puppet: Allow routing camo requests through an outgoing proxy.

Because Camo includes logic to deny access to private subnets, routing its requests through Smokescreen is generally not necessary. However, it may be necessary if Zulip has configured a non-Smokescreen exit proxy. Default Camo to using the proxy only if it is not Smokescreen, with a new `proxy.enable_for_camo` setting to override this behaviour if need be. Note that that setting is in `zulip.conf` on the host with Camo installed -- not the Zulip frontend host, if they are different. Fixes: #20550. (cherry picked from commit d328d3dd4d)
2025-11-03 21:43:21 +00:00 · 2022-01-05 11:04:21 -08:00
parent cb24f93bba
commit 1d559bbffa
3 changed files with 31 additions and 0 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@@ -672,3 +672,10 @@ Defaults to `4750` if unspecified.

 The IP address that Smokescreen should bind to and listen on.
 Defaults to `127.0.0.1`.
+
+#### `enable_for_camo`
+
+Because Camo includes logic to deny access to private subnets, routing
+its requests through Smokescreen is generally not necessary. Set to
+'true' or 'false' to override the default, which uses the proxy only if
+it is not the default of Smokescreen on a local host.
--- a/puppet/zulip/manifests/camo.pp
+++ b/puppet/zulip/manifests/camo.pp
@@ -18,6 +18,29 @@ class zulip::camo (String $listen_address = '0.0.0.0') {
    bin            => 'bin/go-camo',
  }

+  # We would like to not waste resources by going through Smokescreen,
+  # as go-camo already prohibits private-IP access; but a
+  # non-Smokescreen exit proxy may be required to access the public
+  # Internet.  The `enable_for_camo` flag, if it exists, can override
+  # our guess, in either direction.
+  $proxy_host = zulipconf('http_proxy', 'host', 'localhost')
+  $proxy_port = zulipconf('http_proxy', 'port', '4750')
+  $proxy_is_smokescreen = ($proxy_host in ['localhost', '127.0.0.1', '::1']) and ($proxy_port == '4750')
+  $camo_use_proxy = zulipconf('http_proxy', 'enable_for_camo', !$proxy_is_smokescreen)
+  if $camo_use_proxy {
+    if $proxy_is_smokescreen {
+      include zulip::smokescreen
+    }
+
+    if $proxy_host != '' and $proxy_port != '' {
+      $proxy = "http://${proxy_host}:${proxy_port}"
+    } else {
+      $proxy = ''
+    }
+  } else {
+    $proxy = ''
+  }
+
  file { "${zulip::common::supervisor_conf_dir}/go-camo.conf":
    ensure  => file,
    require => [
--- a/puppet/zulip/templates/supervisor/go-camo.conf.erb
+++ b/puppet/zulip/templates/supervisor/go-camo.conf.erb
@@ -1,5 +1,6 @@
 [program:go-camo]
 command=/usr/local/bin/secret-env-wrapper GOCAMO_HMAC=camo_key <%= @bin %> --listen=<%= @listen_address %>:9292 -H "Strict-Transport-Security: max-age=15768000" -H "X-Frame-Options: DENY" --verbose
+environment=HTTP_PROXY="<%= @proxy %>",HTTPS_PROXY="<%= @proxy %>"
 priority=15
 autostart=true
 autorestart=true