Unable to open devcontainer in VSCode on local machine behind Cloudflare Zero Trust proxy
My local network is behind a Cloudflare Zero Trust proxy. Typically, I would need to install the Cloudflare CA certificate on any container running on my local M1 MacBook Pro that needs external internet access.
However, I am unsure how to do this for devcontainers that install "features" such as the devcontainer in this template repository. I have attempted to define my own Dockerfile that installs the necessary cert but the feature installation still fails. When I attempt to start the devcontainer, I receive the following error.
[2024-01-07T23:37:20.400Z] Resolving Feature dependencies for 'ghcr.io/devcontainers/features/docker-in-docker:2'...
[2024-01-07T23:37:20.400Z] * Processing feature: ghcr.io/devcontainers/features/docker-in-docker:2
[2024-01-07T23:37:20.474Z] Error: unable to get local issuer certificate
[2024-01-07T23:37:20.474Z] at TLSSocket.onConnectSecure (node:_tls_wrap:1543:34)
[2024-01-07T23:37:20.475Z] at TLSSocket.emit (node:events:513:28)
[2024-01-07T23:37:20.475Z] at TLSSocket._finishInit (node:_tls_wrap:962:8)
[2024-01-07T23:37:20.475Z] at ssl.onhandshakedone (node:_tls_wrap:746:12)
Would you happen to have a recommendation for resolving this issue? I can't seem to get past this on my own.
Update: While this is technically still an issue, I was able to implement a workaround.
Workaround: In Cloudflare Zero Trust, I had to define a Gateway -> Firewall policies -> HTTP policy to "Do Not Inspect" each of the URLs that were being impacted by this issue. This includes Docker container registries, NPM registries, VSCode extension registries, etc.
While a bit tedious to determine and implement, this workaround does bypass the reported issue. However, it would still be nice to find a way to not have to manually identify each URL that needs to effectively be allow-listed.
@joshspicer / @chrmarti do you have any suggestions on getting features to work behind a network proxy?
This may not be exactly what you're looking for, but you may be able to leverage some tips from the discussion here and utilize the NODE_EXTRA_CA_CERTS environment variable to feed your Cloudflare CA certificate into the CLI.
"Resolving Feature dependencies" runs as part of the CLI on the local machine. The Dev Containers extension for VS Code now uses NODE_EXTRA_CA_CERTS to let the CLI use additional certificates registered in the OS. The CLI itself does not have a way to read these yet.
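The NODE_EXTRA_CA_CERTS approach from the replies above, as an added example that is not part of the original thread or the devcontainers project: a wrapper that checks the CA bundle before handing it to a Node-based command. The function names and the bundle path in the usage comment are hypothetical, and the check is structural only (PEM markers), not a cryptographic validation of the certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Node reads NODE_EXTRA_CA_CERTS once, at
# process start, and only emits a warning if the file is missing or malformed,
# so a bad path shows up later as the same "unable to get local issuer
# certificate" error. Check the bundle first, then launch the command.

# Return 0 if $1 is a readable regular file containing at least one PEM
# certificate block with matching BEGIN/END markers.
check_ca_bundle() {
    bundle=$1
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "CA bundle not readable: $bundle" >&2
        return 1
    fi
    # grep -c exits 1 on zero matches but still prints 0; keep the count.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "CA bundle malformed: $begins BEGIN / $ends END markers" >&2
        return 1
    fi
}

# Run a command with NODE_EXTRA_CA_CERTS set for that process only, so the
# proxy's CA is trusted by this one tool and not exported to the whole shell.
with_extra_ca() {
    bundle=$1
    shift
    check_ca_bundle "$bundle" || return 1
    NODE_EXTRA_CA_CERTS=$bundle "$@"
}

# Usage (hypothetical path to the exported Cloudflare CA certificate):
#   with_extra_ca "$HOME/certs/cloudflare-ca.pem" devcontainer up --workspace-folder .
```

This covers the feature-resolution step that runs on the local machine; processes inside the container still need the CA installed in the image.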