Problem
When using the Gemini engine (AIza... key), all requests fail with 400 API_KEY_INVALID from generativelanguage.googleapis.com. The gemini CLI ignores GEMINI_API_BASE_URL=(172.30.0.30/redacted) and connects directly to Google from the agent container (172.30.0.20), bypassing the api-proxy sidecar entirely. No key is injected, so the request reaches Google unauthenticated or with an empty key.
Context
Reported in github/gh-aw#29417. Affects gh-aw v0.71.3 with AWF firewall image 0.25.29. Squid access.log confirms source IP 172.30.0.20 (agent) instead of 172.30.0.30 (api-proxy). awf-config.json correctly shows "apiProxy": {"enabled": true, "targets": {"gemini": {"host": "generativelanguage.googleapis.com"}}}, indicating the config is generated but not honoured at runtime.
Root Cause
The gemini CLI does not respect the GEMINI_API_BASE_URL environment variable for all request paths (or the variable name/format differs from what the CLI expects). The api-proxy intercept on port 10003 is therefore never reached.
Proposed Solution
- In containers/api-proxy/, audit the Gemini proxy handler and verify that port 10003 is listening and forwarding correctly.
- Determine the exact env var name(s) the installed gemini CLI version uses for the base URL override; update src/docker-manager.ts to set the correct variable(s).
- Add an integration test that asserts Gemini traffic originates from 172.30.0.30, not 172.30.0.20.
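One way to implement the integration check in the last step, as an added example that is not part of gh-aw or the awf firewall: parse Squid native-format access.log lines and flag any request to generativelanguage.googleapis.com whose source is not the api-proxy sidecar. The log lines below are constructed for illustration (not a real capture); the IPs and host are the ones quoted in this issue, and the function and constant names are this example's own.

```typescript
// Added example (not project code): detect Gemini traffic that bypassed the
// api-proxy sidecar by reading Squid access.log in the default "squid" format:
//   ts.ms elapsed client action/code bytes method url ident hier/peer type
// Assumptions: api-proxy is 172.30.0.30 and the agent is 172.30.0.20, as in
// the issue; all sample lines are constructed, not captured.

const API_PROXY_IP = "172.30.0.30"; // the only source that may reach Gemini
const GEMINI_HOST = "generativelanguage.googleapis.com";

interface SquidEntry {
  timestamp: number;
  clientIp: string; // %>a, the source address Squid saw
  status: string;   // e.g. TCP_TUNNEL/200
  method: string;   // e.g. CONNECT
  url: string;      // host:port for CONNECT, absolute URL otherwise
}

// Tokenise one native-format line; returns null for lines that do not parse.
function parseSquidLine(line: string): SquidEntry | null {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  const timestamp = Number(f[0]);
  if (Number.isNaN(timestamp)) return null;
  return { timestamp, clientIp: f[2], status: f[3], method: f[5], url: f[6] };
}

// Host part of a CONNECT target ("host:443") or of an absolute URL.
function hostOf(url: string): string {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(url)) {
    try {
      return new URL(url).hostname;
    } catch (_err) {
      // malformed absolute URL; fall through to host:port handling
    }
  }
  return url.split(":")[0];
}

// Entries that reached the Gemini host from anything other than the proxy.
function findBypasses(
  lines: string[],
  proxyIp: string = API_PROXY_IP,
  host: string = GEMINI_HOST,
): SquidEntry[] {
  return lines
    .map(parseSquidLine)
    .filter((e): e is SquidEntry => e !== null)
    .filter((e) => hostOf(e.url).toLowerCase() === host && e.clientIp !== proxyIp);
}

// Throws with the offending entries, so it can sit directly in a test.
function assertGeminiViaProxy(lines: string[]): void {
  const bad = findBypasses(lines);
  if (bad.length > 0) {
    const detail = bad
      .map((e) => `${e.clientIp} ${e.method} ${e.url} (${e.status})`)
      .join("\n  ");
    throw new Error(`Gemini traffic bypassed api-proxy ${API_PROXY_IP}:\n  ${detail}`);
  }
}

// Constructed sample log: line 1 reproduces the symptom in the issue (agent
// container talking to Gemini directly), line 2 is the expected path.
const SAMPLE_LOG: string[] = [
  "1712345678.001    312 172.30.0.20 TCP_TUNNEL/200 5120 CONNECT generativelanguage.googleapis.com:443 - HIER_DIRECT/142.250.72.10 -",
  "1712345679.002    120 172.30.0.30 TCP_TUNNEL/200 8192 CONNECT generativelanguage.googleapis.com:443 - HIER_DIRECT/142.250.72.10 -",
  "1712345680.003     45 172.30.0.20 TCP_TUNNEL/200 2048 CONNECT api.github.com:443 - HIER_DIRECT/140.82.112.5 -",
  "1712345681.004    400 172.30.0.20 TCP_DENIED/403 3900 CONNECT blocked.example:443 - HIER_NONE/- text/html",
];

const bypasses = findBypasses(SAMPLE_LOG);
console.log(`${bypasses.length} bypass(es) from:`, bypasses.map((e) => e.clientIp));
```

Run against the real Squid log from the firewall container; with the config in this issue, a passing run means every Gemini request came from 172.30.0.30, while any 172.30.0.20 entry for the Gemini host reproduces the bypass and fails the test with the exact line.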
Generated by Firewall Issue Dispatcher