Proxy mirroring¶
This topic provides guidance on the following actions:
- Single proxy with upgrade connection
- Multiple proxies (or users) for mirror jobs
- Terminating SSL Proxy
There are a few common setups for situations where mirrors should go through a proxy server, each with their own specific requirements and considerations.
These methods can be compounded, meaning you can have an environment that employs any combination of the following setups:
Single proxy¶
A single proxy is used for all outgoing HTTP/HTTPS connections to the internet.
Requirements
- Proxy address/port
- Network access from Anaconda Server to the proxy server
- Ensuring proper name resolution (if needed)
Implementation
Follow these steps to set up a single proxy:
1. Open your docker-compose.yml file.
2. Add HTTP_PROXY and/or HTTPS_PROXY environment variables to the repo_worker and repo_api containers. For example:

    repo_worker:
      environment:
        - HTTP_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
        - HTTPS_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
    repo_api:
      environment:
        - HTTP_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
        - HTTPS_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899

3. Restart the containers by running the following command:

    docker-compose up -d repo_api
    docker-compose up -d repo_worker
    docker restart $(docker ps|grep repo_worker|cut -d' ' -f1)
    docker restart $(docker ps|grep repo_api|cut -d' ' -f1)
    docker-compose restart
Multiple proxies (or users) for mirror jobs¶
When mirroring through different proxies—whether this is because you’re using a different proxy server or an entirely different user is mirroring—you must apply the correct settings to each respective mirror.
Requirements
The requirements for multiple proxies are the same as the requirements for single proxies; however, you must modify the settings for each respective proxy.
For example, the proxy URIs for two users could be the following:
http://user1:pw1@proxy:8899
and
http://user2:pw2@proxy:8899
Implementation
Note
All updates to the mirror must go through the CLI/API, not through the GUI (the proxy setting will be removed if you update from the GUI).
Establish the mirror using conda repo mirror in the CLI, or /channel/mirrors via the REST API. This will allow you to specify the proxy address to be used for the specific mirror:
The following example shows multiple mirrors with different proxy users. It assumes a proxy is available at http://proxy:8899 with basic auth.
If you are using a terminating SSL proxy, see the Terminating SSL proxy section.
Here is a second mirror with a different user. You can also use multiple proxies in the same manner, for example @another.proxy.server instead of @proxy.
Terminating SSL Proxy¶
For a proxy server that terminates the SSL connection, you'll typically need to distribute the root CA certificate used by the proxy to TE so that TE can verify the certificates the proxy presents.
Requirements
- Same requirements as those for single proxies
- The CA cert from the proxy server
- All certs for proxies (if multiple proxies are used)
Implementation
For this setup, you must append all required CA certs to the TE repo_api and repo_worker containers.
Certs are stored in /conda/ssl/cacert.pem.
Use the following bash function to update existing containers with the root CA for the proxy:
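update_proxy_ca() {
    # usage: update_proxy_ca <path-to-cert>
    # Copies the proxy root CA into every running repo_api/repo_worker
    # container, appends it to conda's CA bundle and refreshes system trust.
    if [[ -f "$1" ]]; then
        ca="$1"
    else
        echo "please provide a path to cert file" >&2
        return 1
    fi
    # Container IDs whose `docker ps` line mentions repo_a* or repo_w*.
    for c in $(docker ps | awk '/repo_[aw]/ {print $1}'); do
        docker cp "$ca" "${c}:/usr/share/pki/ca-trust-source/anchors/proxy.pem"
        # Each run appends the cert to the bundle again; run once per certificate.
        docker exec "$c" sh -c "cat /usr/share/pki/ca-trust-source/anchors/proxy.pem >> /conda/ssl/cacert.pem"
        docker exec "$c" update-ca-trust
    done
}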
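The function above appends whatever file it is given, and appends it again on every run. The following added example (not part of the Anaconda documentation; the function names pem_bodies and append_cert_once are hypothetical) appends a certificate to a PEM bundle only if the input is exactly one PEM certificate and the bundle does not already contain it. It assumes it operates on local files, such as a copy of /conda/ssl/cacert.pem.

```shell
# Added example (not Anaconda's code); function names are hypothetical.

# Print the base64 body of each certificate in a PEM file, one per line,
# with spaces, tabs and CRs removed so line wrapping does not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# append_cert_once <cert.pem> <bundle.pem>
# Returns 0 if the cert was appended or was already present, 1 on bad input.
append_cert_once() {
    cert="$1"; bundle="$2"
    if [ ! -f "$cert" ] || [ ! -f "$bundle" ]; then
        echo "usage: append_cert_once <cert.pem> <bundle.pem>" >&2
        return 1
    fi

    # Refuse anything that is not exactly one PEM certificate.
    body="$(pem_bodies "$cert")"
    if [ -z "$body" ] || [ "$(printf '%s\n' "$body" | wc -l)" -ne 1 ]; then
        echo "error: $cert must contain exactly one PEM certificate" >&2
        return 1
    fi

    # Skip the append when the bundle already holds this certificate.
    if pem_bodies "$bundle" | grep -qxF -e "$body"; then
        echo "already present in $bundle"
        return 0
    fi

    # Start on a fresh line in case the bundle lacks a trailing newline.
    if [ -n "$(tail -c 1 "$bundle")" ]; then echo >> "$bundle"; fi
    cat "$cert" >> "$bundle"
}
```

The check compares certificate bodies only; it does not validate the certificate or its issuer, so confirm the proxy CA's fingerprint through a separate channel before trusting it.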