Skip to content

remote: use endpoint address for buildkit client authority#3928

Open
jarqvi wants to merge 1 commit into
docker:masterfrom
jarqvi:fix-remote-driver-authority
Open

remote: use endpoint address for buildkit client authority#3928
jarqvi wants to merge 1 commit into
docker:masterfrom
jarqvi:fix-remote-driver-authority

Conversation

@jarqvi

@jarqvi jarqvi commented Jun 28, 2026

Copy link
Copy Markdown

The remote driver created the buildkit client with an empty address:

client.New(ctx, "", opts...)

With an empty address the buildkit client falls back to the system default address (the local unix socket) and derives the gRPC ":authority" pseudo-header from it, which ends up being "localhost". The actual connection was still correct because the remote driver provides its own dialer, but the wrong authority broke HTTP/2 reverse proxies (such as Envoy) that route based on ":authority".

Pass the configured endpoint address to client.New so the authority is derived from the remote endpoint hostname (e.g.
my-buildkit.example.com:443). The custom dialer is preserved, so the dial target and TLS/SNI behavior are unchanged.

Fixes #3880

The remote driver created the buildkit client with an empty address:

    client.New(ctx, "", opts...)

With an empty address the buildkit client falls back to the system
default address (the local unix socket) and derives the gRPC
":authority" pseudo-header from it, which ends up being "localhost".
The actual connection was still correct because the remote driver
provides its own dialer, but the wrong authority broke HTTP/2 reverse
proxies (such as Envoy) that route based on ":authority".

Pass the configured endpoint address to client.New so the authority is
derived from the remote endpoint hostname (e.g.
my-buildkit.example.com:443). The custom dialer is preserved, so the
dial target and TLS/SNI behavior are unchanged.

Fixes docker#3880

Signed-off-by: MohammadHasan Akbari <jarqvi.jarqvi@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

buildx remote driver sends :authority: localhost instead of the endpoint hostname

1 participant