Closed uandco closed 3 years ago
I'll open up port `443` by default to `haproxy`.
Seeing as the port is open on the original pygmy - even with virtually no support, it's not a big ask.
I would be interested in how you use `https` with pygmy - if you were prepared to share.
In the meantime I'll organise this.
Well, I've been directed here by the amazee team when I asked about how to get pygmy to set an extra subjectAltName field in the self-signed certificate you get when using https, so you can trust it on the system and Chrome doesn't complain about it still missing subjectAltName, and you have to re-enable the exception every few days (after each Chrome update?).
So, if the haproxy version pygmy-go uses doesn't do that yet, that would be a great addition too!
The containers are like for like - so it wouldn't support anything new. There's a lot of interesting things that the haproxy container could be doing and I get the feeling it will be updated in the future. I've been rather curious about this mechanism myself so I might go back down the rabbit hole.
I'm just getting the tests to pass again and I should be good to submit a PR. Could probably swing a release as well...
Thanks! re subjectAltName, it turns out the cert is not generated on the fly like I thought, but stored in the amazee haproxy image: https://github.com/amazeeio/docker-haproxy/blob/master/server.pem
So, to get that extra field and make it Chrome friendly, I guess the image should be updated.
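For reference, an added example that is not part of this thread or of the pygmy-go or amazeeio code: one way to build a self-signed certificate with a subjectAltName as a single combined PEM (HAProxy loads the certificate and key from one file) and to check whether an existing PEM carries the field. The function names, the 30-day validity and the `*.docker.amazee.io` wildcard in the usage comment are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; function names, validity period and hostnames are assumptions.

# make_pem OUT HOST [SAN_LIST]
# Writes a self-signed certificate followed by its private key to OUT.
# Without SAN_LIST the certificate has only a CN, which Chrome does not accept.
make_pem() {
    out=$1; host=$2; sans=${3:-}
    tmp=$(mktemp -d) || return 1
    # Build the openssl argument list; add the SAN extension only when asked.
    set -- -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$host" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem"
    if [ -n "$sans" ]; then
        set -- "$@" -addext "subjectAltName=$sans"
    fi
    if ! openssl req "$@" 2>/dev/null; then
        rm -rf "$tmp"
        return 1
    fi
    # The combined file contains the private key, so keep it owner-only.
    ( umask 077; cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" )
    rm -rf "$tmp"
}

# has_san PEM NAME
# Succeeds only if the first certificate in PEM lists NAME as an exact
# DNS entry in its subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//' |
        grep -qxF "DNS:$2"
}

# Usage (constructed values):
#   make_pem server.pem docker.amazee.io \
#       "DNS:docker.amazee.io,DNS:*.docker.amazee.io"
#   has_san server.pem docker.amazee.io && echo "SAN present"
```

Running `has_san` against the PEM shipped in an image shows whether the certificate already has the field before you decide to replace it.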
> I guess the image should be updated.
There's so much awesome that can come from updates and changes to that image, but because this project is made to replicate `pygmy` like for like - despite the infinite amount of complexity you can add onto it, official support needs to come from upstream (amazee). I'm guessing there will need to be new logic for architectural differences as the Apple M1 architecture has complicated possible support. This tool is designed for universal support - and having such differences can complicate things.
All of that said, you can however provide your own custom image to use instead of `amazeeio/haproxy`, you could load up the changes and just make use of that image with minimal effort. I could write something up quickly if that sounds more appealing to you.
Release v0.7.0 is now out, I hope it helps you somewhat :+1:
Using a custom image would be the last resort, but I appreciate the offer to add the option to specify such an image. I'll check with Amazee, I don't see the addition of this cert field as a deal breaker, more keeping it up to date with standards, which seem to have been around since 2003 ;-) https://www.digicert.com/faq/subject-alternative-name-compatibility.htm
Everything that pygmy-go runs is all in configuration, it passes Docker-native API objects directly to Docker's API. So, changing the image is literally baked into the support here - it's just changing the configuration is probably not what most people want to do. It's one of the founding reasons I made this project - I wanted it to be customisable.
Happy you're using it!
If you are curious, I wrote a whole heap of documentation that never got finished that is all still relevant: https://github.com/fubarhouse/pygmy-go/blob/issue/203/docs/customisation/examples_simple.md#image-replacement
Thanks for releasing v0.7.0! I just had a go and https now works!
I'm getting some weird stdout when launching it tho:
```
Successfully started amazeeio-dnsmasq
Successfully started amazeeio-haproxy
Successfully started amazeeio-mailhog
Successfully started amazeeio-ssh-agent
Successfully connected amazeeio-haproxy to amazeeio-network
Successfully connected amazeeio-mailhog to amazeeio-network
Successfully connected amazeeio-ssh-agent to amazeeio-network
exit status 1
exit status 1
/bin/sh -c cat /etc/resolver/
exit status 1
Identity added: /Users/xxxx/.ssh/id_rsa (xxxx@xxxxx)
! http://docker.amazee.io/stats (amazeeio-haproxy)
```
Glad it works! :)
I'll have to have a think about this one... it appears too much of the ssh-add logs are coming through. I'll open a new ticket and work on that tomorrow night.
Hi,
Pygmy proxies https requests out of the box. It seems like pygmy-go doesn't, unless I missed something?
Thanks