Setting proxy servers#
There are a few common setups for situations where mirrors should go through a proxy server, each with their own specific requirements and considerations.
These methods can be compounded, meaning you can have an environment that employs any combination of the following setups:
Single proxy#
A single proxy is used for all outgoing HTTP/HTTPS connections to the internet.
Requirements
Proxy address/port
Network access from Package Security Manager (On-prem) to the proxy server
Ensuring proper name resolution (if needed)
Implementation
Follow these steps to set up a single proxy:
Open your
docker-compose.yml
file.Add the
HTTP_PROXY
and/orHTTPS_PROXY
as well as theNO_PROXY
environment variables to therepo_worker
andrepo_api
containers. For example:repo_worker: environment: - HTTP_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899 - HTTPS_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899 - NO_PROXY=localhost repo_api: environment: - HTTP_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899 - HTTPS_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899 - NO_PROXY=localhost
Note
The
NO_PROXY
environment variable specifies domains, IP addresses, or networks that should bypass the proxy server for connections.Copy the root CA certificate to the
/opt/anaconda/repo/config/ca_certs/
directory using the following command:# Replace <PROXY_ROOT_CA.pem> with the root CA certificate cp <PROXY_ROOT_CA.pem> /opt/anaconda/repo/config/ca_certs/ca_cert.pem
Using your preferred file editor, open your
.env
file and add the following path:REPO_CUSTOM_CA_CERT=/etc/repo/ca_certs/ca_cert.pem
Restart the containers by running the following command:
docker compose up -d repo_api docker compose up -d repo_worker docker restart $(docker ps|grep repo_worker|cut -d' ' -f1) docker restart $(docker ps|grep repo_api|cut -d' ' -f1) docker compose restart
Multiple proxies (or users) for mirror jobs#
When mirroring through different proxies—whether this is because you’re using a different proxy server or an entirely different user is mirroring—you must apply the correct settings to each respective mirror.
Requirements
The requirements for multiple proxies are the same as the requirements for single proxies; however, you must modify the settings for each respective proxy.
For example, the proxy URI two users could be named the following:
http://user1:pw1@proxy:8899
and
http://user2:pw2@proxy:8899
Implementation
Note
All updates to the mirror must go through the CLI/API, not through the GUI (the proxy setting will be removed if you update from the GUI).
Establish the mirror using conda repo mirror
in the CLI, or /channel/mirrors
via the REST API. This allows you to specify the proxy address to be used for the specified mirror.
The following example shows multiple mirrors with different proxy users. It assumes a proxy is available at http://proxy:8899 with basic auth.
If you are using a terminating SSL proxy, see the Terminating SSL proxy section.
# Replace user1/pw1 and user2/pw2 with valid credentials.
repo channel --create proxy-example
conda repo mirror --create proxy-mirror1 \
--channel proxy-example \
--source https://repo.anaconda.com/pkgs/main \
--only_spec python \
--proxy http://user2:pw2@proxy:8899
Here is a second mirror with a different user. You can also use multiple
proxies in the same manner, for example @another.proxy.server
instead of @proxy
.
conda repo mirror --create proxy-mirror2 \
--channel proxy-example \
--source https://repo.anaconda.com/pkgs/main \
--only_spec pandas \
--proxy http://user1:pw1@proxy:8899
Terminating SSL Proxy#
For a proxy server that terminates the SSL connection, you’ll typically need to distribute the root CA certificate used by the proxy to TE so it can verify the certs.
Requirements
Same requirements as those for single proxies
The ca cert from the proxy server
All certs for proxies (if multiple proxies are used)
Implementation
For this setup, you must append all required ca certs to the TE repo_api
and repo_worker
containers.
Certs are stored in /conda/ssl/cacert.pem
.
Use the following bash function to update existing containers with the root CA for the proxy:
update_proxy_ca() {
# usage: update_proxy_ca <path-to-cert>
if [[ -f $1 ]]; then
ca="$1"
else
echo please provide a path to cert file
return
fi
for c in $(docker ps | awk '/repo_[a,w]/ {print $1}') ; do
docker cp $ca ${c}:/usr/share/pki/ca-trust-source/anchors/proxy.pem
docker exec -ti ${c} sh -c "cat /usr/share/pki/ca-trust-source/anchors/proxy.pem >> /conda/ssl/cacert.pem"
docker exec $c update-ca-trust
done
}