Configuring proxy authentication
You can configure the Kubernetes k3s environment, App Host
instance, and apps to use a proxy
server to reach external sites, such as quay.io.
You need to log in as appadmin to configure the proxy settings.
To configure proxy settings, configure the following components separately. Configuring a
connection to a proxy server for one component does not configure it for any other component.
- Kubernetes k3s environment.
- Each instance of App Host.
- Each app that requires a connection to a proxy server.
To set authentication, you need to know your proxy server settings, such as DNS name, IP address, and account name.
Kubernetes k3s environment
Configure the Kubernetes k3s environment.
- At the system that hosts the App Host, edit the file /etc/systemd/system/k3s.service.env and set the following environment variables:
  HTTP_PROXY=<proxy>
  HTTPS_PROXY=<proxy info>
  NO_PROXY=<localhost and other IPs that do not need proxy>
  For example:
  HTTP_PROXY=http://proxy.corp.com:8080
  HTTPS_PROXY=http://proxy.corp.com:8080
  NO_PROXY=localhost,127.0.0.1,localaddress,corp.com,10.0.0.0/8
  The following example shows proxy authentication assuming the user name is user1 and password is p@ssword:
  HTTP_PROXY=http://user1:p%40ssword@proxy.corp.com:8080
  HTTPS_PROXY=http://user1:p%40ssword@proxy.corp.com:8080
  NO_PROXY=localhost,127.0.0.1,localaddress,corp.com,10.0.0.0/8
  Note: The HTTP_PROXY and HTTPS_PROXY are redirects, so you can have the HTTPS_PROXY redirect HTTPS traffic to an HTTP URL. Using TLS over a TLS connection (setting https:// in the proxy URL) is not necessary and is not currently supported.
- Update the system's cacerts to trust the CA certificate from the proxy itself by adding the certificate in PEM encoding to /etc/pki/ca-trust/source/anchors and then run the following command:
  sudo update-ca-trust
- Restart the Kubernetes k3s:
  sudo systemctl restart k3s
- When done, enter the following command to list all system containers. Verify that their status is Running or Completed.
  sudo kubectl get pods -n kube-system
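The authenticated example above writes p@ssword as p%40ssword because a raw @ in the password would shift the boundary between credentials and proxy host. The following Python sketch is an added example, not part of the product or its documentation: it builds the three lines for k3s.service.env with percent-encoded credentials and checks existing values for the two mistakes this section warns about. The function names proxy_url, env_lines, and lint_env are hypothetical, and the sample values are the ones used on this page.

```python
from urllib.parse import quote, urlsplit

def proxy_url(host, port, user=None, password=None):
    """Build the http:// proxy URL, percent-encoding the credentials."""
    cred = ""
    if user is not None:
        # safe="" also encodes '/', so '@', ':', '/', '#', '?' cannot
        # be mistaken for URL delimiters by whatever parses the value.
        cred = quote(user, safe="")
        if password is not None:
            cred += ":" + quote(password, safe="")
        cred += "@"
    return f"http://{cred}{host}:{port}"

def env_lines(url, no_proxy):
    """Return the three KEY=VALUE lines for k3s.service.env."""
    return [f"HTTP_PROXY={url}", f"HTTPS_PROXY={url}",
            "NO_PROXY=" + ",".join(no_proxy)]

def lint_env(text):
    """Return a list of problems found in KEY=VALUE proxy settings."""
    problems = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("HTTP_PROXY", "HTTPS_PROXY"):
            continue
        parts = urlsplit(value)
        if parts.scheme != "http":
            # https:// in the proxy URL is not supported (see the note above).
            problems.append(f"{key}: proxy URL scheme must be http")
        rest = value.split("://", 1)[-1]
        # Credentials are present if '@' appears; exactly one '@' must
        # then sit in the authority, otherwise a reserved character in
        # the user name or password was left unencoded.
        if "@" in rest and parts.netloc.count("@") != 1:
            problems.append(f"{key}: unencoded reserved character in credentials")
    return problems

if __name__ == "__main__":
    # Constructed sample values, taken from the example on this page.
    url = proxy_url("proxy.corp.com", 8080, "user1", "p@ssword")
    print("\n".join(env_lines(url, ["localhost", "127.0.0.1", "10.0.0.0/8"])))
    bad = ("HTTP_PROXY=http://user1:p@ssword@proxy.corp.com:8080\n"
           "HTTPS_PROXY=https://proxy.corp.com:8080")
    print(lint_env(bad))
```

With credentials embedded, the env file holds the proxy password in clear text, so keep the file readable by root only.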
App Host
Important: If you use a proxy server between the App Host and SOAR Platform, use the
--https-proxy-url
option. You can use --https-from-http with --http-proxy-url if the
HTTP and HTTPS proxy are the same. The --http-proxy-url by itself is not supported. If you use the --no-proxy option between the App Host and SOAR Platform, specify the fully qualified domain name (FQDN)
or the IP address that is specified as the host in the app.config file.
Wildcards and IP address ranges are not supported, but only for the connection between the App Host and SOAR Platform.
Configure the proxy settings for each instance of the App Host. If the App Host is not installed, use the manageAppHost install command instead of the manageAppHost proxy command.
- If all the App Hosts are using the same proxy server as their host system, you can pull the proxy information from the system's environment with the following command.
  sudo manageAppHost proxy --environment
- Configure the App Host to connect through the proxy using an HTTPS or HTTP connection, or both.
  sudo manageAppHost proxy --https-proxy-url <http://URL:port# of proxy>
  sudo manageAppHost proxy --http-proxy-url <http://URL:port# of proxy>
  sudo manageAppHost proxy --https-proxy-url <http://URL:port# of proxy> --http-proxy-url <http://URL:port# of proxy>
  To configure the proxy connection with a user account for authentication, add --http-proxy-user <user> or --https-proxy-user <user>. You are prompted for the proxy password. The following command is an example of enabling authentication.
  sudo manageAppHost proxy --https-proxy-url <http://URL:port# of proxy> --https-proxy-user <user>
  If you have multiple paired App Hosts on the system, you are prompted to select the App Host to configure.
If you need to clear the proxy setting, use the following command:
sudo manageAppHost proxy --clear
Apps
If an app requires a different or separate external internet connection, add the following
section to its app.config file, which is accessible from the app in the
Apps tab of the SOAR Platform.
Refer to the app's documentation and the System
Administrator Guide for the detailed procedure.
[integrations]
# To override, add any parameter to your specific integration section
http_proxy=<PROXY URL>
https_proxy=<PROXY URL>
timeout=120