Page MenuHomePhabricator
Create Task
Maniphest T278315

global http_proxy setting
Closed, ResolvedPublic
Actions

Description

In the admin module we currently have a bunch of users who set some form of the following in the login profile http_proxy-http://webproxy:8080. The most complete of which comes from alex (updated slightly to make use of the dns search path)

function set_proxy {
        export HTTP_PROXY=http://webproxy:8080
        export HTTPS_PROXY=http://webproxy:8080
        export http_proxy=http://webproxy:8080
        export https_proxy=http://webproxy:8080
        export NO_PROXY=127.0.0.1,::1,localhost,.wmnet,.wikimedia.org,.wikipedia.org
        export no_proxy=127.0.0.1,::1,localhost,.wmnet,.wikimedia.org,.wikipedia.org
}

function clear_proxy {
        unset HTTP_PROXY
        unset HTTPS_PROXY
        unset http_proxy
        unset https_proxy
        unset NO_PROXY
        unset no_proxy
}

This ticket is to discuss if we should have this capability globally or at least every all locations required to use the proxy and if we do how should that look.

The first question to ask is What are the use cases for using the proxy manually on a production host? It possible we can fix theses use cases else where

however if we decide theses are useful for production:

do we need to add theses settings as a function so users explicitly set/unset the parameters (as above) or can we just set theses values in explicitly in /etc/profile.d/ and /etc/zsh/zshenv

If we think we should have theses as functions would it be make senses to automaticity call set_proxy on an interactive login?

Looking at this from a different side perhaps we should just add the config to the tools that most often need theses settings e.g.

/etc/wgetrc
http_proxy = http://webproxy:8080
https_proxy = http://webproxy:8080

I don't think curl has this option global so we would probably have to set up some global alias (which dosn't sound good)

finally i have noticed that some users add wikimedia.org to the list of no_proxy domains and some don't. Both methods work however depending on expectations one may be preferred over the other. There are likley also some edge cases for instance including wikimedia.org in the no_proxy list will me that some of the externally hosts sites e.g. https://wikitech-static.wikimedia.org wouldn't be available. however the amount of theses sites is i believe quite small and the benefit of having a direct connection may be preferred in this case?

Details

SubjectRepoBranchLines +/-
Add helper functions to setup proxy env varoperations/puppetproduction+35 -0
environment: add no_proxy config directly to environmentoperations/puppetproduction+32 -5
P:environment: Add ablilty to inject environment variablesoperations/puppetproduction+24 -12
P:environment: Add support for environment.d to zsh and bashoperations/puppetproduction+27 -9
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 OpenNoneT300977 Maybe restrict domains accessible by webproxy
 ResolvedayounsiT278315 global http_proxy setting

Event Timeline

jbond triaged this task as Medium priority.Mar 24 2021, 1:18 PM
jbond created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 24 2021, 1:18 PM
Volans subscribed.Mar 24 2021, 1:40 PM

Let me play the devil's advocate here, I hope to not have misunderstood your intentions, correct me if I'm wrong.

What are the use cases for using the proxy manually on a production host?
Isn't the whole purpose of having internet access blocked by default exactly to prevent the habit of downloading untrusted files from the internet on production hosts, manually and outside of our configuration management system?

I totally see that this might be needed in some cases, but IMHO those cases should come up rarely and be treated as exceptions and we should try to fix any other common use case that might exist.
Having the proxy settings already set by default all the time seems to go in the wrong direction.

AFAIK we currently don't even have any proper auditing at the proxy layer, so setting the proxies as a default for all users upon login seems even dangerous to me.
I like the fact that if I try to download something from the internet on a host it actually fails. That should make me think that I might be trying to do something the wrong way.

Kormat added a comment.Mar 24 2021, 1:50 PM

I'm in favour of not having the env have internet access by default, for safety reasons.

I'm one of the users that has a similar bash function defined for this purpose. The usecase is that sometimes i need to install something like wmfmariadbpy + its dependencies on a prod host (usually cumin1001) to test something. This requires using pip, which then requires net access.

jbond updated the task description. (Show Details)Mar 24 2021, 1:54 PM
akosiaris added a comment.Mar 24 2021, 1:54 PM

I have it as a shortcut function on my home dir and not set somewhere globally and easily accessible by everyone for more or less the same reason, that is to not encourage it's ab(use). If everyone resolves to something similar, we can go around and perhaps make life a tad easier for newcomers by putting it in /etc/profile.d/ but it should always remain a conscious choice to use it IMHO.

Ottomata added a comment.Mar 24 2021, 1:55 PM

FWIW, users of analytics would love this, but I understand the reasons not to enable it automatically.

fgiunchedi added a comment.Mar 24 2021, 2:10 PM

I also have a shell alias (proxy-on / proxy-off) for convenience and use it in a few cases when building packages require internet. +1 to have a shared alias available (since in practice we already have that, just sprinkled in a few places) (and -1 to have proxy enabled by default, for reasons already mentioned)

jbond added a comment.EditedMar 24 2021, 2:11 PM

thanks all

What are the use cases for using the proxy manually on a production host?

I have added this to the description

Isn't the whole purpose of having internet access blocked by default

Im unsure what the motivations where here however been picky...

I'm in favour of not having the env have internet access by default

I would argue its not blocked by default and im not even sure we could argue obfuscation considering https://wikitech.wikimedia.org/wiki/HTTP_proxy and grep -iE 'https?_proxy' /home/*/.bashrc. normally using a proxy is more about audit and finer grade filtering capabilities as oppose to completely blocking access. however

AFAIK we currently don't even have any proper auditing at the proxy layer,

We should probably fix this

not set somewhere globally and easily accessible by everyone

i feel that's already available with https://wikitech.wikimedia.org/wiki/HTTP_proxy

and -1 to have proxy enabled by default, for reasons already mentioned)
I like the fact that if I try to download something from the internet on a host it actually fails.
but it should always remain a conscious choice to use it IMHO.

