Many corporate environments monitor and secure traffic to and from the internet by using proxy servers. Depending on your network configuration, running our agent in these environments may require some additional configuration steps. This is especially true when using Docker Desktop, since it uses an intermediary Linux virtual machine that may not automatically be configured to use your proxy servers and may not share certificates installed by network policies with Docker containers.
This will largely be an issue when your corporate proxy server inspects SSL/TLS traffic and uses a self-signed CA Certificate that is trusted within your network. The agent container does not trust that certificate by default, so our agent will fail when verifying secure communications while connecting to Rigor's services.
Below we'll cover two distinct solutions: using a secondary proxy that does not inspect SSL/TLS traffic and injecting a custom CA Certificate into the Docker container.
Which configuration is most appropriate is for you to decide after consulting with your network administrator.
Configuring Docker to use a secondary proxy
In cases where the system-wide proxy configuration will inspect SSL/TLS traffic, but a secondary proxy server is available, you can provide the secondary proxy connection information either by configuring the Docker Engine or, to apply it only to the Rigor Agent, by specifying environment variables. Docker has great documentation on how you can configure the Docker engine on their website: https://docs.docker.com/network/proxy/
This approach will require a secondary proxy server that is configured to allow SSL/TLS traffic to pass through it without being inspected.
Using a custom Certificate Authority
For cases when a secondary proxy server is not available and your proxy server has a custom CA Certificate distributed to workstations, it's possible to inject your certificate into our agent Docker container and add it to the trusted list of certificates.
While it's possible for you to create your own Docker container based upon Rigor's agent container, we don't recommend it as it will require some automated process to detect new versions of the Rigor agent, re-build the derived Docker image, distribute the image, and restart all applicable Docker containers.
Instead, we recommend that you follow these general steps:
- Create a folder on your host machine and place the CA Certificate (in CRT format) in the folder
- Mount that folder as a volume to the container
- Modify the command used when launching the container to update the CA Certificate cache before starting the agent software
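A preflight check for the first step, as an added example that is not part of Rigor's documentation or tooling: it lists which files in the folder will actually be picked up and prints each certificate's SHA-256 fingerprint so you can confirm it against the value your network administrator publishes. It assumes the agent image follows the Debian/Ubuntu behaviour of `update-ca-certificates`, which only reads PEM-encoded files whose names end in `.crt`; the function name `inspect_cert_dir` and the sample file names are hypothetical.

```python
import base64, binascii, hashlib, re, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def inspect_cert_dir(cert_dir):
    """Return (accepted, problems); accepted maps file name -> SHA-256 fingerprints."""
    accepted, problems = {}, []
    for path in sorted(Path(cert_dir).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        blocks = PEM_BLOCK.findall(data)
        if path.suffix != ".crt":
            # Assumption: update-ca-certificates only picks up files named *.crt
            problems.append(f"{path.name}: ignored, file name must end in .crt")
        elif not blocks:
            # 0x30 is the ASN.1 SEQUENCE tag that starts a binary DER certificate
            kind = "binary DER" if data[:1] == b"\x30" else "no certificate"
            problems.append(f"{path.name}: {kind}, convert to PEM text first")
        else:
            try:
                ders = [base64.b64decode(b"".join(b.split()), validate=True)
                        for b in blocks]
            except binascii.Error:
                problems.append(f"{path.name}: corrupt base64 inside PEM block")
                continue
            # The fingerprint is the SHA-256 of the DER encoding of each certificate
            accepted[path.name] = [hashlib.sha256(d).hexdigest() for d in ders]
    return accepted, problems


if __name__ == "__main__":
    # Constructed sample folder; the bytes are placeholders, not a real CA.
    fake_der = b"\x30\x82\x01\x0a" + bytes(range(32))
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_der)
           + b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "corp-ca.crt").write_bytes(pem)           # accepted
        Path(d, "corp-ca.pem").write_bytes(pem)           # wrong extension
        Path(d, "corp-ca-der.crt").write_bytes(fake_der)  # binary, not PEM
        ok, bad = inspect_cert_dir(d)
    print(ok)
    print(*bad, sep="\n")
```

For a real folder, call `inspect_cert_dir("certs")` from the directory that holds your `certs` folder and resolve every reported problem before starting the container.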
Docker Compose Example
Here is a simple docker-compose.yml file example of starting the Rigor agent container with a mounted volume and registering the certificates on startup:
```yaml
version: '3'
services:
  agent:
    image: docker.rigor.com/agent:stable
    command: bash -c "sudo update-ca-certificates && bundle exec shoryuken -r ./config/boot_shoryuken.rb"
    environment:
      RUNNER_TOKEN: your_runner_token_here
      DISABLE_NETWORK_SHAPING: "true"
    volumes:
      - ./certs:/usr/local/share/ca-certificates/my_certs/
```
You can see that we included the default COMMAND instruction from the Rigor agent's Dockerfile and simply prepended the `sudo update-ca-certificates` terminal command.
Docker run command
To execute the same example using the `docker run` command, we would use the following:
```sh
# Quote the volume path so a working directory containing spaces still mounts correctly
docker run \
  -e DISABLE_NETWORK_SHAPING=true \
  -e RUNNER_TOKEN=your_runner_token_here \
  --volume="$(pwd)/certs:/usr/local/share/ca-certificates/my_certs/" \
  docker.rigor.com/agent:stable \
  bash -c "sudo update-ca-certificates && bundle exec shoryuken -r ./config/boot_shoryuken.rb"
```