Trying to set a forward proxy for HA in a restricted network.
HA is a Docker container on Ubuntu. In my environment, which includes restricted networks, many requests use the system-wide env vars http_proxy, https_proxy without issue. For Docker I have a systemd drop-in which sets proxy vars. Again, this configuration has been working with a diversity of applications.
HA seems to be very special in this regard. That is, it doesn’t seem to respect the usual parameters for forward proxying so there are some default integrations which come out of the box failing (namely: Meteorologisk institutt (Met.no) and Radio Browser).
I’ve tried passing env vars to the container:
environment:
- http_proxy=${http_proxy}
- https_proxy=${https_proxy}
- HTTP_PROXY=${http_proxy}
- HTTPS_PROXY=${https_proxy}
Which allows me to make requests from the container:
# docker exec -it homeassistant bash
# curl -v https://news.google.com
* Uses proxy env variable https_proxy == 'http://proxy.somewhere.io:8118'
> CONNECT news.google.com:443 HTTP/1.1
< HTTP/1.1 200 OK
Yet sadly, I continue to see requests dropped at the firewall because they’re not recognizing the parameters for the proxy.
Nov 27 17:43:33 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 MAC=f0:9f:ba:ba:f0:br:e0:e0:h4:h4:00:00:3c SRC=192.168.50.100 DST=65.109.136.86 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21946 DF PROTO=TCP SPT=43358 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 27 17:43:34 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 MAC=f0:9f:ba:ba:f0:br:e0:e0:h4:h4:00:00:3c SRC=192.168.50.100 DST=157.249.81.141 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53238 DF PROTO=TCP SPT=39234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 27 17:44:16 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 MAC=f0:9f:ba:ba:f0:br:e0:e0:h4:h4:00:00:3c SRC=192.168.50.100 DST=91.132.145.114 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32921 DF PROTO=TCP SPT=39392 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Regarding this issue, I’ve read through threads on this forum, issues on the GitHub repo, and general search. Unless I’m overlooking something embarrassingly obvious, it looks like there is no conventional, straightforward means of accomplishing this.
I’m about to try a NAT rule on the firewall to cover these cases. Yet I’m hoping someone here might suggest a more sound strategy, or have some comments on the issue.
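An added example, not part of the original post: a small parser that groups dropped-SYN firewall entries like the ones above by destination, so the direct connections that skipped the proxy can be matched to the integrations making them. The sample lines are constructed with documentation-range addresses, and `parse_line` and `bypass_summary` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in the same kernel-log format as the post; the addresses
# are documentation-range placeholders, not values taken from the post.
SAMPLE_LOG = """\
Nov 27 17:43:33 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=43358 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 27 17:43:34 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.20 LEN=60 TTL=63 DF PROTO=TCP SPT=39234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 27 17:44:16 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=39392 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 27 17:44:20 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.0.2.99 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 27 17:44:21 ubnt kernel: [VLAN_50_IN-default-D]IN=switch0.50 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=72 TTL=63 PROTO=UDP SPT=51000 DPT=53 LEN=52
"""

RULE_RE = re.compile(r"kernel: \[([^\]]+)\]")   # firewall rule tag, e.g. VLAN_50_IN-default-D
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=VALUE pairs (value may be empty)


def parse_line(line):
    """Return (fields, flags) for a firewall log line, or None if it is not one."""
    m = RULE_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields = dict(FIELD_RE.findall(rest))
    fields["RULE"] = m.group(1)
    # Bare tokens without '=' are IP/TCP flags such as DF, SYN, ACK.
    flags = {tok for tok in rest.split() if "=" not in tok}
    return fields, flags


def bypass_summary(log_text, host):
    """Count dropped new TCP connections per (DST, DPT) that `host` sent directly."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if fields.get("SRC") != host or fields.get("PROTO") != "TCP":
            continue
        # SYN without ACK marks a new outbound connection attempt.
        if "SYN" in flags and "ACK" not in flags:
            hits[(fields["DST"], int(fields["DPT"]))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (dst, port), n in sorted(bypass_summary(SAMPLE_LOG, "192.0.2.10").items()):
        print(f"{dst}:{port} dropped SYNs={n}")
```
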