Standalone Signal-Desktop has problems connecting through a proxy

[janLo]

• [x] I have searched open and closed issues for duplicates

---

Bug description

I've set the http_proxy and https_proxy variables on my system. Sognal-Desktop however seems to ignore them. I cannot get a connection to get the QR code. An strace says:

[pid 17437] 01:57:05.094195 connect(36, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("52.206.164.16")}, 16) = -1 EINPROGRESS (Operation now in progress)

Which is clearly not the proxy.

Steps to reproduce

• Install Signal-Desktop behind a proxy
• Try to follow the steps to set it up.

Actual result: No QR code, Server not reachable Expected result: QR Code, normal operation.

Platform info

Operating System: GNU/Linux Browser: Chrome

Signal version: v1.0.34

Link to debug log

https://gist.github.com/0bbe048ee23480d58dae34f0b07e16fe

[NipponBill]

Same here. Environment variables set for my company proxy in Windows 8.1, also proxy set in Internet Options.

No QR Code: fails to connect.

[cboehm-it]

I also configured a proxy and Signal Desktop does not connect.

[delight]

Confirmation, no signal desktop behind the proxy ... tried linux and windows v1.0.34

You shouldn't have disabled the chrome-app before fixing this ... anyways hope to see a working version soon.

[scottnonnenberg]

Signal Desktop on Chrome is absolutely still useable. If you've already exported and imported to Signal Desktop Standalone, you can remove the Chrome version and reinstall from scratch.

This issue is on my list.

[pieceofsoul]

Same issue on Windows 10.

[mattismyname]

Happy to be guinea pig tester on this

[bseibold]

Still valid for v1.0.38

[gfairchild]

Experiencing this on macOS 10.12.6.

[scottnonnenberg]

The beta build installed today has support for using a proxy specified in environment variables - please try it out! https://github.com/WhisperSystems/Signal-Desktop/releases/tag/v1.1.0-beta.3. The environment variables consulted are discussed here: https://github.com/WhisperSystems/Signal-Desktop/pull/1855

[je-vv]

This is great news... There 2 new dependencies to take into account when using next release, or when testing the beta release:

https://github.com/Rob--W/proxy-from-env https://github.com/TooTallNate/node-proxy-agent

Which can be confirmed on package.json, the commit added:

• "proxy-agent": "^2.1.0",
• "proxy-from-env": "^1.0.0",

Is it possible to somehow publish those new requirements? Just so people and/or distribution developers take that into account... Thanks a lot !

[gfairchild]

@scottnonnenberg, I saw your comment on the PR:

My understanding is that most proxies on MacOS are system-wide and transparent, so it's not so urgent.

I'm on macOS Sierra, and while the proxies generally are system-wide and transparent, each program still needs to have built-in support for reading them. Signal does not currently work for me when I'm behind a proxy. I do have environment variables set in my terminal, but those are only available within a terminal session.

[scottnonnenberg]

@gfairchild for now it would be useful to determine whether those environment variables work for you, by running from the command line. Just gotta reach into that app to find the executable. :0)

[gfairchild]

Yeah, that'll certainly be a start. That should work. I'm not in a place where I can compile/test the beta. Is there by chance a pre-built beta for macs that I could use to test?

[scottnonnenberg]

You can find the latest prebuilt beta windows install here: https://updates.signal.org/desktop/beta.yml and the latest beta mac install here: https://updates.signal.org/desktop/beta-mac.yml

[gfairchild]

Just tried the current beta, and it doesn't appear to be working. I see this when I try to setup a new install:

I tried both launching the app natively and from the command line, where I have an HTTPS_PROXY environment variable set. I just tossed Signal Beta.app onto my desktop. Here's the debugging output from the command line launch:

