Docker Behind Proxy That Changes Ssl Certificate

Docker behind proxy that changes ssl certificate

To configure docker to work with a proxy system you first need to add the HTTPS_PROXY / HTTP_PROXY environment variable to the docker sysconfig file. However, depending on whether you use init.d or the service tool, you need to add the "export" statement. As a workaround you can simply add both variants in the sysconfig file of docker:

/etc/sysconfig/docker

HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"

To get docker working with SSL-intercepting proxies you have to add the proxy root certificate to the system's trust store.

For CentOS, copy the file to /etc/pki/ca-trust/source/anchors/ and update the CA trust store. Restart the docker service afterwards.
If your proxy uses NTLM authentication, it is necessary to use an intermediate proxy like cntlm.
This blog post explains it in detail.

Docker on Mac behind proxy that changes ssl certificate

According to the boot2docker README

Insecure Registry

As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.

$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart

Then you should be able to do a docker push/pull.

Reverse proxy cannot load ssl certificates

I ran into the same issue when trying to build a Nexus deployment with Nginx. The container can't traverse the symlinks in the ssl.conf, since your pointers to your Let's Encrypt keys point from live --> archive.

To resolve this you can't just change the pointer to archive since files like

chain.pem -> ../../archive/site.tld/chain1.pem

The only way I could get this to work was to point not to the symlink but to the actual file on disk. Note the 1 in the filename, which matches what's on disk.

My /etc/ssl/private

ssl_certificate /etc/ssl/private/fullchain1.pem;
ssl_certificate_key /etc/ssl/private/privkey1.pem;
ssl_trusted_certificate /etc/ssl/private/chain1.pem;
ssl_dhparam /etc/nginx/dhparams.pem;

So in my docker-compose.yml you can see me mount the volume:

volumes:
  - /etc/letsencrypt/archive/example.site.com:/etc/ssl/private

I am sure there is a more elegant way but this is the only way I could get this to work.

Installing SSL CA certificates for docker container on Windows

Turns out company proxies can swap SSL certificates in a Man-in-the-middle manner.
The standard certificates from apt-get install ca-certificates or python's certifi package are not going to include these company certificates. Additionally, this is not specifically a Docker-related question but a question of "How to install a root certificate on Linux". Debian, to be more precise, because that's what Docker containers run by default.

This was not as straightforward as expected. Here's what worked in the end:

  1. Use the company's certificates in .pem format to begin with.

  2. Rename them so they end with .crt. Do NOT use any openssl .pem to .crt transformation. In my case, every .crt file I found online was encoded in a way that made it unreadable for Notepad++, Vim and alike. .pem files on the other hand looked fine.

  3. Copy the renamed certificates to the proper ca-certificate location on your OS.

  4. Install the certificates via update-ca-certificates.

Translated into a Dockerfile, here's the important part:

COPY root.pem /usr/local/share/ca-certificates/root.crt
COPY proxy.pem /usr/local/share/ca-certificates/proxy.crt
RUN update-ca-certificates

Cannot download Docker images behind a proxy

Here is a link to the official Docker documentation for HTTP proxy configuration:
https://docs.docker.com/config/daemon/systemd/#httphttps-proxy

A quick outline:

First, create a systemd drop-in directory for the Docker service:

mkdir /etc/systemd/system/docker.service.d

Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY and HTTPS_PROXY environment variables:

[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="HTTPS_PROXY=http://proxy.example.com:80/"

If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:

Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="HTTPS_PROXY=http://proxy.example.com:80/"
Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"

Flush changes:

$ sudo systemctl daemon-reload

Verify that the configuration has been loaded:

$ sudo systemctl show --property Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/
Environment=HTTPS_PROXY=http://proxy.example.com:80/

Restart Docker:

$ sudo systemctl restart docker

Footnote regarding HTTP_PROXY vs. HTTPS_PROXY: for a long time, setting HTTP_PROXY alone has been good enough. But with version 20.10.8, Docker has moved on to Go 1.16, which changes the semantics of this variable:
https://golang.org/doc/go1.16#net/http

For https:// URLs, the proxy is now determined by the HTTPS_PROXY variable, with no fallback on HTTP_PROXY.
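To make the NO_PROXY rules and the Go 1.16 "no fallback" footnote concrete, here is an added Python model of how a Go 1.16+ HTTP client (and therefore dockerd) chooses a proxy for a registry URL. It is illustration code written for this page, not Docker's or Go's own implementation, and it is deliberately simplified: it handles the NO_PROXY forms shown above (hostnames, domain suffixes, IP addresses and CIDR blocks) and ignores port suffixes and the "*" wildcard.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed env dict mirroring the systemd drop-in on this page
# (not read from the real process environment).
PAGE_ENV = {
    "HTTP_PROXY": "http://proxy.example.com:80/",
    "HTTPS_PROXY": "http://proxy.example.com:80/",
    "NO_PROXY": "localhost,127.0.0.0/8,docker-registry.somecorporation.com",
}


def _no_proxy_match(host: str, no_proxy: str) -> bool:
    """Return True when `host` should bypass the proxy according to NO_PROXY."""
    host = host.lower().rstrip(".")
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None                      # a hostname, not a literal IP
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if "/" in entry:                    # CIDR block such as 127.0.0.0/8
            try:
                network = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue                    # malformed entry, ignore it
            if host_ip is not None and host_ip in network:
                return True
            continue
        # "corp.com" matches corp.com and any subdomain; a leading "." is treated the same way here
        entry = entry.lstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def select_proxy(url: str, env: dict) -> Optional[str]:
    """Return the proxy URL dockerd would use for `url`, or None for a direct connection."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if _no_proxy_match(host, env.get("NO_PROXY", env.get("no_proxy", ""))):
        return None
    if parts.scheme == "https":
        # Go 1.16 semantics: https:// URLs consult HTTPS_PROXY only, with no fallback to HTTP_PROXY.
        return env.get("HTTPS_PROXY") or env.get("https_proxy") or None
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None
```

Running `select_proxy("https://registry-1.docker.io/v2/", {"HTTP_PROXY": "http://proxy.example.com:80/"})` returns None, which is exactly the silent "image pulls go direct and time out" failure the footnote warns about when only HTTP_PROXY is set.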

Can proxy change SSL certificate?

It probably goes like this: you have your IT department's certificate as a trusted root certificate on your computer. When you browse to an HTTPS address, the proxy generates a certificate for that site on the fly, signed by the certificate that's trusted by your browser. You then communicate with your proxy, and the proxy communicates with the real site. Both "legs" of the travel are over SSL/TLS, so you're safe from a random man in the middle, but your IT department can theoretically view all the communication.
