Outbound proxy configuration

Our discourse runs behind a proxy for outbound traffic.
We see that with “external system avatars enabled” selected the avatars are not loaded. Also the check for updates does not work.
We have set http_proxy and https_proxy. In the logs, the message “Job exception: invalid address” is repeated.
How can we have outgoing requests working?

Is this the letter avatars that is an issue or the uploaded avatars? Can you describe in detail how stuff is configured?

What’s the format of your http_proxy variables? Does it have a user and password inside?

We have no user and password. Output from set | grep -i proxy:

HTTPS_PROXY=http://<server>:<port>/
HTTP_PROXY=http://<server>:<port>/
NO_PROXY='127.0.0.1, localhost, <internal-network>'
http_proxy=http://<server>:<port>/
https_proxy=http://<server>:<port>/
no_proxy='127.0.0.1, localhost, <internal-network>'

A curl from within the container, which uses the proxy-settings:
curl -o /dev/null -v https://avatars.discourse.org/v2/letter/s/5f9b8f/45.png
results in: 200 OK

This is the letter avatars, but also the check for updates doesn’t work. It looks like all outgoing requests are failing.

We have a docker-host based on the standalone.yml. In the env: section we added the proxy-settings. Attaching to the running container shows that the proxy-settings are correct.

Last time I had to work in an environment like this I found that Ruby is the worst language in this aspect, where most http methods don’t respect the proxy variables unless explicitly set, where java, python, node, php all work fine. /rant

You can try to emulate the version check with:

ssh root@your.server.here
cd /var/discourse
./launcher enter app
cd /var/www/discourse
rails c
puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
## also
puts ENV ## does this print your proxy info?

Does it work or fail? What’s the error message?

No errors, all output looks fine.

root@93ca6a8ec7a6-discourse:/var/www/discourse# rails c
[1] pry(main)> puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
{"users":[{"id":1,"username":"sam","avatar_template":"/user_avatar/meta.discourse.org/sam/{size}/5243_1.png"},

... much more ...

Frequent Poster","user_id":1,"primary_group_id":47}]}]}}
=> nil

[2] pry(main)> ENV
...
 "HTTPS_PROXY"=>"http://<server>:8082/",
 "HTTP_PROXY"=>"http://<server>:8082/",
...
 "NO_PROXY"=>
  "127.0.0.1, localhost, <internal>",
...
 "http_proxy"=>"http://<server>:8082/",
 "https_proxy"=>"http://<server>:8082/",
 "no_proxy"=>
  "127.0.0.1, localhost, <internal>"}

Hello @Falco,
Any ideas on my output?
Peter
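
An added example, not part of the original thread and not Discourse code: a small Ruby check for the situation discussed above, reporting whether the proxy variables are set consistently and which proxy Ruby's standard library (`URI#find_proxy`) would choose for a given URL. The proxy host name, port 8082 and the 10.0.0.0/8 range in the sample are constructed placeholders, and the result says nothing about how Excon or other gems resolve proxies.

```ruby
require 'uri'

# Constructed sample environment mirroring the shape posted in the thread;
# proxy.example.internal, port 8082 and 10.0.0.0/8 are placeholders.
SAMPLE_ENV = {
  'http_proxy'  => 'http://proxy.example.internal:8082/',
  'https_proxy' => 'http://proxy.example.internal:8082/',
  'no_proxy'    => '127.0.0.1, localhost, 10.0.0.0/8'
}.freeze

PROXY_KEYS = %w[http_proxy https_proxy no_proxy].freeze

# Report proxy variables that are missing, or set to different values in
# lower and upper case, since clients differ in which spelling they read.
def proxy_env_issues(env)
  PROXY_KEYS.each_with_object([]) do |key, issues|
    lower = env[key]
    upper = env[key.upcase]
    if lower.nil? && upper.nil?
      issues << "#{key}: not set"
    elsif lower && upper && lower != upper
      issues << "#{key}: lower/upper case values differ"
    end
  end
end

# Ask Ruby's standard library which proxy it would pick for a URL.
# Returns "host:port" of the proxy, or nil for a direct connection
# (loopback targets and no_proxy matches are connected to directly).
def proxy_for(url, env)
  proxy = URI.parse(url).find_proxy(env)
  proxy && "#{proxy.host}:#{proxy.port}"
end

# When run directly: check the real environment and any URLs given as arguments.
if $PROGRAM_NAME == __FILE__
  puts proxy_env_issues(ENV.to_h)
  ARGV.each { |url| puts "#{url} -> #{proxy_for(url, ENV.to_h) || 'direct'}" }
end
```

Run it with the same environment as the process that logs the job exception, since a shell attached to the container may not see the same variables as the running workers.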

We can emulate the version check and we can disable remote avatars, but are there any more outbound connections known? If not, these workarounds could work for us, but we’re not sure if we introduce some other problems then…

You can simply disable version check in site settings at least.

We are not sure if there are other problems when we disable the version check and remote avatars. Are there any other outbound connections needed? As Dimitri also asked.

@pvdr - did you get this fully resolved? We too are running a discourse behind a firewall which means youtube/github oneboxes don’t work as expected. I’m told by our IS that we may be able to allow outbound access to youtube via our internal corp proxy, and searching for help turned up this thread.

We have problems also with the mail, so we haven’t migrated yet. The problems we had are not solved either.

Has anything changed in more recent versions of Discourse?
Is there now an easy way to configure an outbound proxy?

It is important to hide the origin IP from attackers so that Cloudflare's protection works properly.

Related topics:

I can contribute code if needed. I just need a few pointers on which parts of the code need to be refactored to use some kind of proxy configuration.

We don't support this use case at the moment.

My gut feeling is that this is probably better handled at the system level, by intercepting outbound connections (or: all traffic that is not going to Cloudflare's IPs) and redirecting them to a local proxy of some kind.

That is unfortunate. All kinds of applications have proxy settings. It is especially common in closed corporate environments.

Sure, any hint on how to get started with that? Iptables?
An example would be much appreciated :slight_smile:

For this case, I suggest starting here: Install discourse with internet access only via proxy

In most closed environments I have worked with in the past, traffic is normally forwarded transparently through the intercepting proxy.

I have no problem with the installation, only with the lack of a customizable proxy for outbound connections, such as when crawling other sites.

Correct me if I'm wrong, but the installation process and the running of Rails are separate when it comes to proxy settings.

Did you solve this?