gfairchild@meow ~/Desktop/Signal Beta.app/Contents/MacOS> env | grep -i proxy
HTTP_PROXY=http://proxyout.xxx.xxx:8080
https_proxy=http://proxyout.xxx.xxx:8080
http_proxy=http://proxyout.xxx.xxx:8080
no_proxy=localhost,127.0.0.1,xxx.xxx
NO_PROXY=localhost,127.0.0.1,xxx.xxx
HTTPS_PROXY=http://proxyout.xxx.xxx:8080
gfairchild@meow ~/Desktop/Signal Beta.app/Contents/MacOS> ./Signal\ Beta
NODE_ENV production
NODE_CONFIG_DIR /Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/config
NODE_CONFIG {}
ALLOW_CONFIG_MUTATIONS undefined
HOSTNAME undefined
NODE_APP_INSTANCE undefined
SUPPRESS_NO_CONFIG_WARNING undefined
setting AUMID to org.whispersystems.signal-desktop-beta
userData: /Users/gfairchild/Library/Application Support/Signal Beta
making app single instance
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"OS Release: 16.7.0 - notifications polyfill? false","time":"2017-12-05T21:57:39.854Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"app ready","time":"2017-12-05T21:57:39.900Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"Initializing BrowserWindow config: {\"show\":true,\"width\":800,\"height\":610,\"minWidth\":700,\"minHeight\":360,\"autoHideMenuBar\":false,\"webPreferences\":{\"nodeIntegration\":false,\"preload\":\"/Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/preload.js\"},\"icon\":\"/Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/images/icon_256.png\",\"maximized\":false,\"x\":320,\"y\":123}","time":"2017-12-05T21:57:39.913Z","v":0}
Checking for update
Update for version 1.1.0-beta.3 is not available (latest version: 1.1.0-beta.3, downgrade is disallowed.
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"Using OS-level spell check API with locale en_US.UTF-8","time":"2017-12-05T21:57:40.930Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"pre-main prep time: 2 ms","time":"2017-12-05T21:57:41.132Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"Build expires:  2018-03-05T01:27:01.000Z","time":"2017-12-05T21:57:41.159Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"background page reloaded","time":"2017-12-05T21:57:41.185Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"environment: production","time":"2017-12-05T21:57:41.185Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"ConversationController: starting initial fetch","time":"2017-12-05T21:57:41.257Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"ConversationController: done with initial fetch","time":"2017-12-05T21:57:41.259Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"listening for registration events","time":"2017-12-05T21:57:41.275Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"Updating BrowserWindow config: {\"maximized\":false,\"autoHideMenuBar\":false,\"width\":800,\"height\":610,\"x\":320,\"y\":122}","time":"2017-12-05T21:57:42.195Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"opening provisioning socket https://textsecure-service.whispersystems.org","time":"2017-12-05T21:57:42.520Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"provisioning socket closed 1006","time":"2017-12-05T21:57:42.537Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"provisioning failed Error: websocket closed\n    at W3CWebSocket.socket.onclose (file:///Users/gfairchild/Desktop/Signal%20Beta.app/Contents/Resources/app.asar/js/libtextsecure.js:37941:36)\n    at W3CWebSocket._dispatchEvent [as dispatchEvent] (/Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/node_modules/yaeti/lib/EventTarget.js:107:17)\n    at W3CWebSocket.onConnectFailed (/Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/node_modules/websocket/lib/W3CWebSocket.js:219:14)\n    at WebSocketClient.<anonymous> (/Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/node_modules/websocket/lib/W3CWebSocket.js:59:25)\n    at emitOne (events.js:96:13)\n    at WebSocketClient.emit (events.js:191:7)\n    at ClientRequest.handleRequestError (/Users/gfairchild/Desktop/Signal Beta.app/Contents/Resources/app.asar/node_modules/websocket/lib/WebSocketClient.js:215:14)\n    at emitOne (events.js:96:13)\n    at ClientRequest.emit (events.js:191:7)\n    at TLSSocket.socketErrorListener (_http_client.js:358:9)","time":"2017-12-05T21:57:42.540Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":51986,"level":30,"msg":"Updating BrowserWindow config: {\"maximized\":false,\"autoHideMenuBar\":false,\"width\":800,\"height\":610,\"x\":320,\"y\":122}","time":"2017-12-05T21:57:47.226Z","v":0}

[scottnonnenberg]

@gfairchild Glad to see that you're trying out the beta. You can either provide HTTPS_PROXY (for our REST calls) and WSS_PROXY (for websocket) or ALL_PROXY to provide one proxy URL for both.

