Skip to content

Worker region hints break outbound interception #226

Open
Open
Worker region hints break outbound interception#226
Assignees
gabivlj

Description

@neekolas
neekolas
opened on Jun 17, 2026

Summary

Outbound interception for @cloudflare/containers appears to stop working when a Worker is deployed with a targeted region placement hint.

Reproduction PR: #225

The PR modifies examples/egress-tests so the same service can be deployed in two environments:

  • global: no Worker region hint
  • regional: uses placement = { mode = "targeted", region = "aws:us-east-1" }

Both environments use the same egress interception configuration. The main behavioral difference is the regional Worker placement hint.

Expected Behavior

The global and regional deployments should behave the same:

  • deniedHosts should block denied hosts with 520
  • allowedHosts should block non-allowed hosts with 520
  • outboundByHost handlers should intercept matching hosts
  • catch-all outbound should intercept allowed hosts without a specific handler

Actual Behavior

The global deployment passes all egress interception tests.

Test Files  1 passed (1)
     Tests  9 passed (9)
  Start at  08:09:26
  Duration  30.09s (transform 12ms, setup 0ms, import 21ms, tests 29.97s, environment 0ms)

The regional deployment fails all egress interception tests.

❯ test/egress.test.ts (9 tests | 9 failed) 66403ms
      × deniedHosts blocks the request 2861ms
      × allowedHosts gate blocks non-allowed hosts 1953ms
      × outboundByHost handler is invoked for matching allowed host 2440ms
      × catch-all outbound handler is invoked for allowed host without specific handler 2988ms
      × denied host is blocked even if it would match allowedHosts 2122ms
      × glob pattern in outboundByHost matches subdomains 3466ms
      × glob pattern in outboundByHost matches deeply nested subdomains 3172ms
      × glob pattern in allowedHosts blocks non-matching host 29074ms
      × denyHost also blocks the same hostname with a trailing dot 18326ms

Representative failures:

FAIL  test/egress.test.ts > egress interception > regional > deniedHosts blocks the request
AssertionError: expected 200 to be 520 // Object.is equality

- Expected
+ Received

- 520
+ 200

FAIL  test/egress.test.ts > egress interception > regional > outboundByHost handler is invoked for matching allowed host
AssertionError: expected 'Not Found' to be 'outboundByHost: by-host.com' // Object.is equality

Expected: "outboundByHost: by-host.com"
Received: "Not Found"

This suggests requests from the regional deployment are reaching the origin path instead of going through the configured outbound interception logic.

Reproduction

From the PR branch:

cd examples/egress-tests

npx wrangler deploy --env global
npx wrangler deploy --env regional

Then run:

EGRESS_TEST_ENV=global \
EGRESS_TEST_BASE_URL=https://egress-tests-global.$YOUR_WORKERS_DEV_DOMAIN \
npx vitest run test/egress.test.ts
EGRESS_TEST_ENV=regional \
EGRESS_TEST_BASE_URL=https://egress-tests-regional.$YOUR_WORKERS_DEV_DOMAIN \
npx vitest run test/egress.test.ts

Notes

The repro uses distinct container application names per environment so both deployments can exist in the same account.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions