| I'm re-opening this ticket, because I believe the severity of the problem hasn't been fully appreciated. Any security-competent site that requires outbound HTTP[S] traffic to use a network proxy will have configured the proxy to deny all requests for internal resources. (Otherwise, internal users can bypass internal network ACLs by routing requests through the proxy.) This means that any application that is proxy-aware must implement an exception list for the proxy. Without this exception list, the application is essentially offering its users two choices:
- You can access foreign resources, but not local resources.
- You can access local resources, but not foreign resources.
We see this in the applications that rely on the curl-style (http_proxy, https_proxy, and no_proxy) environment variables. E.g.:
The no_proxy setting is not optional: without this, applications will not be able to access local resources. As a real-world example of just how critical the no_proxy list is, consider this example:
package { 'r10k': |
ensure => present, |
provider => puppet_gem, |
}
|
This cannot be implemented with sites that use a proxy. If I do not configure the agent to use the proxy, then the agent will fail to install the gem:
But if I configure the agent to use the proxy, the agent will attempt to use the proxy to connect to the Puppet server, which fails:
Warning: Unable to fetch my node definition, but the agent run will continue: |
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetserver.example.org]
|
To put it as bluntly as possible: without the ability to add exception lists, Puppet's proxy handling is fundamentally broken, and for Puppet users who have to use a (properly-configured) proxy server, Puppet's broken proxy handling breaks core features of Puppet. (The only reason why Puppet has been usable for us until now is because up to this point, we have haven't needed to set proxy settings for Puppet, because we have only used package resources to install RPM packages, and we mirror all yum repositories locally. But we have customers who want to use Puppet package resources with other providers, and mirroring all of rubygems.org, pypi.python.org, et. al. locally just to work around Puppet's broken proxy handling is a really tough sell.) |
