This repository has been archived by the owner. It is now read-only.

Additional proxy settings required behind corporate firewall #106

Closed
dannmartens opened this Issue Jan 11, 2016 · 33 comments

dannmartens commented Jan 11, 2016

This issue cropped up while trying out the angular2-webpack-starter gdi2290/angular-starter#191

Typings install throws errors. This seems to be caused by a corporate proxy which intercepts the SSL certificate. Typings supports a proxy config as of late, shouldn't it have strict-ssl, as well?

typings install

typings ERR! message Unable to resolve "github:typings/typed-es6-promise#9243c53f70fb4909ed7cce3094bec221b9fb6d5f"

typings ERR! caused by Unable to connect to "https://raw.githubusercontent.com/typings/typed-es6-promise/9243c53f70fb4909ed7cce3094bec221b9fb6d5f/typings.json"

typings ERR! caused by unable to get local issuer certificate

dsebastien commented Jan 11, 2016

+1, corporate proxies often do SSL termination

Member

blakeembrey commented Jan 11, 2016

So what would be the right behavior here (I don't have any experience with corporate proxies)? Would it be to disable strict SSL checking (e.g. rejectUnauthorized = false) or to enable something else?

dsebastien commented Jan 11, 2016

Basically, with SSL/TLS termination, the certificate that your client receives is an automatically generated / self-signed one (usually signed by the corporate PKI). There's a nice overview there of how it works: https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-WP.pdf

AFAIK there are basically two solutions:

  1. workaround (simple but really insecure): completely ignore certificate validation issues through an option like "insecure = true", "strict-ssl = false", "rejectUnauthorized = false", ...

  2. clean (more complex): provide the ability to define one or more trusted certificates (see the ca and cafile npm config settings: https://docs.npmjs.com/misc/config)

In this case, the certificate check should be done against the configured trusted CA certificate.

This makes it possible to ensure that the presented certificate can be trusted. The validation can still check that the signature is valid, that the certificate isn't expired, etc.

dannmartens commented Jan 11, 2016

Unfortunately, it's a poor practice, but disabling the chain of trust check on request from the user is the easy way out in npm land.

The larger question is whether you need a separate settings file from what is already in .npmrc - if npm needs a proxy, you are more than likely to need one too. Those proxy settings should be used by any application.

dsebastien commented Jan 11, 2016

@dannmartens good point, though not necessarily always true. For example, I could decide to use an internal npm mirror (through which I'd get the typings package installed) in the enterprise, but use the corporate proxy to get on the web and get some typings on GitHub.

Member

blakeembrey commented Jan 11, 2016

Thanks for the info! I'll try to enable both alternatives, seems like it should be straightforward. References for myself later:

As for the settings file, it's possible there'll be a lot more options, just proxy is the only one logged so far (for example, a GitHub token, but I've avoided using their API so theoretically we won't be rate-limited).

oshri551 commented Jan 18, 2016

Hi, unfortunately I tried to change "insecure = true", "strict-ssl = false", "rejectUnauthorized = false" but still the same...

Member

blakeembrey commented Jan 19, 2016

@oshri551 For proper CA file support I'm waiting on dominictarr/rc#61. For inline support, I'll push something out today.

Member

blakeembrey commented Jan 19, 2016

Pushed with https://github.com/typings/typings/releases/tag/v0.6.2. Let me know if this solves the problems, minus the ability to have cafile specified.

dannmartens commented Jan 19, 2016

Yes,

I used ini format for a .typingsrc file, setting proxy and rejectUnauthorized properly for the firewall/proxy: typings install completed, without errors.

So far so good! Is there a specific reason these settings can not be sourced from the overall npm environment settings?

Thanks,
Dann
Member

blakeembrey commented Jan 19, 2016

No technical reasons, just lack of specification on how it would work (and time). Do both merge, does one override the other, do I always search for NPM options, is it 100% accurate to NPM options (env and CLI flags too?), got to implement the actual resolving, make sure the pieces are consistent too (and actually implement NPM resolve algorithm).

Until I have the time to do all that, it's a little easier to support something similar and know there won't be any negative repercussions of such support.

stevewirts commented Jan 25, 2016

Hi, I'm having the same issue....
Could someone provide an example of the .typingsrc file? I'm having trouble wrapping my head around exactly what it should look like.
Thanks

dannmartens commented Jan 26, 2016

Hi Steve,

I put my .typingsrc in the root of the project.

It looks like this:

proxy=http://proxy.example.com:8080
rejectUnauthorized=false

The URL I use is the https proxy, by the way.

Cheers,
Dann

dsebastien commented Jan 27, 2016

@blakeembrey do you know what user agent is used by typings? I'm preparing things here at work to make sure that it is allowed through the proxy.

Member

blakeembrey commented Jan 27, 2016

@dsebastien Currently it's populated by the HTTP request library I use, Popsicle. I think it makes sense to update it to reflect the application running and make life easier, so next update I'll change it to - User-Agent: Typings <https://github.com/typings/typings>.

dsebastien commented Jan 27, 2016

Thanks @blakeembrey

FYI, from what I've seen (e.g., git, npm), applications usually define their own user agent as follows: name/ (e.g., typings/0.6.0).

Member

blakeembrey commented Jan 27, 2016

Thanks for the feedback! Cool that someone knows this 👍 I checked it out and the default is here: https://github.com/npm/npm/blob/234983925dd548ddaac99dee57476e7d7864dc61/lib/config/defaults.js#L181-L184. Looks like a bit more than just npm/, but I'm happy to follow it as the model. I can also make it configurable.

dsebastien commented Jan 27, 2016

That would be great. Open source is crazy like that! :)

dsebastien commented Jan 28, 2016

👍

Bigous commented Jan 28, 2016

I can confirm - I'm behind a corporate proxy. It works if you write the .typingsrc file in the directory of the project or (preferably, as it will be the same for all repositories) at %USERPROFILE% (on Windows).
[]s

Member

blakeembrey commented Feb 3, 2016

Can anyone here try 0.6.6? I pushed a change to using only http and https proxies which default to the environment variables going forward.

joeskeen commented Feb 3, 2016

@blakeembrey I just tried 0.6.6 without the .typingsrc file and it did pick up my proxy settings from the environment variable. Thanks!

Member

blakeembrey commented Feb 3, 2016

Awesome! Really glad to hear that 😄 The install footprint should also be smaller now too (proxy-agent was surprisingly huge).

Bigous commented Feb 4, 2016

Confirmed! works with http_proxy environment variables! tks.

dsebastien commented Feb 24, 2016

I could finally test this today at work. Works like a charm, thanks @blakeembrey

grantsheer commented Mar 1, 2016

Hi Blake

Thanks for the info above. My proxy settings are working perfectly, but I cannot for the life of me get the 'ca' attribute to work in the .typingsrc file.

I am behind a corporate firewall/proxy with the proxy decrypting and re-encrypting traffic with the company's root certificate(s). We have multiple proxies and multiple root proxy certificates - one for each.

I have to have the 'ca' attribute correctly filled in for my traffic to get through. I have searched high and low and cannot find any examples of this. It would really help if you could post an example of passing multiple certificates to rc via the 'ca' attribute in the .typingsrc file.

Thanks so much,

Grant
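
Added example, not part of the thread and not code from typings: dsebastien's second option (trust the corporate CA instead of disabling validation) and the multiple-root case grantsheer describes, for a plain Node.js HTTPS client. `splitPemBundle`, `buildTlsOptions`, `makeAgent` and the sample bundle are hypothetical names and constructed data; how typings itself reads `ca` is not shown on this page.

```javascript
'use strict';
const tls = require('tls');
const https = require('https');

// One PEM file may hold several roots (e.g. one per corporate proxy).
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split concatenated PEM text into individual certificate strings.
function splitPemBundle(text) {
  return (String(text).match(PEM_CERT) || []).map((pem) => pem + '\n');
}

// Build TLS options that trust the corporate roots in addition to the
// public roots. Supplying `ca` replaces Node's default trust store, so the
// defaults (tls.rootCertificates) are added back explicitly.
function buildTlsOptions(bundles, { keepDefaultRoots = true } = {}) {
  const extra = [...new Set(bundles.flatMap(splitPemBundle))];
  if (extra.length === 0) {
    // Fail closed: never fall back silently to "no validation".
    throw new Error('no certificate found in the supplied CA bundle(s)');
  }
  const defaults = keepDefaultRoots ? tls.rootCertificates : [];
  return { ca: [...defaults, ...extra], rejectUnauthorized: true };
}

// Agent for an HTTPS client sitting behind a TLS-intercepting proxy.
function makeAgent(bundles) {
  return new https.Agent(buildTlsOptions(bundles));
}

// Constructed sample: two placeholder blocks standing in for two proxy roots.
// The bodies are NOT real certificates; use your corporate PKI's PEM export.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'PLACEHOLDER-PROXY-ROOT-A',
  '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----',
  'PLACEHOLDER-PROXY-ROOT-B',
  '-----END CERTIFICATE-----',
].join('\n');

const demo = buildTlsOptions([SAMPLE_BUNDLE]);
console.log('extra roots:', demo.ca.length - tls.rootCertificates.length);
console.log('validation on:', demo.rejectUnauthorized);
```

With real PEM exports in place of the placeholders, the agent from `makeAgent` keeps signature, expiry and hostname checks active while accepting certificates issued by the intercepting proxies.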

Member

blakeembrey commented Mar 2, 2016

Closing as resolved. @grantsheer can you create a new issue for this? Hopefully someone will be able to help you, the proxy implementation was mostly done blind since I don't have a corporate proxy.

grantsheer commented Mar 3, 2016

Thanks. Created #276

And thanks for the speedy reply! :-)

HarpyWar commented Jul 16, 2016

Error

typings ERR! message Unable to connect to "https://api.typings.org/entries/npm/moment/versions/latest"
typings ERR! caused by certificate not trusted

Creating a new file .typingsrc in the root of project with the following contents resolves the issue:

{
    "rejectUnauthorized": false
}

aniruddhadas9 commented Sep 26, 2016

In the .typingsrc I put the line below and it worked for me. Remember to put it in INI format, not in JSON format.

rejectUnauthorized = false

Note: just the line and Enter to make a line break. Not in JSON format.

OriginalMoscato commented Nov 2, 2016

@aniruddhadas9 Does it matter which format you write it in? I use JSON and it works fine.

aniruddhadas9 commented Nov 6, 2016

@OriginalMoscato I have not tried {'rejectUnauthorized': 'false'} this way. So it's working in both INI and JSON format.
