docs: document upstream proxy chaining for sandboxes

[robmry]

Description

Documents how Docker Sandboxes' outbound traffic interacts with an upstream (for example, corporate) proxy. This was previously only described in internal-facing notes.

Adds an Upstream proxy subsection under the existing Networking heading on the Sandboxes architecture page, covering:

• How the host-side proxy chains to an upstream proxy — direct routes are followed directly, and only destinations that require a proxy are forwarded to it, so sandbox traffic respects the same egress controls as other host applications.
• The HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables the sandbox daemon reads (including lowercase equivalents), and using NO_PROXY for direct-reach exclusions.
• DOCKER_SANDBOXES_PROXY — scoped to sandbox traffic only, sets one URL for both HTTP and HTTPS, and doesn't affect image pulls or the daemon's own requests.
• That the variables must be set in the daemon's environment at launch.
• Limitations: only HTTP/HTTPS traffic can be forwarded (no raw TCP), and proxy.pac files aren't supported.

Prompted by support questions about routing sandbox traffic through a corporate proxy.

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for docsdocker ready!

Name	Link
🔨 Latest commit	f9a09aa
🔍 Latest deploy log	https://app.netlify.com/projects/docsdocker/deploys/6a2fcf9a3be819000899f7d8
😎 Deploy Preview	https://deploy-preview-25359--docsdocker.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[docker-agent]

Assessment: 🟢 APPROVE

The new Upstream proxy subsection is clear, well-scoped, and accurately documents sandbox proxy chaining behavior. One minor style guide issue was found.

Severity	Count
🟡 Medium	1

[dvdksn]

LGTM!