Outbound proxy configuration

Our discourse runs behind a proxy for outbound traffic.
We see that with “external system avatars enabled” selected the avatars are not loaded. Also the check for updates does not work.
We have set http_proxy and https_proxy. In the logging the message “Job exception: invalid address” is repeated.
How can we have outgoing requests working?

Is it the letter avatars that are the issue, or the uploaded avatars? Can you describe in detail how stuff is configured?

What’s the format of your http_proxy variables? Do they have a user and password inside?

We have no user and password. Output from set | grep -i proxy:

HTTPS_PROXY=http://<server>:<port>/
HTTP_PROXY=http://<server>:<port>/
NO_PROXY='127.0.0.1, localhost, <internal-network>'
http_proxy=http://<server>:<port>/
https_proxy=http://<server>:<port>/
no_proxy='127.0.0.1, localhost, <internal-network>'

A curl from within the container, which uses the proxy-settings:
curl -o /dev/null -v https://avatars.discourse.org/v2/letter/s/5f9b8f/45.png
results in: 200 OK

This is the letter avatars, but also the check for updates doesn’t work. It looks like all outgoing requests are failing.

We have a docker-host based on the standalone.yml. In the env: section we added the proxy-settings. Attaching to the running container shows that the proxy-settings are correct.

Last time I had to work in an environment like this I found that Ruby is the worst language in this aspect, where most HTTP methods don’t respect the proxy variables unless explicitly set, whereas Java, Python, Node and PHP all work fine. /rant

You can try to emulate the version check with:

ssh root@your.server.here
cd /var/discourse
./launcher enter app
cd /var/www/discourse
rails c
puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
## also
puts ENV ## does this print your proxy info?

Does it work or fail? What’s the error message?

No errors, all output looks fine.

root@93ca6a8ec7a6-discourse:/var/www/discourse# rails c
[1] pry(main)> puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
{"users":[{"id":1,"username":"sam","avatar_template":"/user_avatar/meta.discourse.org/sam/{size}/5243_1.png"},

... much more ...

Frequent Poster","user_id":1,"primary_group_id":47}]}]}}
=> nil

[2] pry(main)> ENV
...
 "HTTPS_PROXY"=>"http://<server>:8082/",
 "HTTP_PROXY"=>"http://<server>:8082/",
...
 "NO_PROXY"=>
  "127.0.0.1, localhost, <internal>",
...
 "http_proxy"=>"http://<server>:8082/",
 "https_proxy"=>"http://<server>:8082/",
 "no_proxy"=>
  "127.0.0.1, localhost, <internal>"}

Hello @Falco,
Any ideas on my output?
Peter

We can emulate the version check and we can disable remote avatars, but are there any more outbound connections known? If not, these workarounds could work for us, but we’re not sure if we introduce some other problems then…

You can simply disable version check in site settings at least.

We are not sure if there are other problems when we disable the version check and remote avatars. Are there any other outbound connections needed? As Dimitri also asked.

@pvdr - did you get this fully resolved? We too are running a discourse behind a firewall which means youtube/github oneboxes don’t work as expected. I’m told by our IS that we may be able to allow outbound access to youtube via our internal corp proxy, and searching for help turned up this thread.

We have problems also with the mail, so we haven’t migrated yet. The problems we had are not solved either.

Have there been any changes in more recent versions of Discourse?
Is there now a simple way to configure an outbound proxy?

It is important to hide the origin IP from attackers if Cloudflare protection is to work properly.

Related topics:

I can contribute code if needed; I just need some pointers on which code needs to be refactored to use some kind of proxy setting.

At the moment, we don’t support this use case.

My hunch is that this is best handled at the system level, by intercepting outbound connections (or all traffic not going to Cloudflare IP addresses) and redirecting them to a local proxy of some kind.

This is unfortunate. All kinds of applications have proxy settings. It is especially common in closed corporate environments.

Sure, any advice on how to get started with that? iptables?
I would really appreciate an example :slight_smile:
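The system-level redirection suggested earlier in the thread, as an added example that is not part of the original posts and not Discourse's own tooling: a shell function that prints, without applying, iptables nat rules for review. It assumes a transparent-capable local relay (uid 1500 and port 12345 are hypothetical) that forwards to the upstream proxy, that the rules are loaded in the network namespace where the application opens its sockets, and that 192.0.2.0/24 is a placeholder for the ranges that should stay direct.

```shell
#!/bin/sh
# Added example: print (do not apply) nat rules that send outbound web traffic
# to a local transparent relay. All values used here are constructed.

# emit_redirect_rules RELAY_UID RELAY_PORT [DIRECT_CIDR...]
#   RELAY_UID   numeric uid the relay runs as; its own traffic is exempted
#               so its upstream connections are not redirected back to itself
#   RELAY_PORT  local TCP port the relay listens on
#   DIRECT_CIDR destinations that must bypass the relay
emit_redirect_rules() {
  [ $# -ge 2 ] || return 1
  relay_uid=$1
  relay_port=$2
  shift 2
  case $relay_uid in ''|*[!0-9]*) return 1 ;; esac
  case $relay_port in ''|*[!0-9]*) return 1 ;; esac
  [ "$relay_port" -ge 1 ] && [ "$relay_port" -le 65535 ] || return 1

  chain=OUT_RELAY   # hypothetical chain name
  rules="iptables -t nat -N $chain
iptables -t nat -A $chain -m owner --uid-owner $relay_uid -j RETURN"
  # Loopback always stays direct, followed by the caller's exemptions.
  for cidr in 127.0.0.0/8 "$@"; do
    case $cidr in
      *[!0-9./]*|*/*/*|/*|*/) return 1 ;;  # reject anything not a.b.c.d/n shaped
      */*) ;;
      *) return 1 ;;                       # a prefix length is required
    esac
    rules="$rules
iptables -t nat -A $chain -d $cidr -j RETURN"
  done
  # Only web ports are redirected; other outbound traffic is left untouched.
  rules="$rules
iptables -t nat -A $chain -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports $relay_port
iptables -t nat -A OUTPUT -p tcp -j $chain"
  printf '%s\n' "$rules"
}

# Constructed values: relay uid 1500, relay port 12345, two direct ranges.
emit_redirect_rules 1500 12345 192.0.2.0/24 10.0.0.0/8
```

The order matters: the owner exemption and the direct ranges must precede the REDIRECT rule, otherwise the relay's own upstream connections loop back into it.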

For this case, I suggest starting here: Install discourse with internet access only via proxy

In most closed environments I have worked with in the past, traffic is generally forwarded transparently through the intercepting proxy.

I have no problem with the installation, only with the lack of a customizable proxy for outbound connections, such as when crawling other websites.

Correct me if I’m wrong, but the installation process and the running of Rails are separate aspects of the proxy configuration.

Did you solve this?