Does Traefik honour http_proxy for corporate proxies? #1110
Comments
|
@lhaig Are your hosts externally accessible? Lets Encrypt uses a TLS challenge to issue certificates, which requires external (separate) TLS access to the client. The bigger question is, does your corporate proxy allow Let's Encrypt access to your binary? |
|
Hi,
Yes the access back is not proxied just the access out.
The request is successful when you use the standard client.
So traefik does not seem to honour the http_proxy environment variables
Thanks
Lance
|
ldez
added
area/acme
kind/enhancement
|
Looks like this is still the case :-( Will this be solved anytime soon? |
|
I had to go with an Nginx reverse proxy for now until this can be solved. |
|
Bumping Issue as it also block's a deployment i'm working one where they use a outbound http_proxy |
|
Hello @lhaig @andrejvanderzee @grealish . Many thanks for your interest in our project. Can you give me more information about your environments? Do you use Traefik directly on the host where you declared your environment variables ( Indeed, I tam currently trying to reproduce your problem on my own machine but I can't! Many thanks in advance. |
|
Hi @nmengin It will be a difficult environment to reproduce, as this customer is using a commercial http proxy that only respects specific HTTPS URL's that are white-listed so, The setup is as simple as this: services:
traefik:
build: .
command: --logLevel=DEBUG
ports:
- "80:80"
- "443:443"
- "127.0.0.1:8484:8484"
restart: always
environment:
- HTTP_PROXY=http://proxyoutbound.corp-network.com:8080/
- HTTPS_PROXY=http://proxyoutbound.corp-network.com:8080/
volumes:
- /var/run/docker.sock:/var/run/docker.sock
For now, that makes lego work, i'll provider more feedback if I get traefik up and running fully |
|
Hello @grealish . Many thanks for these information. |
|
Hi @nmengin We are also running behind a corporate proxy server that whitelist only certain external URLs. I tried running traefik in Kubernetes like this: apiVersion: v1
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: ingress-ctl
namespace: kube-system
spec:
template:
metadata:
labels:
name: ingress-ctl
spec:
containers:
- image: {{docker-registry}}/traefik:v1.2.3
env:
- name: http_proxy
value: {{http_proxy}}
- name: https_proxy
value: {{https_proxy}}
- name: no_proxy
value: {{no_proxy}}
name: ingress-ctl
resources:
limits:
cpu: 200m
memory: 50Mi
requests:
cpu: 100m
memory: 50Mi
ports:
- name: http
containerPort: 80
hostPort: {{host-port}}
- name: admin
containerPort: 8080
args:
- --web
- --web.address=:8080
- --kubernetes
- --kubernetes.namespaces={{namespaces}} |
|
@nmengin We need to find a way so just the lets encrypt http client uses the |
|
@grealish We discussed about the problem with part of the team. I'll give you a feedback in the issue to keep you in touch. cc @containous/traefik |
|
@nmengin what might be of interest is to follow the way docker handle's it using a "NO_PROXY" ENV |
ldez
added
status/0-needs-triage
and removed
kind/enhancement
ldez
added
kind/enhancement
|
I am closing this issue |
What version of Traefik are you using (
traefik version)?Version: v1.1.2
Codename: camembert
Go version: go1.7.4
Built: 2016-12-15_10:27:40AM
OS/Arch: linux/amd64
What is your environment & configuration (arguments, toml...)?
Standard traefik toml file with acme enabled
What did you do?
I tested a connection on http and this worked connecting to the proxied server.
I enabled https and letsencrypt on a separate entrypoint with the staging server
What did you expect to see?
To get a staging certificate from letsencrypt.
What did you see instead?
This error is due to their being no access to the internet directly from hosts. we have to use a corporate proxy.
I configured http_proxy and https_proxy within the system environment variables but it seems that the traefik binary does not honour these variables.
The text was updated successfully, but these errors were encountered: