Docker behind proxy that changes ssl certificate
To configure docker to work with a proxy system you first need to add the HTTPS_PROXY / HTTP_PROXY environment variable to the docker sysconfig file. However depending on if you use init.d or the services tool you need to add the "export" statement. As a workaround you can simply add both variants in the sysconfig file of docker:
/etc/sysconfig/docker
HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
To get docker working with ssl intercepting proxies you have to add the proxy root certificate to the systems trust store.
For CentOS copy the file to /etc/pki/ca-trust/source/anchors/ and update the ca trust store. Restart the docker service afterwards.
If your proxy uses NTLM authentication - it's necessary to use intermediate proxies like cntlm.
This blog post explains it in detail
Docker on Mac behind proxy that changes ssl certificate
According to the boot2docker README
Insecure Registry
As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.
$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
then you should be able to do a docker push/pull.
Reverse proxy cannot load ssl certificates
I ran into the same issue when trying to build a Nexus deployment with Nginx. The container can't traverse the symlinks in the ssl.conf since your pointers to your letencrypt keys point from live --> archive.
To resolve this you can't just change the pointer to archive since files like
chain.pem -> ../../archive/site.tld/chain1.pem
The only way I could get this to work was to point not to the symlink but the actual file on disk. Note the 1
in the filename which matches whats on disk.
My /etc/ssl/private
ssl_certificate /etc/ssl/private/fullchain1.pem;
ssl_certificate_key /etc/ssl/private/privkey1.pem;
ssl_trusted_certificate /etc/ssl/private/chain1.pem;
ssl_dhparam /etc/nginx/dhparams.pem;
So in my docker-compose.yml
You can see me mount the volume
volumes:
- /etc/letsencrypt/archive/example.site.com:/etc/ssl/private
I am sure there is a more elegant way but this is the only way I could get this to work.
Installing SSL CA certificates for docker container on Windows
Turns out company proxies can swap SSL certificates in a Man-in-the-middle manner.
The standard certificates from apt-get install ca-certificates
or python's certifi package are not going to include these company certificates. Additionally, this is not specifically a Docker related question but a question of "How to install a root certificate on Linux". Debian to be more precise, because thats what Docker containers run by default.
This was not as straight-forward as expected. Here's what worked in the end:
Use the company's certificates in .pem format to begin with.
Rename them so they end with .crt. Do NOT use any openssl .pem to .crt transformation. In my case, every .crt file I found online was encoded in a way that made it unreadable for Notepad++, Vim and alike. .pem files on the other hand looked fine.
Copy the renamed certificates to the proper ca-certificate location on your OS.
Install the certificates via
update-ca-certificates
.
Translated into a Dockerfile, here's the important part:
COPY root.pem /usr/local/share/ca-certificates/root.crt
COPY proxy.pem /usr/local/share/ca-certificates/proxy.crt
RUN update-ca-certificates
Cannot download Docker images behind a proxy
Here is a link to the official Docker documentation for proxy HTTP:
https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
A quick outline:
First, create a systemd drop-in directory for the Docker service:
mkdir /etc/systemd/system/docker.service.d
Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf
that adds the HTTP_PROXY
and HTTPS_PROXY
environment variables:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="HTTPS_PROXY=http://proxy.example.com:80/"
If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY
environment variable:
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="HTTPS_PROXY=http://proxy.example.com:80/"
Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"
Flush changes:
$ sudo systemctl daemon-reload
Verify that the configuration has been loaded:
$ sudo systemctl show --property Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/
Environment=HTTPS_PROXY=http://proxy.example.com:80/
Restart Docker:
$ sudo systemctl restart docker
Footnote regarding HTTP_PROXY
vs. HTTPS_PROXY
: for a long time, setting HTTP_PROXY
alone has been good enough. But with version 20.10.8, Docker has moved on to Go 1.16, which changes the semantics of this variable:
https://golang.org/doc/go1.16#net/http
For https://
URLs, the proxy is now determined by the HTTPS_PROXY
variable, with no fallback on HTTP_PROXY
.
Can proxy change SSL certificate?
It probably goes like this: you have your IT department's certificate as a trusted root certificate on your computer. When you browse to an HTTPS address, the proxy generates a certificate for that site on the fly, signed by the certificate that's trusted by your browser. You then communicate with your proxy, and the proxy communicates with the real site. Both "legs" of the travel are over SSL/TLS, so you're safe from a random man in the middle, but your IT department can theoretically view all the communication.
Related Topics
Which Jdk's Distributions Can Run 'Javac -Source 1.6 -Target 1.5'
How to Display Only Files from Aws S3 Ls Command
Docker Behind Proxy That Changes Ssl Certificate
Gdb Does Not Hit Any Breakpoints When I Run It from Inside Docker Container
How to Install R 3.1.2 on Linux Mint 17.1
How to Generate Plain-Text Source-Code PDF Examples That Work in a Document Viewer
Have 5 Scripts Running at Any Given Time
Docker Alpine Executable Binary Not Found Even If in Path
Makefile Command Substitution Problem
What Scheduling Algorithms Does Linux Kernel Use
What Is Terminal Escape Sequence for Ctrl + Arrow (Left, Right,...) in Term=Linux
How to Setup a Periodic Timer Callback in a Linux Kernel Module
How to Do Foreach *.Mp3 File Recursively in a Bash Script