Cannot fetch Rust/Cargo packages through intercepting proxy

Hey all, I am working in an enterprise environment where there is a TLS-intercepting proxy between the Nix build host and the internet. I wanted to build a Rust package with “buildRustPackage”, however I cannot get it to run through the proxy. On the host I tried to set every environment variable to the prepared cacert package instead of the default one:

  • CURL_CA_BUNDLE
  • SSL_CERT_FILE
  • NIX_SSL_CERT_FILE
  • CARGO_HTTP_CAINFO

However, everything seems to be ignored by buildRustPackage. Overriding cacert or even cargo via an overlay is not really an option for me as it would mean a mass rebuild.
Has anyone managed to work around this or found a good solution such as overriding the rust environment only?

I opened an issue almost 1.5 years ago:
https://github.com/NixOS/nixpkgs/issues/89526

According to the note in https://github.com/NixOS/nixpkgs/blob/a0dbe47318bbab7559ffbfa7c4872a517833409f/pkgs/development/compilers/rust/cargo.nix#L39-L42 nixpkgs sets CARGO_HTTP_CAINFO and SSL_CERT_FILE to cacert, but there is no obvious way to override this behavior.

Any help would be greatly appreciated!

I did something similar for fetchFromGitHub to add some root CAs.

First I needed to change some impureENVs https://github.com/NixOS/nixpkgs/commit/6f53c067482743fd68a5beceeb1205fab0ebe4c4, then I modified the nix-daemon.service and added the ENV to the right CAs and then added them to the buildSandbox. You probably need to do something similar for rust.

@Sandro good to know you found a real solution for GitHub. I’ve added a workaround for my issue in "Unable to fetch Rust/Cargo dependencies through TLS-intercepting proxy" (Issue #89526, NixOS/nixpkgs). Some “real” certificate support would be great for cargo though 🙂

EDIT: any chance for some documentation on how to handle restrictive networks, proxies and TLS-intercepting proxies? Like which env vars to set, how to configure the nix-daemon, etc.? I saw stdenv also has support for "GIT_PROXY_COMMAND" and "SOCKS_SERVER", I never knew!

@Sandro How did you make the fetcher read the cert? I’m trying to do something similar in fetchCargoTarball but it seems that in the sandbox the fetcher can’t access anything. Could you please give me some hints? Thanks!

Probably that specific fetcher needs some adjustment.

Do you mean that the sandbox can be bypassed somehow?

No, I mean that this fetcher is probably missing options to add the extra certificates, or the tool is using its own SSL store and we need to add some flag to it. But I don’t know for sure because I didn’t look into it.

I can’t access the path I passed to the fetcher. Anyway, I’ll open an MR when I finish it and you may be interested in reviewing it. 😉