Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Josh Cooper
Fix Version/s:
PUP 6.8.0
Fix Version/s:
PUP 6.4.4
Fix Version/s:
PUP 6.0.11
Fix Version/s:
PUP 5.5.17
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Josh Cooper commented on PUP-2172
Re: Add exceptions to http_proxy_{port,host}
Tickets PUP-9942 and PUP-9316 allow a proxy exception list to be specified via NO_PROXY environment variable or Puppet[:no_proxy] puppet setting respectively, which I think addresses most of the concerns in this ticket. Ticket PUP-8027 covers the gem provider issue. The remaining issue is whether puppet should not use a proxy for some hosts by default. Skipping localhost is easy enough, but I don't think we should skip hosts in the same domain by default. That could be a breaking change for some, and be highly dependent on the network environment. For this ticket, I'm thinking we should just skip localhost by default.
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.31144.1396893516000.47687.1565223960305%40Atlassian.JIRA.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Josh Cooper assigned an issue to Josh Cooper
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Josh Cooper
Assignee:
Josh Cooper
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.31144.1396893516000.47664.1565222402721%40Atlassian.JIRA.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Josh Cooper
Sprint:
Platform Core KANBAN
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.31144.1396893516000.47649.1565222340705%40Atlassian.JIRA.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Josh Cooper
Team:
Coremunity
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
James Ralston commented on PUP-2172
Re: Add exceptions to http_proxy_{port,host}
I'm re-opening this ticket, because I believe the severity of the problem hasn't been fully appreciated. Any security-competent site that requires outbound HTTP[S] traffic to use a network proxy will have configured the proxy to deny all requests for internal resources. (Otherwise, internal users can bypass internal network ACLs by routing requests through the proxy.) This means that any application that is proxy-aware must implement an exception list for the proxy. Without this exception list, the application is essentially offering its users two choices:
You can access foreign resources, but not local resources.
You can access local resources, but not foreign resources.
We see this in the applications that rely on the curl-style (http_proxy, https_proxy, and no_proxy) environment variables. E.g.:
$ set | grep proxy
http_proxy=http://proxy.example.org:8080
https_proxy=http://proxy.example.org:8080
no_proxy=localhost,.example.org
The no_proxy setting is not optional: without this, applications will not be able to access local resources. As a real-world example of just how critical the no_proxy list is, consider this example:
package { 'r10k':
ensure => present,
provider => puppet_gem,
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
James Ralston updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
James Ralston
Affects Version/s:
PUP 5.4.0
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Moses Mendoza updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Moses Mendoza
Labels:
triaged
Add Comment
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Aaron Armstrong updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Aaron Armstrong
Component/s:
NetworkingServices
Add Comment
This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
--
You received this message because you are subscribed to the Google Groups Puppet Bugs group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Andy Parker updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Andy Parker
Affects Version/s:
3.5.0
Affects Version/s:
3.4.3
Add Comment
This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede)
--
You received this message because you are subscribed to the Google Groups Puppet Bugs group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Andy Parker commented on an issue
Re: Add exceptions to http_proxy_{port,host}
I think adding a configurable list of excludes makes sense. There are a couple things to keep in mind:
The proxy exclusion needs to be reevaluated whenever a redirect is followed (I think this should trivially happen from the existing code)
As Josh points out, we aren't consistent everywhere. We should do a check of the code and make sure everything is consistently making HTTP requests
Right now some parts respect the http_proxy (or HTTP_PROXY) environment variable, but not everything. We need to combine those code paths so that everything respects the same proxy settings in the same way.
Add Comment
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
We had a PE site which had set the http_proxy_\{port,host\} settings for PMT usage, which had the unintended consequence that all puppet master http connections went through the proxy, including those to the dashboard for node lookups. When something (not yet identified) changed in the network/proxy configuration, these lookups failed causing all agent ru...
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Kylo Ginsberg created an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Issue Type:
Bug
Affects Versions:
3.5.0
Assignee:
Andy Parker
Components:
Networking Services
Created:
07/Apr/14 10:58 AM
Priority:
Normal
Reporter:
Kylo Ginsberg
We had a PE site which had set the http_proxy_ {port,host}
settings for PMT usage, which had the unintended consequence that all puppet master http connections went through the proxy, including those to the dashboard for node lookups. When something (not yet identified) changed in the network/proxy configuration, these lookups failed causing all agent runs to fail.
This raises the question about whether it ever makes sense for the master to use a proxy for connections to localhost.
We've considered two approaches here: 1) add a new setting for http proxy exclusions. This could be set to, e.g. localhost;*.internal.lan, etc. 2) never using the proxy settings when talking to localhost
There may be some other approaches that would work as well.
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Joshua Cooper commented on an issue
Re: Add exceptions to http_proxy_{port,host}
One fun fact is that the PMT uses two different code paths when making network connections. One path uses open-uri, which relies on environment specific proxy settings. The other path uses puppet's networking code. I think the former is used when searching, the latter when downloading, though I may have those backwards. So we need to make sure that this PR accounts for both scenarios.
This is based off of my recollection from the open source PMT circa 3.3 in the puppet repo. Things may have changed in pe-puppet or in PMT itself that this is no longer an issue.
Add Comment
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
We had a PE site which had set the http_proxy_{port,host} settings for PMT usage, which had the unintended consequence that all puppet master http connections went through the proxy, including those to the dashboard for node lookups. When something (not yet identified) changed in the network/proxy configuration, these lookups failed causing all agent runs...
This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede)
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title
Joshua Partlow updated an issue
Puppet / PUP-2172
Add exceptions to http_proxy_{port,host}
Change By:
Joshua Partlow
WehadaPEsitewhichhadsetthehttp_proxy_ \ {port,host \ }settingsforPMTusage,whichhadtheunintendedconsequencethatallpuppetmasterhttpconnectionswentthroughtheproxy,includingthosetothedashboardfornodelookups.Whensomething(notyetidentified)changedinthenetwork/proxyconfiguration,theselookupsfailedcausingallagentrunstofail.Thisraisesthequestionaboutwhetherit*ever*makessenseforthemastertouseaproxyforconnectionstolocalhost.We'veconsideredtwoapproacheshere:1)addanewsettingforhttpproxyexclusions.Thiscouldbesetto,e.g.{{localhost;*.internal.lan}},etc.2)neverusingtheproxysettingswhentalkingtolocalhostTheremaybesomeotherapproachesthatwouldworkaswell.
Add Comment
This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede)
--
You received this message because you are subscribed to the Google Groups Puppet Bugs group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
