Http_proxy when moving from lxd 2 to lxd 3

I have a question about moving from lxd 2 to lxd 3.

In lxd 2, networking was configured in /etc/default/lxd-bridge. In there, you could enable a http proxy (by default on port 13128). The default container profile set up link-local networking, and it set the http_proxy environment variable inside the container to point to the host side:

config:
  environment.http_proxy: http://[fe80::1%eth0]:13128
  user.network_mode: link-local

The upshot was: inside a container with no explicit networking you could still do apt-get install foo and it would work.

My question is, is it possible to get the same functionality in lxd 3?

I found information about a new proxy device feature added in lxd 3, but that seems to be a bit like ssh port forwarding - a local port is always forwarded to a fixed target host and port, unlike a HTTP proxy which understands HTTP headers. I also found information about lxd network added in lxd 2.3, so I know how to configure “real” networking, with or without NAT, but the old link-local networking isn’t mentioned.

Is there some knob which enables a built-in http proxy in lxd 3?

Or would I have to run a separate http proxy myself on the host, such as squid or apt-cacher-ng, and use the new local port forwarding feature to forward (say) 127.0.0.1:13128 inside the container to this proxy?

Many thanks,

Brian.

LXD 3.0 still supports that proxy configuration for IPv6 that you had in LXD 2.0.
You do not need to enable it in /etc/default/lxd-bridge, but as in

$ lxc config set mycontainer environment.http_proxy http://[fe80::1%eth0]:13128

On the other hand, the proxy device is for TCP, UDP and Unix socket proxying (https://github.com/lxc/lxd/blob/master/doc/containers.md#type-proxy).

Having said that, you can still use the proxy device to provide proxy access to the container while at the same time avoid configuring the networking for those containers. For this to work, you would need to set up a proxy on the host yourself. Then, use a TCP proxy device to forward from the container’s port 3128 to the host’s proxy port.

LXD 3.0 still supports that proxy configuration for IPv6 that you had in LXD 2.0.
You do not need to enable it in /etc/default/lxd-bridge, but as in

$ lxc config set mycontainer environment.http_proxy http://[fe80::1%eth0]:13128

That only sets the environment variable in the container. Nothing responds on [fe80::1%eth0] - I cannot even ping it - so setting the http_proxy environment variable pointing to that address doesn’t achieve anything useful.

Having said that, you can still use the proxy device to provide proxy access to the container while at the same time avoid configuring the networking for those containers. For this to work, you would need to set up a proxy on the host yourself. Then, use a TCP proxy device to forward from the container’s port 3128 to the host’s proxy port.

OK, that’s more or less what I said. This implies what I would need is something like:

$ lxc config set mycontainer environment.http_proxy http://127.0.0.1:13128

plus

$ lxc config device add mycontainer http proxy listen=tcp:127.0.0.1:13128 connect=tcp:x.x.x.x:13128  ## ?

(Aside: I can’t see how “proxy listen… connect…” decides whether to listen inside the container and connect from the host, or vice versa. What if the listen and connect addresses are both 127.0.0.1?)

And then also run a http proxy on the host.

Update: after more searching I found that lxd 3.3 has a proxy_protocol flag. However this doesn’t enable a HTTP proxy; rather it adds a HAproxy ‘PROXY protocol’ message to the start of the TCP stream, to relay the original source IP address.

This proxy protocol is the “PROXY protocol”. It has to do with letting a container know the real IP address of the source of the Internet connection.

This internal http proxy in LXD 2.0 was provided for free by the Go language. It appears that the relevant code still exists in LXD 3.0, so the maintainers can advise here on how to activate in LXD 3.0 or whether it has become deprecated. @stgraber

Can you also try with the environment variable and setting the proxy device? Both on localhost works. The proxy device is quite versatile and I believe it should be possible to make it work.

If you can point me to the part of code you are looking at, I may be able to trace where/if it’s activated.

Can you also try with the environment variable and setting the proxy device?

I’m not sure what you mean. I already tried setting http_proxy to [fe80::1%eth0] and like I say, there is nothing listening on that address. If you mean creating the LXD3 proxy device, then that won’t work without me installing a separate http proxy.

I was really just looking for an answer from someone who knows for sure one way or the other. Does LXD3 still have the HTTP proxy feature which LXD2.0 has? And if yes, how do you turn it on?

The URL is in my first reply
Sorry for being terse, I am on mobile.

The URL is in my first reply

If you mean this one

then:

  1. that is a documentation link, not a code link
  2. it does not mention the http proxy - only the new TCP socket proxying

But it does answer my question about directionality. There is a parameter bind=host or bind=container which says which side the proxy listens on. The default is bind=host, i.e. forwarding traffic inbound into the container.
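
The setup this thread converges on, as an added example that is not part of any participant's post: a proxy device with bind=container listening on the container's loopback and connecting to an HTTP proxy on the host's loopback, plus the matching environment.http_proxy. The function names, the device name "http" and the host proxy on 127.0.0.1:3128 (for example squid on its default port) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print the lxc commands that give a
# container without networking HTTP proxy access through a proxy device.
# Assumptions: an HTTP proxy (e.g. squid or apt-cacher-ng) already listens on
# the host's loopback; the device name "http" and port defaults are arbitrary.

# is_port N -> success if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# proxy_device_cmds CONTAINER [CONTAINER_PORT] [HOST_PROXY_PORT]
# Prints the commands only; pipe the output to sh to apply them.
proxy_device_cmds() {
    ct=$1 cport=${2:-13128} hport=${3:-3128}
    # The name ends up in a command line: allow only letters, digits, hyphens.
    case "$ct" in
        ''|-*|*[!A-Za-z0-9-]*) echo "invalid container name" >&2; return 1 ;;
    esac
    is_port "$cport" || { echo "invalid container port" >&2; return 1; }
    is_port "$hport" || { echo "invalid host proxy port" >&2; return 1; }

    # bind=container: listen inside the container, connect from the host side.
    # Both ends stay on loopback, so neither the forwarder nor the host proxy
    # has to listen on an address other machines or containers can reach.
    echo "lxc config device add $ct http proxy listen=tcp:127.0.0.1:$cport connect=tcp:127.0.0.1:$hport bind=container"
    # Point HTTP clients in the container (apt-get, curl, ...) at the forwarder.
    echo "lxc config set $ct environment.http_proxy http://127.0.0.1:$cport"
}

proxy_device_cmds mycontainer 13128 3128
```

The proxy device only relays bytes; the HTTP proxy behaviour comes entirely from whatever is listening on the host port.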

Still on mobile. Indeed, I did not paste the source URL. Have a look at the source of LXD and you can easily locate this proxy code.