Configuration outbound proxy

Our discourse runs behind a proxy for outbound traffic.
We see that with “external system avatars enabled” selected the avatars are not loaded. Also the check for updates does not work.
We have set http_proxy and https_proxy. In the logging the message “Job exception: invalid address” is repeated.
How can we have outgoing requests working?

1 Like

Is this the letter avatars that is an issue or the uploaded avatars? Can you describe in detail how stuff is configured?

What’s the format of your http_ proxy variables? It has user and password inside?

We have no user and password, output from set | grep -i proxy

HTTPS_PROXY=http://<server>:<port>/
HTTP_PROXY=http://<server>:<port>/
NO_PROXY='127.0.0.1, localhost, <internal-network>'
http_proxy=http://<server>:<port>/
https_proxy=http://<server>:<port>/
no_proxy='127.0.0.1, localhost, <internal-network>'

A curl from within the container, which uses the proxy-settings:
curl -o /dev/null -v https://avatars.discourse.org/v2/letter/s/5f9b8f/45.png
results in: 200 OK

This is the letter avatars, but also the check for updates doesn’t work. It looks like all outgoing requests are failing.

We have a docker-host based on the standalone.yml. In the env: section we added the proxy-settings. Attaching to the running container shows that the proxy-settings are correct.

Last time I had to work in an environment like this I found that Ruby is the worst language in this aspect, where most http methods don’t respect the proxy variables unless explicitly set, where java, python, node, php all work fine. /rant

You can try to emulate the version check with:

ssh root@your.server.here
cd /var/discourse
./launcher enter app
cd /var/www/discourse
rails c
puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
## also
puts ENV ## does this prints your proxy info?

It works or fail? What’s the error message?

1 Like

No errors, all output looks fine.

root@93ca6a8ec7a6-discourse:/var/www/discourse# rails c
[1] pry(main)> puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
{"users":[{"id":1,"username":"sam","avatar_template":"/user_avatar/meta.discourse.org/sam/{size}/5243_1.png"},

... much more ...

Frequent Poster","user_id":1,"primary_group_id":47}]}]}}
=> nil

[2] pry(main)> ENV
...
 "HTTPS_PROXY"=>"http://<server>:8082/",
 "HTTP_PROXY"=>"http://<server>:8082/",
...
 "NO_PROXY"=>
  "127.0.0.1, localhost, <internal>",
...
 "http_proxy"=>"http://<server>:8082/",
 "https_proxy"=>"http://<server>:8082/",
 "no_proxy"=>
  "127.0.0.1, localhost, <internal>"}

Hello @Falco,
Any ideas on my output?
Peter

1 Like

We can emulate the version check and we can disable remote avatars, but are there any more outbound connections known? If not, these workarounds could work for us, but we’re not sure if we introduce some other problems then…

You can simply disable version check in site settings at least.

We are not sure if there are other problems when we disable the version check and remote avatars. Are there any other outbound connections needed? As Dimitri also asked.

@pvdr - did you get this fully resolved? We too are running a discourse behind a firewall which means youtube/github oneboxes don’t work as expected. I’m told by our IS that we may be able to allow outbound access to youtube via our internal corp proxy, and searching for help turned up this thread.

We have problems also with the mail, so we haven’t migrated yet. The problems we had are not solved either.

Anything changed in newer versions of Discourse?
Is there now an easy way to setup outgoing proxy?

Is important to hide origin IP from attackers if Cloudflare protection must work correctly.

Related topics:

I can contribute to code if it’s necessary, I just need some tips which code needs to be refactored to use some kind of proxy settings.

1 Like

We don’t support this use case at the moment.

My instinct is that this is probably best handled at the system level by intercepting outbound connections (or: all traffic not going to Cloudflare’s IPs) and shunting them to a local proxy of some sort.

This is unfortunate. All kind of apps have proxy settings. Especially common in corp. closed environment.

Sure, any tips how to start with that? Iptables?
Some example would be much appreciated :slight_smile:

For this case, I would suggest starting here: Install discourse with internet access only via proxy

In most of the closed environments I’ve worked with in the past, the traffic is usually forwarded transparently the intercepting proxy.

1 Like

I have no problem with installation, only with lack of customizable proxy for outgoing connections like crawling other websites.

Correct me if I’m wrong, installation process vs working rails are separate in proxy settings.