[SOLVED] How to set HTTP_PROXY variable in order to use external proxy?

Hi,
I am using Mattermost Team Edition 4.4.2 on CentOS 7 behind a Squid proxy. This config seems to be supported (https://github.com/mattermost/mattermost-server/issues/6469), but how can I tell Mattermost to use the proxy? I have tried setting the HTTP_PROXY variable in /etc/systemd/system/mattermost.service and then restarting the service, but the HTTP_PROXY variable seems to be ignored. I have tried with and without proxy authentication (does Mattermost support a proxy requiring authentication?).
Thanks in advance for your help,

…
[Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.org:3128/"
Type=simple
WorkingDirectory=/opt/mattermost/bin
User=mattermost
Group=mattermost
ExecStart=/opt/mattermost/bin/platform
PIDFile=/var/spool/mattermost/pid/master.pid
LimitNOFILE=49152
…

1 Like

I use EnvironmentFile:

[root@matterhost ~]# cat /usr/lib/systemd/system/mattermost.service
[Unit]
Description=Mattermost
After=syslog.target network.target postgresql-9.4.service

[Service]
Type=simple
WorkingDirectory=/opt/mattermost/bin
User=mattermost
EnvironmentFile=/opt/mattermost/config/mm.environment
ExecStart=/opt/mattermost/bin/platform
PIDFile=/var/spool/mattermost/pid/master.pid
LimitNOFILE=49152

[Install]
WantedBy=multi-user.target
[root@matterhost ~]# cat /opt/mattermost/config/mm.environment
HTTP_PROXY=http://mm:password@192.168.1.2:3128
HTTPS_PROXY=http://mm:password@192.168.1.2:3128

Make sure you tell systemd to reload before restarting your MM service: systemctl daemon-reload

-R

Hi,
Thanks, I confirm that my server now takes the env variables into account (if the password contains special characters, make sure to encode them): the server seems to be able, for example, to check the security updates. However, I still get this error triggered by the link previews feature:

[2017/12/12 14:56:49 CET] [EROR] GetOpenGraphMetadata request failed for url=http://www.google.fr/ with err=Get http://www.google.fr/: proxyconnect tcp: address forbidden

Most likely something is wrong in the squid config? I have tried to allow connect (http_access allow CONNECT) but it does not work.
Mathieu

I’d check out your squid logs if possible - they may be able to help you diagnose why squid is denying the request.

Does the proxy work for other uses? If you export it, can you curl the same URL through it?

EDIT: I’ve just noticed I’m getting the same message. (I updated to 4.5.0 this morning - not sure if that is related). I’m taking a look at my settings/config, will let you know what I find…
Out of interest - a curl goes through the proxy OK, but any of these GetOpenGraphMetadata requests don’t even hit the proxy. Definitely on the mattermost host end of things. :frowning:

Found the issue. It seems the allow untrusted internal setting affects connection to a proxy (which is almost certainly going to be an internal host) (details here).
Adding your proxy to the list of hosts allowed here seems to fix the issue. Please understand the caveats that the setting highlights before enabling the setting.

3 Likes
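Why the hop to the proxy itself gets refused, as an added Go sketch (not Mattermost's code and not part of the original posts): a client that honours HTTP_PROXY but vets every TCP dial against reserved address ranges will reject an internal proxy unless that proxy is allowlisted. The names `hostAllowed`, `newClient` and `errForbidden`, and the space-separated allowlist format, are assumptions made for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// errForbidden reuses the "address forbidden" text from the log line in the thread.
var errForbidden = errors.New("address forbidden")

// hostAllowed permits public IPs always, and reserved IPs (loopback, private,
// link-local) only when listed in allowed: a space-separated list of IPs,
// CIDR ranges or hostnames (format assumed for this sketch).
func hostAllowed(host, allowed string) bool {
	ip := net.ParseIP(host)
	for _, entry := range strings.Fields(allowed) {
		if entry == host {
			return true
		}
		if _, cidr, err := net.ParseCIDR(entry); err == nil && ip != nil && cidr.Contains(ip) {
			return true
		}
	}
	// Hostnames are not resolved here, so an unlisted name is refused.
	return ip != nil && !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}

// newClient honours HTTP_PROXY/HTTPS_PROXY but checks every outgoing dial.
// When a proxy is configured, the address dialled is the proxy's, so an
// internal proxy fails the check before any request reaches it.
func newClient(allowed string) *http.Client {
	d := &net.Dialer{}
	return &http.Client{Transport: &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, _, err := net.SplitHostPort(addr)
			if err != nil || !hostAllowed(host, allowed) {
				return nil, errForbidden
			}
			return d.DialContext(ctx, network, addr)
		},
	}}
}

func main() {
	// Constructed inputs: the proxy IP from the thread, without and with an allowlist entry.
	fmt.Println(hostAllowed("192.168.1.2", ""), hostAllowed("192.168.1.2", "192.168.1.2"))
}
```

Because the dial is refused locally, nothing appears in the Squid access log, which matches the observation that the requests never reached the proxy. Listing only the proxy's address, rather than a whole internal range, keeps the check effective for every other internal host.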

Hi,
I confirm that the “Link preview” feature is now working through proxy after setting AllowedUntrustedInternalConnections parameter.
Many thanks,
Mathieu

1 Like