
Dealing with Proxy Servers

Are you blocked from installing packages using dnf or downloading files using the curl command because of the proxy server in your organization?

In the corporate environment, IT departments rely on proxy servers to bolster the security of communications with the outside world. Getting your board to work from inside this protected perimeter can be a difficult task. You'll need to:

  • Set system-wide or local environment variables to specify not only your proxy address and port, but also your own user name and password.
  • Append the proxy server certificate to the certificate bundle that each particular program is using.
  • Put in certain program-specific keywords to tell the program it is going through a proxy server.

Here we may not have all the answers, but we'll try to point you in the right direction. You'll first want to refer to AN100 – Enabling ARTIK Internet Access Through Firewalls – for an overview of typical firewall environments.

Determining the Proxy Server Address

Your corporate IT department will be able to provide you with the address of your company's proxy server, but you can also find it in your desktop PC network configuration.

For a Windows® system, it can be found under:
  Start > Control Panel > Network and Internet > Internet Options
where you'll select the Connections tab and click LAN settings. You'll see the "Use automatic configuration script" file name that the IT department has specified.

Copy the full line (make sure you have the hidden parts highlighted too), paste it into your browser, and download the proxy.pac file. Open this text file, and you'll find the same "default" address over and over – that's the address you'll use below.

Specifying the Proxy Server

Our information here provides tested instructions only regarding http and https traffic through the proxy server; other traffic may require additional considerations.

Standard Proxy Variables

Linux has standardized the http_proxy and https_proxy environment variables to specify the proxy server address; ftp_proxy is also used. You can enter these on the command line:

 export http_proxy="http://username:password@123.456.789.200:8080/"
 export https_proxy="http://username:password@123.456.789.200:8080/"
 export ftp_proxy="http://username:password@123.456.789.200:8080/"

before starting wpa_supplicant, or you could copy them into your /etc/profile, ~/.bashrc, or other start-up script to make them a permanent part of your boot procedure. Type export at the Linux command prompt to see them echoed and verify that they are correct.

Do you have any special characters like "!" in your password? Prefix each with a backslash (\), or substitute its percent-encoded (URL-encoded) form (e.g. replace "@" by "%40"). Still getting rejected? Reset your password to use underscores instead (since they do not require the backslash prefix).
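As an added example (not code from the ARTIK page), a small POSIX shell helper that percent-encodes the user name and password and builds the proxy URL in the form shown above, so a password containing "@" or "!" is not mangled; it also exports the three standard variables and masks the password before the URL is echoed. The host, port and credentials it is called with are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the ARTIK page: build the http://user:pass@host:port/
# proxy URL safely. Host, port and credentials are assumed placeholders.

# Percent-encode one string (ASCII input). Everything outside the RFC 3986
# unreserved set (A-Z a-z 0-9 - _ . ~) becomes %XX, so "@" -> "%40", "!" -> "%21".
urlencode() (
  LC_ALL=C
  s="$1"; out=""
  while [ -n "$s" ]; do
    rest="${s#?}"                 # drop the first character
    c="${s%"$rest"}"              # ... and keep only that character
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the char code
    esac
    s="$rest"
  done
  printf '%s' "$out"
)

# proxy_url HOST PORT [USER [PASSWORD]] -> http://[USER[:PASSWORD]@]HOST:PORT/
proxy_url() {
  p_host="$1"; p_port="$2"; p_user="$3"; p_pass="$4"; p_auth=""
  if [ -n "$p_user" ]; then
    p_auth="$(urlencode "$p_user")"
    if [ -n "$p_pass" ]; then p_auth="$p_auth:$(urlencode "$p_pass")"; fi
    p_auth="$p_auth@"
  fi
  printf 'http://%s%s:%s/' "$p_auth" "$p_host" "$p_port"
}

# Export the three standard variables the page lists from one URL, plus
# no_proxy for addresses that must stay direct (assumed defaults; adjust).
set_proxy_env() {
  p_url="$(proxy_url "$@")"
  export http_proxy="$p_url" https_proxy="$p_url" ftp_proxy="$p_url"
  export no_proxy="localhost,127.0.0.1"
}

# Mask the password before echoing a proxy URL into logs or a terminal.
redact_proxy() {
  printf '%s\n' "$1" | sed -E 's#(://[^:/@]*:)[^@]*@#\1****@#'
}

# Usage: set_proxy_env proxy.example.com 8080 alice 'p@ss!' && redact_proxy "$http_proxy"
```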

Non-Standard Proxy Variables

Not every program recognizes the Linux standard environment variable proxy names. Some programs use an association specified in their configuration file, and it may not be the same variable name. For example, npm uses this syntax:

npm config set https-proxy http://proxy.company.com:8080

(https-proxy instead of https_proxy) to set the variable. Refer to the sections below for more information.

Connection Manager (connman)

ARTIK images released February 2016 and later rely on Connection Manager to set up network services. connman can have a side effect when working through proxy servers, disrupting service ("host unreachable" or "no route to host" errors) within a minute or so after boot. To disable connman:

  1. systemctl disable connman.service
  2. reboot

On subsequent booting you need to manually enter the following commands:

  1. systemctl start wpa_supplicant
  2. dhclient wlan0

Refer to the Wi-Fi article for more details on connman.

Certificates

An SSL/TLS-secured network connection requires each client to have a local copy of the certificate (the server's own certificate, or the CA certificate that signed it) against which the certificate the server transmits can be validated when the connection is established (as happened here when we set up our own private server).

With an intermediate proxy server involved, the situation is more complicated, as the client must also have a copy of the proxy server certificate. You'll need to append this "local" certificate to the end of your existing certificate bundle.

You can obtain this certificate from your IT department, or possibly just export it from your PC's certificate store.

If you see an error message about a "local issuer certificate" not being found, "local" usually refers to a missing or incorrect proxy server certificate.

Where to Find the Certificate Bundle

If you set up your own independent server-client link (as we did in the tutorials), you may have placed your mini-CA certificate in /etc/pki/tls/ .

However, different programs look for a certificate bundle in various locations. If you look under /etc/ssl/certs for example, you'll find a certificate bundle, but when you look closer by listing with ls -al, you'll see that the bundle is actually a symbolic link back to the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file.

The variations are too extensive to cover them all here – search online for your specific needs. If all else fails, add your proxy certificate to every bundle you find in any location.
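Also an added example (not the page's or the project's code): shell helpers that append the proxy certificate to a PEM bundle only once, report how many certificates a bundle holds, and walk the "every bundle you find" step over the locations the page names. The bundle list and the /etc/ssl/certs path are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not from the ARTIK page: append a proxy CA certificate to a
# PEM bundle without duplicating it. Paths in the list below are assumptions.

# Number of certificates in a PEM bundle (0 if the file does not exist).
cert_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# cert_in_bundle BUNDLE CERT: success if CERT's PEM text is already in BUNDLE
# (compared with all whitespace removed, so line wrapping does not matter).
cert_in_bundle() {
  [ -f "$1" ] || return 1
  needle="$(tr -d ' \t\r\n' < "$2")"
  [ -n "$needle" ] || return 1
  tr -d ' \t\r\n' < "$1" | grep -qF -- "$needle"
}

# append_cert_once BUNDLE CERT: 0 = appended, 1 = already present, 2 = bad input.
# Keeps a one-time BUNDLE.bak, as the page advises before touching a bundle.
append_cert_once() {
  b="$1"; c="$2"
  grep -q 'BEGIN CERTIFICATE' "$c" 2>/dev/null || { echo "not a PEM certificate: $c" >&2; return 2; }
  if cert_in_bundle "$b" "$c"; then return 1; fi
  if [ -f "$b" ] && [ ! -f "$b.bak" ]; then cp "$b" "$b.bak"; fi
  { printf '\n'; cat "$c"; } >> "$b"
}

# Try each bundle location the page mentions (plus the common /etc/ssl one)
# that exists on this system. Run as root; /etc/ssl/certs is often a symlink
# to the ca-trust bundle, so it may simply report "already present".
add_proxy_cert_everywhere() {
  for b in /etc/pki/tls/certs/ca-bundle.crt \
           /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
           /etc/ssl/certs/ca-bundle.crt; do
    [ -f "$b" ] || continue
    append_cert_once "$b" "$1" && rc=0 || rc=$?
    case $rc in
      0) echo "added to $b" ;;
      1) echo "already present in $b" ;;
      *) return 1 ;;
    esac
  done
}
```

On Fedora-derived images that ship /etc/pki/ca-trust, the supported alternative is to drop the PEM file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, which regenerates the extracted bundle that the /etc/ssl/certs symlink points to.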

Program-Specific Syntax

DNF

dnf uses the Linux standard proxy export variables. You'll find the configuration file at /etc/dnf/dnf.conf if you need to specify a unique proxy server for dnf. It uses the same names that the Linux standard does.

NPM

Early versions of npm required the proxy to be specified in the local configuration file .npmrc. Later versions accept the Linux standard proxy export variables. You can also use the configuration file to specify it, but it uses a different naming convention: note the use of a hyphen instead of an underscore.

npm config set https-proxy http://proxy.company.com:8080

The command sets the related value in the .npmrc file.

Certain packages loaded through npm are notoriously difficult to send through a proxy server because their dependencies do not follow the standard. Sometimes it's easier (although not recommended) to just configure npm to not demand secure transfers:

npm config set strict-ssl false

and then set it to pull from its unsecure http registry, instead of https:

npm config set registry "http://registry.npmjs.org/"

After the commands above, the .npmrc file contents are now:

  https-proxy=http://proxy.company.com:8080/
  registry=http://registry.npmjs.org/
  strict-ssl=false

If you are getting node-gyp folder access errors, try putting --unsafe-perm on the command line. You can also specify --verbose for troubleshooting, -g for global.

Even with all these workarounds, some older npm packages you might want to use may still not install correctly. At a certain point, you may have to just give up and install them outside of a proxy server environment.

CURL and WGET

The curl and wget commands have their own unique syntax for specifying proxy address/username/password information separately from that of the remote site. Search online for more information.

curl --proxy <[protocol://][user:password@]proxyhost[:port]> -L <http...>

The configuration for wget is found in the /etc/wgetrc file, but is usually not needed as it uses the same environment variable names found in /etc/profile. It may be necessary to add --no-check-certificate to the wget command line to bypass certificate checking when going through a proxy (that way you will get a WARNING instead of an ERROR for 'unable to get issuer certificate').

Updating curl ca-bundle.crt

Go to the /etc/pki/ca-trust/certs directory, back up your old ca-bundle.crt file, and run this command.

curl https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

The crt file is saved in standard PEM encoding.

Eclipse Che / Docker

When using Docker containers, the container itself must have the correct proxy setting as noted here.

Arduino IDE

The Arduino IDE (running on your host PC) needs to be set to allow it to download libraries and updates. Under File > Preferences you'll find the Network tab to enter the proxy.pac location name that you found earlier (you don't need to enter the numeric proxy address itself, just the path and file name as shown above).

On your ARTIK board: The Arduino communications setup routine (the curl command shown here) properly accesses the Linux standard proxy export variables when present.

Once you have that software installed, you can go through the proxy using the Arduino IDE to send files to the ARTIK board for execution (as shown here).

If you are using Arduino sketches to communicate with ARTIK Cloud, use Web REST protocols instead of MQTT. The currently available Arduino network drivers are unable to connect through an authenticated proxy server to ARTIK Cloud over MQTT.

Mosquitto and Node-RED

It is relatively easy to set up Mosquitto and/or Node-RED for SSL/TLS operation. Refer to the Secure Links article for details.

Node-RED running on an ARTIK module connects through an authenticated proxy server to ARTIK Cloud over MQTT without any issues, once properly configured.

Mozilla Firefox

You may be using an X11 GUI as discussed in the Displays article. You will need to use the Firefox GUI to add the local proxy address and server certificate. It will not take this information automatically from the Linux environment.