[gfairchild]

You mean provide one of those as an argument when launching? So something like this?:

gfairchild@meow ~/Desktop/Signal Beta.app/Contents/MacOS> ./Signal\ Beta HTTPS_PROXY=http://proxyout.xxx.xxx:8080

?

[scottnonnenberg]

They're environment variables, so you can set them with export HTTPS_PROXY=blah on a previous line in that session. Or you can put it before the executable right inline like that. https://en.wikipedia.org/wiki/Environment_variable#Unix

[gfairchild]

Ah, sorry, I didn't make it clear, but I do have those set. If you look at the very first line of my big blob, I'm outputting my current proxy environment variables. So HTTPS_PROXY is set, but I still see a "Failed to connect to server." error when trying to setup a new install.

[scottnonnenberg]

Yes, and you need to add either WSS_PROXY to cover the websocket cases, or change over to using just ALL_PROXY to capture all cases.

[gfairchild]

Ahhhhhh, gotcha. I'll try that....

[gfairchild]

Adding WSS_PROXY doesn't seem to fix it:

gfairchild@meow ~/Desktop/Signal Beta.app/Contents/MacOS> export WSS_PROXY=http://proxyout.xxx.xxx:8080
gfairchild@meow ~/Desktop/Signal Beta.app/Contents/MacOS> env | grep -i proxy
HTTP_PROXY=http://proxyout.xxx.xxx:8080
WSS_PROXY=http://proxyout.xxx.xxx:8080
https_proxy=http://proxyout.xxx.xxx:8080
http_proxy=http://proxyout.xxx.xxx:8080
no_proxy=localhost,127.0.0.1,xxx.xxx
NO_PROXY=localhost,127.0.0.1,xxx.xxx
HTTPS_PROXY=http://proxyout.xxx.xxx:8080
gfairchild@meow ~/Desktop/Signal Beta.app/Contents/MacOS> ./Signal\ Beta
NODE_ENV production
NODE_CONFIG_DIR /Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/config
NODE_CONFIG {}
ALLOW_CONFIG_MUTATIONS undefined
HOSTNAME undefined
NODE_APP_INSTANCE undefined
SUPPRESS_NO_CONFIG_WARNING undefined
setting AUMID to org.whispersystems.signal-desktop-beta
userData: /Users/gfairchild/Library/Application Support/Signal Beta
making app single instance
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"OS Release: 16.7.0 - notifications polyfill? false","time":"2017-12-05T22:27:20.518Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"app ready","time":"2017-12-05T22:27:20.587Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"Initializing BrowserWindow config: {\"show\":true,\"width\":800,\"height\":610,\"minWidth\":700,\"minHeight\":360,\"autoHideMenuBar\":false,\"webPreferences\":{\"nodeIntegration\":false,\"preload\":\"/Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/preload.js\"},\"icon\":\"/Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/images/icon_256.png\",\"maximized\":false,\"x\":320,\"y\":122}","time":"2017-12-05T22:27:20.603Z","v":0}
Checking for update
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"Using OS-level spell check API with locale en_US.UTF-8","time":"2017-12-05T22:27:21.694Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"pre-main prep time: 2 ms","time":"2017-12-05T22:27:21.924Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"Build expires:  2018-03-05T01:27:01.000Z","time":"2017-12-05T22:27:21.951Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"background page reloaded","time":"2017-12-05T22:27:21.976Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"environment: production","time":"2017-12-05T22:27:21.976Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"ConversationController: starting initial fetch","time":"2017-12-05T22:27:22.114Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"ConversationController: done with initial fetch","time":"2017-12-05T22:27:22.116Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"listening for registration events","time":"2017-12-05T22:27:22.133Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"opening provisioning socket https://textsecure-service.whispersystems.org","time":"2017-12-05T22:27:23.229Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"createSocket: using proxy url http://proxyout.xxx.xxx:8080","time":"2017-12-05T22:27:23.230Z","v":0}
Update for version 1.1.0-beta.3 is not available (latest version: 1.1.0-beta.3, downgrade is disallowed.
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"provisioning socket closed 1006","time":"2017-12-05T22:27:23.750Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"provisioning failed Error: websocket closed\n    at W3CWebSocket.socket.onclose (file:///Users/gfairchild/.Trash/Signal%20Beta.app/Contents/Resources/app.asar/js/libtextsecure.js:37941:36)\n    at W3CWebSocket._dispatchEvent [as dispatchEvent] (/Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/node_modules/yaeti/lib/EventTarget.js:107:17)\n    at W3CWebSocket.onConnectFailed (/Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/node_modules/websocket/lib/W3CWebSocket.js:219:14)\n    at WebSocketClient.<anonymous> (/Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/node_modules/websocket/lib/W3CWebSocket.js:59:25)\n    at emitOne (events.js:96:13)\n    at WebSocketClient.emit (events.js:191:7)\n    at ClientRequest.handleRequestError (/Users/gfairchild/.Trash/Signal Beta.app/Contents/Resources/app.asar/node_modules/websocket/lib/WebSocketClient.js:215:14)\n    at emitOne (events.js:96:13)\n    at ClientRequest.emit (events.js:191:7)\n    at TLSSocket.socketErrorListener (_http_client.js:358:9)","time":"2017-12-05T22:27:23.753Z","v":0}
{"name":"log","hostname":"meow.xxx.xxx","pid":56837,"level":30,"msg":"Updating BrowserWindow config: {\"maximized\":false,\"autoHideMenuBar\":false,\"width\":800,\"height\":610,\"x\":320,\"y\":122}","time":"2017-12-05T22:27:30.557Z","v":0}

