Additional proxy settings required behind corporate firewall #106
Comments
|
+1, corporate proxies often do SSL termination |
|
So what would be the right behavior here (I don't have any experience with corporate proxies)? Would it be to disable strict SSL checking (E.g. |
|
Basically with ssl/tls termination, the certificate that your client receives is an automatically generated / self signed one (usually signed by the corporate PKI). There's a nice overview there of how it works: https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-WP.pdf AFAIK there are basically two solutions:
In this case, the certificate check should be done against the configured trusted CA certificate. This allows to ensure that the presented certificate can be trusted. The validation can still check that the signature is valid, that the certificate isn't expired, etc. |
|
Unfortunately, it's a poor practice, but disabling the chain of trust check on request from the user is the easy way out in npm land. The larger question is whether you need a separate settings file from what is already in .npmrc - if npm needs a proxy, you are more than likely to need one too. Those proxy settings should be used by any application. |
|
@dannmartens good point, though not necessarily always true. For example I could decide to use an internal npm mirror (through which i'd get the typings package installed) in the enterprise, but use the corporate proxy to get on the web and get some typings on GitHub. |
|
Thanks for the info! I'll try to enable both alternatives, seems like it should be straightforward. References for myself later:
As for the settings file, it's possible there'll be a lot more options, just |
|
Hi, unfortunately i tried to change "insecure = true", "strict-ssl = false", "rejectUnauthorized = false" but still the same... |
|
@oshri551 For proper CA file support I'm waiting on dominictarr/rc#61. For inline support, I'll push something out today. |
|
Pushed with https://github.com/typings/typings/releases/tag/v0.6.2. Let me know if this solves the problems, minus the ability to have |
|
Yes, I used ini format for a .typingsrc file, setting proxy and So far so good! Is there a specific reason these settings can not be Thanks,
|
|
No technical reasons, just lack of specification on how it would work (and time). Do both merge, does one override the other, do I always search for NPM options, is it 100% accurate to NPM options (env and CLI flags too?), got to implement the actual resolving, make sure the pieces are consistent too (and actually implement NPM resolve algorithm). Until I have the time to do all that, it's a little easier to support something similar and know there won't be any negative repercussions of such support. |
|
Hi, I'm having the same issue.... |
|
Hi Steve, I put my .typingsrc in the root of the project. It looks like this:
The URL I use is the https proxy, by the way. Cheers, On Mon, Jan 25, 2016, 17:00 stevewirts notifications@github.com wrote:
|
|
@blakeembrey do you know what user agent is used by typings? I'm preparing things here at work to make sure that it is allowed through the proxy. |
|
@dsebastien Currently it's populated by the HTTP request library I use, Popsicle. I think it makes sense to update it to reflect the application running and make life easier, so next update I'll change it to - |
|
Thanks @blakeembrey FYI, from what I've seen (e.g., git, npm), applications usually define their own user agent as follows: name/ (e.g., typings/0.6.0). |
|
Thanks for the feedback! Cool that someone knows this 👍 I checked it out and the default is here: https://github.com/npm/npm/blob/234983925dd548ddaac99dee57476e7d7864dc61/lib/config/defaults.js#L181-L184. Looks like a bit more than just |
|
That would be great. Open source is crazy like that! :) |
|
👍 |
|
I can confirm - I'm behind corporate proxy. It works if you write the .typingsrc file at the directory of the project or (preferable as it will be the same to all repositories) at %USERPROFILE% (on windows). |
|
Can anyone here try |
|
@blakeembrey I just tried |
|
Awesome! Really glad to hear that 😄 The install footprint should also be smaller now too ( |
|
Confirmed! works with http_proxy environment variables! tks. |
|
I could finally test this today at work. Works like a charm, thanks @blakeembrey |
|
Hi Blake Thanks for the info above. My proxy setting are working perfectly, but I cannot for the life of me get the 'ca' attribute to work in the I am behind a corporate firewall/proxy with the proxy decrypting and re-encrypting traffic with the companies root certificate(s). We have multiple proxies and multiple root proxy certificates - one for each. I have to have the 'ca' attribute correctly filled in for my traffic to get through. I have searched high and low and cannot find any examples of this. It would really help if you could post an example of passing multiple certificates to Thanks so much, Grant |
|
Closing as resolved. @grantsheer can you create a new issue for this? Hopefully someone will be able to help you, the proxy implementation was mostly done blind since I don't have a corporate proxy. |
|
Thanks. Created #276 And thanks for the speedy reply! :-) |
ghost
mentioned this issue
|
Error Creating a new file |
|
in the .typingsrc I put below line and it worked for me. remember to put it in ini format not in json format. rejectUnauthorized = false note: just the like and enter to make a line break. not in json format |
|
@aniruddhadas9 Does it matter which format you write it in? I use JSON and it works fine. |
|
@OriginalMoscato I have not tried {'rejectUnauthorized': 'false'} this way. So its working in both INI and JSON format. |
This issue cropped up while trying out the angular2-webpack-starter PatrickJS/PatrickJS-starter#191
Typings install throws errors. This seems to be caused by a corporate proxy which intercepts the SSL certificate. Typings supports a proxy config as of late, shouldn't it have strict-ssl, as well?
The text was updated successfully, but these errors were encountered: