docker-alpine
Proxy authentication with HTTP_PROXY_AUTH?
Hi, thanks for the great docker images. I am hoping to get some help with a proxy problem, or some direction. Here is the message I am getting:
UPDATE/EDIT: It looks like this is reproducible only if I have a bang (!) in my password. I tried encoded (%21) and just the character (!) and both fail out with the same error below when in HTTP_PROXY.
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz: Permission denied
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz: Permission denied
This seems to have started this week on some docker containers we use for PHP development (based on alpine). We are behind a proxy that requires authentication. We have been using the http_proxy environment variables with our user name and password inline. This is set when we build the images (docker build --build-arg HTTPS_PROXY=$$HTTP_PROXY), i.e.:
HTTP_PROXY=http://user:pass@proxyserver:port
HTTPS_PROXY=http://user:pass@proxyserver:port
http_proxy=http://user:pass@proxyserver:port
https_proxy=http://user:pass@proxyserver:port
This has worked for the last couple months without issues. However, now it seems we need to use HTTP_PROXY_AUTH? I noticed this in: https://github.com/gliderlabs/docker-alpine/issues/191#issuecomment-246944011
Here is an excerpt of our Dockerfile where it is failing (specifically on docker-php-ext-install xdebug, as it needs to apk add):
# Xdebug.
RUN git clone https://github.com/xdebug/xdebug.git /tmp/xdebug \
&& mkdir -p /usr/src/php/ext \
&& mv /tmp/xdebug /usr/src/php/ext/ \
&& docker-php-ext-install xdebug
To work around this I changed the code to:
# Xdebug.
RUN git clone https://github.com/xdebug/xdebug.git /tmp/xdebug
RUN mkdir -p /usr/src/php/ext
RUN mv /tmp/xdebug /usr/src/php/ext/
ENV HTTP_PROXY=http://proxy:port
ENV HTTP_PROXY_AUTH=basic:*:user:pass
RUN docker-php-ext-install xdebug
If I do this for https the clone fails with message:
Cloning into '/tmp/xdebug'...
fatal: unable to access 'https://github.com/xdebug/xdebug.git/': Received HTTP code 407 from proxy after CONNECT
ERROR: Service 'web' failed to build: The command '/bin/sh -c git clone https://github.com/xdebug/xdebug.git /tmp/xdebug && mkdir -p /usr/src/php/ext && mv /tmp/xdebug /usr/src/php/ext/ && docker-php-ext-install xdebug' returned a non-zero code: 128
In troubleshooting I was also able to use curl and wget without setting HTTP_PROXY_AUTH...
Looking at the man for libfetch I think this may be an issue there? Maybe this was updated recently in alpine?
http://rpm.pbone.net/index.php3/stat/45/idpl/33638817/numer/3/nazwa/fetch
HTTP_PROXY_AUTH
Specifies authorization parameters for the HTTP proxy in the same format as the HTTP_AUTH variable.
This variable is used if and only if connected to an HTTP proxy, and is ignored if a user and/or a password were specified in the proxy URL.
Have you tried quoting the variables?
ENV HTTP_PROXY_AUTH="basic:*:user:pass"
@andyshinn, I tried quoting the value in http_proxy and HTTP_PROXY and got varied results. It looks like the problem is limited to a password that contains a bang (!) followed by one or more numbers (I don't have an account with alpha after the bang to verify this). I have another account that has a bang as the last character and don't see the problem, nor do I see the problem if the password is alphanumeric.
Here is the "modified" code I was running to troubleshoot:
RUN export HTTP_PROXY=username:password@proxy:80 && export http_proxy=http://username:password@proxy:80 && \
git clone https://github.com/xdebug/xdebug.git /tmp/xdebug \
&& mkdir -p /usr/src/php/ext \
&& mv /tmp/xdebug /usr/src/php/ext/ \
&& docker-php-ext-install xdebug
These are the results with different ways of setting the proxy environment variables:
- Fails with encoded ! (%21) in password i.e.: HTTP_PROXY=http://username:password%211234@proxy:80
- Works with ! in password i.e.: HTTP_PROXY=http://username:password!1234@proxy:80
- Fails with single quoted encoded !(%21) in password i.e.: HTTP_PROXY='http://username:password%211234@proxy:80'
- Fails with different error (Couldn't resolve proxy '(nil)') with single quoted ! i.e.: HTTP_PROXY='http://username:password!1234@proxy:80'
- Fails with double quoted encoded ! (%21) i.e.: HTTP_PROXY="http://username:password%211234@proxy:80"
- Works with double quoted ! i.e.: HTTP_PROXY="http://username:password!1234@proxy:80"
- Works with ! as last character in password i.e.: HTTP_PROXY=http://username:password!@proxy:80
- Works with encoded ! (%21) as last character i.e.: HTTP_PROXY=http://username:password%21@proxy:80
- Works with alphanumeric password i.e.: HTTP_PROXY=http://username:password123@proxy:80
In my test, I don't see git using those environment variables at all. Can you provide more of your Dockerfile so I can reproduce? I am assuming it is FROM php:alpine?
Those environment variables are needed because I have to go through a proxy to get internet access. Here is a Dockerfile, almost identical to what I am using: https://github.com/drupalwxt/site-wxt/blob/8.x/docker/images/dev/Dockerfile
The way I understand the problem is that when going through a proxy (and configuring it with the environment variables) with a password that has a bang, Git and apk don't handle this the same as other Linux commands (like wget or curl).
Any updates on this?
I'm experiencing this issue and it's super frustrating; this is the first Linux distro where this has been a problem. Our proxy requires authentication credentials, and our service account passwords often have @ signs in them, thus making it impossible to use if we cannot encode the special characters. Every other tool we've used has had no problem with encoded characters in the proxy var.
Having the same issues as @brettjacobson with different apps handling proxy encoding differently, more specifically apk not supporting encoded characters.
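Added example (not part of the original thread, and not apk or libfetch code): the two ways of passing proxy credentials discussed above, the inline URL with percent-encoded userinfo and the split HTTP_PROXY plus HTTP_PROXY_AUTH form, together with the Basic credential a client would send depending on whether it percent-decodes the userinfo. All function names and sample values are hypothetical, and the non-decoding client is an assumption used to illustrate the behaviour commenters suspect, not confirmed apk behaviour.

```python
import base64
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values, matching the placeholders used in the thread.
SAMPLE = ("username", "password!1234", "proxy", 80)

def build_proxy_url(user, password, host, port):
    """Inline form: percent-encode userinfo so '!', '@' and ':' stay inside it."""
    return f"http://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"

def split_proxy_env(proxy_url):
    """Split form: credential-free HTTP_PROXY plus HTTP_PROXY_AUTH in the
    basic:*:user:pass layout quoted in the thread (literal, not encoded)."""
    parts = urlsplit(proxy_url)
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    # Conservative assumption of this example: the colon-delimited layout
    # cannot carry a ':' inside a field unambiguously, so refuse it.
    if ":" in user or ":" in password:
        raise ValueError("':' in credentials is ambiguous in HTTP_PROXY_AUTH")
    return {
        "HTTP_PROXY": f"http://{parts.hostname}:{parts.port}",
        "HTTP_PROXY_AUTH": f"basic:*:{user}:{password}",
    }

def proxy_authorization(proxy_url, decode=True):
    """Basic credential a client derives from the proxy URL.
    decode=False models a client that uses the userinfo bytes verbatim
    (an assumption for illustration, not confirmed apk behaviour)."""
    parts = urlsplit(proxy_url)
    user, password = parts.username or "", parts.password or ""
    if decode:
        user, password = unquote(user), unquote(password)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

if __name__ == "__main__":
    url = build_proxy_url(*SAMPLE)
    print(url)
    print(split_proxy_env(url))
    print(proxy_authorization(url))                # password!1234
    print(proxy_authorization(url, decode=False))  # password%211234
```

The two Proxy-Authorization values differ, so a proxy would reject the second one even though the URL itself is well-formed.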
Any update? Having the same problem here ... :/
I haven't seen this problem recently, I am assuming this got fixed (probably upstream) sometime over the last few years.
I faced this issue. dockerfile:
FROM golang:alpine as builder
...
ENV http_proxy "$http_proxy"
ENV https_proxy "$https_proxy"
ENV HTTP_PROXY "$http_proxy"
ENV HTTPS_PROXY "$https_proxy"
RUN apk add --update --virtual build-dependencies build-base linux-headers
...
error log:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
Hi, running this command makes it work:
sed -i -e 's/https/http/' /etc/apk/repositories
I have the same problem and was not able to fix it. This is not really a fix, but using GNU wget works as expected, so it seems to be an issue with BusyBox wget: https://github.com/mirror/busybox/issues/21