S3 binary caches don't work with network proxies #4883
Comments
A possible quick workaround that's easier than trying to read HTTP_PROXY and such would be to make new variables like |
For anyone stumbling here, we have the following workaround. We have a location that has no Internet access and needs to use a proxy.
With
```nginx
server {
    listen 443 ssl;
    # Same hostname as the real S3 endpoint: the SDK signs requests with it
    server_name <%= @s3_bucket %>.s3.<%= @s3_endpoint_region %>.amazonaws.com;
    resolver <%= @s3_endpoint_resolver %>;
    location / {
        # Forward the request unchanged to the real S3 endpoint
        proxy_pass https://<%= @s3_bucket %>.s3.<%= @s3_endpoint_region %>.amazonaws.com;
    }
    ssl_certificate <%= @ssl_certificate %>;
    ssl_certificate_key <%= @ssl_certificate_key %>;
    access_log /var/log/nginx/site-<%= @s3_bucket %>.s3.<%= @s3_endpoint_region %>.amazonaws.com-access.log;
    error_log /var/log/nginx/site-<%= @s3_bucket %>.s3.<%= @s3_endpoint_region %>.amazonaws.com-error.log;
}
```
You can see it pass the request to the real AWS. This is necessary as the AWS SDK will sign the requests, including the hostname it uses. So we can't use a different hostname. |
I marked this as stale due to inactivity. → More info |
Still very much an issue that we can't use HTTP proxy with S3 caches |
I need to add some info to #4883 (comment). As libcurl uses libresolve, to actually end up using your nginx proxy you need to make sure the AWS address resolves to your proxy address: /etc/hosts doesn't work as libresolve doesn't read it. For us we happen to have a DNS that all these machines use so I followed https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html and added the S3 endpoint to |
I marked this as stale due to inactivity. → More info |
Not stale unless we explicitly change how we use the AWS SDK. |
Probably still important :) |
Patched https://github.com/NixOS/nix/blob/master/src/libstore/s3-binary-cache-store.cc#L146 to enable https://sdk.amazonaws.com/cpp/api/LATEST/aws-cpp-sdk-core/html/struct_aws_1_1_client_1_1_client_configuration.html#a0197eb33dffeb845f98d14e5058921c1; seems like I can query packages through the proxy, will PR soon™️ |
Hello, I opened a pull request to try to keep track of the resolution of this issue. |
Describe the bug
We can't use S3 binary caches with network proxies.
This was hinted at in #3529. But the symptom is worse: if you try to do nix-build or something, it'll hang somewhere in AWS SDK code and you have to open a second terminal and kill -9 the nix process.

Steps To Reproduce
nix-build '<nixpkgs>' -A hello --no-out-link
for a package you don't have.

Expected behavior
Binary cache is queried properly.

nix-env --version output
Looking at source, I have no reason to believe this is not the case still in HEAD.

Additional context
As per aws/aws-sdk-cpp#1049, the values for any proxy have to be explicitly set by the SDK user. If we look at s3-binary-cache-store.cc, you'll see that nowhere does it do anything like this.
It is pretty annoying that they unset it because now nix presumably has to figure out what the proxy values are set, parse them, pass them to AWS SDK and have that just spit it back out.
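
The issue body above says the proxy values have to be found, parsed and handed to the AWS SDK explicitly. A sketch of that parsing step follows, as an added example that is not code from Nix or the AWS SDK: `ProxySettings`, `parseProxyUrl` and `httpsProxyFromEnv` are hypothetical names, the struct stands in for the proxy fields of `Aws::Client::ClientConfiguration`, the defaults follow curl's convention, and credentials are taken literally (no percent-decoding, no bracketed IPv6 hosts).

```cpp
// Added example (not Nix or AWS SDK code). ProxySettings is a stand-in for
// the proxy fields of Aws::Client::ClientConfiguration.
#include <cstdlib>
#include <string>

struct ProxySettings {
    std::string scheme = "http";  // proxyScheme (curl assumes http if omitted)
    std::string host;             // proxyHost
    unsigned port = 1080;         // proxyPort (curl's default if omitted)
    std::string userName;         // proxyUserName
    std::string password;         // proxyPassword
};

// Parse [scheme://][user[:password]@]host[:port][/]; false if unusable.
bool parseProxyUrl(std::string url, ProxySettings& out) {
    ProxySettings p;
    std::string::size_type i = url.find("://");
    if (i != std::string::npos) { p.scheme = url.substr(0, i); url.erase(0, i + 3); }
    if (p.scheme != "http" && p.scheme != "https") return false;
    url = url.substr(0, url.find('/'));               // drop any trailing path
    if ((i = url.rfind('@')) != std::string::npos) {  // optional credentials
        std::string cred = url.substr(0, i);
        url.erase(0, i + 1);
        std::string::size_type c = cred.find(':');
        p.userName = cred.substr(0, c);
        if (c != std::string::npos) p.password = cred.substr(c + 1);
    }
    if ((i = url.rfind(':')) != std::string::npos) {  // optional port
        std::string digits = url.substr(i + 1);
        if (digits.empty() || digits.size() > 5 ||
            digits.find_first_not_of("0123456789") != std::string::npos) return false;
        unsigned long n = std::stoul(digits);
        if (n == 0 || n > 65535) return false;
        p.port = static_cast<unsigned>(n); url.erase(i);
    }
    if (url.empty()) return false;
    p.host = url; out = p;
    return true;
}

// Lookup order curl uses for HTTPS requests: lowercase name before uppercase.
bool httpsProxyFromEnv(ProxySettings& out) {
    const char* names[] = {"https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY"};
    for (const char* name : names) {
        const char* v = std::getenv(name);
        if (v && *v) return parseProxyUrl(v, out);
    }
    return false;
}
```

Rejecting an unsupported scheme or malformed port up front gives the caller a clear error to report. Keep the parsed password out of logs and error messages.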