Can't activate license behind a proxy

paulo.jncc · September 11, 2023, 8:43am

Please complete the below template with details of the problem reported on your Web-UI. Be as detailed as possible. Community members, including developers, shall try and help. Thanks for your time in reporting this issue! We recommend purchasing [commercial support]

Brief description of the problem

Detailed step by step instructions to reproduce the problem

I configure the My company doesn’t allow to access HTTPS services that are running in non standard ports, without manually configuring proxies OS file /etc/sysconfig/proxy to reflect what I need in my network, and I can see that with curl that I can reach it

Web-UI screenshot

[Drag and drop the image here]

Error Traceback provided on the Web-UI


Traceback (most recent call last):

File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 41, in _handle_exception

yield

File “/opt/rockstor/src/rockstor/storageadmin/views/update_subscription.py”, line 93, in post

stableo = self._toggle_repos(password=password)

File “/opt/rockstor/src/rockstor/storageadmin/views/update_subscription.py”, line 63, in _toggle_repos

status, text = repo_status(ono)

File “/opt/rockstor/src/rockstor/system/pkg_mgmt.py”, line 316, in repo_status

raise Exception(e_msg)

Exception: Failed to connect to updates.rockstor.com:8999/rockstor-stable. Is the Rockstor system connected to the internet?. Lower level exception: HTTPConnectionPool(host=‘updates.rockstor.com’, port=8999): Max retries exceeded with url: /rockstor-stable (Caused by NewConnectionError(‘<urllib3.connection.HTTPConnection object at 0x7effc5393e10>: Failed to establish a new connection: [Errno 113] No route to host’,))

phillxnet · September 11, 2023, 11:44am

@paulo.jncc Welcome to the Rockstor community.

Private Message (PM) here on the forum to double check your stable update subscription credentials, as our updates, from the error message, are over http not https. So it may be this is not a proxy issue at all but just an issue at our end regarding conflicting orders or the like.

But yes we do use port 8999, but with http auth, not https. Could it be your /etc/sysconfig/proxy modifications are not actually required in this case. Especially give the curl response looks to be from updates server, not your proxy.

Let me know in the PM the system details. You will have to use the forum web interface however as response via email is disabled.

Hope that helps.

paulo.jncc · September 12, 2023, 6:12pm

without the proxy I couldn’t reach at all the service in port 8999, to be honest I’m a little bit lost.

I bought the subscription to get support and updates, but can’t make it working.

where do you think I can get support to make it work?

The traffic coming out of Cisco network (my company) is really follow strict rules, and something is been block.

Thank you,
Paulo

Hooverdan · September 12, 2023, 8:27pm

@paulo.jncc to see whether you can get to the page, you could try to run curl with the simple authentication of Appliance ID and Activation Code.
curl -u "login:password" [URL]
so it would be something similar like:

curl -u "<appliance ID>:<Activation code>" http://updates.rockstor.com:8999/rockstor-stable/

NOTE !!!
If you post anything back here, make sure you’re NOT including your appliance ID or activation code!!!

If everything works, it should return you something like this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /rockstor-stable</title>
 </head>
 <body>
<h1>Index of /rockstor-stable</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="ROCKSTOR-STABLE.txt"> ROCKSTOR-STABLE.txt</a></li>
<li><a href="docker-ce-17.09.0.ce-1.el7.centos.x86_64.rpm"> docker-ce-17.09.0.ce-1.el7.centos.x86_64.rpm</a></li>
<li><a href="leap/"> leap/</a></li>
<li><a href="repodata/"> repodata/</a></li>
<li><a href="rockstor-3.8-1.x86_64.rpm"> rockstor-3.8-1.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-10.x86_64.rpm"> rockstor-3.8-10.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-11.x86_64.rpm"> rockstor-3.8-11.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-12.x86_64.rpm"> rockstor-3.8-12.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-13.x86_64.rpm"> rockstor-3.8-13.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-14.x86_64.rpm"> rockstor-3.8-14.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-2.x86_64.rpm"> rockstor-3.8-2.x86_64.rpm</a></li>
<li><a href="rockstor-3.8-7.x86_64.rpm"> rockstor-3.8-7.x86_64.rpm</a></li>
... many more lines ...

NOTE !!!
If you post anything back here, make sure you’re NOT including your appliance ID or activation code!!!

This way you can at least test whether your proxy settings are letting you through. Not sure whether on your network the Rockstor server has to have any other type of “trust” established within your network before you can call externally, etc.

paulo.jncc · September 13, 2023, 11:00am

It seems to be working, why doesn’t it work in the gui ?

attaching a picture, because can’t send the debug text, it says that

I have too many links

paulo.jncc · September 15, 2023, 2:23pm

any feedback or guidance, it is really a petty that I bought the license and can’t activate it.

