feat: add mask request host (#1479)

Co-authored-by: Joe Lombrozo <[email protected]>

Author: dobrac

packages/api/go.mod

@@ -65,6 +65,7 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.38.0
 	go.opentelemetry.io/otel/trace v1.38.0
 	go.uber.org/zap v1.27.0
+	golang.org/x/net v0.44.0
 	golang.org/x/sync v0.17.0
 	google.golang.org/grpc v1.75.1
 	google.golang.org/protobuf v1.36.9
@@ -279,7 +280,6 @@ require (
 	golang.org/x/exp v0.0.0-20250531010427-b6e5de432a8b // indirect
 	golang.org/x/image v0.25.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.44.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/text v0.29.0 // indirect

packages/api/internal/api/spec.gen.go

@@ -3,13 +3,16 @@ package handlers
 import (
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
+	"golang.org/x/net/idna"
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
 	"github.com/e2b-dev/infra/packages/api/internal/auth"
@@ -160,9 +163,36 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 
 	var network *types.SandboxNetworkConfig
 	if body.Network != nil {
+		maskRequestHost := body.Network.MaskRequestHost
+		if maskRequestHost != nil {
+			hostname, _, err := splitHostPortOptional(*maskRequestHost)
+			if err != nil {
+				telemetry.ReportError(ctx, "error when splitting mask request host", err, telemetry.WithSandboxID(sandboxID))
+				a.sendAPIStoreError(c, http.StatusBadRequest, fmt.Sprintf("Invalid mask request host: %s", err))
+
+				return
+			}
+
+			host, err := idna.Display.ToASCII(hostname)
+			if err != nil {
+				telemetry.ReportError(ctx, "error when parsing mask request host", err, telemetry.WithSandboxID(sandboxID))
+				a.sendAPIStoreError(c, http.StatusBadRequest, fmt.Sprintf("Invalid mask request host: %s", err))
+
+				return
+			}
+
+			if !strings.EqualFold(host, hostname) {
+				telemetry.ReportError(ctx, "mask request host is not ASCII", nil, telemetry.WithSandboxID(sandboxID), attribute.String("mask_request_host", hostname), attribute.String("mask_request_host_ascii", host))
+				a.sendAPIStoreError(c, http.StatusBadRequest, fmt.Sprintf("Mask request host '%s' is not ASCII. Please use ASCII characters only.", hostname))
+
+				return
+			}
+		}
+
 		network = &types.SandboxNetworkConfig{
 			Ingress: &types.SandboxNetworkIngressConfig{
 				AllowPublicAccess: sharedUtils.DerefOrDefault(body.Network.AllowPublicTraffic, true),
+				MaskRequestHost:   maskRequestHost,
 			},
 			Egress: &types.SandboxNetworkEgressConfig{
 				AllowedAddresses: sharedUtils.DerefOrDefault(body.Network.AllowOut, nil),
@@ -266,3 +296,16 @@ func firstAlias(aliases []string) string {
 
 	return aliases[0]
 }
+
+func splitHostPortOptional(hostport string) (host string, port string, err error) {
+	host, port, err = net.SplitHostPort(hostport)
+	if err != nil {
+		if strings.Contains(err.Error(), "missing port") {
+			return hostport, "", nil
+		}
+
+		return "", "", err
+	}
+
+	return host, port, nil
+}

packages/api/internal/api/types.gen.go

@@ -59,6 +59,10 @@ func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess
 		orchNetwork.Egress.DeniedCidrs = addressStringsToCIDRs(network.Egress.DeniedAddresses)
 	}
 
+	if network != nil && network.Ingress != nil {
+		orchNetwork.Ingress.MaskRequestHost = network.Ingress.MaskRequestHost
+	}
+
 	// Handle the case where internet access is explicitly disabled
 	// This should be applied after copying the network config to preserve allowed addresses
 	if allowInternetAccess != nil && !*allowInternetAccess {

packages/api/internal/handlers/sandbox_create.go

@@ -51,6 +51,7 @@ func (n *Node) GetSandboxes(ctx context.Context) ([]sandbox.Sandbox, error) {
 		network := &types.SandboxNetworkConfig{
 			Ingress: &types.SandboxNetworkIngressConfig{
 				AllowPublicAccess: networkTrafficAccessToken == nil,
+				MaskRequestHost:   config.GetNetwork().GetIngress().MaskRequestHost,
 			},
 			Egress: &types.SandboxNetworkEgressConfig{
 				AllowedAddresses: config.GetNetwork().GetEgress().GetAllowedCidrs(),

packages/api/internal/orchestrator/create_instance.go

@@ -18,7 +18,8 @@ type SandboxNetworkEgressConfig struct {
 }
 
 type SandboxNetworkIngressConfig struct {
-	AllowPublicAccess bool `json:"allowPublicAccess,omitempty"`
+	AllowPublicAccess bool    `json:"allowPublicAccess,omitempty"`
+	MaskRequestHost   *string `json:"maskRequestHost,omitempty"`
 }
 
 type SandboxNetworkConfig struct {