And I see similar results even if I specify ALL_PROXY.

[scottnonnenberg]

@gfairchild Well, the good news is that we're attempting to use the proxy. Maybe the right thing is to take this offline - feel free to contact me directly.

[gfairchild]

Sounds good. Just pinged you on Twitter.

[TurkeyMan]

+1 ... Signal doesn't work on my work PC because the company proxies all our traffic.

[scottnonnenberg]

v1.1.0-beta.5 has just been released, and it supports a single HTTPS_PROXY environment variable. Check it out! Do note that we do not support any proxy which does man-in-the-middle SSL termination, since we are using self-signed certificates to be sure we're talking to our own servers.

[scottnonnenberg]

All: Please let me know if this new environment variable is enabling proxy support for you. I want to get confirmation on that before starting to work on more advanced Windows/Mac configuration.

[gfairchild]

The latest beta appears to work for me! If I launch it from a command line that has the HTTPS_PROXY variable set, it makes it to the QR code phase of the setup, but if I launch it normally from the MacOS GUI, it fails.

[TurkeyMan]

I don't know what settings to try... I just need it to behave the same way as my browsers do, which seem to auto-detect the proxy environment.

[gfairchild]

Basically, @scottnonnenberg is asking us to run it from a command line terminal that has an active HTTPS_PROXY environment variable set. This is a useful first step to getting this to work natively with the system-wide proxy.

[scottnonnenberg]

@TurkeyMan My spider-sense is telling me it's not going to work for you anyway, because your https traffic is man-in-the-middled. But yes, @gfairchild is right. Set the HTTPS_PROXY environment variable with your proxy information. We're looking for URLs like these in that environment variable:

http://proxy-server-over-tcp.com:3128
socks://username:password@some-socks-proxy.com:9050
socks4://some-socks-proxy.com:9050
socks5://username:password@some-socks-proxy.com:9050
pac+http://www.example.com/proxy.pac

I haven't tested SOCKS proxies or PAC-based auto-setup, so I especially interested in word from folks who are using those kinds of systems.

[je-vv]

BTW, when trying to build beta-5 from within a firewall, under proxy:

[2/5] Fetching packages... error An unexpected error occurred: "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.0.tgz: write EPROTO 139746482731904:error:14077419:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert access denied:s23_clnt.c:772:\n".

