docs: add server connectivity guide for HTTP, HTTPS, and gRPC (#179)

Copilot · Mossaka · web-flow · commit 59d1d9cb412e · 2026-01-05T16:17:45.000-08:00
* Initial plan

* docs: add server connectivity guide for HTTP, HTTPS, and gRPC

Co-authored-by: Mossaka &lt;5447827+Mossaka@users.noreply.github.com&gt;

* docs: add host.docker.internal section for host-to-guest communication

Co-authored-by: Mossaka &lt;5447827+Mossaka@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: Mossaka &lt;5447827+Mossaka@users.noreply.github.com&gt;
diff --git a/docs-site/src/content/docs/guides/server-connectivity.md b/docs-site/src/content/docs/guides/server-connectivity.md
@@ -0,0 +1,114 @@
+---
+title: Server Connectivity
+description: Connect to HTTP, HTTPS, and gRPC servers through the firewall.
+---
+
+The firewall controls **outbound** traffic from clients inside awf to external servers. This guide covers connecting to HTTP, HTTPS, and gRPC servers.
+
+## HTTP/HTTPS servers
+
+Clients inside awf can connect to any whitelisted domain over HTTP or HTTPS.
+
+```bash
+# Connect to HTTPS server
+sudo awf --allow-domains api.example.com -- \
+  curl https://api.example.com/data
+
+# Connect to HTTP server (non-TLS)
+sudo awf --allow-domains 'http://legacy.example.com' -- \
+  curl http://legacy.example.com/api
+```
+
+:::tip
+Use `https://` or `http://` prefix to restrict a domain to a specific protocol.
+:::
+
+## gRPC servers
+
+gRPC connections work through the firewall when using standard ports.
+
+### gRPC over HTTPS (port 443)
+
+```bash
+# gRPC with TLS on standard HTTPS port
+sudo awf --allow-domains grpc.example.com -- \
+  grpcurl grpc.example.com:443 myservice.Service/Method
+```
+
+### gRPC-web over HTTP/HTTPS
+
+```bash
+# gRPC-web uses standard HTTP/HTTPS ports
+sudo awf --allow-domains api.example.com -- \
+  grpcurl -plaintext api.example.com:80 myservice.Service/Method
+```
+
+:::note
+The firewall only allows ports 80 (HTTP) and 443 (HTTPS). Non-standard gRPC ports like 50051 are blocked.
+:::
+
+## Connecting to host services
+
+Use `host.docker.internal` to connect from inside awf to services running on your host machine:
+
+```bash
+# Connect to a server running on the host (e.g., localhost:3000)
+sudo awf --allow-domains host.docker.internal -- \
+  curl http://host.docker.internal:3000/api
+```
+
+:::tip
+`host.docker.internal` is automatically configured in awf containers and resolves to the host machine.
+:::
+
+## Server inside, client outside
+
+To run a server inside awf that accepts external connections, use `--keep-containers` and connect via Docker:
+
+```bash
+# Start server inside awf (stays running)
+sudo awf --allow-domains example.com --keep-containers -- \
+  python3 -m http.server 8080 &
+
+# Connect from host using docker exec
+docker exec awf-agent curl http://localhost:8080
+```
+
+:::caution
+The firewall is designed for egress control. For production server hosting, consider running servers outside the firewall.
+:::
+
+## Bidirectional communication
+
+A server that accepts requests and makes outbound calls to whitelisted domains:
+
+```bash
+# API gateway that proxies to backend
+sudo awf --allow-domains backend.example.com --keep-containers -- \
+  node gateway.js
+
+# Gateway can:
+# - Accept connections on its internal port
+# - Make outbound requests only to backend.example.com
+```
+
+## Debugging connectivity
+
+```bash
+# Keep containers running for inspection
+sudo awf --allow-domains example.com --keep-containers -- sleep 60
+
+# Test connectivity from inside
+docker exec awf-agent curl -v https://example.com
+
+# Check Squid logs for blocked requests
+sudo grep "TCP_DENIED" /tmp/squid-logs-*/access.log
+
+# View all traffic
+awf logs --format pretty
+```
+
+## See also
+
+- [Domain Filtering](/gh-aw-firewall/guides/domain-filtering) - Allowlists, blocklists, wildcards
+- [CLI Reference](/gh-aw-firewall/reference/cli-reference) - All options
