Chef client with HTTPS proxy settings


#1

Folks,

I am testing out a scenario where a node will be in a “closed” environment and would have selective access to the internet via a proxy server. On the proxy server (I am using WinGate for this test), I have configured it to block all the traffic for this node except “api.opscode.com”, as this is required by the scenario I am testing. I am using hosted enterprise chef for this test. I configured https_proxy settings in the client.rb file for chef-client on the node.

When the runlist for the node is empty, the chef-client completes successfully. I checked proxy server logs and found connection attempts being made to api.opscode.com:443, as expected. Next, I added the community Powershell cookbook (it also downloads Windows cookbook) to the runlist of the node. The chef-client run failed partially. On checking the proxy server logs, I found connection attempts being made to api.opscode.com:443 and s3-external-1.amazonaws.com:443. Once I configured the proxy server to allow connection attempts to s3-external-1.amazonaws.com, the chef-client run completed successfully.

I would like to know if these are the only two URLs that need to be allowed on the proxy server or does it depend on the community cookbook that is being used?

Chef-node Configuration : Windows Server 2012 R2, running 11.8.2 chef-client.

Thanks

-Kapil




#2

On Mar 10, 2014, at 1:19 PM, Kapil Shardha Kapil.Shardha@SimulationIQ.com wrote:

> Folks,
>
> I am testing out a scenario where a node will be in a “closed” environment and would have selective access to the internet via a proxy server. On the proxy server (I am using WinGate for this test), I have configured it to block all the traffic for this node except “api.opscode.com”, as this is required by the scenario I am testing. I am using hosted enterprise chef for this test. I configured https_proxy settings in the client.rb file for chef-client on the node.
>
> When the runlist for the node is empty, the chef-client completes successfully. I checked proxy server logs and found connection attempts being made to api.opscode.com:443, as expected. Next, I added the community Powershell cookbook (it also downloads Windows cookbook) to the runlist of the node. The chef-client run failed partially. On checking the proxy server logs, I found connection attempts being made to api.opscode.com:443 and s3-external-1.amazonaws.com:443. Once I configured the proxy server to allow connection attempts to s3-external-1.amazonaws.com, the chef-client run completed successfully.
>
> I would like to know if these are the only two URLs that need to be allowed on the proxy server or does it depend on the community cookbook that is being used?

Hosted Chef stores the actual cookbook data on S3 so both are required. Some cookbooks may make HTTP connections of their own via the remote_file resource (or just using Net::HTTP directly) so you’ll have to evaluate that on a case by case basis.

–Noah
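
Added example, not part of the thread and not Chef's own code: a static Ruby scan of recipe text that lists the extra hosts a cookbook would need through the proxy, on top of the two hosts named above. The sample recipe, the example.* hostnames and the function names are constructed for illustration; sources computed at run time are reported for manual review instead of guessed.

```ruby
require 'uri'
require 'set'

# Hosts Hosted Chef itself needed, as reported in this thread.
BASELINE = ['api.opscode.com:443', 's3-external-1.amazonaws.com:443'].freeze

# Constructed sample recipe (not taken from any real cookbook).
SAMPLE_RECIPE = <<~'RECIPE'
  remote_file 'C:/temp/tool.msi' do
    source 'https://downloads.example.com/tool/tool-1.2.msi'
  end
  remote_file 'C:/temp/agent.zip' do
    source node['agent']['url']
  end
  remote_file 'C:/temp/patch.exe' do
    source "http://mirror.example.net/#{node['patch']['file']}"
  end
  resp = Net::HTTP.get(URI('http://meta.example.org:8080/version'))
RECIPE

URL_LITERAL = %r{["'](https?://[^"'\s]+)["']}
SOURCE_LINE = /^\s*source\s+(.+)$/

# Returns [Set of "host:port", Array of lines that need manual review].
def egress_targets(recipe_text)
  hosts = Set.new
  review = []
  recipe_text.each_line do |line|
    line.scan(URL_LITERAL).flatten.each do |url|
      # Drop an interpolated tail so the static host part still parses.
      uri = URI.parse(url.split('#{').first)
      hosts << "#{uri.host}:#{uri.port}" if uri.host
    rescue URI::InvalidURIError
      review << line.strip
    end
    m = SOURCE_LINE.match(line)
    # A source without a URL literal is computed at run time (attribute, variable).
    review << line.strip if m && m[1] !~ URL_LITERAL
  end
  [hosts, review]
end

# Baseline hosts plus whatever the recipe reaches directly, sorted for the proxy rule list.
def proxy_allowlist(recipe_text)
  hosts, review = egress_targets(recipe_text)
  [(BASELINE + hosts.to_a).uniq.sort, review]
end

if __FILE__ == $PROGRAM_NAME
  allow, review = proxy_allowlist(SAMPLE_RECIPE)
  puts 'Allow through proxy:', allow, 'Resolve by hand:', review
end
```

A scan like this only sees literal URLs; proxy logs from a test run, as used in the first post, remain the check for anything resolved at run time.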