
[FR] Add support for no_proxy environment variable #185

Open
eleblebici opened this issue Oct 19, 2024 · 1 comment

Comments

@eleblebici

It's a feature request.

When we run the "check_ssl_cert" script manually, it seems it's trying to fetch the CA certificate from the URI (CA issuer):

[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/Qdqv0f created
[DBG] Storing the chain element in /tmp/Qdqv0f
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 22b7e9b1
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt
[DBG] checking issuer URIs: http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt
[DBG] OCSP: fetching issuer certificate http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt to /tmp/JhwPzk
[DBG] exec_with_timeout /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.52.0' --location \"http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt\" > /tmp/JhwPzk
[DBG]   TIMEOUT_REASON = OCSP: fetching issuer http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.52.0' --location \"http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt\" > /tmp/JhwPzk
[DBG]   start time = 1729321422
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.52.0' --location \"http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt\" > /tmp/JhwPzk"
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = Timeout after 120 seconds
[DBG] prepend_critical_message: CRITICAL_MSG   =
[DBG] prepend_critical_message: ALL_MSG 1      =
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL *.xxx.yyy.com: Timeout after 120 seconds
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL *.xxx.yyyl.com: Timeout after 120 seconds
[DBG] prepend_critical_message: ALL_MSG 2      =
[DBG]     SSL_CERT CRITICAL *.xxx.yyy.com: Timeout after 120 seconds
[DBG] CRITICAL ----------------------------------------

But the machines in the environment have no internet access. When we set the http_proxy, https_proxy, and no_proxy environment variables, it seems the script does not check the "no_proxy" environment variable and always sends the requests to the proxy.

[DBG] Proxy settings (before):
[DBG]   http_proxy  = http://<proxy_ip>:3128/
[DBG]   https_proxy = http://<proxy_ip>:3128/
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG] Adding --proxy http://<proxy_ip>:3128/ to the curl options
[DBG] Adding -proxy <proxy_ip>:3128 to the s_client options
[DBG] Proxy settings (after):
[DBG]   http_proxy  = http://<proxy_ip>:3128/
[DBG]   https_proxy = http://<proxy_ip>:3128/
[DBG]   HTTP_PROXY  = http://<proxy_ip>:3128/
[DBG]   HTTPS_PROXY = http://<proxy_ip>:3128/
[DBG]   s_client    = -proxy <proxy_ip>:3128
[DBG]   curl        = --proxy http://<proxy_ip>:3128/
[DBG] A proxy is specified: nmap disabled

It forwards the requests to the proxy even though the host we are checking is an internal one (which has a private IP):

[DBG] ' | /usr/bin/openssl s_client    -crlf  -connect xxx.yyy.com:8776 -servername xxx.yyy.com -proxy <proxy_ip>:3128 -showcerts -verify 6        2> /tmp/Uj7Jkw 1> /tmp/O7cIa9
[DBG]   TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'HEAD /healthcheck HTTP/1.1
[DBG] Host: xxx.yyy.com
[DBG] User-Agent: check_ssl_cert/2.52.0
[DBG] Connection: close

In the usage information, it seems we have the following options:

    echo "      --no-proxy                   Ignore the http_proxy and https_proxy"
    echo "                                   environment variables"
    echo "      --no-proxy-curl              Ignore the http_proxy and https_proxy"
    echo "                                   environment variables for curl"
    echo "      --no-proxy-s_client          Ignore the http_proxy and https_proxy"
    echo "                                   environment variables for openssl s_client"

But they cannot be configured via a Juju option. It would be nice to have this opportunity.

Thanks.


Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/SOLENG-799.

This message was autogenerated
