[SERVER-54045] Enable Free Monitoring behind a corporate SSL proxy Created: 26/Jan/21 Updated: 31/Mar/21 Resolved: 31/Mar/21
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | evandrix none | Assignee: | Edwin Zhou |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Participants: |
| Description |
Is there a documented way of setting some option to do this? I noticed the FreeMon HTTP client is deprecated.
| Comments |
| Comment by Edwin Zhou [ 31/Mar/21 ] |

We haven’t heard back from you for some time, so I’m going to close this ticket. If this is still an issue for you, please let us know and we can reopen the ticket.

Best,
| Comment by Edwin Zhou [ 23/Mar/21 ] |

We'd like to know if this is still an issue for you. Were you able to find success with enabling free monitoring after Mark's advice?

Best,
| Comment by Mark Benvenuto [ 04/Feb/21 ] |

Dear evandrix@gmail.com,

Thank you for the wonderful repro. I really appreciate it. The reason why your command fails is that free monitoring does all of its HTTPS calls from mongod, not the mongo shell. The mongo shell just tells mongod to start sending monitoring data. You need to set the environment variables for mongod to support the proxy.

Also, with regards to your question about certificates, when just using polipo as a simple HTTP proxy without SOCKS, I did not need to disable certificate validation. My Config:

Finally, there is no programmatic way to disable SSL validation today for free monitoring. You may be able to update your OS certificate store with the CA of the MITM proxy. On Debian/Ubuntu, this should be in /etc/ssl/certs (per https://git.launchpad.net/ubuntu/+source/curl/tree/debian/rules?id=24124d49eb988971bb5b93882ab10019ecf77ab3#n54).

Thanks
Mark
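The comment above locates the failure in mongod's environment rather than the mongo shell's. As an added example (not from the ticket or from MongoDB's code), this Linux shell function reads an environment in the NUL-separated `/proc/<pid>/environ` format and reports whether the proxy variables libcurl reads are present; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MongoDB code. Checks whether a process environment
# (NUL-separated, as in /proc/<pid>/environ) carries a proxy setting that
# libcurl inside that process would pick up.

# proxy_status FILE -> prints: set | uppercase-only | unset | unreadable
proxy_status() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    env_lines=$(tr '\000' '\n' < "$1")
    # libcurl reads http_proxy in lower case only; https_proxy in either case.
    if printf '%s\n' "$env_lines" |
        grep -Eq '^(http_proxy|https_proxy|HTTPS_PROXY)=.'; then
        echo set
    elif printf '%s\n' "$env_lines" | grep -q '^HTTP_PROXY=.'; then
        echo uppercase-only   # libcurl ignores upper-case HTTP_PROXY
    else
        echo unset
    fi
}

# Constructed samples: a mongo shell launched with the thread's variables,
# and a mongod started by the init system without them.
sample_shell_env() {
    printf 'PATH=/usr/bin\000http_proxy=http://127.0.0.1:8123\000'
    printf 'https_proxy=http://127.0.0.1:8123\000'
}
sample_mongod_env() {
    printf 'PATH=/usr/bin\000LANG=C\000'
}

demo() {
    tmp=$(mktemp -d)
    sample_shell_env > "$tmp/shell"
    sample_mongod_env > "$tmp/mongod"
    echo "mongo shell: $(proxy_status "$tmp/shell")"
    echo "mongod:      $(proxy_status "$tmp/mongod")"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then
    # Pass a single PID; reading another user's environ requires root.
    proxy_status "/proc/$1/environ"
else
    demo
fi
```

On a live host, pass the PID of the running mongod as the only argument; the constructed demo runs when no argument is given.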
| Comment by evandrix none [ 04/Feb/21 ] |

in other places e.g. Firefox web browser, i've had to either disable SSL certificate verification, or trust the Zscaler root CA certificate, in order to allow the MITM to succeed without affecting my connection to the target site

another example e.g. `python3 -m pip --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org $*`

but i haven't figured out how to do something like that here for this
| Comment by evandrix none [ 04/Feb/21 ] |

i'm running MongoDB v4.4.3 inside an Ubuntu 20.04 VM via VirtualBox on Windows 10 v18363 x64 on a corporate Surface Laptop.

i've installed `polipo`, the latest one was for Ubuntu 18.04 https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/polipo_1.1.1-8_amd64.deb.html, modified the config to become as follows:

/etc/polipo/config:

$ `env http_proxy=http://127.0.0.1:8123 https_proxy=http://127.0.0.1:8123 curl -ksL "https://cloud.mongodb.com/freemonitoring/mongo"` worked

<!doctype html>

but

$ `env http_proxy=http://127.0.0.1:8123 https_proxy=http://127.0.0.1:8123 mongo collection` failed (of course, i had another terminal console SSH'ed into an unrestricted host, with DynamicForward <port> while running this command)

collection 0> db.enableFreeMonitoring()

is there a way to trace the network request being made here, whether it is actually going through the http proxy via the socks proxy exposed by the ssh tunnel?
| Comment by Mark Benvenuto [ 03/Feb/21 ] |

It depends on the operating system which MongoDB is running on. On Windows, I believe it will obey the system settings (MongoDB uses WinHTTP). On macOS and Linux, MongoDB uses libcurl. Libcurl supports the environment variable "http_proxy" (https://curl.se/libcurl/c/CURLOPT_PROXY.html). Note that "http_proxy" is all lower case. Example:
| Comment by evandrix none [ 03/Feb/21 ] |

corporate SSL proxy, in particular, Zscaler https://www.zscaler.com