Add domain name and wildcard support to no-proxy list

IP/CIDR entries continue to bypass the proxy through iptables rules.
Domain and wildcard entries now generate moproxy policy rules that use
"dst domain ... direct" for domain-based proxy bypass.

The backend splits noproxy entries by type: IP/CIDR entries go to
MOPROXY_NOPROXY for iptables processing, while domain entries produce
/etc/moproxy/policy.rules consumed by the new --policy flag. SIGHUP
already reloads both the proxy list and the policy file.

The settings validator now accepts domain names (example.com) and
wildcard domains (*.example.com) in addition to IP addresses and
CIDR subnets.

Ref #9803

Author: check-spelling-bot

pkg/rancher-desktop/assets/scripts/moproxy.initd

@@ -25,7 +25,7 @@ description_reload="Reload the proxy list."
 : ${noproxy_rules:=${MOPROXY_NOPROXY:-"0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16,224.0.0.0/4,240.0.0.0/4"}}
 
 command="'${MOPROXY_BINARY:-/usr/sbin/moproxy}'"
-command_args="--host ${host} --port ${port} ${moproxy_remotedns} --list ${proxy_list} ${moproxy_args}"
+command_args="--host ${host} --port ${port} ${moproxy_remotedns} --list ${proxy_list} --policy /etc/moproxy/policy.rules ${moproxy_args}"
 command_background="yes"
 pidfile="/run/${name}.pid"
 

pkg/rancher-desktop/backend/wsl.ts

@@ -2,6 +2,7 @@
 
 import events from 'events';
 import fs from 'fs';
+import net from 'net';
 import os from 'os';
 import path from 'path';
 import stream from 'stream';
@@ -776,7 +777,22 @@ export default class WSLBackend extends events.EventEmitter implements VMBackend
       await this.writeFile(`/etc/moproxy/proxy.ini`, '; no proxy defined');
     }
 
-    await this.modifyConf('moproxy', { MOPROXY_NOPROXY: proxy.noproxy.join(',') });
+    const ipEntries: string[] = [];
+    const domainRules: string[] = [];
+
+    for (const entry of proxy.noproxy) {
+      if (net.isIP(entry) !== 0 || entry.includes('/')) {
+        ipEntries.push(entry);
+      } else {
+        const domain = entry.startsWith('*.') ? entry.substring(2) : entry;
+
+        domainRules.push(`dst domain ${ domain } direct`);
+      }
+    }
+
+    await this.writeFile('/etc/moproxy/policy.rules',
+      domainRules.length > 0 ? `${ domainRules.join('\n') }\n` : '; no domain noproxy rules\n');
+    await this.modifyConf('moproxy', { MOPROXY_NOPROXY: ipEntries.join(',') });
   }
 
   /**

pkg/rancher-desktop/main/commandServer/__tests__/settingsValidator.spec.ts

@@ -1035,22 +1035,52 @@ describe('SettingsValidator', () => {
       expect({ needToUpdate, errors }).toEqual({ needToUpdate: false, errors: [] });
     });
 
-    it('should reject hostnames', () => {
+    it('should accept domain names', () => {
       const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['example.com']));
 
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept wildcard domain entries', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['*.example.com']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept domain names with subdomains', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['sub.example.com']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept mixed IP and domain entries', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['10.0.0.0/8', 'example.com', '*.internal.corp']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should reject single-label hostnames', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['localhost']));
+
       expect(needToUpdate).toBe(false);
       expect(errors).toHaveLength(1);
       expect(errors[0]).toContain('invalid entries');
-      expect(errors[0]).toContain('example.com');
     });
 
-    it('should reject wildcard DNS entries', () => {
-      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['*.example.com']));
+    it('should reject bare wildcard', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['*.']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('invalid entries');
+    });
+
+    it('should reject domains with labels starting with hyphens', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['-example.com']));
 
       expect(needToUpdate).toBe(false);
       expect(errors).toHaveLength(1);
       expect(errors[0]).toContain('invalid entries');
-      expect(errors[0]).toContain('*.example.com');
     });
 
     it('should reject duplicate entries', () => {
@@ -1085,12 +1115,12 @@ describe('SettingsValidator', () => {
     });
 
     it('should report all invalid entries at once', () => {
-      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['foo.bar', '10.0.0.0/8', 'baz.qux']));
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['-invalid', '10.0.0.0/8', 'also-invalid-']));
 
       expect(needToUpdate).toBe(false);
       expect(errors).toHaveLength(1);
-      expect(errors[0]).toContain('foo.bar');
-      expect(errors[0]).toContain('baz.qux');
+      expect(errors[0]).toContain('-invalid');
+      expect(errors[0]).toContain('also-invalid-');
     });
 
     it('should be gated to win32 platform', () => {

pkg/rancher-desktop/main/commandServer/settingsValidator.ts

@@ -691,7 +691,28 @@ export default class SettingsValidator {
   }
 
   /**
-   * Validate the noproxy list: must be unique strings, each a valid IP or CIDR.
+   * Validate that a string is a domain name, optionally with a wildcard prefix.
+   * Accepts entries like "example.com" or "*.example.com".
+   */
+  protected static isDomainName(entry: string): boolean {
+    const domain = entry.startsWith('*.') ? entry.substring(2) : entry;
+
+    if (domain.length === 0 || domain.length > 253) {
+      return false;
+    }
+    const labels = domain.split('.');
+
+    if (labels.length < 2) {
+      return false;
+    }
+    const labelRE = /^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
+
+    return labels.every(label => labelRE.test(label));
+  }
+
+  /**
+   * Validate the noproxy list: must be unique strings, each a valid IP address,
+   * CIDR subnet, domain name, or wildcard domain.
    */
   protected checkNoproxyList<S>(mergedSettings: S, currentValue: string[], desiredValue: string[], errors: string[], fqname: string): boolean {
     if (!Array.isArray(desiredValue) || desiredValue.some(s => typeof (s) !== 'string')) {
@@ -707,10 +728,10 @@ export default class SettingsValidator {
 
       return false;
     }
-    const invalidEntries = desiredValue.filter(entry => !SettingsValidator.isIPAddressOrCIDR(entry));
+    const invalidEntries = desiredValue.filter(entry => !SettingsValidator.isIPAddressOrCIDR(entry) && !SettingsValidator.isDomainName(entry));
 
     if (invalidEntries.length > 0) {
-      errors.push(`field "${ fqname }" has invalid entries (must be IP addresses or CIDR subnets): "${ invalidEntries.join('", "') }"`);
+      errors.push(`field "${ fqname }" has invalid entries (must be IP addresses, CIDR subnets, or domain names): "${ invalidEntries.join('", "') }"`);
 
       return false;
     }