[chef] Re: Chef client with HTTPS proxy settings

[Noah Kantrowitz < >]

On Mar 10, 2014, at 1:19 PM, Kapil Shardha 
<
 >
 wrote:

> Folks,
>  
> I am testing out a scenario where a node will be in a “closed” environment 
> and would have selective access to internet via a proxy server. On the 
> proxy server (I am using WinGate for this test), I have configured to block 
> all the traffic for this node except “api.opscode.com”, as this is required 
> by the scenario I am testing. I am using hosted enterprise chef for this 
> test. I configured https_proxy settings in client.rb file for chef-client 
> on the node.
>  
> When the runlist for the node is empty, the chef-client completes 
> successfully. I checked proxy server logs and found connection attempts 
> being made to api.opscode.com:443, as expected. Next, I added the community 
> Powershell cookbook (it also downloads Windows cookbook) to the runlist of 
> the node. The chef-client run failed partially. On checking the proxy 
> server logs, I found connection attempts being made to api.opscode.com:443 
> and s3-external-1.amazonaws.com:443. Once, I configured the proxy server to 
> allow connection attempts to s3-external-1.amazonaws.com, the chef-client 
> run completed successfully.
>  
> I would like to know if these are only two URLs that need to be allowed on 
> proxy server or does it depend on the community cookbook that is being used?

Hosted Chef stores the actual cookbook data on S3 so both are required. Some 
cookbooks may make HTTP connections of their own via the remote_file resource 
(or just using Net:HTTP directly) so you'll have to evaluate that on a case 
by case basis.

--Noah

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail