lab icon indicating copy to clipboard operation
lab copied to clipboard
verified publisher icon zaquestion

Socks proxy support?

Open stemid opened this issue 5 years ago • 13 comments

Will there ever be socks proxy support?

I tried using export https_proxy=socks5:// with my tunnel that I use with glab, but it can't connect. So I assume it has no such support.

I really like the pipeline view in lab much better than glab. But I can't use it with our on-prem Gitlab which is behind an SSH tunnel at work.

stemid avatar Dec 23 '20 14:12 stemid

I'm not really familiar with https_proxy behavior and never really tested it with lab. It doesn't change the remote URL at all, right? Could you retry but using http.proxy git-config option instead?

$ git config --local http.proxy socks5://...

I believe the URL should follow the same as the one you through in https_proxy. It's also possible to set per-remote: use remote.<name>.proxy instead of http.proxy.

And, in case it still fails, please paste the output here.

bmeneg avatar Dec 23 '20 16:12 bmeneg

Thanks @bmeneguele

No git config --local http.proxy socks5://.. didn't help with lab. If I run lab ci --help it hangs for a few minutes. I can't see a verbose option but eventually it exits with: Error: User authentication failed. This is likely due to a misconfigured Personal Access Token. Verify the token or token_load config settings before attemping to authenticate.

I've setup the same token I use with glab when I executed lab, it created the toml config for me.

stemid avatar Dec 23 '20 16:12 stemid

Hmm, yeah.. it would help only for normal git commands, like lab clone which is a wrapper for git clone. I'm going to investigate it. However, unfortunately, I don't have an environment for testing it. If you're willing to help with some coding... any help is welcome :D.

But anyway, I'll take a look.

bmeneg avatar Dec 28 '20 14:12 bmeneg

At the same time, it should be already supported, since the env vars are being considered:

https://github.com/zaquestion/lab/blob/2e20fc0459551f63edb3d104289e2d433216a057/internal/gitlab/gitlab.go#L86-L103

ProxyFromEnvironment returns the URL of the proxy to use for a given request, as indicated by the
environment variables HTTP_PROXY, HTTPS_PROXY and NO_PROXY (or the lowercase versions thereof).
HTTPS_PROXY takes precedence over HTTP_PROXY for https requests.

Ref: https://golang.org/pkg/net/http/#ProxyFromEnvironment

And:

    // The proxy type is determined by the URL scheme. "http",
    // "https", and "socks5" are supported. If the scheme is empty,
    // "http" is assumed.

Ref: https://golang.org/pkg/net/http/#Transport

Interesting... Did you check if host is correctly set in the config file? Also, is there any need for a specific CA certificate to connect to the SSH tunnel? (it can be set through lab config file [tls] ca_file=.

bmeneg avatar Dec 28 '20 14:12 bmeneg

I have a couple of notes on this.

  1. I had this working about a year ago with something like this: alias lab="https_proxy=socks5h://localhost:8118 lab"
  2. I can successfully curl the user endpoint like so: curl --include -x socks5h://localhost:8118 https://git.myco/api/v4/user\?private_token\=<my-access-token>
  3. The CA file is installed on my system so curl doesn't need it. Even so I tried the suggestion by @bmeneguele above and added the [tls] config to my config file with no luck. My results are the same:
2021/01/01 09:38:18 config.go:194: Get "https://git.myco/api/v4/user": read tcp 192.168.0.162:56704->185.71.230.154:443: read: connection reset by peer
Error: User authentication failed.  This is likely due to a misconfigured Personal Access Token.  Verify the token or token_load config settings before attemping to authenticate.

I'm happy to screen-share to pair on a a merge request on my machine if someone is able to lend a hand. I'm really not very familiar with go, so some help would be great.

Thanks!

counterbeing avatar Jan 01 '21 16:01 counterbeing

I've confirmed that lab v0.15.3 works with socks5 proxy. I'm doing a git bisect to see where the problem occurred. I'll keep you posted.

counterbeing avatar Jan 01 '21 17:01 counterbeing

01e4354c3d4aba0c2d849da71983789a6f6ab154 is the first bad commit commit 01e4354c3d4aba0c2d849da71983789a6f6ab154 Author: Zaq? Wiedmann ***********@gmail.com Date: Mon Dec 16 14:55:52 2019 -0800

Set TLS skip verify when getting user

Also quick fix to skip user lookup when set to avoid the net call

internal/gitlab/gitlab.go | 10 ++-------- main.go | 45 ++++++++++++++++++++++++++++----------------- 2 files changed, 30 insertions(+), 25 deletions(-)

counterbeing avatar Jan 01 '21 17:01 counterbeing

So, the latest release that still works is v0.17.1

For now, I'm just going to use that as I'm not really sure what went wrong. @zaquestion Maybe you have some idea as you wrote the code? I'm happy to build and test anything if you think you have a fix, just mention me.

Thanks for the great library, so nice being able to spin up a new project without jumping through hoops in the UI!

As a note to anyone who wants to get it working with this release: You can just alias lab to https_proxy=socks5://<your proxy address> lab

counterbeing avatar Jan 01 '21 17:01 counterbeing

I'm using lab git version 2.28.0.

Using https_proxy works with glab, same repo, but not with lab. I also use this socks5 proxy for other things like kubectl, they all work.

That's why I created the issue, because I'm only seeing lab not working with this socks tunnel that I use for multiple things.

With lab it hangs for a very long time, several minutes. I abort it because I don't want to wait.

stemid avatar Jan 01 '21 20:01 stemid

@stemid just curious, does it work for you with the previous release of lab?

counterbeing avatar Jan 02 '21 02:01 counterbeing

@counterbeing tyvm for the bisect info! It's indeed really helpful. Could you both test the latest version but using the additional config option:

[tls]
skip_verify = true

?

bmeneg avatar Jan 04 '21 14:01 bmeneg

@bmeneguele I apologize, I saw this a while ago and forgot about it. Here's what I tried:

  1. I am using the latest on master.
  2. This is how my toml config file is formatted.
[core]
  host = "somewhre.com"
  token = "something"
[tls]
  skip_verify=true

This still fails

Error: User authentication failed.  This is likely due to a misconfigured Personal Access Token.  Verify the token or token_load config settings before attempting to authenticate.

counterbeing avatar Jan 28 '21 03:01 counterbeing

Ok, after some time I came back to look at this issue. I've set a SOCKS tunnel with a server I have access and tried to use lab through it. In one terminal:

$ ssh -D 1337 -C -N -4 <user>@<hostname>

In another terminal while SSH was running:

$ https_proxy=socks5://localhost:1337 lab mr list
...

it worked.

To make sure lab was indeed using the tunnel, I decided to trace the network usage of it to see what was the output host:port it was using. While SSH tunnel was running and before execute lab:

# watch 'netstat -np --inet | grep lab'

Then I ran lab exactly as before, and the output from netstat was:

tcp        0      0 127.0.0.1:34186         127.0.0.1:1337          ESTABLISHED 1207148/lab

So... yes, it's using the socks5 tunnel as expected.

@counterbeing I know you said you have the certificates for the proxy server installed in your system, but could you try passing it directly with the following config option?

[tls]
ca_file = <path>

bmeneg avatar Mar 04 '21 18:03 bmeneg