Docker Community Forums


Proxy server - Domain authentication


(Mikeduckett) #1

Working with docker on Windows 2016 the support for a corporate proxy server seems to be fairly limiting. I read through the documents and added the environment variables HTTP_PROXY & HTTPS_PROXY but I cannot get authentication to work.

I’m working with a proxy that uses domain authentication & supports NTLM or Kerberos and I’ve tried running the docker engine service as a user account that has proxy access as well as embedding the username/password in the variable (which seems a pretty bad way to do it!)

Anyone had any success with this?


(Amanda Debler) #2

The most important thing to remember is that in Docker for Windows, Docker is really running on a virtual machine in Hyper-V. On my Win10 machine, it’s called MobyLinux. You cannot connect to the console in Hyper-V the way you usually can to Windows or Linux machines you make yourself.

The Windows HTTP_PROXY and HTTPS_PROXY environment variables have absolutely no effect on this VM, and therefore on docker commands you issue in cmd.exe or PowerShell. The only place to set them is in the Docker GUI, which reads and writes them from the MobyLinux VM. If you try accessing Docker settings before the MobyLinux VM has started, you won’t see anything in the proxy settings.

Unfortunately, the only thing that I’ve gotten to work is CNTLM, which is a Windows exe that has not been updated in five years and is primarily available via SourceForge. There is a Python-based NTLM proxy project, but development appears to have stopped on that one, and I wasn’t able to get it working.

If you’ve found something better in the past year, or a programmatic way to set the proxy in Docker for Windows, please tell me - there are a lot of us who have the same problem.


(Amanda Debler) #3

Update: you can use your PC host name if you set a DNS server in daemon.json, but will still need to add --add-host pcname:currentip when running docker build. Blog post explaining how to do this to come 🙂


(Andreajeka) #4

Can you elaborate more? 😫
I'm also facing this issue!!!


(Amanda Debler) #5

Caveats before I start:

  • This works on Windows 10, Docker for Windows, Version 17.06.0-ce-win19 (this did NOT work for a colleague with 17.03-ce-win12)
  • Only tested in an environment with an NTLMv2-authenticating proxy that CNTLM was able to connect to.
  • CNTLM is a binary downloaded from SourceForge and has not been updated in over five years!

If the DummyDesperatePoitras virtual switch is available, use that IP address for CNTLM’s listening AND as the proxy address for Docker:

(in PowerShell, don’t need to be admin):

(get-netipaddress -InterfaceAlias "vEthernet (DummyDesperatePoitras)*" -AddressFamily IPv4).IPAddress

(something like 169.254.10.12)

Use that IP address in your cntlm config:

Listen 169.254.10.12 3128

Then set your http_proxy and https_proxy environment variables in Windows to the following in order for other command line tools to work:

http://169.254.10.12:3128

Finally, change your Docker settings:
Proxy:
Web Server (HTTP): http://169.254.10.12:3128
check the box “Use same for both”.

Daemon:
Switch from “Basic” to “Advanced” to get the daemon.json for editing. Add your company’s internal domains and one or more DNS servers to the daemon.json (watch the curly braces and commas!)

Your result should look like this, where 10.0.0.2 is an internal DNS server, and myawesomecompany.com is your internal domain:

{
      "registry-mirrors": [],
      "insecure-registries": [],
      "debug": true,
      "experimental": true,
      "dns": [
        "10.0.0.2"
      ],
      "dns-search": [
        "myawesomecompany.com"
      ]
}
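
Added example, not part of the original post: a PowerShell check that the three settings described above agree with each other (cntlm Listen address, proxy URLs, daemon.json) and that no proxy URL carries an embedded username or password. The function name Test-DockerProxySetup and its parameters are hypothetical, and the sample input at the end is constructed from the values used in the post.

```powershell
# Added example; Test-DockerProxySetup and its parameters are hypothetical names.
function Test-DockerProxySetup {
    param(
        [Parameter(Mandatory)][string]$SwitchIp,     # from the Get-NetIPAddress command
        [Parameter(Mandatory)][string]$CntlmConfig,  # text of your cntlm config file
        [Parameter(Mandatory)][string]$DaemonJson,   # text of daemon.json (Get-Content -Raw)
        [string[]]$ProxyUrls = @($env:http_proxy, $env:https_proxy)
    )
    $problems = @()

    # cntlm should listen on the virtual switch address ("ip port" and "ip:port" both match)
    $listen = [regex]::Match($CntlmConfig, '(?m)^\s*Listen\s+([\d.]+)[\s:]+(\d+)\s*$')
    if (-not $listen.Success) {
        $problems += 'cntlm config has no Listen line with an address and a port'
    } elseif ($listen.Groups[1].Value -ne $SwitchIp) {
        $problems += "cntlm listens on $($listen.Groups[1].Value), expected $SwitchIp"
    }

    foreach ($url in $ProxyUrls) {
        $u = $null
        if ([string]::IsNullOrWhiteSpace($url)) {
            $problems += 'a proxy variable is empty'
        } elseif (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$u)) {
            $problems += 'a proxy variable is not an absolute URL'
        } else {
            $shown = "$($u.Scheme)://$($u.Authority)"   # never echo the user:password part
            if ($u.UserInfo) { $problems += "credentials embedded in proxy URL $shown" }
            if ($u.Host -ne $SwitchIp) { $problems += "$shown does not point at $SwitchIp" }
            if ($listen.Success -and $u.Port -ne [int]$listen.Groups[2].Value) {
                $problems += "$shown port differs from cntlm port $($listen.Groups[2].Value)"
            }
        }
    }

    try {   # catches the missing brace or comma the post warns about
        $daemon = $DaemonJson | ConvertFrom-Json -ErrorAction Stop
        if (-not $daemon.dns) { $problems += 'daemon.json has no "dns" servers' }
        if (-not $daemon.'dns-search') { $problems += 'daemon.json has no "dns-search" domains' }
    } catch {
        $problems += "daemon.json is not valid JSON: $($_.Exception.Message)"
    }
    $problems   # empty output means the settings are consistent
}

# Constructed sample input; the second proxy URL deliberately embeds credentials
$cntlm  = 'Listen 169.254.10.12 3128'
$daemon = '{ "dns": ["10.0.0.2"], "dns-search": ["myawesomecompany.com"] }'
Test-DockerProxySetup -SwitchIp '169.254.10.12' -CntlmConfig $cntlm -DaemonJson $daemon `
    -ProxyUrls 'http://169.254.10.12:3128', 'http://user:secret@169.254.10.12:3128'
```
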

(Amanda Debler) #6

And here is the blog post I finally finished: http://mandie.net/2017/12/10/docker-for-windows-behind-a-corporate-web-proxy-tips-and-tricks/

Let me know how that works out for you - I have no idea if it works for anyone else’s corporate web proxy…