I'll try again from home later, :(

[scottnonnenberg]

@je-vv You can build yourself but you'll have to set up proxy support for a whole host of developer tools. It's easier to download it - you can find the latest beta builds here:

• https://updates.signal.org/desktop/beta.yml (windows)
• https://updates.signal.org/desktop/beta-mac.yml (mac)
• Or just install with apt-get install signal-desktop-beta

[je-vv]

I've been building all along, :) I use Arch GNU/Linux, and though I can decompress the *.deb, I'd rather build it, given the libraries and their versions might differ... However it seems I'll have to follow your advise, since at home, though without the proxy issues (I didn't have problems with proxy while building stable releases before), I'm stuck at:

gyp: Call to 'node -e "require('nan')"' returned exit status 0 while in binding.gyp. while trying to load binding.gyp

And that even noticing that "node_modules/node-gyp/package.json" includes already:

"nan": "^2.0.0",

Any ways, I just want to test the proxy solution through HTTPS_PROXY (which I always set anyways behind proxy) for now. I'll deal with the building issues later, :)

[ilpssun]

For my work environment the signal chat is working again using https_proxy env variable under Windows 7 professional. Haven't tested calls or video, though, but chat is the main functionality for me anyway.

Thanks! 👍

[je-vv]

Just confirming that on Arch GNU/Linux with:

% env | 'grep' -i proxy | sed 's/=.*//' | sort -u ftp_proxy FTP_PROXY http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY rsync_proxy RSYNC_PROXY soap_use_proxy SOAP_USE_PROXY use_proxy USE_PROXY

Which includes HTTPS_PROXY, works fine, 👍 Thanks a lot !!!

I'll see about the build issues in a different thread...

[majkinetor]

Confirming it works on Windows. Using powershell module I executed:

proxyc -FromSystem -Register

which uses IE proxy settings and adds env vars to system registry. After that signal worked.

[majkinetor]

Drag and drop this cmd launcher to Desktop (Windows):

set HTTP_PROXY=http://<YOUR PROXY HERE>
set HTTPS_PROXY=%HTTP_PROXY%
start %LOCALAPPDATA%\Programs\signal-desktop\Signal.exe

[rbclark]

It seems the chrome application had support for MITM'd networks somehow, for someone on a MITM'd network does this mean the new version of Signal will never work with such a network?

[scottnonnenberg]

@rbclark Correct. The Chrome App, because it was a Chrome App, was required to use standard certificate authorities to connect to the Signal servers. In the new world of our Standalone app, we use self-signed certificates for greater assurance of privacy.

[rbclark]

@scottnonnenberg Would you at least consider a way to override the certificate? I understand that certificate pinning is important however as the end user I do not have control of the company network to change their policies :/

[TurkeyMan]

+1, I'm really upset I can't use signal at work anymore... picking up my phone and scribbling on the screen every few minutes is annoying and time consuming.

[scottnonnenberg]

@rbclark @TurkeyMan Please consider reaching out to me directly. I'd like to know more about your perspective, given the corporate firewalls you find yourselves behind.

[TurkeyMan]

Did send email to the address published on your GH profile.

[ghost]

@scottnonnenberg ALL_PROXY/all_proxy with socks:// is not working here.

[hillbicks]

Ok, setting the http_proxy and https_proxy variables manually works for me with the direct proxy address. But what is the syntax for the pac file? set HTTP_PROXY=pac+http://www.example.com/proxy.pac doesn't seem to work.

[scottnonnenberg]

@gnumdk @hillbicks Thank you so much for testing - we don't have easy access to those kinds of environments. Please try those proxy urls with the HTTPS_PROXY environment variable. The library we're using claims to support both.

[ghost]

@scottnonnenberg You have access to such environnment ;) $ ssh -D 8080 user@any_ssh_server $ export all_proxy=socks://localhost:8080 $ export ALL_PROXY=socks://localhost:8080 $ signal-desktop

;)

[hillbicks]

Ok, I've created a bat file looking like this:

set HTTP_PROXY=http://.internal/proxy.pac
set HTTPS_PROXY=%HTTP_PROXY%
start %LOCALAPPDATA%\Programs\signal-desktop\Signal.exe

The pac file contains the proxy addresses. Starting signal in this way, there is no connection. Replacing the pac file with the actual proxy address from the pac file, signal connects just fine. Like I said before, would be nice to know if the syntax for the pac is different with the library you're using.

Thanks

[scottnonnenberg]

@gnumdk Sorry, I'm not following. Again, we only look at the url provided by the the HTTPS_PROXY variable. Does that work for you?

@hillbicks The url format our library is looking for for PAC urls is like this: pac+http://www.example.com/proxy.pac.