Hooverdan · September 15, 2023, 6:53pm

I am wondering whether Rockstor’s reverse proxy setup, etc. needs to have some settings added to take the traffic through the proxy server? When searching around I found examples like this where the proxy server needs to be “made known” to nginx so it treats it as a forward proxy.

But I clearly have no idea how settings in /etc/sysconfig/proxy play (or not) into this.

Obviously, when using the command line with curl none of the web server or other components from Rockstor come into play. This could explain that the command line get works, but it doesn’t through the Rockstor infrastructure.

@phillxnet, @Flox you’re way more knowledgeable in that area (nginx, gunicorn, etc.), maybe you have some additional hints on the “where to look”

Edit:
I looked a bit further, and maybe an alternative (albeit not an immediate solution) could be to check for global proxy settings before making calls to, say, the update repositories, licensing related calls and the Rockon repo) by using this python construct to get the global proxy settings maintained in the /etc/sysconfig/proxy file:

import urllib.request
urllib.request.getproxies()

@paulo.jncc, since I don’t have any proxy server setup, maybe you could run this in a python3 command line, and see what you get back (without showing the actual proxy server info):
at the Rockstor command prompt (assuming you might not be familiar with python, if you are, apologies):

Select <Enter> after each command

rockstor:/ # python3
Python 3.6.15 (default, Sep 23 2021, 15:41:43) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib.request
>>> urllib.request.getproxies()

The output will be either () for no proxies maintained or hopefully information on what you actually maintained in the configuration file.

To quit the Python interpreter just type quit() and select <Enter> which will drop you back to the command line.

Again, this is more for educational purposes rather than giving you a solution right away… if this is indeed a path that should be pursued and can’t be solved via a nginx or other configuration …

paulo.jncc · September 18, 2023, 5:27pm

I’m seeing exactly what I configure in /etc/sysconfig/proxy

Hooverdan · September 18, 2023, 11:35pm

@phillxnet, @Flox based on @paulo.jncc’s global proxy requirement could this be addressed by augmenting the repo_status method with a proxies attribute?

github.com

rockstor/rockstor-core/blob/4d60a2c683140aaa10a8e5b201157163cc9a898b/src/rockstor/system/pkg_mgmt.py#L296-L316


      
          def repo_status(subscription):
              if subscription.password is None:
                  return "active", "public repo"
              try:
                  res = requests.get(
                      "http://{}".format(subscription.url),
                      auth=(subscription.appliance.uuid, subscription.password),
                  )
                  if res.status_code == 401:
                      return "inactive", res.text
                  elif res.status_code == 200:
                      return "active", res.text
                  return res.status_code, res.text
              except requests.ConnectionError as e:
                  e_msg = (
                      "Failed to connect to {}. Is the Rockstor system connected "
                      "to the internet?. Lower level exception: {}".format(
                          subscription.url, e.__str__()
                      )
                  )
                  raise Exception(e_msg)

        res = requests.get(
            "http://{}".format(subscription.url),
            auth=(subscription.appliance.uuid, subscription.password),
            proxies=glb_proxies,
        )

where glb_proxies would be something like this (using @paulo.jncc setting from above):

glb_proxies = {
  'http': 'http://proxy.esl.cisco.com:80',
  'https': 'http://proxy.esl.cisco.com:80',
}

which in turn could be determined using the earlier mentioned approach using the urllib.request.getproxies method. I don’t know, whether having a “blank” proxies argument leads to issues, or whether it has to be established and only be added to the get when it’s actually non-empty (or contains an http/https entry, respectively).

I am not sure if this also applies to the Rock-on refresh/update as well as being able to run the software update via the WebUI.

@paulo.jncc, does the software update from the WebUI work (this does not update the rockstor package, just everything else, if there is anything new available)?

Hooverdan · September 19, 2023, 3:27pm

I have created a new issue for this topic on github.

github.com/rockstor/rockstor-core

Running Rockstor through forward proxy

opened 03:07PM - 19 Sep 23 UTC

Hooverdan96

Forum member [paulo.jncc](https://forum.rockstor.com/u/paulo.jncc) raised this s…cenario here, where Rockstor does not respect global proxy settings, impacting the ability to activate a valid license and possibly other update scenarios (OS package and Rockon updates, which is still TBD). https://forum.rockstor.com/t/cant-activate-license-behind-a-proxy/9011 If there is additional nginx configuration possible, this might be proposed as a configuration option via the Rockstor documentation (unless we find more users requiring a solve for this scenario), otherwise some other option (as described in the forum post could be explored.

Though for immediate help, if anyone else has an additional one-off nginx config solution for this scenario, let’s hear it.

paulo.jncc · September 20, 2023, 12:50pm

indeed I can update packages, but can’t activate the license or access to Rock-ons