updates to air-gapped containers and FAQs (#23844)

karman-docker · aevesdocker · web-flow · commit 8d8aaf791733 · 2025-12-16T15:18:03.000Z
## Description Doc updates from an internal feedback: https://docker.slack.com/archives/C0W4XJVFW/p1759224192244879?thread_ts=1759135611.564829&cid=C0W4XJVFW ## Related issues or tickets  ## Reviews   - [ ] Technical review - [x] Editorial review - [ ] Product review --------- Co-authored-by: aevesdocker <allie.sadler@docker.com>
diff --git a/content/manuals/desktop/troubleshoot-and-support/faqs/general.md b/content/manuals/desktop/troubleshoot-and-support/faqs/general.md
@@ -66,6 +66,47 @@ For more information and examples, see [how to connect from a container to a ser
 
 Docker Desktop does not support direct USB device passthrough. However, you can use USB over IP to connect common USB devices to the Docker Desktop VM and in turn be forwarded to a container. For more details, see [Using USB/IP with Docker Desktop](/manuals/desktop/features/usbip.md).
 
+### How do I verify Docker Desktop is using a proxy server ?
+
+To verify, look at the most recent events logged in `httpproxy.log`. This is located at `~/Library/Containers/com.docker.docker/Data/log/host` on macOS or `%LOCALAPPDATA%/Docker/log/host/` on Windows. 
+
+The following shows a few examples of what you can expect to see:
+
+- Docker Desktop using app level settings (proxy mode manual) for proxy:
+
+   ```console
+   host will use proxy: app settings http_proxy=http://172.211.16.3:3128 https_proxy=http://172.211.16.3:3128
+   Linux will use proxy: app settings http_proxy=http://172.211.16.3:3128 https_proxy=http://172.211.16.3:3128
+   ```
+
+- Docker Desktop using system level settings (proxy mode system) for proxy:
+
+   ```console
+   host will use proxy: static system http_proxy=http://172.211.16.3:3128 https_proxy=http://172.211.16.3:3128 no_proxy=
+   Linux will use proxy: static system http_proxy=http://172.211.16.3:3128 https_proxy=http://172.211.16.3:3128 no_proxy=
+   ```
+
+- Docker Desktop is not configured to use a proxy server:
+
+   ```console
+   host will use proxy: disabled
+   Linux will use proxy: disabled
+   ```
+
+- Docker Desktop is configured to use app level settings (proxy mode manual) and using a PAC file:
+
+   ```console
+   using a proxy PAC file: http://127.0.0.1:8081/proxy.pac
+   host will use proxy: app settings from PAC file http://127.0.0.1:8081/proxy.pac
+   Linux will use proxy: app settings from PAC file http://127.0.0.1:8081/proxy.pac
+   ```
+
+- Connect request using the configured proxy server:
+
+   ```console
+   CONNECT desktop.docker.com:443: host connecting via static system HTTPS proxy http://172.211.16.3:3128
+   ```
+
 ### How do I run Docker Desktop without administrator privileges?
 
 Docker Desktop requires administrator privileges only for installation. Once installed, administrator privileges are not needed to run it. However, for non-admin users to run Docker Desktop, it must be installed using a specific installer flag and meet certain prerequisites, which vary by platform.
diff --git a/content/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md b/content/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md
@@ -39,7 +39,6 @@ Some important considerations include:
 
 - The existing `proxy` setting continues to apply to Docker Desktop application traffic on the host
 - If PAC file download fails, containers block requests to target URLs
-- URL parameter format is `http://host_or_ip:port` or `https://host_or_ip:port`
 - Hostname is available for ports 80 and 443, but only IP addresses for other ports
 
 ## Prerequisites
@@ -143,6 +142,21 @@ function FindProxyForURL(url, host) {
 }
 ```
 
+### General considerations
+
+ - `FindProxyForURL` function URL parameter format is http://host_or_ip:port or https://host_or_ip:port
+ - If you have an internal container trying to access https://docs.docker.com/enterprise/security/hardened-desktop/air-gapped-containers the docker proxy service will submit docs.docker.com for the host value and https://docs.docker.com:443 for the url value to FindProxyForURL, if you are using `shExpMatch` function in your PAC file as follows:
+
+   ```console
+   if(shExpMatch(url, "https://docs.docker.com:443/enterprise/security/*")) return "DIRECT";
+   ```
+
+   `shExpMatch` function will fail, instead use:
+
+   ```console
+   if (host == docs.docker.com && url.indexOf(":443") > 0) return "DIRECT";
+   ```
+
 ### PAC file return values
 
 | Return value | Action |
