Error with System Proxy in Docker #2367

@lightumcc

Describe the bug

On the host machine, I enabled the system proxy through proxy software (Surge or Clash). Without going through any proxy nodes (in direct connection mode), the curl command inside the container exhibited abnormal behavior.

To Reproduce

  1. Set a system proxy on the host machine
  2. Run a new Docker Container with docker run --rm curlimages/curl -v https://google.com
  3. See the error with the following log
% Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              0* Host google.com:443 was resolved.
* IPv6: 2607:f8b0:4023:1804::8a, 2607:f8b0:4023:1804::65, 2607:f8b0:4023:1804::8b, 2607:f8b0:4023:1804::71
* IPv4: 142.250.137.138, 142.250.137.139, 142.250.137.101, 142.250.137.113, 142.250.137.102, 142.250.137.100
*   Trying [2607:f8b0:4023:1804::8a]:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1556 bytes data]
* SSL Trust Anchors:
*   CAfile: /cacert.pem
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, decode error (562):
} [2 bytes data]
* TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

Expected behavior

Expected Log

% Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              0* Host google.com:443 was resolved.
* IPv6: 2607:f8b0:4023:1804::8a, 2607:f8b0:4023:1804::65, 2607:f8b0:4023:1804::8b, 2607:f8b0:4023:1804::71
* IPv4: 142.250.137.138, 142.250.137.139, 142.250.137.101, 142.250.137.113, 142.250.137.102, 142.250.137.100
*   Trying [2607:f8b0:4023:1804::8a]:443...
*   Trying 142.250.137.138:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1556 bytes data]
* SSL Trust Anchors:
*   CAfile: /cacert.pem
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [1210 bytes data]
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [6342 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=*.google.com
*   start date: Feb 23 18:19:44 2026 GMT
*   expire date: May 18 18:19:43 2026 GMT
*   issuer: C=US; O=Google Trust Services; CN=WR2
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
*   subjectAltName: "google.com" matches cert's "google.com"
* SSL certificate verified via OpenSSL.
* Established connection to google.com (142.250.137.138 port 443) from 192.168.215.2 port 37420
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://google.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.18.0]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET / HTTP/2
> Host: google.com
> User-Agent: curl/8.18.0
> Accept: */*
>
* Request completely sent off
} [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [283 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [283 bytes data]
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-JIaxteQPq9ozMM9e-kE9tg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< reporting-endpoints: default="//www.google.com/httpservice/retry/jserror?ei=at7DacfeKdKFp84Pr-yWwA4&cad=crash&error=Page%20Crash&jsel=1&bver=2408&dpf=Sj3EYDM6y25PbUsuwOaXp5ivpp772HVOVjJgmHnBr7I"
< date: Wed, 25 Mar 2026 13:08:58 GMT
< expires: Fri, 24 Apr 2026 13:08:58 GMT
< cache-control: public, max-age=2592000
< <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

Diagnostic report (REQUIRED)

OrbStack info:
Version: 2.0.5
Commit: cfe47627f138ffd822c958553b0a93eaf2692c71 (v2.0.5)

System info:
macOS: 26.4 (25E241)
CPU: arm64, 14 cores
CPU model: Apple M4 Pro
Model: Mac16,8
Memory: 48 GiB

Full report: https://orbstack.dev/_admin/diag/orbstack-diagreport_2026-03-25T12-59-42.696834Z.zip

Screenshots and additional context (optional)

No response
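A triage aid for the two traces in this report, added here as an example and not part of the original issue or of OrbStack: it summarizes a `curl -v` trace by the addresses tried, the inbound TLS records seen and the stage the handshake reached. The function name `summarize` is hypothetical, and the sample traces are constructed by trimming the logs above.

```python
import re

# Constructed samples: trimmed copies of the failing and expected traces in the report.
FAILING = """\
*   Trying [2607:f8b0:4023:1804::8a]:443...
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
"""
WORKING = """\
*   Trying [2607:f8b0:4023:1804::8a]:443...
*   Trying 142.250.137.138:443...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* Established connection to google.com (142.250.137.138 port 443) from 192.168.215.2 port 37420
"""

TRY_RE = re.compile(r"^\*\s+Trying \[?([0-9a-fA-F:.]+?)\]?:(\d+)\.\.\.")
TLS_RE = re.compile(r"^\* (TLSv[\d.]+) \((IN|OUT)\), TLS ([^,]+), (.+?) \((\d+)\):")
ERR_RE = re.compile(r"^\* TLS connect error: (.+)$")

def summarize(trace):
    """Return addresses tried, inbound record count, stage reached and TLS error."""
    tried, records, error, established = [], [], None, False
    for line in trace.splitlines():
        if m := TRY_RE.match(line):
            tried.append(m.group(1))
        elif m := TLS_RE.match(line):
            records.append((m.group(2), m.group(3), m.group(4)))  # direction, type, message
        elif m := ERR_RE.match(line):
            error = m.group(1)
        elif line.startswith("* Established connection"):
            established = True
    inbound = [r for r in records if r[0] == "IN"]
    if established:
        stage = "handshake completed"
    elif not records:
        stage = "no TLS records sent"
    elif not inbound:
        stage = "no inbound TLS record before failure"
    else:
        stage = "failed after " + inbound[-1][2]
    return {"tried": tried, "inbound": len(inbound), "stage": stage, "error": error}
```

On the failing trace the summary shows one address attempted, zero inbound records and the OpenSSL EOF error; on the expected trace it shows the IPv4 address also attempted and a completed handshake.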

Labels: t/bug (Something isn't working)
