tsh does not appear to respect HTTPS_PROXY #9072

Closed
russjones opened this issue Nov 19, 2021 · 10 comments
Labels: bug, tsh (Teleport's command line tool for logging into nodes running Teleport)


@russjones
Contributor

No description provided.

@russjones added the bug label Nov 19, 2021
@russjones
Contributor Author

@stevenGravy Can you provide reproduction steps?

@stevenGravy
Contributor

@evilmog

evilmog commented Feb 14, 2022

Confirmed TELEPORT is not honouring HTTPS_PROXY; this is causing some operational problems.

@stevenGravy added the tsh label Feb 15, 2022
@zmb3
Collaborator

zmb3 commented Jun 24, 2022

@r0mant is there anything left to be done for HTTPS_PROXY?

@zmb3
Collaborator

zmb3 commented Feb 20, 2023

My understanding is that this was supposed to be fixed by #10209, but I just tried Jeff's example from above on 12.0.2 and noticed an issue.

When I don't specify the proxy port, tsh's attempts to guess the port seem to bypass the proxy handling code:

[root@680588a42d63 ~]# tsh -d login --user admin --proxy teleport --insecure
DEBU [TSH]       Web proxy port was not set. Attempting to detect port number to use. tsh/tsh.go:3543
DEBU [TSH]       Resolving default proxy port (insecure: true) tsh/resolve_default_addr.go:110
DEBU [TSH]       Trying teleport:3080... tsh/resolve_default_addr.go:98
DEBU [TSH]       Trying teleport:443... tsh/resolve_default_addr.go:98
DEBU [TSH]       Proxy address test failed error:[Get "https://teleport:3080/webapi/ping": context deadline exceeded] tsh/resolve_default_addr.go:62
DEBU [TSH]       Waiting for all in-flight proxy address tests to finish tsh/resolve_default_addr.go:136
DEBU [TSH]       Proxy address test failed error:[Get "https://teleport:443/webapi/ping": context deadline exceeded] tsh/resolve_default_addr.go:62

ERROR REPORT:
Original Error: context.deadlineExceededError context deadline exceeded
Stack Trace:
	github.com/gravitational/teleport/tool/tsh/tsh.go:3550 main.setClientWebProxyAddr
	github.com/gravitational/teleport/tool/tsh/tsh.go:3224 main.makeClientForProxy
	github.com/gravitational/teleport/tool/tsh/tsh.go:3116 main.makeClient
	github.com/gravitational/teleport/tool/tsh/tsh.go:1496 main.onLogin
	github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run
	github.com/gravitational/teleport/tool/tsh/tsh.go:480 main.main
	runtime/proc.go:250 runtime.main
	runtime/asm_arm64.s:1172 runtime.goexit
User Message: context deadline exceeded

When I do specify the port, I am able to log in via the proxy:

[root@680588a42d63 ~]# tsh -d login --user admin --proxy teleport:3080 --insecure
INFO [CLIENT]    no host login given. defaulting to root client/api.go:945
ERRO [CLIENT]    [KEY AGENT] Unable to connect to SSH agent on socket: "". client/api.go:3870
DEBU [TSH]       Pinging the proxy to fetch listening addresses for non-web ports. tsh/tsh.go:3378
DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport:3080 client/api.go:3829
DEBU             Attempting GET teleport:3080/webapi/ping webclient/webclient.go:129
DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:3254
Enter password for Teleport user admin:
DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport:3080 client/api.go:3829
DEBU [CLIENT]    HTTPS client init(proxyAddr=teleport:3080, insecure=true, extraHeaders=map[]) client/weblogin.go:259
WARNING: You are using insecure connection to Teleport proxy https://teleport:3080

@atburke is this the behavior you'd expect?

@evilmog

evilmog commented Feb 20, 2023 via email

@zmb3
Collaborator

zmb3 commented Feb 20, 2023

This particular issue is specifically about tsh.

@evilmog

evilmog commented Feb 21, 2023 via email

@russjones
Contributor Author

@evilmog We're looking into it right now, we'll update you soon.

cc @r0mant

@atburke
Contributor

atburke commented Feb 22, 2023

@zmb3 The port guessing issue you found is a bug. #22161 should fix it.
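
An added Go example, not Teleport's code and not part of the original thread: it audits where the port-guessing probes to `/webapi/ping` would be sent by a hand-built `http.Transport` versus one that sets `Proxy: http.ProxyFromEnvironment`, which is a quick way to find a code path that skips `HTTPS_PROXY`. The `probeRoutes` helper, the two transports and the proxy address `proxy.example.internal:3128` are assumptions made for illustration; the ports and path come from the debug log above.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// Candidate ports and ping path, as they appear in the debug log above.
var candidatePorts = []string{"3080", "443"}

const pingPath = "/webapi/ping"

// probeRoutes reports, for each port-guessing probe to host, where tr would
// send it: the proxy's host:port, or "direct" when no proxy applies.
func probeRoutes(tr *http.Transport, host string) (map[string]string, error) {
	routes := make(map[string]string)
	for _, port := range candidatePorts {
		target := "https://" + host + ":" + port + pingPath
		req, err := http.NewRequest(http.MethodGet, target, nil)
		if err != nil {
			return nil, err
		}
		routes[target] = "direct" // a nil Proxy func never consults HTTPS_PROXY
		if tr.Proxy == nil {
			continue
		}
		u, err := tr.Proxy(req)
		if err != nil {
			return nil, err
		}
		if u != nil {
			routes[target] = u.Host
		}
	}
	return routes, nil
}

func main() {
	// Constructed proxy address. Set it before the first ProxyFromEnvironment
	// call, because Go reads the proxy variables once and caches them.
	os.Setenv("HTTPS_PROXY", "http://proxy.example.internal:3128")
	os.Setenv("NO_PROXY", "")
	bare := &http.Transport{} // hand-built transport: Proxy field left nil
	envAware := &http.Transport{Proxy: http.ProxyFromEnvironment}
	for _, tr := range []*http.Transport{bare, envAware} {
		routes, err := probeRoutes(tr, "teleport")
		fmt.Println(routes, err)
	}
}
```

Every probe through the bare transport reports `direct`, so on a network where egress is only allowed through the proxy those probes time out, while the env-aware transport routes the same probes to the configured proxy.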
