Fix Codex MCP Gateway connection by removing hardcoded IP #13792
The hardcoded IP 172.30.0.1 was added to work around perceived DNS resolution issues in Rust, but it broke Squid ACL matching because `dstdomain` ACLs only match domain names, not IP addresses. This change aligns Codex with how Claude already works successfully:
- Remove 172.30.0.1 from CodexDefaultDomains
- Use host.docker.internal directly in convert_gateway_config_codex.sh
- Update tests to reflect the new domain list

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This PR fixes Codex MCP Gateway connection issues by removing the hardcoded 172.30.0.1 IP address and using host.docker.internal directly, matching the approach successfully used by Claude. The IP was originally added to work around perceived DNS resolution issues in Rust's async resolver (PR #9999), but this inadvertently broke Squid's firewall ACL matching since dstdomain ACLs only match domain names, not IP addresses.
Changes:
- Removed hardcoded `172.30.0.1` from Codex default domains configuration
- Updated gateway configuration script to use domain directly without IP resolution
- Updated all related tests to reflect the change
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `pkg/workflow/domains.go` | Removed 172.30.0.1 from CodexDefaultDomains array |
| `pkg/workflow/domains_test.go` | Updated test expectations to exclude 172.30.0.1 from all test cases |
| `actions/setup/sh/convert_gateway_config_codex.sh` | Removed IP resolution logic, now uses MCP_GATEWAY_DOMAIN directly like Claude/Copilot converters |
| `.github/workflows/smoke-codex.lock.yml` | Recompiled workflow with updated domain lists (removed 172.30.0.1 from --allow-domains and GH_AW_ALLOWED_DOMAINS) |
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰
Agent Container Tool Check - Smoke Test Results
Result: 10/12 tools fully functional ✅ Notes:
🤖 The smoke test agent stopped by to say hello! All systems operational and ready to verify workflows. ✨
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Updates the default MCP Gateway version to v0.0.99 which includes the fix for OAuth discovery requests hanging instead of returning 404. This fix (github/gh-aw-mcpg#672) adds a handler at the standard `/.well-known/oauth-authorization-server` path to return 404 immediately, preventing the 15-second timeout that was causing 4/6 MCP servers to fail. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
💀 Blimey! Changeset Generator failed and walked the plank! No treasure today, matey! ☠️
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
Agent Container Tool Check
Result: 11/12 tools available ❌ Note: .NET runtime (dotnet) is not available in this agent container. All other essential development tools are present and functional.
Smoke Test Results
PR: #13820 - Add shared workflow for Microsoft Amplifier CLI ✅ GitHub MCP Overall Status: PASS ✅ cc: @Mossaka
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Smoke Test Results
Status: PASS (9/10)
Summary
- `172.30.0.1` IP from Codex configuration
- `host.docker.internal` directly (like Claude does successfully)
- `dstdomain` ACLs don't match IP addresses

Root Cause
The IP `172.30.0.1` was added in PR #9999 to work around perceived DNS resolution issues in Rust's async resolver. However, this broke Squid's `dstdomain` ACL matching because:
- `172.30.0.1` for MCP Gateway URLs
- `dstdomain` ACLs
- `dstdomain` only matches domain names, not IP addresses

The irony: The IP was added to avoid DNS issues, but Claude uses `host.docker.internal` successfully in the same AWF environment.

Changes
- `pkg/workflow/domains.go`
  - `172.30.0.1` from `CodexDefaultDomains`
- `actions/setup/sh/convert_gateway_config_codex.sh`
  - `host.docker.internal` directly instead of resolving to IP
- `pkg/workflow/domains_test.go`
- `.github/workflows/smoke-codex.lock.yml`

Test plan
- `go test ./pkg/workflow/... -run Codex`)
- `host.docker.internal`

🤖 Generated with Claude Code
Changeset
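
An added example, not part of the pull request or the project's code: a Go pre-flight check for the failure described under Root Cause. It assumes, as the PR states, that a `dstdomain`-style allow-list matches only domain names; `ipLiterals`, `domainAllowed` and `checkGatewayURL` are hypothetical names, and the port and `/mcp` path are constructed values.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ipLiterals returns allow-list entries that are IP addresses, not domain names.
func ipLiterals(allow []string) []string {
	var out []string
	for _, e := range allow {
		if _, err := netip.ParseAddr(strings.Trim(e, "[]")); err == nil {
			out = append(out, e)
		}
	}
	return out
}

// domainAllowed is a simplified model of domain-name matching: exact match, or
// subdomain match for leading-dot entries. IP hosts never match (assumption from the PR).
func domainAllowed(host string, allow []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if _, err := netip.ParseAddr(host); err == nil {
		return false
	}
	for _, e := range allow {
		e = strings.ToLower(e)
		if host == strings.TrimPrefix(e, ".") || (strings.HasPrefix(e, ".") && strings.HasSuffix(host, e)) {
			return true
		}
	}
	return false
}

// checkGatewayURL reports whether the gateway URL's host is covered by the allow-list.
func checkGatewayURL(raw string, allow []string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	return domainAllowed(u.Hostname(), allow), nil
}

func main() {
	allow := []string{"host.docker.internal", "172.30.0.1"} // constructed list
	ok, _ := checkGatewayURL("http://172.30.0.1:8080/mcp", allow) // constructed URL
	fmt.Println(ipLiterals(allow), ok)
}
```

Run against a generated domain list, a non-empty `ipLiterals` result or a `false` from `checkGatewayURL` flags a configuration where the gateway URL and the allow-list disagree before the proxy rejects the connection.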