Server Connectivity

The firewall controls outbound traffic from clients inside awf to external servers. This guide covers connecting to HTTP, HTTPS, and gRPC servers.

Clients inside awf can connect to any whitelisted domain over HTTP or HTTPS.

# Connect to HTTPS server
sudo awf --allow-domains api.example.com -- \
curl https://api.example.com/data
# Connect to HTTP server (non-TLS)
sudo awf --allow-domains 'http://legacy.example.com' -- \
curl http://legacy.example.com/api

gRPC connections work through the firewall when using standard ports.

# gRPC with TLS on standard HTTPS port
sudo awf --allow-domains grpc.example.com -- \
grpcurl grpc.example.com:443 myservice.Service/Method

# gRPC-web uses standard HTTP/HTTPS ports
sudo awf --allow-domains api.example.com -- \
grpcurl -plaintext api.example.com:80 myservice.Service/Method

Use host.docker.internal to connect from inside awf to services running on your host machine:

# Connect to a server running on the host (e.g., localhost:3000)
sudo awf --allow-domains host.docker.internal -- \
curl http://host.docker.internal:3000/api

To run a server inside awf that accepts external connections, use --keep-containers and connect via Docker:

# Start server inside awf (stays running)
sudo awf --allow-domains example.com --keep-containers -- \
python3 -m http.server 8080 &
# Connect from host using docker exec
docker exec awf-agent curl http://localhost:8080

A server inside awf can accept requests while making outbound calls only to whitelisted domains:

# API gateway that proxies to backend
sudo awf --allow-domains backend.example.com --keep-containers -- \
node gateway.js
# Gateway can:
# - Accept connections on its internal port
# - Make outbound requests only to backend.example.com

# Keep containers running for inspection
sudo awf --allow-domains example.com --keep-containers -- sleep 60
# Test connectivity from inside
docker exec awf-agent curl -v https://example.com
# Check Squid logs for blocked requests
sudo grep "TCP_DENIED" /tmp/squid-logs-*/access.log
# View all traffic
awf logs --format pretty
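
To turn the raw TCP_DENIED grep above into a per-destination count, the following script tallies denied hosts; it is an added example, not part of awf or of the original page. It assumes Squid's default native access.log layout (result code in field 4, URL in field 7), which this page does not confirm for awf; denied_summary, sample_log, STATUS_FIELD, URL_FIELD and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of awf): count Squid denials per destination host.
# Assumption: Squid's default "native" access.log layout, where field 4 is the
# result code (TCP_DENIED/403) and field 7 is the URL or CONNECT host:port.
# Override STATUS_FIELD / URL_FIELD if the log uses a custom logformat.

denied_summary() {
  awk -v sf="${STATUS_FIELD:-4}" -v uf="${URL_FIELD:-7}" '
    $sf ~ /^TCP_DENIED/ {
      dest = $uf
      sub(/^[A-Za-z]+:\/\//, "", dest)  # drop scheme (http://)
      sub(/\/.*$/, "", dest)            # drop path and query
      sub(/^[^@]*@/, "", dest)          # drop userinfo, if any
      sub(/:[0-9]+$/, "", dest)         # drop port (CONNECT host:443)
      if (dest != "") count[tolower(dest)]++
    }
    END { for (d in count) printf "%d %s\n", count[d], d }
  ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation-range addresses, made-up hosts).
sample_log() {
  cat <<'EOF'
1700000000.101      0 192.0.2.20 TCP_DENIED/403 3900 CONNECT telemetry.example.net:443 - HIER_NONE/- text/html
1700000001.202    118 192.0.2.20 TCP_TUNNEL/200 5120 CONNECT api.example.com:443 - HIER_DIRECT/198.51.100.7 -
1700000002.303      0 192.0.2.20 TCP_DENIED/403 3900 GET http://legacy.example.org/api?x=1 - HIER_NONE/- text/html
1700000003.404      0 192.0.2.20 TCP_DENIED/403 3900 CONNECT Telemetry.Example.NET:443 - HIER_NONE/- text/html
1700000004.505     42 192.0.2.20 TCP_MISS/200 812 GET http://legacy.example.com/api - HIER_DIRECT/198.51.100.8 text/plain
EOF
}

# With file arguments, summarise those logs; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
  denied_summary "$@"
else
  sample_log | denied_summary
fi
```

Hosts that appear here but were expected to be reachable are candidates for --allow-domains; anything unexpected is worth tracing back to the process that requested it.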