paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 21:43:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

puppet: Allow routing camo requests through an outgoing proxy.

Browse Source 
Because Camo includes logic to deny access to private subnets, routing
its requests through Smokescreen is generally not necessary.  However,
it may be necessary if Zulip has configured a non-Smokescreen exit
proxy.

Default Camo to using the proxy only if it is not Smokescreen, with a
new `proxy.enable_for_camo` setting to override this behaviour if need
be.  Note that that setting is in `zulip.conf` on the host with Camo
installed -- not the Zulip frontend host, if they are different.

Fixes: #20550.
This commit is contained in:
Alex Vandiver
2022-01-05 11:04:21 -08:00
committed by Alex Vandiver
parent 2c5fc1827c
commit d328d3dd4d
3 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/production/deployment.md
View File

@@ -759,3 +759,10 @@ Defaults to `4750` if unspecified.
The IP address that Smokescreen should bind to and listen on. The IP address that Smokescreen should bind to and listen on.
Defaults to `127.0.0.1`. Defaults to `127.0.0.1`.
#### `enable_for_camo`
Because Camo includes logic to deny access to private subnets, routing
its requests through Smokescreen is generally not necessary. Set to
true or false to override the default, which uses the proxy only if
it is not the default of Smokescreen on a local host.

23
puppet/zulip/manifests/camo.pp
View File

@@ -16,6 +16,29 @@ class zulip::camo (String $listen_address = '0.0.0.0') {
tarball_prefix => "go-camo-${version}", tarball_prefix => "go-camo-${version}",
} }
# We would like to not waste resources by going through Smokescreen,
# as go-camo already prohibits private-IP access; but a
# non-Smokescreen exit proxy may be required to access the public
# Internet. The `enable_for_camo` flag, if it exists, can override
# our guess, in either direction.
$proxy_host = zulipconf('http_proxy', 'host', 'localhost')
$proxy_port = zulipconf('http_proxy', 'port', '4750')
$proxy_is_smokescreen = ($proxy_host in ['localhost', '127.0.0.1', '::1']) and ($proxy_port == '4750')
$camo_use_proxy = zulipconf('http_proxy', 'enable_for_camo', !$proxy_is_smokescreen)
if $camo_use_proxy {
if $proxy_is_smokescreen {
include zulip::smokescreen
}
if $proxy_host != '' and $proxy_port != '' {
$proxy = "http://${proxy_host}:${proxy_port}"
} else {
$proxy = ''
}
} else {
$proxy = ''
}
file { "${zulip::common::supervisor_conf_dir}/go-camo.conf": file { "${zulip::common::supervisor_conf_dir}/go-camo.conf":
ensure => file, ensure => file,
require => [ require => [

1
puppet/zulip/templates/supervisor/go-camo.conf.erb
View File

@@ -1,5 +1,6 @@
[program:go-camo] [program:go-camo]
command=/usr/local/bin/secret-env-wrapper GOCAMO_HMAC=camo_key <%= @bin %> --listen=<%= @listen_address %>:9292 -H "Strict-Transport-Security: max-age=15768000" -H "X-Frame-Options: DENY" --verbose command=/usr/local/bin/secret-env-wrapper GOCAMO_HMAC=camo_key <%= @bin %> --listen=<%= @listen_address %>:9292 -H "Strict-Transport-Security: max-age=15768000" -H "X-Frame-Options: DENY" --verbose
environment=HTTP_PROXY="<%= @proxy %>",HTTPS_PROXY="<%= @proxy %>"
priority=15 priority=15
autostart=true autostart=true
autorestart=true autorestart=true