[REVIEW ONLY] PP-438 Add node.js proxy module #57
Conversation
…uth0 which will need to go via an egress proxy
| @@ -1,4 +1,6 @@ | |||
| if(process.env.ENABLE_NEWRELIC == 'yes') require('newrelic'); | |||
| if (process.env.ENABLE_NEWRELIC == 'yes') require('newrelic'); | |||
| if (process.env.HTTP_PROXY) require('global-tunnel').initialize(); | |||
There was a problem hiding this comment.
Don't we need to pass in the proxy details to initialise() here?
|
You may find https://github.com/alphagov/pay-ansible/pull/137 useful, specifically https://github.com/alphagov/pay-ansible/commit/7488942de7aa121e3570a67fb996d127ea2dcce3 which is written to be as friendly to https://www.npmjs.com/package/global-tunnel as I think is sensible to be. Note: proto is |
|
global-tunnel doesn't work with Node 0.12.X I think https://github.com/TooTallNate/node-https-proxy-agent should do what we want? |
|
We only need to be using proxies to be getting to the Interwebs - if this affects all connections made by selfservice when doing HTTP/HTTPS requests, then this isn't going to work. The egress proxies only pass traffic from the VPC to the internet - the security groups deliberately do not permit the proxies to pass traffic between all the different zones, so any HTTP/HTTPS clients must be either separately configurable with regards to proxies, or must be capable of honouring This isn't (at least as far as I've observed) an issue for the connector, as it's at the bottom of the stack and so its only HTTP client interactions should be out to the gateways. For selfservice it's making connections back to publicauth and connector (which should be unproxied) and out to auth0 (which should be proxied). |
|
Closing for now, we need to consider our approach here. |
Passport makes outgoing calls to Auth0 which will need to go via an egress proxy