10. Appendix

10.1. Using a Proxy Server

10.1.1. Configure Linux to use a proxy

Linux and UNIX-like systems have environment variables called http_proxy and https_proxy. They allow connections to be established via the proxy server. The environment variables are used by almost all utilities and system commands. You need the proxy server's IP address (URL) and port value.

Type the following command to set the proxy server for the current bash session:

export http_proxy=http://<PROXY_USERNAME>:<PROXY_PASSWORD>@<PROXY_URL>:<PROXY_PORT>
export https_proxy=http://<PROXY_USERNAME>:<PROXY_PASSWORD>@<PROXY_URL>:<PROXY_PORT>

There are several other ways to configure a proxy server in Linux. Consider editing /etc/profile, /etc/environment or ~/.bashrc to set the required environment variables.

Check if the required tools are working (use curl, as it respects the http_proxy and https_proxy variables):

curl -sSI www.gyrotools.com

10.1.2. CA certificates

When your proxy scans an HTTPS connection with content inspection, the proxy intercepts the HTTPS request and initiates its own connection to the destination HTTPS server on behalf of the client. After the proxy receives a reply and a copy of the remote server certificate from the destination HTTPS server, the proxy presents an altered version of the certificate from the remote server (signed with the Proxy Authority CA certificate) to the originating client. The Common Name (CN), Subject Alternative Name (SAN), and other values remain the same for identity validation. The client will complain about an untrusted CA certificate if the Proxy Authority CA certificate is not installed as a trusted root certificate on the client.

curl complains with a message like this:

SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Ask your IT department to hand over the appropriate certificate and use the common ways to install the Proxy Authority CA certificate.

Ubuntu

sudo cp proxy_ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

RHEL, CentOS

sudo cp proxy_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

10.1.3. apt-get (Ubuntu)

Ubuntu users must also configure the apt-get tool:

vi /etc/apt/apt.conf.d/40proxy

Acquire::http::Proxy "http://<PROXY_USERNAME>:<PROXY_PASSWORD>@<PROXY_URL>:<PROXY_PORT>";

Check if the apt-get tool is working correctly:

apt-get update

10.1.4. yum (RHEL, CentOS)

CentOS or RHEL users must also configure the yum tool:

vi /etc/yum.conf

[main]
...
proxy=http://<PROXY_URL>:<PROXY_PORT>
proxy_username=<PROXY_USERNAME>
proxy_password=<PROXY_PASSWORD>
...

Check if the yum tool is working correctly:

yum update

10.1.5. Docker Service

Configure Docker daemon to use a proxy server

If your system requires a proxy server to connect to the internet, make sure your system is configured properly before starting the setup.sh script. See also Configure Linux to use a proxy. Skip this step if your system is directly accessing the internet.

A common misconception about the Docker client is that it connects to the registry to download an image when you run docker pull, so that setting http_proxy and https_proxy in your environment should be enough to pull an image from behind a firewall. Unfortunately, this is not true. The Docker client only makes REST requests to the Docker daemon, which does the actual work. Therefore, it is the Docker daemon configuration that needs to be adjusted.


Create a systemd drop-in directory for the docker service:

sudo mkdir -p /etc/systemd/system/docker.service.d

Create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables:

[Service]
Environment="HTTP_PROXY=http://<PROXY_USERNAME>:<PROXY_PASSWORD>@<PROXY_URL>:<PROXY_PORT>/" "HTTPS_PROXY=http://<PROXY_USERNAME>:<PROXY_PASSWORD>@<PROXY_URL>:<PROXY_PORT>/" "NO_PROXY=localhost,127.0.0.1"

Flush changes:

sudo systemctl daemon-reload

Restart Docker:

sudo systemctl restart docker

Check the Docker daemon configuration:

docker search debian
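
The files written in 10.1.3 to 10.1.5 (and /etc/environment or /etc/profile, if used) hold the proxy password in clear text. The following audit script is an added example, not part of the original guide; it reports which of these files both contain credentials and are readable by every local user. The function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: find proxy configuration files that expose credentials.

# Files this guide writes proxy settings to (sections 10.1.1 - 10.1.5).
PROXY_FILES="/etc/apt/apt.conf.d/40proxy /etc/yum.conf
/etc/systemd/system/docker.service.d/http-proxy.conf /etc/environment /etc/profile"

# has_proxy_secret FILE -> 0 if FILE holds a scheme://user:password@ URL
# or a non-empty yum-style proxy_password entry.
has_proxy_secret() {
    grep -Eq -e '://[^/@[:space:]"]+:[^/@[:space:]"]+@' \
             -e '^[[:space:]]*proxy_password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# world_readable FILE -> 0 if the "other" class has read permission.
# The 8th character of the ls mode string (e.g. -rw-r--r--) is that bit.
world_readable() {
    perms=$(ls -ld "$1") || return 2
    case "$perms" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_proxy_files FILE... -> prints one line per exposed file and
# returns the number of exposed files (0 = nothing found).
audit_proxy_files() {
    findings=0
    for f in "$@"; do
        [ -f "$f" ] || continue             # skip files that do not exist
        has_proxy_secret "$f" || continue   # no credentials stored here
        if world_readable "$f"; then
            echo "EXPOSED: $f (${perms%% *}) stores proxy credentials readable by all users"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Audit the paths given as arguments, or the guide's default files.
[ "$#" -gt 0 ] || set -- $PROXY_FILES
audit_proxy_files "$@" || echo "$? file(s) expose proxy credentials to local users"
```

A reported file means any account on the host can read the proxy user name and password.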

10.1.6. Sudo

Another pitfall is the sudo command. Normally sudo cleans the environment and the http_proxy and https_proxy variables are unset when sudo calls the command. Sudo needs to be configured to transfer the http_proxy and the https_proxy variables from the current environment to the new environment.

visudo

Then find a line that states:

Defaults env_reset

and add after it:

Defaults env_keep = "http_proxy https_proxy"

Hint

If there are multiple lines beginning with Defaults env_keep, add the new line last and use the += operator:

Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "http_proxy https_proxy"

Check the sudo configuration with:

sudo wget -O/dev/null http://www.gyrotools.com
sudo wget -O/dev/null https://www.gyrotools.com

Important

The docker service needs to be configured as well. Configure the docker service after running setup.sh. See Configure Docker daemon to use a proxy server.