public inbox for pve-devel@lists.proxmox.com
From: Dominik Csapak <d.csapak@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Oguz Bektas <o.bektas@proxmox.com>
Subject: Re: [pve-devel] [PATCH storage 1/2] download-url: reuse http_proxy from datacenter.cfg for https
Date: Thu, 25 Nov 2021 15:23:18 +0100
Message-ID: <a03631a3-fe78-7f6f-137d-7ee6fdf8f9ed@proxmox.com>
In-Reply-To: <42391428-bd80-2d55-5cb6-7c8ecd97a3a8@proxmox.com>

On 11/25/21 15:06, Thomas Lamprecht wrote:
> On 25.11.21 14:34, Dominik Csapak wrote:
>> LGTM and works :)
>>
> 
> in general has the same issue as the ACME one from Stoiko, namely:
> The original http_proxy was always for external resources (our repos/appliances,
> subscription checks), but this and the ACME ones aren't necessarily external, and
> proxying them may break some stuff (not all enterprise setups have control over the
> proxy to make it differ between internal/external resources) or be just undesired.
> 
> What I'm missing on this and the acme patch is to actually step back and think
> proxying in PVE/PMG through, what are the different use cases, how can they be
> grouped sensibly and exposed to the admin. At least acknowledging something like
> that in the commit message and giving some reasons about why that drawback is
> accepted for now.
> 
> I mean, Stoiko at least made it a per-acme-plugin decision if something should get
> proxied through the datacenter configured proxy or not, but one may want to have
> different too (albeit blowing it up per single smallest request-type is surely overkill).
> 
> A https variant could be interesting too.
> 
> One could imagine a format string like (disclaimer, made up on the spot):
> 
> proxy: http=<>,https=<>,apply-on=<all|[base|acme|template-downloads]>
> 
> (<base> would be the original repo/appliances/subscriber coverage)
> 
>

just to note, i am not disagreeing with you but a small comment to this
patch nonetheless:

imho the current state is rather broken, for http urls it uses the proxy
but not for https (isos are often hosted on https for now, e.g. Debian's)
and since at least one person[0] expected it to use the proxy in any
case, i'd argue that for now this would be ok

yes a more general approach with specific uses/allow/blocklist (however
we want to implement this) would be better, but can still
be done after this

0: https://bugzilla.proxmox.com/show_bug.cgi?id=3716
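An added illustration, not code from this thread or from Proxmox: a Python sketch of how the made-up `proxy:` format string quoted above could be parsed and applied per request type, so that internal requests are never sent through the proxy by accident. The `;` list separator, the default of `base` when `apply-on` is omitted, the function names and the `example.invalid` hosts are assumptions.

```python
from urllib.parse import urlsplit

# Scope names taken from the format string sketched in the thread.
SCOPES = {"base", "acme", "template-downloads"}

# Constructed sample value; the ';' separator between scopes is an assumption.
SAMPLE = ("http=http://proxy.example.invalid:3128,"
          "https=http://proxy.example.invalid:3128,"
          "apply-on=base;template-downloads")


def parse_proxy_property(value):
    """Parse 'http=<url>,https=<url>,apply-on=<all|scope;scope>' into a policy."""
    # Assumed default: only the original 'base' coverage is proxied.
    policy = {"http": None, "https": None, "apply-on": {"base"}}
    for part in value.split(","):
        key, sep, val = part.strip().partition("=")
        if not sep or not val:
            raise ValueError(f"malformed entry: {part!r}")
        if key in ("http", "https"):
            parsed = urlsplit(val)
            if parsed.scheme not in ("http", "https") or not parsed.hostname:
                raise ValueError(f"bad proxy URL for {key}: {val!r}")
            policy[key] = val
        elif key == "apply-on":
            scopes = set(SCOPES) if val == "all" else set(val.split(";"))
            unknown = scopes - SCOPES
            if unknown:  # reject typos instead of silently proxying nothing
                raise ValueError(f"unknown scope(s): {sorted(unknown)}")
            policy["apply-on"] = scopes
        else:
            raise ValueError(f"unknown key: {key!r}")
    return policy


def proxy_for(policy, scope, url):
    """Return the proxy URL for this request, or None for a direct connection."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    if scope not in policy["apply-on"]:
        return None  # request type was not opted in: never proxy it
    scheme = urlsplit(url).scheme.lower()
    # A proxy is used only if one is configured for the target URL's scheme.
    return policy[scheme] if scheme in ("http", "https") else None
```

A value with only `http=` set reproduces the behaviour described in the reply: http downloads go through the proxy while https downloads connect directly.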



