Properly authenticate at proxy server #652

Merged
merged 4 commits into from
Feb 26, 2019


danielmitterdorfer
Member

With this commit Rally will set the proper authentication header for
proxies that require it.

Closes #636

@danielmitterdorfer danielmitterdorfer added bug Something's wrong :Config Config file format changes, new properties, ... labels Feb 22, 2019
@danielmitterdorfer danielmitterdorfer added this to the 1.1.0 milestone Feb 22, 2019
@dliappis
Contributor

dliappis commented Feb 22, 2019

I am documenting how I tested this, in case we want to add an integration test later on for similar stuff:

cat >squid.conf <<EOF
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squidpasswords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_port 3128
EOF

Created a squidpasswords file using htpasswd -c squidpasswords testuser (username testuser and password testuser) with the following content:

# The delimiter is quoted so the shell does not expand the $-prefixed parts of the hash
cat >squidpasswords <<'EOF'
testuser:$apr1$WQMVypS2$vUzNTPn6tKhTrRZP16/li.
EOF

and run:

docker run --rm --name squid -d -v $PWD/squidpasswords:/etc/squid/squidpasswords -v $PWD/squid.conf:/etc/squid/squid.conf -p 3128:3128 datadog/squid

and to see access logs:

docker exec -ti squid tail -f /var/log/squid/access.log

On the Rally side I first set:

export http_proxy=http://testuser:testuser@127.0.0.1:3128

Using current Rally master commit:

esrally --distribution-version=6.6.0 --track="geonames" --track-params="ingest_percentage:15" --challenge="append-no-conflicts-index-only"

shows on the squid log:

1550851149.662      0 172.17.0.1 TCP_DENIED/407 3871 CONNECT github.com:443 - HIER_NONE/- text/html
1550851149.665      0 172.17.0.1 TCP_DENIED/407 3871 CONNECT github.com:443 - HIER_NONE/- text/html
1550851149.667      0 172.17.0.1 TCP_DENIED/407 3871 CONNECT github.com:443 - HIER_NONE/- text/html
1550851149.668      0 172.17.0.1 TCP_DENIED/407 3871 CONNECT github.com:443 - HIER_NONE/- text/html

plus of course Rally itself reports:

[WARNING] No Internet connection detected. Automatic download of track data sets etc. is disabled.

Using this PR with the same Rally command, squid log shows:

1550851566.691  60860 172.17.0.1 TCP_TUNNEL/200 86897 CONNECT github.com:443 testuser HIER_DIRECT/192.30.253.112 -

and the warning is gone from the Rally output.
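
The manual check described above, as an added example that is not part of this PR or of Rally's code: it derives the Proxy-Authorization header from an http_proxy-style URL and classifies the two kinds of Squid log lines quoted above. The function names are hypothetical; Basic credentials are only Base64-encoded, not encrypted, so they are readable by anyone who can observe the connection to the proxy.

```python
import base64
from urllib.parse import urlsplit, unquote


def split_proxy_credentials(proxy_url):
    """Return (proxy URL without userinfo, headers to send to the proxy)."""
    parts = urlsplit(proxy_url)
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    clean_url = f"{parts.scheme}://{netloc}"
    if parts.username is None:
        return clean_url, {}
    # Userinfo is percent-encoded inside a URL; decode it before Base64-encoding.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return clean_url, {"Proxy-Authorization": f"Basic {token}"}


def connect_outcomes(log_lines):
    """Parse Squid native access-log lines into (target, status, user) tuples."""
    outcomes = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 10 or fields[5] != "CONNECT":
            continue
        status = int(fields[3].split("/")[1])
        user = None if fields[7] == "-" else fields[7]
        outcomes.append((fields[6], status, user))
    return outcomes


# Two lines copied from the Squid log quoted above (before and after the fix).
SAMPLE_LOG = [
    "1550851149.662      0 172.17.0.1 TCP_DENIED/407 3871 CONNECT github.com:443 - HIER_NONE/- text/html",
    "1550851566.691  60860 172.17.0.1 TCP_TUNNEL/200 86897 CONNECT github.com:443 testuser HIER_DIRECT/192.30.253.112 -",
]

if __name__ == "__main__":
    url, headers = split_proxy_credentials("http://testuser:testuser@127.0.0.1:3128")
    print(url, headers)
    for target, status, user in connect_outcomes(SAMPLE_LOG):
        verdict = "rejected, no valid Proxy-Authorization" if status == 407 else f"authenticated as {user}"
        print(target, status, verdict)
```
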

Contributor

@dliappis dliappis left a comment


LGTM also based on #652 (comment)

@danielmitterdorfer
Copy link
Member Author

@dliappis great writeup! I have added integration tests now in 421f07c based on your comment. Can you please have another look?

if docker ps > /dev/null; then
info "Docker is available. Proxy-related tests will be run"
# Portably create a temporary config directory for Squid on Linux or MacOS
local config_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'tmp_squid_cfg')
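
Review bot: on the line local config_dir=$(mktemp -d ...), declaring and assigning in one statement means the exit status the shell sees is that of local, not of mktemp, so if both mktemp invocations fail config_dir is silently empty. Declare the variable first (local config_dir), assign it on the next line, and stop when the result is empty before the directory is used. Separately, docker ps > /dev/null only discards stdout, so on a host without Docker the client's error message still reaches the terminal; redirecting stderr as well would keep the skip path quiet.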
Member Author


For Docker on MacOS this requires (manually) adding /var/folders to the list of allowed paths (otherwise Docker will complain that it can't bind-mount the directory). /var/folders is actually symlinked to /private/var/folders and /private is already configured (recursively) for Docker but /var/folders is not. I think we should add this to our developer docs. Wdyt?

Member Author


As discussed via another channel we'll instead use an already existing directory tree that we use for integration tests anyway. I'll push a new commit addressing this.

Contributor

@dliappis dliappis left a comment


LGTM, thanks for adding the integration test!

@dliappis dliappis merged commit d1f45a4 into elastic:master Feb 26, 2019
@danielmitterdorfer danielmitterdorfer deleted the proxy-auth branch February 26, 2019 10:44