Our Discourse runs behind a proxy for outbound traffic.
We see that with “external system avatars enabled” selected, the avatars are not loaded. Also, the check for updates does not work.
We have set http_proxy and https_proxy. In the logs, the message “Job exception: invalid address” is repeated.
How can we have outgoing requests working?
Is it the letter avatars that are the issue, or the uploaded avatars? Can you describe in detail how stuff is configured?
What’s the format of your http_proxy variables? Does it have a user and password inside?
We have no user and password. Output from `set | grep -i proxy`:
```
HTTPS_PROXY=http://<server>:<port>/
HTTP_PROXY=http://<server>:<port>/
NO_PROXY='127.0.0.1, localhost, <internal-network>'
http_proxy=http://<server>:<port>/
https_proxy=http://<server>:<port>/
no_proxy='127.0.0.1, localhost, <internal-network>'
```
A curl from within the container, which uses the proxy-settings:
```
curl -o /dev/null -v https://avatars.discourse.org/v2/letter/s/5f9b8f/45.png
```
results in: 200 OK
This is the letter avatars, but also the check for updates doesn’t work. It looks like all outgoing requests are failing.
We have a docker-host based on the standalone.yml. In the env: section we added the proxy-settings. Attaching to the running container shows that the proxy-settings are correct.
Last time I had to work in an environment like this I found that Ruby is the worst language in this aspect, where most http methods don’t respect the proxy variables unless explicitly set, where java, python, node, php all work fine. /rant
You can try to emulate the version check with:
```
ssh root@your.server.here
cd /var/discourse
./launcher enter app
cd /var/www/discourse
rails c
puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
## also
puts ENV ## does this print your proxy info?
```
Does it work or fail? What’s the error message?
No errors, all output looks fine.
```
root@93ca6a8ec7a6-discourse:/var/www/discourse# rails c
[1] pry(main)> puts Excon.send( :get, 'https://meta.discourse.org/latest.json', omit_default_port: true).body
{"users":[{"id":1,"username":"sam","avatar_template":"/user_avatar/meta.discourse.org/sam/{size}/5243_1.png"},
... much more ...
Frequent Poster","user_id":1,"primary_group_id":47}]}]}}
=> nil
[2] pry(main)> ENV
...
"HTTPS_PROXY"=>"http://<server>:8082/",
"HTTP_PROXY"=>"http://<server>:8082/",
...
"NO_PROXY"=>
"127.0.0.1, localhost, <internal>",
...
"http_proxy"=>"http://<server>:8082/",
"https_proxy"=>"http://<server>:8082/",
"no_proxy"=>
"127.0.0.1, localhost, <internal>"}
```
Hello @Falco,
Any ideas on my output?
Peter
We can emulate the version check and we can disable remote avatars, but are there any more outbound connections known? If not, these workarounds could work for us, but we’re not sure if we introduce some other problems then…
You can simply disable version check in site settings at least.
We are not sure if there are other problems when we disable the version check and remote avatars. Are there any other outbound connections needed? As Dimitri also asked.
@pvdr - did you get this fully resolved? We too are running a discourse behind a firewall which means youtube/github oneboxes don’t work as expected. I’m told by our IS that we may be able to allow outbound access to youtube via our internal corp proxy, and searching for help turned up this thread.
We have problems also with the mail, so we haven’t migrated yet. The problems we had are not solved either.
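Has anything changed in newer versions of Discourse?
Is there now an easy way to configure an outbound proxy?
For Cloudflare protection to work properly, it is important to hide the origin IP from attackers.
Related topics:
I can contribute code if needed. I just need some advice on which code would have to be refactored to support some kind of proxy setting.
We currently do not support this use case.
My gut feeling is that this is best handled at the system level, by intercepting outbound connections (or: all traffic not going to Cloudflare IPs) and redirecting them to some kind of local proxy.
That is unfortunate. Applications of all kinds usually have proxy settings, and they are especially common in closed corporate environments.
OK, any suggestions for getting started? Is it iptables?
It would be great if you could provide some examples.
For this situation, I suggest starting here: Install discourse with internet access only via proxy
In most of the closed environments I have worked in, traffic was usually forwarded transparently through an intercepting proxy.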
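The system-level approach suggested above, sketched as an added example (not part of the thread and not Discourse's own tooling): nat rules that hand a Docker-hosted container's outbound web traffic to a local transparent redirector while listed ranges stay direct. Assumptions: the container sits on Docker's default `docker0` bridge, a redirector that forwards to the upstream proxy listens on port 12345, and the chain name, function names and CIDR values are constructed placeholders.

```shell
#!/bin/sh
# Prints (does not apply) the nat rules, so they can be reviewed before a root
# shell runs them. Hypothetical names: DISCOURSE_EGRESS, egress_rules.
CHAIN=DISCOURSE_EGRESS
BRIDGE=${BRIDGE:-docker0}   # Docker's default bridge; adjust for custom networks

# usage: egress_rules REDIRECTOR_PORT DIRECT_CIDR...
egress_rules() {
    port=$1
    shift
    case $port in
        ''|*[!0-9]*) echo "bad redirector port: $port" >&2; return 1 ;;
    esac
    for cidr in "$@"; do
        case $cidr in
            ''|*[!0-9./]*) echo "bad IPv4 CIDR: $cidr" >&2; return 1 ;;
        esac
    done

    echo "iptables -t nat -N $CHAIN"
    # Destinations that stay direct: internal ranges and the CDN edge ranges.
    for cidr in "$@"; do
        echo "iptables -t nat -A $CHAIN -d $cidr -j RETURN"
    done
    # Remaining web traffic from the container is handed to the redirector.
    echo "iptables -t nat -A $CHAIN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports $port"
    # Container traffic enters the host through the bridge, so hook PREROUTING.
    echo "iptables -t nat -I PREROUTING -i $BRIDGE -p tcp -j $CHAIN"
}

# Constructed sample values: 203.0.113.0/24 is a documentation range standing
# in for the CDN ranges you would copy from the provider's published list.
sample_rules() {
    egress_rules 12345 172.16.0.0/12 10.0.0.0/8 203.0.113.0/24
}

if [ "${1:-}" = "--print" ]; then
    sample_rules
fi
```

REDIRECT rewrites the destination to the bridge interface's address, so the redirector has to listen there (or on all addresses) and recover the original destination itself. Because the hook is on PREROUTING for the bridge only, the redirector's own connections to the upstream proxy are not caught by these rules.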
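There is no problem with the installation; the problem is the lack of a customizable proxy for outbound connections (for example, for crawling other sites).
Please correct me if I have misunderstood: the installation process and the proxy settings of the Rails runtime are independent of each other.
Did you solve this problem?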