[SERVER-54045] Enable Free Monitoring behind a corporate SSL proxy
Created: 26/Jan/21  Updated: 31/Mar/21  Resolved: 31/Mar/21

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: None

Type: Question
Priority: Major - P3
Reporter: evandrix none
Assignee: Edwin Zhou
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

Is there a documented way of setting some option to do this?

I noticed the FreeMon HTTP client is deprecated.



 Comments   
Comment by Edwin Zhou [ 31/Mar/21 ]

Hi evandrix@gmail.com

We haven’t heard back from you for some time, so I’m going to close this ticket. If this is still an issue for you, please let us know and we can reopen the ticket.

Best,
Edwin

Comment by Edwin Zhou [ 23/Mar/21 ]

Hi evandrix@gmail.com,

We'd like to know if this is still an issue for you. Were you able to find success with enabling free monitoring after Mark's advice?

Best,
Edwin

Comment by Mark Benvenuto [ 04/Feb/21 ]

Dear evandrix@gmail.com,

Thank you for the wonderful repro. I really appreciate it.

The reason why your command fails is that free monitoring does all of its HTTPS calls from mongod, not the mongo shell. The mongo shell just tells mongod to start sending monitoring data. You need to set the environment variables for mongod to support the proxy.

env http_proxy=http://127.0.0.1:8123 https_proxy=http://127.0.0.1:8123 ./mongod  

Also, with regards to your question about certificates, when just using polipo as a simple HTTP proxy without SOCKS, I did not need to disable certificate validation.

My Config:

#logSyslog = true
#logFile = polipo.log
proxyAddress="0.0.0.0"
#socksParentProxy="127.0.0.1:7050"
#socksProxyType=socks5
chunkHighMark=50331648
objectHighMark=16384
serverMaxSlots=64
serverSlots=16
serverSlots1=32 

Finally, there is no programmatic way to disable SSL validation today for free monitoring. You may be able to update your OS certificate store with the CA of the MITM proxy. On Debian/Ubuntu, this should be in /etc/ssl/certs (per https://git.launchpad.net/ubuntu/+source/curl/tree/debian/rules?id=24124d49eb988971bb5b93882ab10019ecf77ab3#n54).

Thanks

Mark
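
Added example, not part of the comment above and not MongoDB code: because the HTTPS calls come from mongod rather than the mongo shell, the check that matters is which proxy variables the running mongod process was started with. The function names `proxy_vars` and `check_proxy_env` are hypothetical; the script assumes Linux `/proc` and libcurl's documented lookup of `https_proxy`/`HTTPS_PROXY`/`all_proxy` for https:// URLs.

```shell
#!/bin/sh
# Added example (constructed): inspect the environment a process was started
# with by reading its NUL-separated /proc/PID/environ file.

# proxy_vars FILE: print the proxy-related NAME=value entries, one per line.
proxy_vars() {
    tr '\0' '\n' < "$1" | grep -iE '^(https?|all|no)_proxy=' || true
}

# check_proxy_env FILE: would libcurl find a proxy for an https:// URL such as
# https://cloud.mongodb.com/freemonitoring/mongo ?
#   0 = https_proxy / HTTPS_PROXY / all_proxy / ALL_PROXY is set
#   1 = no proxy variable is set at all
#   2 = only http_proxy / HTTP_PROXY is set, which does not apply to https://
check_proxy_env() {
    vars=$(proxy_vars "$1")
    if printf '%s\n' "$vars" |
        grep -qE '^(https_proxy|HTTPS_PROXY|all_proxy|ALL_PROXY)=.'; then
        return 0
    fi
    if printf '%s\n' "$vars" | grep -qiE '^http_proxy=.'; then
        return 2
    fi
    return 1
}

# With a PID argument, inspect that process (reading another user's environ
# needs root), e.g.:  sudo sh check_proxy.sh "$(pgrep -x mongod)"
# Without one, run against a constructed sample environment.
if [ -n "${1:-}" ]; then
    env_file="/proc/$1/environ"
else
    env_file=$(mktemp)
    # Constructed sample: mongod started as in the comment above.
    printf 'PATH=/usr/bin\0http_proxy=http://127.0.0.1:8123\0' > "$env_file"
    printf 'https_proxy=http://127.0.0.1:8123\0' >> "$env_file"
fi
proxy_vars "$env_file"
check_proxy_env "$env_file" && echo "proxy set for https" || echo "status $?"
[ -n "${1:-}" ] || rm -f "$env_file"
```

A status of 1 for the mongod PID while the same variables show up in the mongo shell's environment matches the failure described in this ticket.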

Comment by evandrix none [ 04/Feb/21 ]

in other places e.g. Firefox web browser, i've had to either disable SSL certificate verification, or trust the Zscaler root CA certificate, in order to allow the MITM to succeed without affecting my connection to the target site

another example e.g. python3 -m pip --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org $*

but i haven't figured out how to do something like that here for this

Comment by evandrix none [ 04/Feb/21 ]

i'm running MongoDB v4.4.3 inside an Ubuntu 20.04 VM via VirtualBox on Windows 10 v18363 x64 on a corporate Surface Laptop.

i've installed `polipo`, the latest one was for Ubuntu 18.04 https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/polipo_1.1.1-8_amd64.deb.html, modified the config to become as follows:

/etc/polipo/config:
logSyslog = true
logFile = /var/log/polipo/polipo.log
proxyAddress="0.0.0.0"
socksParentProxy="127.0.0.1:7050"
socksProxyType=socks5
chunkHighMark=50331648
objectHighMark=16384
serverMaxSlots=64
serverSlots=16
serverSlots1=32

$ `env http_proxy=http://127.0.0.1:8123 https_proxy=http://127.0.0.1:8123 curl -ksL "https://cloud.mongodb.com/freemonitoring/mongo"` worked

<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex, nofollow">
<title>MongoDB Free Monitoring</title>
<link rel="shortcut icon" type="image/x-icon" href="images/favicon.png"/>
<link rel="shortcut icon" href="/freemonitoring/assets/favicon.ico"><link href="/freemonitoring/assets/main.1cfe9ddd7a977d9aa801.css" rel="stylesheet"></head>
<body>
<div id="application"></div>
<script type="text/javascript" src="/freemonitoring/assets/bundle.1cfe9ddd7a977d9aa801.js"></script></body>
</html>

but $ `env http_proxy=http://127.0.0.1:8123 https_proxy=http://127.0.0.1:8123 mongo collection` failed (of course, i had another terminal console SSH'ed into an unrestricted host, with DynamicForward <port> while running this command)

collection 0> db.enableFreeMonitoring()
Unable to get immediate response from the Cloud Monitoring service. We willcontinue to retry in the background. Please check your firewall settings to ensure that mongod can communicate with "https://cloud.mongodb.com/freemonitoring/mongo"

is there a way to trace the network request being made here, whether it is actually going through the http proxy via the socks proxy exposed by the ssh tunnel?

Comment by Mark Benvenuto [ 03/Feb/21 ]

It depends on the operating system which MongoDB is running on.

On Windows, I believe it will obey the system settings (MongoDB uses WinHTTP).

On macOS and Linux, MongoDB uses libcurl. Libcurl supports the environment variable "http_proxy" (https://curl.se/libcurl/c/CURLOPT_PROXY.html). Note that "http_proxy" is all lower case. 

Example:

http_proxy=http://some.server.dom:port 

 

Comment by evandrix none [ 03/Feb/21 ]

corporate SSL proxy, in particular, Zscaler https://www.zscaler.com

Generated at Thu Feb 08 05:32:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.