containers: Add experimental support for interceptOutboundHttps

`interceptOutboundHttps` is a way for users to intercept their own TLS
traffic.

The way this works is different from interceptOutboundHttp. In the first
one, we can decide which IP and port combinations should intercept HTTP
traffic, but HTTPS is more idiomatic to handle at the SNI level.

The reasoning behind this is that customers that want to intercept
TLS might want to only be triggering on certain SNIs being intercepted.

We do support currently other ports than 443 but that might change in the future by
extending the method to accept a port with the SNI. It's just the
use-case is clear to be SNI based only.

The glob format of the SNI that we accept is really simple, only '*' and the
domain (to support cases like *google.com and all its subdomains).
No plans on supporting regex here whatsoever.

The way local dev works is we generate the certificates in the
networking sidecar, we read it via exec, and write them to the
container to a known path
(/etc/cloudflare/certs/cloudflare-containers-ca.crt).

We could try to append the certificate to
known distro paths, but that might be a more controversial move, we can
discuss in the MR if it's worth doing.

The flow of the connection is:

```
[container] --> [proxy-everything] (tls) -->
[workerd container-client.c++] (processes configured egress policies) ->
[workerd subrequest channel]
```

The only way to make files being written consistently across distros is
by using the Docker /archive API. It can only accept a tar right now, so
we had to add a method that creates a simple tar file that contains a
single file that we want to add to the container (the CA).

Author: gabivlj

.opencode/package.json

@@ -1,5 +1,5 @@
 {
   "dependencies": {
-    "@opencode-ai/plugin": "^1"
+    "@opencode-ai/plugin": "1.2.18"
   }
-}
+}

images/container-client-test/app.js

@@ -2,6 +2,7 @@ const { createServer } = require('http');
 
 const webSocketEnabled = process.env.WS_ENABLED === 'true';
 const wsProxyTarget = process.env.WS_PROXY_TARGET || null;
+const wsProxySecure = process.env.WS_PROXY_SECURE === 'true';
 
 const server = createServer(function (req, res) {
   if (req.url === '/ws') {
@@ -55,6 +56,24 @@ const server = createServer(function (req, res) {
     return;
   }
 
+  if (req.url === '/intercept-https') {
+    const targetHost = req.headers['x-host'] || 'example.com';
+    fetch(`https://${targetHost}`)
+      .then((result) => result.text())
+      .then((body) => {
+        res.writeHead(200);
+        res.write(body);
+        res.end();
+      })
+      .catch((err) => {
+        res.writeHead(500);
+        res.write(`${targetHost} ${err.message}`);
+        res.end();
+      });
+
+    return;
+  }
+
   res.writeHead(200, { 'Content-Type': 'text/plain' });
   res.write('Hello World!');
   res.end();
@@ -66,7 +85,8 @@ if (webSocketEnabled) {
 
   wss.on('connection', function (clientWs) {
     if (wsProxyTarget) {
-      const targetWs = new WebSocket(`ws://${wsProxyTarget}/ws`);
+      const protocol = wsProxySecure ? 'wss' : 'ws';
+      const targetWs = new WebSocket(`${protocol}://${wsProxyTarget}/ws`);
       const ready = new Promise(function (resolve) {
         targetWs.on('open', resolve);
       });

src/workerd/api/container.c++

@@ -106,6 +106,19 @@ jsg::Promise<void> Container::interceptAllOutboundHttp(jsg::Lock& js, jsg::Ref<F
       kj::joinPromisesFailFast(kj::arr(reqV4.sendIgnoringResult(), reqV6.sendIgnoringResult())));
 }
 
+jsg::Promise<void> Container::interceptOutboundHttps(
+    jsg::Lock& js, kj::String sniGlob, jsg::Ref<Fetcher> binding) {
+  auto& ioctx = IoContext::current();
+  auto channel = binding->getSubrequestChannel(ioctx);
+  auto token = channel->getToken(IoChannelFactory::ChannelTokenUsage::RPC);
+
+  auto req = rpcClient->setEgressHttpsRequest();
+  req.setSniGlob(sniGlob);
+  req.setChannelToken(token);
+
+  return ioctx.awaitIo(js, req.sendIgnoringResult());
+}
+
 jsg::Promise<void> Container::monitor(jsg::Lock& js) {
   JSG_REQUIRE(running, Error, "monitor() cannot be called on a container that is not running.");
 

src/workerd/api/container.h

@@ -65,6 +65,8 @@ class Container: public jsg::Object {
   jsg::Promise<void> interceptOutboundHttp(
       jsg::Lock& js, kj::String addr, jsg::Ref<Fetcher> binding);
   jsg::Promise<void> interceptAllOutboundHttp(jsg::Lock& js, jsg::Ref<Fetcher> binding);
+  jsg::Promise<void> interceptOutboundHttps(
+      jsg::Lock& js, kj::String sniGlob, jsg::Ref<Fetcher> binding);
 
   // TODO(containers): listenTcp()
 
@@ -80,6 +82,7 @@ class Container: public jsg::Object {
     if (flags.getWorkerdExperimental()) {
       JSG_METHOD(interceptOutboundHttp);
       JSG_METHOD(interceptAllOutboundHttp);
+      JSG_METHOD(interceptOutboundHttps);
     }
   }
 

src/workerd/io/container.capnp

@@ -119,8 +119,19 @@ interface Container @0x9aaceefc06523bca {
   # Configures egress HTTP routing for the container. When the container attempts to connect to the
   # specified host:port, the connection should be routed back to the Workers runtime using the channel token.
   # The format of hostPort can be '<ip|cidr>[':'<port>]'. If port is omitted, it's assumed to only cover port 80.
-  # This method does not support HTTPs yet.
 
+  setEgressHttps @9 (sniGlob :Text, channelToken :Data);
+  # Intercepts outbound TLS connections whose SNI matches `sniGlob`, routing decrypted
+  # HTTP to the worker binding identified by `channelToken`. The runtime must ensure
+  # the container trusts the interception CA.
+  #
+  # sniGlob: glob pattern for TLS SNI hostnames (e.g. "*.example.com", "*").
+  #   "*.example.com" matches any subdomain including nested ones like "a.b.example.com".
+  # channelToken: opaque token identifying the worker binding to route requests to.
+  #
+  # This method does not support specifying ports as it's designed for traffic firewall
+  # of internet access of the container through Workers. To hit a Worker in another
+  # port that is not 443, use setEgressHttp.
 
   # TODO: setEgressTcp
 }