Posts tagged with “Proxy” on Mark van Lent’s weblog 2022-05-10T00:00:00+00:00 tag:markvanlent.dev,2010-04-02:/tags/proxy/index.xml Mark van Lent https://markvanlent.dev/about/ Copyright (c) Mark van Lent, Creative Commons Attribution 4.0 International License. https://markvanlent.dev/favicon.ico <![CDATA[Pulling Docker images via a SOCKS5 proxy]]> https://markvanlent.dev/2022/05/10/pulling-docker-images-via-a-socks5-proxy/ map[name:Mark van Lent uri:https://markvanlent.dev/about/] 2022-05-10T20:14:56Z 2022-05-10T00:00:00Z This post describes how you can work around a firewall to pull Docker images from a server that you do not have direct access to, using a SOCKS5 proxy.

Why would you want to do this?

Let us assume you are in a corporate environment. And let us further assume that you want to pull Docker images from a registry that you do not have direct access to from that corporate environment, for instance because the registry is running on a non-standard port and is thus blocked by a firewall.

The direct connection between the laptop and server is not allowed

So for instance the following does not work for you:

docker pull registry.example.com:5678/image

Now let’s make a few more assumptions:

  • You have got SSH access to a machine outside of the corporate environment.
  • You are not violating any policy by bypassing the firewall, or have permission to do so.

Workaround

To work around the issue, you can do the following:

  • Connect to a machine over SSH
  • Tunnel your docker pull command via that SSH connection.

Using a proxy to tunnel your traffic

Setting up the SOCKS5 proxy connection

You are going to use the -D option in your SSH command. This allocates a socket listing on a port. Connections made to this port are forwarded over the (secure) channel.

For example, if you can use host 172.31.10.5 as a proxy, the command would look like this:

ssh -D 8080 172.31.10.5

Every connection to port 8080 on localhost is proxied via host 172.31.10.5.

Configure Docker

To make Docker use the proxy, you will have to configure dockerd. One way to do this is to create the file /etc/systemd/system/docker.service.d/proxy.conf with the following content:

[Service]
Environment="HTTP_PROXY=socks5://127.0.0.1:8080"
Environment="HTTPS_PROXY=socks5://127.0.0.1:8080"

(You most likely do not even need the HTTP_PROXY line, but it also doesn’t hurt. ;-) )

Once this file is in place, you need to restart the Docker service:

systemctl daemon-reload
systemctl restart docker

When you run the following command again, the traffic is tunneled via your proxy.

docker pull registry.example.com:5678/image

Voilà, the firewall is bypassed and you can now pull your Docker image.

]]> <![CDATA[Setting up a temporary HTTP/HTTPS proxy via SSH]]> https://markvanlent.dev/2013/09/19/setting-up-a-temporary-http-https-proxy-via-ssh/ map[name:Mark van Lent uri:https://markvanlent.dev/about/] 2022-05-10T20:18:22Z 2013-09-19T06:32:00Z Currently I’m working on a project where I have the staging environment running on a virtual machine in a vlan. However, the virtual machine cannot directly access the internet for security reasons. This is inconvenient when I want to e.g. run a buildout to update the project.

A colleague told me to use micro_proxy and micro_inetd to proxy traffic via my laptop. This is a description of how you can set things up.

Update (2019-07-15)
I am currently using a Docker to run a proxy on my laptop. I have added a Docker section where I describe my new setup.

Ad hoc

Obviously the first step is to install the relevant packages on the local machine (Ubuntu in my case):

$ sudo apt-get install micro-proxy micro-inetd

The next step is to run the proxy (again: on my laptop) and make sure it accepts connections on port 3128:

$ micro-inetd 3128 /usr/sbin/micro_proxy

Then, when you SSH into the remote machine you will have to forward the right port:

$ ssh box.example.com -R 3128:localhost:3128

Whenever you want to access the internet, you’ll have to use the proxy listening on port 3128. For instance to run wget and buildout, you can set the following environment variables:

$ export http_proxy=http://localhost:3128
$ export https_proxy=http://localhost:3128

(Note that I’m also proxying HTTPS traffic here, which is supported by micro_proxy.)

The following wget command should now succeed:

$ wget http://www.google.com/

Repeatable

Assuming the ad hoc setup works, you may want to configure things so things are a little bit easier the next time you want to use it. This is what I did.

So I don’t have to remember how to start the proxy, I added this line to the ~/.bashrc file on my local machine:

alias start_proxy='echo Running proxy on port 3128 && micro-inetd 3128 /usr/sbin/micro_proxy'

The SSH command is also too much typing for my liking. So I added this to my ~/.ssh/config file:

Host box
    HostName box.example.com
    RemoteForward 3128 localhost:3128

To make sure that the HTTP(S) proxy is used on the remote machine, I added this to my ~/.bashrc file on the remote:

export http_proxy=http://localhost:3128
export https_proxy=http://localhost:3128

End result

So whenever I want to work on the staging environment, I open a terminal and run:

$ start_proxy

In another terminal I type:

$ ssh box

And I’m good to go.

Now, there may be better solutions (especially if you want to permanently setup a proxy), but for my purposes this works great.

Docker

Update (2019-07-15)
I’ve added this section to document an alternative to the micro_inetd/micro_proxy combination.

When I originally wrote this article, I was not yet (or only just) using Docker. But when I was setting up a new laptop a while ago, I wanted to run a proxy in a Docker container.

As a result, I now run the following to start a proxy:

$ docker run --name squid -d -p 3128:3128 datadog/squid

This way I don’t have to install micro_proxy and micro_inetd on my machine.

]]>