Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Usage of an http/https proxy #23

Closed
radenui opened this issue Feb 20, 2015 · 12 comments
Closed

Usage of an http/https proxy #23

radenui opened this issue Feb 20, 2015 · 12 comments
Labels
kind/enhancement

Comments

@radenui
Copy link

radenui commented Feb 20, 2015

Hi,

The host machines do not access the internet directly, but through an http/https proxy into my infrastructure: I'd like to be able to use it!
I tried to write :
HTTP_PROXY=http://proxyaddress:proxyport
HTTPS_PROXY=http://proxyaddress:proxyport
NO_PROXY=169.254.169.254
into /etc/ecs/ecs.config (as I believe it should work ?), but had no success so far.

Is is a feature you intend to implement ?

Thanks,

Arthur
@euank
Copy link
Contributor

euank commented Feb 24, 2015

Currently it doesn’t work for two reasons:

  1. The service client used does not use the default http client. This will be resolved when we migrate to using the official aws go sdk.
  2. Our services relies on communicating over a websocket, and the library we use for that does not support http proxying. It’s also possible your proxy would not support websockets either.

You might be able to use other networking, such as a vpn, to accomplish this lower down the network stack.

We do not currently have plans to implement proxying for the websocket connection within our application in the short term.

I would like to hear a little more about your proxying setup though, such as if it would support a websocket connection or if a vpn could potentially work.

Best,
Euan

@radenui
Copy link
Author

radenui commented Feb 25, 2015

Thanks for your answer.

As a matter of fact, some of the services I intend to deploy will not be internet facing, and the instances will be in private subnets.
When they have to connect the internet (let's say for an AWS API Call), they use an http/https squid proxy into the environment. This one is made highly available by the use of an ELB and multiple instances running squid attached to this ELB.

As I understand it (I may be wrong), the ECS agent performs a call to an https AWS endpoint for ecs. The fact that it uses websocket is probably the must difficult point here.
Of course I'd like to leverage the same infrastructure I already have in place.

I've read in many websites that websockets works over an https connection on squid.

So should I do the same request (proxy support) on the gorilla/websocket project ?

Thanks,
Arthur

@euank
Copy link
Contributor

euank commented Feb 26, 2015

If the Gorilla authors want to integrate proxy support I'd be happy to consume it.

However, even if they don't, it could probably be implemented within the agent's code by passing in a proxying dialer to the websocket connection.

I'll leave this issue open as a feature request and welcome any further information or questions.

@radenui
Copy link
Author

radenui commented Feb 26, 2015

Thanks Euan, this will be a great improvement!
FYI, I managed to configure docker itself so it can use a proxy by adding the export commands into the /etc/sysconfig/docker file.

euank added a commit to euank/amazon-ecs-agent that referenced this issue Apr 9, 2015
@euank
Switch to the AWS Go SDK for api communication
6a33e84 
Relates to aws#23

The authv4 signer is still present for ACS.

This should also improve exception retriability for some exceptions and
performance (connection pooling)
euank added a commit to euank/amazon-ecs-agent that referenced this issue Apr 9, 2015
@euank
Switch to the AWS Go SDK for api communication
37a0bb7 
Relates to aws#23

The authv4 signer is still present for ACS.

This should also improve exception retriability for some exceptions and
performance (connection pooling)
euank added a commit to euank/amazon-ecs-agent that referenced this issue Apr 9, 2015
@euank
Switch to the AWS Go SDK for api communication
4c29f97 
Relates to aws#23

The authv4 signer is still present for ACS.

This should also improve exception retriability for some exceptions and
performance (connection pooling)
euank added a commit to euank/amazon-ecs-agent that referenced this issue Apr 24, 2015
@euank
Switch to the AWS Go SDK for api communication
bf0c59e 
Relates to aws#23

The authv4 signer is still present for ACS.

This should also improve exception retriability for some exceptions and
performance (connection pooling)
@damnhandy
Copy link

@radenui were you able to get the ECS Agent to register with the cluster? I've been able to get everything running, but the agent simply can't register with the cluster due to our proxy.

@radenui
Copy link
Author

radenui commented Apr 29, 2015

@damnhandy Unfortunately no, I had to connect the internet directly or through a NAT instance, as far as I know proxy is not yet usable. I hope this will be soon available!

@sathiyas
Copy link

Hello Team, is this supported yet?

@euank
Copy link
Contributor

euank commented Jul 19, 2015

Unfortunately, it's still not supported. The registration part should work now since the above-referenced sdk migration has been completed, but the websocket connection, required for running any tasks, does not respect proxy settings. As far as I know, the websocket connection's dial is the only part left that doesn't handle proxy settings.

I'll update this issue with any changes.

@euank euank mentioned this issue Jul 19, 2015
Closed
@abrgr abrgr mentioned this issue Sep 24, 2015
Merged
@sathiyas
Copy link

Folks, is this Proxy support available now?

@euank
Copy link
Contributor

euank commented Oct 19, 2015

Still not available, but getting closer! We've got it merged into the dev branch, which means it should be in the next release. You're also welcome to build the dev branch and try it out.

Best,
Euan

@wolfeidau wolfeidau mentioned this issue Oct 20, 2015
Merged
@wolfeidau
Copy link

Proxy support is now supported in the upstream library, I was hoping this would save you doing work on this but it seems to have also been done in the agent itself.

If I can help with integration I am happy to pitch in.

@euank euank mentioned this issue Oct 29, 2015
Closed
@euank
Copy link
Contributor

euank commented Oct 29, 2015

We've released agent version v1.6.0 which adds support for proxies via #211.

We appreciate that you added support upstream @wolfeidau, and I think it'd be awesome to switch since it makes more sense to be maintained there I think.

Since this issue is about the feature, not implementation, I've opened a separate issue, #239, to track that and am resolving this.
Best,
Euan

@euank euank closed this as completed Oct 29, 2015
danehlim pushed a commit to danehlim/amazon-ecs-agent that referenced this issue Oct 26, 2022
@sparrc
Cleanup script fix (aws#23)
405113c 
- the [[ -f ... ]] and [[ -d ... ]] checks are changed to use 'sudo test
  -f and sudo test -d'. This is so that we correctly detect files that
  are only readable by the root user.
- the cleanup script was leaving behind /root/.ssh/authorized_keys
  because it was not using 'sudo' to check for this file
- the cleanup script was previously also leaving behind
  /etc/sudoers.d/90-cloud-init-users, but we need this file for the
  ec2-user to have sudo access, so delete it from the list of files to
  delete from the AMI.
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@wolfeidau @damnhandy @samuelkarp @euank @sathiyas @radenui