Closed Cyukou-Ko closed 1 year ago
Our company has encountered issues with this as well. Since no_proxy isn't being honored, our ZIP uploads hit our internal proxy server, which results in a scan for 'files of concern', which includes files like .js and .ps1, etc. When the scanner sees those files, it kills the transfer.
Can you help us understand the problem that your proxy solves for you in the first place? Conditionally using your proxy only for requests to certain domains defeats much of the purpose of HTTP proxies.
@mwjones-aws If you are looking for an explanation of how proxy servers and firewalls work in a corporate internal network environment, I would suggest Google :-)
In the case of how my employer's environment (a major defense contractor) is configured: requests that hit the proxy server are processed by firewall software which does deep packet inspection. As mentioned above, packets containing files of concern are blocked. If NO_PROXY is honored, which the AWS Code Deploy agent does not, requests remain within the corporate intranet, and take specially configured paths to the AWS Pub/Gov servers that do not take them through the standard corporate proxy and the global Internet. One could argue that our corporate proxy/firewall configuration could be more aware of domains such as these and redirect packets for them to the bypass routes without applying the firewall rules. But, if you've ever interacted with the teams that support these environments, you likely already understand the... shall I say, single-mindedness that those teams often have. Their focus is more often on 'protecting the corporate intranet' than on 'enabling employee productivity'.
Why not just omit the HTTP_Proxy setting? There is no such NO_PROXY setting; the original poster was making a feature request.
@philstrong Our workaround was exactly that, to remove the http_proxy settings within our build pipeline. Still, the standard for proxy settings is the existence of no_proxy, which is why the original poster (and I, although perhaps not as clearly) have requested that support of no_proxy be added to the code deploy implementation.
> Still, the standard for proxy settings is the existence of no_proxy

ooooooh https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/ Looks like Ruby does support NO_PROXY
After using HTTP_Proxy, S3 requests will not be accessed through the VPC Gateway Endpoint and the bundle will not be downloaded properly. Consider adding the no_proxy option or enforcing S3 requests to bypass the proxy setting.
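As an added example (not code from the CodeDeploy agent or from anyone in this thread): a Ruby check of which endpoints would go direct and which would go through the proxy under the standard library's `no_proxy` matching, the matching that `URI#find_proxy` applies and that the comment above about Ruby refers to. The proxy URL, the `no_proxy` list and the endpoint URLs are constructed sample values, and `route_for` and `audit` are hypothetical helper names.

```ruby
require 'uri'

# Constructed sample environment (assumption, not taken from the thread).
SAMPLE_ENV = {
  'http_proxy'  => 'http://proxy.corp.example:3128',
  'https_proxy' => 'http://proxy.corp.example:3128',
  'no_proxy'    => '.s3.us-east-1.amazonaws.com,169.254.169.254,internal.example:8443'
}.freeze

# Constructed sample endpoints to audit.
SAMPLE_ENDPOINTS = %w[
  https://my-bucket.s3.us-east-1.amazonaws.com/bundle.zip
  https://codedeploy-commands.us-east-1.amazonaws.com/
  http://169.254.169.254/latest/meta-data/
  https://internal.example:8443/health
  https://internal.example/health
].freeze

# Returns :direct or :proxy for one URL under the given environment hash.
def route_for(url, env)
  uri = URI.parse(url)
  proxy = env["#{uri.scheme}_proxy"] || env["#{uri.scheme.upcase}_PROXY"]
  return :direct if proxy.nil? || proxy.empty?

  no_proxy = env['no_proxy'] || env['NO_PROXY']
  return :proxy if no_proxy.nil? || no_proxy.empty?

  # URI::Generic.use_proxy? is the undocumented stdlib helper behind
  # URI#find_proxy. Passing nil for the resolved address skips DNS, so
  # entries are matched against the host name and port only.
  if URI::Generic.use_proxy?(uri.hostname, nil, uri.port, no_proxy)
    :proxy
  else
    :direct
  end
end

# Maps every endpoint to its route so the result can be reviewed or diffed.
def audit(endpoints, env)
  endpoints.to_h { |url| [url, route_for(url, env)] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_ENDPOINTS, SAMPLE_ENV).each do |url, route|
    puts format('%-8s %s', route, url)
  end
end
```

A `no_proxy` entry with a port, such as `internal.example:8443`, exempts only that port, so the same host on 443 still goes through the proxy.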