Working Through a Proxy

Docker

If docker.mitigator.ru is reached through a proxy, Docker must be configured to use that proxy.

On systems running systemd, you need to:

  1. Create a drop-in for the Docker service that sets the proxy in its environment (replace the proxy connection details with your own):

    # Quoting 'END' stops the shell from expanding $ or backticks in the password.
    mkdir -p /etc/systemd/system/docker.service.d && \
    cat >/etc/systemd/system/docker.service.d/proxy.conf <<'END'
    [Service]
    Environment=HTTP_PROXY=http://user:password@proxy.local:1234
    Environment=HTTPS_PROXY=http://user:password@proxy.local:1234
    Environment=NO_PROXY=docker.local
    END
  2. Add the proxy certificate to Docker's trusted certificates (replace /path/to/proxy.crt with the path to the proxy certificate):

    mkdir -p /etc/docker/certs.d/docker.mitigator.ru && \
    cp /path/to/proxy.crt /etc/docker/certs.d/docker.mitigator.ru/ca.crt
  3. Reload the systemd unit definitions and restart the Docker service:

    systemctl daemon-reload && \
    systemctl restart docker

MITIGATOR

If MITIGATOR communicates with the license server (ls.mitigator.ru), the mail server and the Vestochka service through a proxy, set the proxy environment variables:

  1. Create a YAML file named docker-compose.proxy.yml with the following content:

    services:
      backend:
        environment:
          HTTP_PROXY: "http://user:password@proxy.local:3128"
          HTTPS_PROXY: "http://user:password@proxy.local:3128"
  2. Add docker-compose.proxy.yml to the COMPOSE_FILE list in the .env file:

    sed -i 's/^COMPOSE_FILE=\(.*\)$/COMPOSE_FILE=\1:docker-compose.proxy.yml/' .env
  3. If necessary, also set NO_PROXY (the addresses that must be accessed without a proxy). It must include .mitigator, localhost, 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12:

    NO_PROXY: "<new servers>,.mitigator,localhost,127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
  4. Restart the backend service:

    docker-compose up -d backend

Do not put proxy settings in the ~/.docker/config.json configuration file. If non-MITIGATOR containers need these settings, specify them only for those containers.
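The following pre-flight checks are an added example, not part of the MITIGATOR documentation. They confirm that a NO_PROXY value contains the entries required in step 3, make the COMPOSE_FILE edit from step 2 safe to re-run, and flag files carrying the proxy password that are readable by all users. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the MITIGATOR docs); function names are hypothetical.

# Entries the page says NO_PROXY must contain.
REQUIRED_NO_PROXY=".mitigator localhost 127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

# Print each required entry that is missing from the comma-separated list $1.
missing_no_proxy() {
    list=",$(printf '%s' "$1" | tr -d ' '),"
    for entry in $REQUIRED_NO_PROXY; do
        case "$list" in
            *",$entry,"*) ;;                 # present as a whole list element
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Append docker-compose.proxy.yml to COMPOSE_FILE in env file $1 unless it is
# already listed, so running the step twice does not add the file twice.
add_proxy_compose() {
    env_file=$1
    if grep -Eq '^COMPOSE_FILE=(.*:)?docker-compose\.proxy\.yml(:.*)?$' "$env_file"; then
        return 0
    fi
    sed -i 's/^COMPOSE_FILE=\(.*\)$/COMPOSE_FILE=\1:docker-compose.proxy.yml/' "$env_file"
}

# Succeed if $1 is readable by "other". proxy.conf and docker-compose.proxy.yml
# hold user:password in the proxy URL, so they should fail this test
# (for example after chmod 600).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}
```

Run `missing_no_proxy` on the final NO_PROXY string before restarting the backend; any output means a required entry was dropped.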

HTTPS-proxy

  1. Install the proxy certificate system-wide, using the command that matches the host's certificate tooling.

     With update-ca-certificates:

    cp proxy.crt /usr/local/share/ca-certificates/ && update-ca-certificates

     With update-ca-trust:

    cp proxy.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust

     With update-ca-trust followed by an explicit extract:

    cp proxy.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust && update-ca-trust extract
  2. Bind the system certificates into the backend service. To do this, add volume bindings to docker-compose.proxy.yml.

     For hosts where the certificate was copied to /usr/local/share/ca-certificates:

    services:
      backend:
        volumes:
          - /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro
          - /etc/ssl/certs:/etc/ssl/certs:ro

     For hosts where it was copied to /etc/pki/ca-trust/source/anchors (both update-ca-trust variants):

    services:
      backend:
        volumes:
          - /etc/pki/ca-trust/extracted/pem/:/etc/ssl/certs:ro
          - /etc/pki/ca-trust/source/anchors/:/usr/local/share/ca-certificates:ro
  3. Restart the backend service:

    docker-compose up -d backend

    docker-compose up -d backend