Installing behind an internet Proxy (Optional)
If the corporate intranet is protected by an internet proxy, both the Management Server and the Middle Tier server need to be configured to tunnel all http and https traffic to the company's outbound proxy. In turn, the proxy needs full read permission on the site ifscloud.jfrog.io, where all IFS artifacts are stored and fetched from, both during installation by the Management Server and at runtime by the Middle Tier server(s). The Middle Tier server makes many internal calls within the Kubernetes cluster and might also make requests to servers located inside the intranet. These internal calls should not be routed to the internet proxy. All internal and intranet networks must therefore be added to the no_proxy parameter.
Steps for Installing behind an internet proxy
The Management Server by default will NOT use the Windows Proxy Setting. Run the following command first to make it work:
The following configurations in the Linux Middle-Tier Server VM are required.
Test if the proxy is accessible and working from both the Management Server and the Middle Tier server (the -k option skips TLS certificate verification, so this checks reachability only):
curl -k -x http://proxyhostname:3128 https://ifscloud.jfrog.io
Edit the /etc/environment file and set the outbound proxy in http_proxy. Just as important, specify where the internet proxy should not be used; that is done in the no_proxy parameter. Examples of networks to exclude from the proxy:
The PodCidrRange and LocalNetworkIpRange defined in main_config.json
10.152.183.0/24 needs to be added, as it is the default network CIDR for mk8s services
The internal mk8s domain endings .svc and .cluster.local should be added
Localhost IP and hostname
Demand Server
Crystal Server
Integration points in the intranet
If a local intranet DNS server is used
All subnets that could be used by the IFS Cloud Middle Tier
Set both the http and https variables, in all combinations of letter capitalization, as in the example below:
sudo vim /etc/environment
HTTPS_PROXY=http://proxyhostname:3128
HTTP_PROXY=http://proxyhostname:3128
NO_PROXY=10.16.0.0/16,10.1.0.0/16,10.152.183.0/24,127.0.0.1,.svc,.cluster.local,myhostname
https_proxy=http://proxyhostname:3128
http_proxy=http://proxyhostname:3128
no_proxy=10.16.0.0/16,10.1.0.0/16,10.152.183.0/24,127.0.0.1,.svc,.cluster.local,myhostname
After a change to /etc/environment, the server needs to be rebooted to propagate the changes to all processes.
Now test that the same curl command as above works without the -x parameter. Note: open a new bash instance to pick up the new values from /etc/environment:
Now a normal Remote middle tier infrastructure can be installed as described here.
There are ifscloud-values.yaml parameters for configuring the internet proxy to be used from within each pod. Remember that a pod is a very autonomous server that requires its own network configuration.
Some pods might still not use the general parameter, e.g. global.internetHttpProxy, but have their own configuration properties; e.g. ifsapp-connect has a CustomJVMparam parameter.
Note: the nonProxyHosts string is very different from the Linux no_proxy parameter. It needs to be quoted, each host/domain needs to be separated by a pipe sign, and * is used to wildcard domains etc. The Java property name is case-sensitive and must be written http.nonProxyHosts.
ifsapp-connect:
  CustomJVMParams: "-Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 -Dhttp.nonProxyHosts='anyhost.domain.com|*.anydomain.com|myhostname'"
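The note above says the Java exclusion list uses a different syntax from no_proxy. The following added example (not part of the IFS documentation or tooling) translates a no_proxy value into a pipe-separated pattern string for http.nonProxyHosts, so the two lists can be kept in step. The function names are hypothetical, and it assumes a leading-dot entry such as .svc means "any host ending in .svc".

```python
import ipaddress

def cidr_to_patterns(cidr: str) -> list[str]:
    """Express an IPv4 CIDR range as Java wildcard patterns (e.g. 10.16.*)."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects typos with host bits set
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError(f"cannot express {cidr} as nonProxyHosts patterns")
    # Java wildcards work on text, so only whole octets can be wildcarded:
    # round the prefix up to an octet boundary and list every resulting subnet.
    aligned = -(-net.prefixlen // 8) * 8
    keep = aligned // 8
    patterns = []
    for sub in net.subnets(new_prefix=aligned):
        head = ".".join(str(sub.network_address).split(".")[:keep])
        patterns.append(head if keep == 4 else head + ".*")
    return patterns

def no_proxy_to_non_proxy_hosts(no_proxy: str) -> str:
    """Translate a comma-separated no_proxy value into a pipe-separated one."""
    patterns = []
    for entry in (e.strip() for e in no_proxy.split(",")):
        if not entry:
            continue
        if "/" in entry:
            patterns.extend(cidr_to_patterns(entry))
        elif entry.startswith("."):
            patterns.append("*" + entry)   # assumption: .svc means any host ending in .svc
        else:
            patterns.append(entry)         # plain host name or IP address
    return "|".join(dict.fromkeys(patterns))  # drop duplicates, keep order

# The no_proxy value from the /etc/environment example on this page.
PAGE_NO_PROXY = ("10.16.0.0/16,10.1.0.0/16,10.152.183.0/24,"
                 "127.0.0.1,.svc,.cluster.local,myhostname")

if __name__ == "__main__":
    print(no_proxy_to_non_proxy_hosts(PAGE_NO_PROXY))
```

Java matches these patterns against the host as it is written in the request URL, so the IP patterns only cover calls addressed by IP; services reached by name need their host or domain pattern listed as well.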