BusyBox wget does not correctly handle SSL over HTTPS proxy #487

Open
dmak opened this issue Apr 16, 2019 · 4 comments
@dmak

dmak commented Apr 16, 2019

It seems that the built-in BusyBox wget (v1.27.2 2017-12-12 10:41:50 GMT) is not capable of handling SSL traffic via a proxy (10.1.2.3:8080 in my case). Example:

+ rm /tmp/download-kafka.sh
+ wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.27-r0/glibc-2.27-r0.apk
Connecting to 10.1.2.3:8080 (10.1.2.3:8080)
wget: tls error at line 803 cipher:0000
wget: error getting response: Connection reset by peer 

The advice to run apk add --ca-certificates openssl && update-ca-certificates didn't help (probably because BusyBox wget is not GNU wget):

(20/22) Installing libcrypto1.0 (1.0.2r-r0)
(21/22) Installing libssl1.0 (1.0.2r-r0)
(22/22) Installing openssl (1.0.2r-r0)
Executing busybox-1.27.2-r7.trigger
Executing ca-certificates-20171114-r0.trigger
OK: 235 MiB in 72 packages
+ update-ca-certificates
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
...
+ rm /tmp/download-kafka.sh
+ wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.27-r0/glibc-2.27-r0.apk
Connecting to 10.1.2.3:8080 (10.1.2.3:8080)
wget: error getting response: Connection reset by peer

Solution

Use curl instead of wget in the Dockerfile:

 && curl -s -L -O https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-${GLIBC_VERSION}
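To make the failure in the log above concrete: the proxy at 10.1.2.3:8080 is reached, and the very next message is a TLS error, which is the pattern of a client starting TLS directly on the proxy socket instead of first asking the proxy for a CONNECT tunnel. The following Python is added here as an illustration (it is not BusyBox, GNU wget or this project's code): it classifies the opening bytes a proxy would see from three constructed client samples, and shows the CONNECT exchange a client must complete before TLS may start. Host names, ports and byte samples are constructed.

```python
import re

# Constructed samples of the first bytes a proxy on 10.1.2.3:8080 would receive
# from three kinds of client (not captured traffic).
PLAIN_HTTP_VIA_PROXY = (
    b"GET http://mirror.koddos.net/apache/kafka/2.2.0/kafka_2.12-2.2.0.tgz HTTP/1.1\r\n"
    b"Host: mirror.koddos.net\r\n\r\n"
)
HTTPS_VIA_CONNECT = b"CONNECT github.com:443 HTTP/1.1\r\nHost: github.com:443\r\n\r\n"
# TLS record header: type 0x16 (handshake), version 3.1, length 0x002a, then
# handshake type 0x01 (ClientHello). The zero padding is not a real ClientHello.
TLS_HELLO_TO_PROXY = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 42

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def classify_client_bytes(first: bytes) -> str:
    """Say what a client is doing on a proxy socket, judged from its opening bytes."""
    if len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03 and first[5] == 0x01:
        # A proxy speaks HTTP, not TLS, so this gets an error or a reset: the log above.
        return "tls-handshake-without-connect"
    m = REQUEST_LINE.match(first.split(b"\r\n", 1)[0])
    if not m:
        return "unknown"
    method, target = m.group(1), m.group(2)
    if method == b"CONNECT":
        return "connect-tunnel"        # correct shape for https through a proxy
    if target.startswith(b"http://"):
        return "absolute-uri-http"     # correct shape for plain http via a proxy
    return "other-request"


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request a client sends to the proxy before starting TLS."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT."""
    m = re.match(rb"HTTP/1\.[01] (\d{3})", reply)
    if not m:
        raise ValueError("proxy reply is not an HTTP status line")
    return int(m.group(1))


def tunnel_established(reply: bytes) -> bool:
    """TLS with the origin server may begin only after a 2xx reply to CONNECT."""
    return 200 <= parse_connect_status(reply) < 300
```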
@sscaling
Collaborator

sscaling commented Apr 16, 2019

In general, the image does not support proxying. See related tickets such as #465.

I'm not sure of your particular configuration, as it looks like the resolution is resolving to your local proxy (have you changed the Dockerfile, or is there a proxy configured externally in your network perimeter?).

Fundamentally I see no issue with changing wget to curl, but I'd like to understand why it is failing. I suspect it's more to do with omitting the -Y|--proxy on option.

However, I still don't think it addresses the general proxy use case, and ideally we'd support something like the https_proxy / http_proxy environment variables so this can be controlled explicitly by the user.

@dmak
Author

dmak commented Apr 16, 2019

I have modified the Dockerfile, but in principle it's about setting the https_proxy / http_proxy environment variables, as you have mentioned.
As you can see from the logs, wget tries to connect to the proxy, but something goes wrong. Needless to say:

  • It is not possible to download anything from the Internet without using a proxy in my network.
  • The Kafka artifact (as well as the base Docker images) was downloaded correctly just a few lines above in the console output:
+ url=http://mirror.koddos.net/apache/kafka/2.2.0/kafka_2.12-2.2.0.tgz
+ wget -q http://mirror.koddos.net/apache/kafka/2.2.0/kafka_2.12-2.2.0.tgz -O /tmp/kafka_2.12-2.2.0.tgz

hence the proxy was set up correctly and wget correctly identifies and uses it. The issue is about this very combination: TLS over proxy.

In general it would be nice to generalize the issue to something like "Support proxy", but in this particular case it was easier for me to go with a minor replacement of wget with curl. GNU wget would probably work just fine – I haven't tested that.

@sscaling
Collaborator

Thanks for the response. I believe from my investigation of #465 that wget works fine with the https_proxy environment variable and the -Y option.

@rgarzari

rgarzari commented Jul 21, 2020

My setup is behind a corporate proxy, and I was able to get it to work with wget by making the following change in the Dockerfile.

From:

RUN apk add --no-cache bash curl jq docker \
 ....

To:

RUN apk update \
 && apk add ca-certificates wget \
 && apk add --no-cache bash curl jq docker \
 ....

and adding the following proxy config to the ~/.docker/config.json file, as indicated in https://docs.docker.com/network/proxy/:

sudo vim ~/.docker/config.json

{
  "proxies": {
    "default": {
      "httpsProxy": "https://<proxy IP address>:<proxy port>"
    }
  }
}
