Configuration outbound proxy

pvdr · July 11, 2017, 9:19am

Our discourse runs behind a proxy for outbound traffic.
We see that with “external system avatars enabled” selected the avatars are not loaded. Also the check for updates does not work.
We have set http_proxy and https_proxy. In the logging the message “Job exception: invalid address” is repeated.
How can we have outgoing requests working?

sam · July 11, 2017, 12:29pm

Is this the letter avatars that is an issue or the uploaded avatars? Can you describe in detail how stuff is configured?

Falco · July 11, 2017, 2:45pm

What’s the format of your http_ proxy variables? It has user and password inside?

pvdr · July 12, 2017, 9:21am

We have no user and password, output from set | grep -i proxy

HTTPS_PROXY=http://<server>:<port>/
HTTP_PROXY=http://<server>:<port>/
NO_PROXY='127.0.0.1, localhost, <internal-network>'
http_proxy=http://<server>:<port>/
https_proxy=http://<server>:<port>/
no_proxy='127.0.0.1, localhost, <internal-network>'

A curl from within the container, which uses the proxy-settings:
curl -o /dev/null -v https://avatars.discourse.org/v2/letter/s/5f9b8f/45.png
results in: 200 OK

pvdr · July 12, 2017, 9:27am

This is the letter avatars, but also the check for updates doesn’t work. It looks like all outgoing requests are failing.

We have a docker-host based on the standalone.yml. In the env: section we added the proxy-settings. Attaching to the running container shows that the proxy-settings are correct.

Falco · July 12, 2017, 4:11pm

Last time I had to work in an environment like this I found that Ruby is the worst language in this aspect, where most http methods don’t respect the proxy variables unless explicitly set, where java, python, node, php all work fine. /rant

You can try to emulate the version check with:

ssh root@your.server.here
cd /var/discourse
./launcher enter app
cd /var/www/discourse
rails c
puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
## also
puts ENV ## does this prints your proxy info?

It works or fail? What’s the error message?

pvdr · July 13, 2017, 11:19am

No errors, all output looks fine.

root@93ca6a8ec7a6-discourse:/var/www/discourse# rails c
[1] pry(main)> puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
{"users":[{"id":1,"username":"sam","avatar_template":"/user_avatar/meta.discourse.org/sam/{size}/5243_1.png"},

... much more ...

Frequent Poster","user_id":1,"primary_group_id":47}]}]}}
=> nil

[2] pry(main)> ENV
...
 "HTTPS_PROXY"=>"http://<server>:8082/",
 "HTTP_PROXY"=>"http://<server>:8082/",
...
 "NO_PROXY"=>
  "127.0.0.1, localhost, <internal>",
...
 "http_proxy"=>"http://<server>:8082/",
 "https_proxy"=>"http://<server>:8082/",
 "no_proxy"=>
  "127.0.0.1, localhost, <internal>"}

pvdr · August 16, 2017, 8:26am

Hello @Falco,
Any ideas on my output?
Peter

dvh · August 22, 2017, 1:37pm

We can emulate the version check and we can disable remote avatars, but are there any more outbound connections known? If not, these workarounds could work for us, but we’re not sure if we introduce some other problems then…

codinghorror · August 23, 2017, 12:20am

You can simply disable version check in site settings at least.

pvdr · August 23, 2017, 8:01am

We are not sure if there are other problems when we disable the version check and remote avatars. Are there any other outbound connections needed? As Dimitri also asked.

popey · October 11, 2017, 9:59am

@pvdr - did you get this fully resolved? We too are running a discourse behind a firewall which means youtube/github oneboxes don’t work as expected. I’m told by our IS that we may be able to allow outbound access to youtube via our internal corp proxy, and searching for help turned up this thread.

pvdr · October 12, 2017, 12:57pm

We have problems also with the mail, so we haven’t migrated yet. The problems we had are not solved either.

SystemZ · July 29, 2020, 2:40am

Anything changed in newer versions of Discourse?
Is there now an easy way to setup outgoing proxy?

Is important to hide origin IP from attackers if Cloudflare protection must work correctly.

Related topics:

I can contribute to code if it’s necessary, I just need some tips which code needs to be refactored to use some kind of proxy settings.

supermathie · July 29, 2020, 4:52pm

We don’t support this use case at the moment.

My instinct is that this is probably best handled at the system level by intercepting outbound connections (or: all traffic not going to Cloudflare’s IPs) and shunting them to a local proxy of some sort.

SystemZ · July 29, 2020, 5:13pm

This is unfortunate. All kind of apps have proxy settings. Especially common in corp. closed environment.

Sure, any tips how to start with that? Iptables?
Some example would be much appreciated

supermathie · July 29, 2020, 5:22pm

For this case, I would suggest starting here: Install discourse with internet access only via proxy

In most of the closed environments I’ve worked with in the past, the traffic is usually forwarded transparently the intercepting proxy.

SystemZ · July 29, 2020, 5:26pm

I have no problem with installation, only with lack of customizable proxy for outgoing connections like crawling other websites.

Correct me if I’m wrong, installation process vs working rails are separate in proxy settings.

Topic		Replies	Views
Discourse Link previews through a proxy server? installation	25	3399	May 28, 2023
Remote users IPV6 address shows as localhost support	30	4363	September 13, 2020
Discourse in a closed intranet installation	26	5934	November 6, 2017
Discourse shows server IP/localhost as user's IP installation unsupported-install	19	1556	July 12, 2022
Site is accessible on the IP address when not following th install guide feature	18	1814	June 30, 2020

Configuration outbound proxy

Related Topics