
✅ DO: Use API proxy
awf --api-proxy -- node agent.js # Tokens in proxy only
Enable comprehensive logging:
awf --log-level debug \
--audit-log /var/log/awf/audit.log \
--allow-domains github.com \
-- python agent.py
Review logs regularly:
# Daily review
grep "TCP_DENIED" /var/log/squid/access.log | wc -l
# Alert on suspicious patterns
grep "evil.com" /var/log/squid/access.log && notify-admin
Verify blocking:
# Should succeed
awf --allow-domains github.com -- curl https://api.github.com
# Should fail
awf --allow-domains github.com -- curl https://evil.com
Enable caching:
cache_mem 512 MB
maximum_object_size 100 MB
cache_dir ufs /var/spool/squid 10000 16 256
Use connection pooling:
persistent_connection_timeout 60 seconds
client_persistent_connections on
server_persistent_connections on
Disable unnecessary features:
# No FTP
acl FTP proto FTP
http_access deny FTP
# No HTTPS without SSL Bump
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
Regular updates:
# Update Squid
docker pull ubuntu/squid:latest
# Update AWF
npm update -g gh-aw-firewall
The Agent Workflow Firewall (AWF) is Layer 3 of the five-layer security model:
Layer 1: Read-only tokens (agent can't write)
Layer 2: Zero secrets in agent (nothing to steal)
Layer 3: AWF Firewall (can't call unauthorized servers) ← THIS SKILL
Layer 4: Safe outputs (structured, validated writes)
Layer 5: Threat detection (AI scans for malicious content)
The firewall allows essential domains:
api.github.com — GitHub API accessgithub.com — Repository contentapi.githubcopilot.com — Copilot APIapi.anthropic.com — Claude API (if using Claude engine)api.openai.com — Codex API (if using Codex engine)Custom domains can be added per workflow:
---
network:
allowed:
- api.example.com
- data.government.se
---
Version: 2.0.0
Last Updated: 2026-04-02
Maintained by: Hack23 AB
This gh-aw skill is applied by the 11 agentic news workflows in .github/workflows/news-*.md. Their domain contract (analysis-artifact product, gate, article contract) lives in:
.github/prompts/README.md — module catalogue, import rules, AI-FIRST 2-pass rule.analysis/methodologies/ai-driven-analysis-guide.md + analysis/templates/ — 9 core / 14 Tier-C artifacts.05-analysis-gate.md — the single blocking gate before any article content is written.Upstream gh-aw docs (v0.69.3): abridged · complete · agentic-workflows blog series · source repo · GitHub CLI manual.