HTTP Proxy settings from preferences are injected as environment variables in containers

[lukevella]

Expected behavior

I am behind a corporate proxy so I configured the preferences with an HTTP Proxy so that I can pull images from Docker Hub when building my containers, but don't expect the same settings to be injected into the containers as environment variables.

Actual behavior

The images are pulled successfully through the proxy however, the same HTTP Proxy settings are being injected in to the containers as environment variables. This causes some issues since I am using docker-compose to link two containers and they are attempting to communicate with each other through the proxy (which fails). I tried to exclude the hostnames of the linked containers via the preferences, hoping that they will be injected as $NO_PROXY but this doesn't happen.

Steps to reproduce the behavior

1. Configure the preferences with an HTTP/S Proxy and Exclude values.
   HTTP_PROXY: http://proxy.co.corp:8080
   Exclude:localhost,co.corp
2. docker run -it ubuntu bash
3. echo $HTTP_PROXY
   output: http://proxy.co.corp:8080
4. echo $NO_PROXY
   output: empty

[ebriney]

docker run -e HTTP_PROXY= -it ubuntu bash will do the job, no?

[lukevella]

@ebriney That might be a workaround but it doesn't solve the issue.

I'm hoping that setting the HTTP Proxy settings in the app preferences will have the same effect as setting the environment variables for the docker daemon in systemd. See: https://docs.docker.com/engine/admin/systemd/#/http-proxy

When doing the above the HTTP Proxy environment variables do not get injected into containers. It should be the same on macOS. These settings are only for enabling a connection to Docker registries through a proxy.

[jamshid]

Strongly agree, this behavior where a proxy I happen to be using for web browsing on my mac automatically and without my choice gets injected into all containers seems a bit nuts.

This feature, although documented (https://docs.docker.com/docker-for-mac/networking/), is too clever, causes more confusion than it's worth. Let users enter the proxy in the Docker Preferences tab, anyway there's no guarantee you'd want to use the same proxy the Mac is otherwise using.

And a really bad bug is that Docker for Mac doesn't "reset" this after "unchecking" "Web Proxy (HTTP)" in Settings => Network => Proxies tab. The old value is still in the Docker Preferences, grayed out. I have to actually delete the ip and port from the Mac settings, even though those fields are being ignored by the Mac.

[djs55]

Thanks for the report. I've escalated this to the Docker for Mac and Windows networking team. We hope to work on our support for HTTP proxies over the next few releases -- I'll let you know how we get on.

[djs55]

@lukevella the latest master builds of Docker for Mac have experimental support for transparent HTTP(S) proxying. If this special mode is enabled then no environment variables are rewritten. If you'd like to try it, I've written some instructions: https://github.com/moby/vpnkit/blob/master/docs/transparent-http-proxy.md

(Note the current implementation doesn't currently support no_proxy properly -- hopefully this will be implemented soon)

Feedback is very welcome!

[ascatox]

The problem has become extremely urgent, without the no_proxy radio option in Proxies Tab. I hope the option will be introduced again.

[docker-robott]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

[uk0]

look https://uk0.github.io/2018/04/16/docker-macos-proxy-https-http/

[unlikezy]

@djs55 I think this issue may be resolved better.

Let me explain the problem I encounter first:

1. I am using docker behind a corporate proxy
2. I use docker to maintain and iterate my development environment.
3. To pull images from dockerhub, of course, I need to set docker daemon proxy, as this:
   
4. I need to access Internet in the development environment, so I also set the proxy inside container, as this:
   
5. And I need to connect to company local git through https/ssh, which shouldn't be accessed with proxy setting. As you can see in the pictures above, I set "git.local.co" to no_proxy both in docker daemon proxy setting and in container env.
6. Now I encounter the problem:
   a. I can not access "git.local.co" now, because vpn passthrough strategy pass all my container's flow into docker daemon proxy, even when no_proxy is set.
   b. If I want to access "git.local.co", I have to unset docker daemon proxy to "system proxy", in order to use container proxy completely;
   c. If I need to download images from dockerhub, I have to set docker daemon proxy to "manual proxy".
   d. And switching this setting require restarting docker daemon, so I have to close all my container when I am developing. This make my life much harder.

I think the key problem is that the proxy to pull images and the proxy for container(vpn passthrough) shouldn't be mixed. They are completely for different purpose. Providing two separate setting might be a better solution.
Or did I misunderstand some of these setting?

[Gladskih]

Funny that I have reverse problem with Docker for Windows: proxy configuration from docker settings is not injected into containers.

[hamza15]

Was this issue ever resolved? I have a problem similar to the original issue. My Jenkins server has proxy setting for both docker engine and docker containers. I need a proxy to build containers and install container binaries (apt-get, npm install etc) but I do not require proxy settings injected into containers after install.

The docker engine proxy settings are added via:
/etc/systemd/system/docker.service.d/http-proxy.conf

The docker container proxy settings are added via:
~/.docker/config.json

My jenkins job will build containers locally and deploy to my development environment but the proxy settings are injected into the containers. This prevents communication between containers since they try to speak to each other via proxy.

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked