forked from pivotal-cf/docs-ops-guide
---
title: Configuring Proxy Settings for All Applications
owner: Routing
---
This topic describes how to globally configure proxy settings for all applications in your Pivotal Cloud Foundry (PCF) deployment.
Some environments restrict access to the Internet by requiring traffic to pass through an HTTP or HTTPS proxy.
PCF operators can use the Cloud Foundry Command Line Interface (cf CLI) to provide the proxy settings to all applications, including system applications and service brokers.
<p class="note"><strong>Note</strong>: Incorrectly configuring proxy settings can prevent applications from connecting to the Internet or accessing required resources.
Incorrect proxy settings can also cause errands to fail and break system applications and service brokers.
Although errands, system applications, and service brokers do not need to connect to the Internet,
they often need to access other resources on PCF. Incorrect proxy settings can break these connections.</p>
##<a id='set-env-variables'></a> Set Environment Variables ##
To globally configure proxy settings for PCF applications, perform the following steps to set three environment variables for both
the staging environment variable group and the running environment variable group.
For more information about variable groups, see the [Environment Variable Groups](../devguide/deploy-apps/environment-variable.html#evgroups) section in
the _Cloud Foundry Environment Variables_ topic.
This procedure explains how to set proxy information for both staging and running applications. However, you can set proxy settings for only staging or only running applications.
1. Target your Cloud Controller with the cf CLI.
If you have not installed the cf CLI, see the [Installing the cf CLI](../cf-cli/install-go-cli.html) topic.
<pre class="terminal">
$ cf api api.YOUR-SYSTEM-DOMAIN
Setting api endpoint to api.YOUR-SYSTEM-DOMAIN...
OK
API endpoint: <span>https:</span>//api.YOUR-SYSTEM-DOMAIN (API version: 2.54.0)
Not logged in. Use 'cf login' to log in.
</pre>
1. Log in with your UAA administrator credentials. To retrieve these credentials, navigate to the **Pivotal Elastic Runtime** tile in
the Ops Manager Installation Dashboard and click **Credentials**. Under **UAA**, click **Link to Credential** next to **Admin Credentials** and record the password.
<pre class="terminal">
$ cf login
API endpoint: <span>https:</span>//api.YOUR-SYSTEM-DOMAIN
Email> admin
Password>
Authenticating...
OK
</pre>
1. To configure proxy access for applications that are staging, run the following command, replacing the placeholder values:
<pre class="terminal">$ cf set-staging-environment-variable-group '{"http\_proxy": "<span>http:</span>//YOUR-PROXY:8080/", "https\_proxy": "<span>http:</span>//YOUR-PROXY:8080/", "no\_proxy": "NO-PROXY.EXAMPLE.COM"}'</pre>
* `http_proxy`: Set this value to the proxy to use for HTTP requests.
* `https_proxy`: Set this value to the proxy to use for HTTPS requests. In most cases, this will be the same as `http_proxy`.
* `no_proxy`: Set this value to a comma-separated list of DNS names or IP addresses that can be accessed without passing through the proxy.
Depending on your proxy configuration, this value may not be needed.
From now on, the proxy settings are applied to staging applications.
1. To configure proxy access for applications that are running, run the following command, replacing the placeholder values as above:
<pre class="terminal">$ cf set-running-environment-variable-group '{"http\_proxy": "<span>http:</span>//YOUR-PROXY:8080/", "https\_proxy": "<span>http:</span>//YOUR-PROXY:8080/", "no\_proxy": "NO-PROXY.EXAMPLE.COM"}'</pre>
To configure proxy settings for Java-based applications, use the following command instead, replacing the placeholder values.
For `http.nonProxyHosts`, use a pipe-delimited list rather than a comma-separated list.
<pre class="terminal">$ cf set-running-environment-variable-group '{"JAVA\_OPTS": "-Dhttp.proxyHost=YOUR-PROXY -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts=NO-PROXY.EXAMPLE.COM"}'</pre>
For more information about these Java proxy settings, see [Java Networking and Proxies](http://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html).
1. To apply the proxy configuration for the running environment variable group, you must restart each application that you want to use the new configuration.
##<a id='troubleshooting'></a> Troubleshooting ##
If an application fails after you apply the global proxy settings, try the following solutions.
### Exclude an App From Global Proxy Settings
If your application fails, try instructing the application to ignore the global proxy settings.
Run the following commands to manually unset the proxy environment variables for the failing application:
1. Set the `http_proxy` environment variable to an empty value:
<pre class="terminal">$ cf set-env YOUR-APP http_proxy ''</pre>
1. Set the `https_proxy` environment variable to an empty value:
<pre class="terminal">$ cf set-env YOUR-APP https_proxy ''</pre>
1. Set the `no_proxy` environment variable to an empty value:
<pre class="terminal">$ cf set-env YOUR-APP no_proxy ''</pre>
### Change Case of HTTP
Your application and language runtime may be case-sensitive.
Try performing the steps in the [Set Environment Variables](#set-env-variables) section using uppercase for `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` instead of lowercase.
Refer to the following example.
<pre class="terminal">$ cf set-staging-environment-variable-group '{"HTTP\_PROXY": "<span>http:</span>//YOUR-PROXY:8080/", "HTTPS\_PROXY": "<span>http:</span>//YOUR-PROXY:8080/"}'</pre>
### Check Proxy Settings
If you have set up your proxy so that it can only send traffic to the Internet, then a request to an internal resource like PCF fails. You must set `no_proxy` so that traffic destined for PCF and other internal resources is sent directly and does not go through the proxy. For instance, setting `no_proxy` to include your system and application domains will ensure that requests destined for those domains are sent directly.
### Verify Interpretation
The interpretation of `no_proxy` depends on the application and the language runtime. Most support `no_proxy`, but the specific implementation may vary.
For example, some match DNS names that end with the value set in `no_proxy`: `example.com` would match `test.example.com`.
Others support the use of the asterisk as a wildcard to provide basic pattern matching in DNS names: `*.example.com` would match `test.example.com`.
Most applications and language runtimes do not support pattern matching and wildcards for IP addresses.
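
The following Python sketch is an added example, not part of the original topic or of PCF. It models the two `no_proxy` interpretations described above (suffix match and asterisk wildcard, with IP addresses matched exactly) and reports which internal hosts would still be sent through the proxy under at least one of them. The host names, domains, and function names are constructed for illustration, and the matchers are simplified models rather than the behavior of any specific runtime.

```python
import fnmatch
import ipaddress

STYLES = ("suffix", "wildcard")

def parse_no_proxy(value):
    """Split a comma-separated no_proxy value into lowercase entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def bypasses(host, entries, style):
    """True if `host` would skip the proxy under the given interpretation."""
    host = host.lower()
    if is_ip(host):
        # Modeled per the text: no pattern matching for IP addresses.
        return host in entries
    if style == "suffix":
        # Literal "ends with" match; this also matches names such as
        # myexample.com for the entry example.com.
        return any(host.endswith(e) for e in entries)
    if style == "wildcard":
        # Entry must equal the name, or use * for basic pattern matching.
        return any(fnmatch.fnmatchcase(host, e) for e in entries)
    raise ValueError("unknown style: " + style)

def audit(no_proxy, must_bypass):
    """Per-host verdict for each interpretation style."""
    entries = parse_no_proxy(no_proxy)
    return {h: {s: bypasses(h, entries, s) for s in STYLES} for h in must_bypass}

def unsafe_hosts(no_proxy, must_bypass):
    """Hosts that at least one interpretation still routes via the proxy."""
    verdicts = audit(no_proxy, must_bypass)
    return sorted(h for h, v in verdicts.items() if not all(v.values()))

# Constructed sample data: internal PCF-style endpoints that must be direct.
INTERNAL = ["api.sys.example.com", "myapp.apps.example.com", "10.0.4.12"]
NARROW = "sys.example.com,*.apps.example.com,10.0.4.*"
PORTABLE = ("sys.example.com,*.sys.example.com,"
            "apps.example.com,*.apps.example.com,10.0.4.12")

if __name__ == "__main__":
    for name, value in (("NARROW", NARROW), ("PORTABLE", PORTABLE)):
        print(name, "-> still proxied under some style:",
              unsafe_hosts(value, INTERNAL))
```

Under this model, listing each domain both bare and with a leading `*.`, and listing IP addresses individually, is what makes the value behave the same under both interpretations.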