Setting proxy servers

There are a few common setups for situations where mirrors should go through a proxy server, each with their own specific requirements and considerations.

These methods can be compounded, meaning you can have an environment that employs any combination of the following setups:

Single proxy

A single proxy is used for all outgoing HTTP/HTTPS connections to the internet.

Requirements

  • Proxy address/port

  • Network access from Package Security Manager (On-prem) to the proxy server

  • Ensuring proper name resolution (if needed)

Implementation

Follow these steps to set up a single proxy:

  1. Open your docker-compose.yml file.

  2. Add the HTTP_PROXY and/or HTTPS_PROXY as well as the NO_PROXY environment variables to the repo_worker and repo_api containers. For example:

    repo_worker:
      environment:
        - HTTP_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
        - HTTPS_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
        - NO_PROXY=localhost
    repo_api:
      environment:
        - HTTP_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
        - HTTPS_PROXY=http://<PROXY_USER>:<PROXY_PW>@proxypy:8899
        - NO_PROXY=localhost
    

    Note

    The NO_PROXY environment variable specifies domains, IP addresses, or networks that should bypass the proxy server for connections.

  3. Copy the root CA certificate to the /opt/anaconda/repo/config/ca_certs/ directory using the following command:

    # Replace <PROXY_ROOT_CA.pem> with the root CA certificate
    cp <PROXY_ROOT_CA.pem> /opt/anaconda/repo/config/ca_certs/ca_cert.pem
    
  4. Using your preferred file editor, open your .env file and add the following path:

    REPO_CUSTOM_CA_CERT=/etc/repo/ca_certs/ca_cert.pem
    
  5. Restart the containers by running the following commands:

    docker compose up -d repo_api
    docker compose up -d repo_worker
    docker restart $(docker ps|grep repo_worker|cut -d' ' -f1)
    docker restart $(docker ps|grep repo_api|cut -d' ' -f1)
    docker compose restart
    

Multiple proxies (or users) for mirror jobs

When mirroring through different proxies—whether this is because you’re using a different proxy server or an entirely different user is mirroring—you must apply the correct settings to each respective mirror.

Requirements

The requirements for multiple proxies are the same as the requirements for single proxies; however, you must modify the settings for each respective proxy.

For example, the proxy URIs for two users could be the following:

http://user1:pw1@proxy:8899
and
http://user2:pw2@proxy:8899

Implementation

Note

All updates to the mirror must go through the CLI/API, not through the GUI (the proxy setting will be removed if you update from the GUI).

Establish the mirror using conda repo mirror in the CLI, or /channel/mirrors via the REST API. This will allow you to specify the proxy address to be used for the specific mirror.

The following example shows multiple mirrors with different proxy users. It assumes a proxy is available at http://proxy:8899 with basic auth.

If you are using a terminating SSL proxy, see the Terminating SSL proxy section.

# Replace user1/pw1 and user2/pw2 with valid credentials.
conda repo channel --create proxy-example
conda repo mirror --create proxy-mirror1 \
                --channel proxy-example \
                --source https://repo.anaconda.com/pkgs/main \
                --only_spec python \
                --proxy http://user2:pw2@proxy:8899

Here is a second mirror with a different user. You can also use multiple proxies in the same manner, for example @another.proxy.server instead of @proxy.

conda repo mirror --create proxy-mirror2 \
                --channel proxy-example \
                --source https://repo.anaconda.com/pkgs/main \
                --only_spec pandas \
                --proxy http://user1:pw1@proxy:8899

Terminating SSL proxy

For a proxy server that terminates the SSL connection, you’ll typically need to distribute the root CA certificate used by the proxy to TE so it can verify the certificates the proxy presents.

Requirements

  • Same requirements as those for single proxies

  • The CA cert from the proxy server

  • All certs for proxies (if multiple proxies are used)

Implementation

For this setup, you must append all required CA certs to the TE repo_api and repo_worker containers. Certs are stored in /conda/ssl/cacert.pem.

Use the following bash function to update existing containers with the root CA for the proxy:

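update_proxy_ca() {
  # usage: update_proxy_ca <path-to-cert>
  local ca c
  if [[ -f "$1" ]]; then
    ca="$1"
  else
    echo "please provide a path to cert file" >&2
    return 1
  fi
  # Loop over the running repo_api and repo_worker containers
  for c in $(docker ps | awk '/repo_[aw]/ {print $1}'); do
    # Copy the cert into the container's trust anchors
    docker cp "$ca" "${c}:/usr/share/pki/ca-trust-source/anchors/proxy.pem"
    # Append it to the bundle in /conda/ssl/cacert.pem
    docker exec "$c" sh -c "cat /usr/share/pki/ca-trust-source/anchors/proxy.pem >> /conda/ssl/cacert.pem"
    # Rebuild the container's system trust store
    docker exec "$c" update-ca-trust
  done
}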
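
The function above appends the certificate to /conda/ssl/cacert.pem every time it runs and does not check that the file is a certificate. As an added example (not part of the original documentation), the following helper checks that a file holds exactly one PEM certificate and appends it to a bundle only if its SHA-256 fingerprint is not already there. The function names are hypothetical, and running it on a local copy of the bundle is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): append a proxy root CA to a PEM bundle once.
# Both paths are supplied by the caller; nothing here touches containers.

# Print the base64 body of every certificate block in a PEM file, one per line.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ {inside = 1; body = ""; next}
       /-----END CERTIFICATE-----/   {inside = 0; print body; next}
       inside {gsub(/[ \t\r]/, ""); body = body $0}' "$1"
}

# Print the SHA-256 of each certificate's DER bytes as lowercase hex. This is
# the digest `openssl x509 -fingerprint -sha256` reports, without the colons.
pem_fingerprints() {
  pem_bodies "$1" | while IFS= read -r b64; do
    printf '%s' "$b64" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
  done
}

# usage: append_ca_once <proxy-ca.pem> <bundle.pem>
append_ca_once() {
  ca_file="$1"; bundle="$2"
  if [ ! -f "$ca_file" ] || [ ! -f "$bundle" ]; then
    echo "usage: append_ca_once <proxy-ca.pem> <bundle.pem>" >&2; return 2
  fi
  # Accept exactly one certificate block; reject keys, chains and non-PEM files.
  if [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file")" -ne 1 ] ||
     grep -q -e 'PRIVATE KEY' "$ca_file" || [ -z "$(pem_bodies "$ca_file")" ] ||
     ! pem_bodies "$ca_file" | base64 -d >/dev/null 2>&1; then
    echo "refusing $ca_file: expected one PEM certificate" >&2; return 1
  fi
  fp="$(pem_fingerprints "$ca_file")"
  # Skip the append when the same certificate is already in the bundle.
  if pem_fingerprints "$bundle" | grep -q -x -e "$fp"; then
    echo "already present: sha256 $fp"; return 0
  fi
  # Terminate the bundle's last line so PEM markers do not run together.
  if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
    echo >> "$bundle"
  fi
  cat "$ca_file" >> "$bundle"
  echo "appended: sha256 $fp"
}
```

Compare the printed fingerprint with the value published by the proxy's administrators before trusting the certificate.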