Bitcrumbs, LLC

When Digital World Falls Apart

How to propagate HTTP Proxy



Do you work in a corporate environment and need to build someone else’s Dockerfile? Are you having headaches from trying to propagate proxy settings inside docker-in-docker setups? Do you have VM images running Ansible playbooks that build Maven applications?

What is HTTP Proxy

You are likely to find HTTP proxies on corporate networks, especially at corporations that need to be able to trace sources of malware or attacks. An HTTP proxy is a service that inspects and relays HTTP requests and responses between you and the destination server. A common setup is to block the HTTP(S) ports (80 and 443) for all computers on a subnet, but let them route HTTP traffic through a proxy. If you open an unconfigured web browser on such a system and try to reach a website, it will tell you that the host either can’t be reached or your connection timed out. However, if you enable proxy settings, the browser will suddenly work! That is because instead of connecting to your destination server on an HTTP port, you are now connecting to the HTTP proxy and asking it to reach out to the destination instead.

The benefits of such a setup are two-fold. The proxy may redirect traffic to a local cache for common destinations such as a package repository, or it can inspect (and modify) the traffic that goes through it. This enables the use of intrusion detection systems, antivirus, and other security features, and it allows the proxy to log every destination your session has visited, so IT can trace where a leak or attack went to or came from.
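The exchange described above, as an added example that is not part of the original post: a loopback-only toy proxy shows that the client connects to the proxy, names the destination as an absolute URL in the request line, and leaves an entry in the proxy's log. The class and function names, the `VISITED` list and the sample path are assumptions made for this illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

VISITED = []  # (client address, destination URL): the proxy's access log

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence the default stderr logging
        pass

    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Origin(Quiet):
    def do_GET(self):
        # The origin only ever sees the path, relayed by the proxy.
        self.reply(200, b"origin saw " + self.path.encode())

class Proxy(Quiet):
    def do_GET(self):
        # A proxied client sends the absolute URL in the request line.
        target = urlsplit(self.path)
        VISITED.append((self.client_address[0], self.path))
        upstream = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
        upstream.request("GET", target.path or "/")
        resp = upstream.getresponse()
        self.reply(resp.status, resp.read())
        upstream.close()

def serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_via_proxy(path="/repo/index.html"):
    """Request the origin through the proxy; return (body, proxy log)."""
    origin, proxy = serve(Origin), serve(Proxy)
    url = "http://127.0.0.1:%d%s" % (origin.server_port, path)
    conn = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
    conn.request("GET", url)  # connect to the proxy, ask for the destination
    body = conn.getresponse().read()
    conn.close()
    for server in (origin, proxy):
        server.shutdown()
        server.server_close()
    return body, list(VISITED)
```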

Most Linux tools respect three environment variables that deal with proxy settings. For proxies that need no authentication, “username:password@” can be dropped:

$ export http_proxy="http://username:password@host:port"
$ export https_proxy="https://username:password@host:port"
$ export no_proxy="comma,separated,subnets,and,*.hosts"

However, if you are in charge of development efforts and run different DevOps pipelines, you are likely to run into trouble: a prebuilt Docker image will refuse to connect. Neither will a process used while building a Dockerfile, nor Maven, Ansible, or even some versions of curl.

How to configure docker

Luckily, Docker can propagate proxy settings to most of its containers using the Docker client config. On Linux machines this file can be created in ~/.docker/config.json:

{
 "proxies": {
   "default": {
     "httpProxy": "http://username:password@host:port",
     "httpsProxy": "https://username:password@host:port",
     "noProxy": "comma,separated,subnets,and,*.hosts"
   }
 }
}

After this, the next time you create a container (to build an image or run an existing one), Docker will populate the container’s environment variables (http_proxy, https_proxy, and no_proxy) with the values provided. More information about this specific setup can be found in Docker’s documentation.

How to configure Maven

Like Docker, Maven does not respect proxy environment variables. Instead it uses its settings file. Again, you can create one with your proxy information in ~/.m2/settings.xml:

<settings>
[...]
  <proxies>
    <proxy>
      <active>true</active>
      <protocol>http</protocol>
      <host>host</host>
      <port>port</port>
      <username>username</username>
      <password>password</password>
      <nonProxyHosts>pipe|separated|subnets|and|*.hosts</nonProxyHosts>
    </proxy>
  </proxies>
[...]
</settings>
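The Docker and Maven files above carry the same settings in different notations, so the following added example (not part of the original post) derives both from one proxy URL and a comma-separated no_proxy list, including the percent-decoding of credentials and the comma-to-pipe conversion. The function names and sample values are assumptions constructed for illustration; `write_private` stores the result with 0600 permissions because both files hold the proxy password in plain text.

```python
import json
import os
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample values; the password "p@ss:word" is percent-encoded in the URL.
SAMPLE_PROXY = "http://build:p%40ss%3Aword@proxy.example.internal:3128"
SAMPLE_NO_PROXY = "localhost,10.0.0.0/8,.corp.example"


def docker_config(http_proxy, https_proxy, no_proxy):
    """Body of ~/.docker/config.json; Docker takes the URLs and list verbatim."""
    default = {"httpProxy": http_proxy, "httpsProxy": https_proxy,
               "noProxy": no_proxy}
    return json.dumps({"proxies": {"default": default}}, indent=2)


def maven_settings(proxy_url, no_proxy):
    """A minimal ~/.m2/settings.xml with one <proxy> derived from proxy_url."""
    parts = urlsplit(proxy_url)
    if not parts.hostname or parts.port is None:
        raise ValueError("proxy URL needs an explicit host and port")
    fields = [("active", "true"), ("protocol", parts.scheme),
              ("host", parts.hostname), ("port", str(parts.port))]
    if parts.username:
        # URL userinfo is percent-encoded; the XML elements hold raw values.
        fields.append(("username", unquote(parts.username)))
        fields.append(("password", unquote(parts.password or "")))
    # no_proxy is comma separated, nonProxyHosts is pipe separated; the
    # leading-dot suffix idiom (".corp.example") becomes "*.corp.example".
    hosts = [h.strip() for h in no_proxy.split(",") if h.strip()]
    hosts = ["*" + h if h.startswith(".") else h for h in hosts]
    fields.append(("nonProxyHosts", "|".join(hosts)))
    settings = ET.Element("settings")
    proxy = ET.SubElement(ET.SubElement(settings, "proxies"), "proxy")
    for tag, text in fields:
        ET.SubElement(proxy, tag).text = text  # ElementTree escapes &, < and >
    return ET.tostring(settings, encoding="unicode")


def write_private(path, text):
    """Write a credential-bearing file that only its owner can read (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```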

How to configure Ansible

If you are reading this, you are likely not writing Ansible playbooks, but rather trying to run someone else’s playbook. They didn’t foresee running their playbook behind a proxy; is everything lost? Ansible supports proxies for its hosts, but those are Ansible-only variables. They will not propagate and will not affect commands that Ansible calls. Instead, we can create a “Master Playbook” with tasks to set up environment variables and Docker proxies, and then run the target playbook:

- hosts: all
  tasks:
    # Persist the proxy variables system-wide for later logins and services
    - name: Setup Environment Proxy
      ansible.builtin.lineinfile:
          path: /etc/environment
          line: "{{ item }}"
      with_items:
          - 'http_proxy="http://username:password@host:port"'
          - 'https_proxy="https://username:password@host:port"'
          - 'no_proxy="comma,separated,subnets,and,*.hosts"'
    # Copy the Docker client config from the control machine to each host
    - name: Setup Docker Proxy
      copy:
          src: "~/.docker/config.json"
          dest: "~/.docker/config.json"
    # Copy the Maven settings file from the control machine to each host
    - name: Setup Maven Proxy
      copy:
          src: "~/.m2/settings.xml"
          dest: "~/.m2/settings.xml"

- import_playbook: path-to-target-playbook.yml

How to keep your sanity in the complex world of security?

My name is Dr. Ponomarev and I’ve been doing research in cybersecurity for years. If you liked what you’ve read here please subscribe for more informative content about problems that matter.