Ack this makes senses to me and if agreed would probably just but something similar to functions in the description in /etc/profile.d/proxy.sh

nshahquinn-wmf subscribed.Mar 24 2021, 2:15 PM
aborrero unsubscribed.Mar 24 2021, 4:38 PM
jbond moved this task from Unsorted 💣 to Friday tasks on the User-jbond board.May 27 2021, 4:36 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
jbond updated the task description. (Show Details)Mar 15 2022, 10:37 AM
jbond updated the task description. (Show Details)
ayounsi added a parent task: T300977: Maybe restrict domains accessible by webproxy.Mar 15 2022, 10:42 AM
ayounsi subscribed.Mar 15 2022, 11:24 AM

Thanks for looking into that @jbond!
As we now have better auditability, and an ongoing conversation about Squid ACLs (T300977) this is something we should look into.

Right now we don't seem to have much coherence between hosts, and I agree the proxies (and internal hosts ) are supposed to be an extra layer of defense.

(and let's not discuss a NAT firewall as this would bring its own can of worms, complicating the existing setup).

Public hosts
Those don't need to use the proxies as they have direct internet access (FERM rules permitting).
The case could be made that it would be beneficial to bring global consistency (HTTP across the infra) and auditability.
However, the downsides are too high: significant change, additional service dependency, local inconsistency (HTTP vs. other protocols)

Private hosts
Those don't have the choice, they need the proxies to reach external resources (over HTTP).
Here I tend to agree that proxies should not be configured by default for the reasons mentioned in previous comments. This could potentially change in the future, especially if they are tied to a whitelist.
That said, if a user makes the conscious choice to use the proxies, we should make it easy (and consistent) for them to use it.
That's where I like @jbond's idea to have script available for users to run (especially if less familiar with our infra, eg. analytics people). This should go hand in hand with an updated/cleaned up documentation.

In addition, and if possible, we should push an authoritative no_proxy options across all the hosts, for consistency, that would only be used when http_proxy is set.
Looking at the dashboard, a lot of proxy traffic is for destinations that don't need proxy access. If that's possible it should be carefully rolled out to analytics hosts only when the analytics ACLs are opened up (T298087), as the proxies are involuntarily a way to workaround those ACLs.

ayounsi mentioned this in T300977: Maybe restrict domains accessible by webproxy.Mar 15 2022, 4:46 PM
gerritbot added a comment.Mar 16 2022, 5:31 PM

Change 771411 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] P:environment: Add no_proxy values to the default environment

https://gerrit.wikimedia.org/r/771411

gerritbot added a project: Patch-For-Review.Mar 16 2022, 5:31 PM
gerritbot added a comment.Mar 17 2022, 11:26 AM

Change 771568 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] P:environment: Add support for environment.d to zsh and bash

https://gerrit.wikimedia.org/r/771568

gerritbot added a comment.Mar 17 2022, 5:25 PM

Change 771568 merged by Jbond:

[operations/puppet@production] P:environment: Add support for environment.d to zsh and bash

https://gerrit.wikimedia.org/r/771568

gerritbot added a comment.Mar 24 2022, 12:11 PM

Change 771411 merged by Jbond:

[operations/puppet@production] P:environment: Add ablilty to inject environment variables

https://gerrit.wikimedia.org/r/771411

Maintenance_bot removed a project: Patch-For-Review.Mar 24 2022, 1:10 PM
gerritbot added a comment.Jan 11 2023, 12:24 PM

Change 878884 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] environment: add no_proxy config directly to environment

https://gerrit.wikimedia.org/r/878884

gerritbot added a project: Patch-For-Review.Jan 11 2023, 12:24 PM
gerritbot added a comment.Jan 12 2023, 2:13 PM

Change 878884 merged by Jbond:

[operations/puppet@production] environment: add no_proxy config directly to environment

https://gerrit.wikimedia.org/r/878884

Maintenance_bot removed a project: Patch-For-Review.Jan 12 2023, 2:31 PM
jbond edited projects, added Puppet-Core; removed Puppet.Jun 12 2023, 5:32 PM
nshahquinn-wmf updated the task description. (Show Details)Jul 6 2023, 11:35 PM
gerritbot added a comment.Oct 25 2023, 3:51 PM

Change 968716 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] Add helper bash function to setup proxy env var

https://gerrit.wikimedia.org/r/968716

gerritbot added a project: Patch-For-Review.Oct 25 2023, 3:52 PM
ayounsi added a comment.Oct 25 2023, 4:04 PM

Going though this task after discussing proxies in another group.

The side of this task about forcing sane no_proxy settings is done thanks to the few patches from @jbond above.

The remaining side, probably just "nice to have" is to add a helper script users can use to quickly and correctly set the proxies in their session. A bit like what's described in the task description. Hopefully https://gerrit.wikimedia.org/r/968716 does it well.

gerritbot added a comment.Oct 26 2023, 9:34 AM

Change 968716 merged by Ayounsi:

[operations/puppet@production] Add helper functions to setup proxy env var

https://gerrit.wikimedia.org/r/968716

ayounsi closed this task as Resolved.Oct 26 2023, 9:47 AM
ayounsi claimed this task.

Updated the doc https://wikitech.wikimedia.org/wiki/HTTP_proxy
I think everything here is done. Please re-open if not.

Maintenance_bot removed a project: Patch-For-Review.Oct 26 2023, 10:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL