@slominskir
Last active November 20, 2023 15:40
JLab Intercepting Proxy

Jefferson Lab uses an intercepting TLS/SSL proxy server with a custom certificate, so Internet access from onsite often does not work as expected. Plus, there is a very aggressive firewall on the accelerator network that blocks most everything by default.

For builds to work they often need to (1) connect to the Internet and (2) trust the TLS certificates they are presented with. Historically, for Accelerator Internet access, we used a proxy (now deprecated):

setenv https_proxy jprox.jlab.org:8082 (csh)

OR

export https_proxy=https://jprox.jlab.org:8082 (bash)

The correct approach now is to create an ACE-PR requesting that the firewall be updated to allow access. This is often done very narrowly, for a specific host.

The fix for the intercepting TLS proxy is often to update the client trust store with the custom JLab certificate, which can be downloaded here: http://pki.jlab.org/JLabCA.crt

Language Specific Certificate Handling

Java

Import the JLabCA.crt into the trust store of Java (usually at lib/security/cacerts)

keytool -import -alias custom -file JLabCA.crt -storetype JKS -keystore cacerts -storepass changeit

Note: It is also possible to invoke gradle with arguments to override the trust store and proxy server:

gradlew -Dhttps.proxyHost=jprox.jlab.org -Dhttps.proxyPort=8082 -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts build

Note: The jprox piece should probably be dropped now; instead, create an ACE-PR to update the firewall.

Windows Example: Put an enriched cacerts file at C:\cacerts and update your gradle.properties in your ~/.gradle dir to point to the cacerts file:

org.gradle.jvmargs=-Djavax.net.ssl.trustStore=C:\\cacerts

Node.js

Set the NODE_EXTRA_CA_CERTS environment variable to the full path of the JLabCA.crt file in order for NPM to accept the JLab certificate.

Alternatively (this disables certificate verification for npm entirely, so the cafile options below are preferable) use:

npm config set strict-ssl false -g

Or create a file in the user homedir named .npmrc with contents like:

cafile=/etc/ssl/certs/ca-bundle.crt

Or create the file on the command line with:

npm config set cafile /etc/ssl/certs/ca-bundle.crt -g

Python

PIP

Create a file at /etc/pip.conf that contains:

[global]
cert = /etc/pki/tls/certs/ca-bundle.crt

Note: The accelerator network has this certificate available at the path above on all workstations; you can always copy it to your own VM if needed.

Alternatively, you can just set hosts to trust (not as good as the cert, though):

[global]
trusted-host = pypi.python.org files.pythonhosted.org

Note: On Windows the conf file should be somewhere like C:/Users/<username>/pip/pip.ini.

Twine

(for uploading packages to pypi)

Use the --cert option. It might look like:

py -m twine upload --repository testpypi dist/* --cert C:\JLabCA.crt

Docker

You'll need to customize your Dockerfile to anticipate being built behind the JLab intercepting proxy.

A custom argument can apply this custom certificate conditionally as users outside the network won't need it. The Dockerfile arg could look like:

ARG CUSTOM_CRT_URL
...

A Dockerfile that relies on Java Gradle could include:

...
    && if [ -z "$CUSTOM_CRT_URL" ] ; then echo "No custom cert needed"; else \
          wget -O /usr/local/share/ca-certificates/customcert.crt $CUSTOM_CRT_URL \
          && update-ca-certificates \
          && keytool -import -alias custom -file /usr/local/share/ca-certificates/customcert.crt -storetype JKS -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt \
          && export OPTIONAL_CERT_ARG=-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts \
          ; fi \
    && ./gradlew build $OPTIONAL_CERT_ARG
...

A Dockerfile that relies on Python PIP could include:

...
    && if [ -z "$CUSTOM_CRT_URL" ] ; then echo "No custom cert needed"; else \
          wget -O /usr/local/share/ca-certificates/customcert.crt $CUSTOM_CRT_URL \
          && update-ca-certificates \
          && export OPTIONAL_CERT_ARG=--cert=/etc/ssl/certs/ca-certificates.crt \
          ; fi \
    && pip install --no-cache-dir -r ./requirements.txt $OPTIONAL_CERT_ARG \
...

Run the Docker build with:

docker build -t myimage . --build-arg CUSTOM_CRT_URL=http://pki.jlab.org/JLabCA.crt

WSL2

The Windows Subsystem for Linux is a nice tool for supporting Docker and bringing bash to Windows. The distribution installed in WSL2 will be tripped up by the JLab intercepting proxy, though. When using wget or similar you'll likely encounter something like:

wget https://raw.githubusercontent.com/JeffersonLab/wildfly/main/scripts/server-setup.sh
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by ‘CN=border-pa.jlab.org,OU=Computer Center,O=Jefferson Lab,L=Newport News,ST=VA,C=US’:
  Self-signed certificate encountered.

You can work around this with the wget flag --no-check-certificate, but ideally you update the certificate store, which is distribution dependent. On Ubuntu run:

sudo wget -O /usr/local/share/ca-certificates/customcert.crt http://pki.jlab.org/JLabCA.crt
sudo update-ca-certificates
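As an added check (example code written for this page, not part of the gist), the following Python uses only the standard library to (a) confirm that a bundle you point pip, npm or Docker at actually contains JLabCA.crt, by comparing SHA-256 fingerprints, and (b) flag a TLS peer whose issuer is the site's interception CA, the same `CN=border-pa.jlab.org ... O=Jefferson Lab` issuer the wget error above reports. The sample PEM blobs and peer-cert dict are constructed placeholders rather than real certificates; `probe_issuer` needs network access and is the only part not exercised offline.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle (e.g. ca-bundle.crt)."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def cert_in_bundle(cert_pem, bundle_pem):
    """True if every cert in cert_pem (normally just JLabCA.crt) is already in bundle_pem."""
    wanted = bundle_fingerprints(cert_pem)
    return bool(wanted) and wanted <= bundle_fingerprints(bundle_pem)

def issuer_fields(peercert):
    """Flatten the issuer RDNs of an ssl.SSLSocket.getpeercert() dict into {field: value}."""
    return {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}

def looks_intercepted(peercert, proxy_org="Jefferson Lab"):
    """True when the leaf cert was re-issued by the site's interception CA, not the real CA."""
    return issuer_fields(peercert).get("organizationName") == proxy_org

def probe_issuer(host, cafile=None, port=443):
    """Verified TLS connect (against cafile, or the system store when None); returns the peer cert.
    Behind the proxy with an un-enriched store this raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data: NOT real certificates, just base64 of placeholder bytes,
# which is all the fingerprint comparison needs and keeps this runnable offline.
def fake_pem(payload):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CA = fake_pem(b"placeholder DER for JLabCA.crt")
SAMPLE_BUNDLE = fake_pem(b"placeholder DER for a public root") + SAMPLE_CA
# Shape of getpeercert() output, with the issuer taken from the gist's wget error message.
SAMPLE_PEERCERT = {"issuer": (
    (("countryName", "US"),), (("stateOrProvinceName", "VA"),), (("localityName", "Newport News"),),
    (("organizationName", "Jefferson Lab"),), (("organizationalUnitName", "Computer Center"),),
    (("commonName", "border-pa.jlab.org"),))}
```

Run `cert_in_bundle(open("JLabCA.crt").read(), open("/etc/ssl/certs/ca-bundle.crt").read())` against a real bundle to confirm the enrichment took, and `probe_issuer("raw.githubusercontent.com", cafile=...)` from onsite to see which issuer your store is actually verifying against.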