Unable to open devcontainer in VSCode on local machine behind Cloudflare Zero Trust proxy #75

Open
husterk opened this issue Jan 7, 2024 · 2 comments

husterk commented Jan 7, 2024

My local network is behind a Cloudflare Zero Trust proxy. Typically, I would need to install the Cloudflare CA certificate on any container running on my local M1 MacBook Pro that needs external internet access.

However, I am unsure how to do this for devcontainers that install "features" such as the devcontainer in this template repository. I have attempted to define my own Dockerfile that installs the necessary cert but the feature installation still fails. When I attempt to start the devcontainer, I receive the following error.

[2024-01-07T23:37:20.400Z] Resolving Feature dependencies for 'ghcr.io/devcontainers/features/docker-in-docker:2'...
[2024-01-07T23:37:20.400Z] * Processing feature: ghcr.io/devcontainers/features/docker-in-docker:2
[2024-01-07T23:37:20.474Z] Error: unable to get local issuer certificate
[2024-01-07T23:37:20.474Z]     at TLSSocket.onConnectSecure (node:_tls_wrap:1543:34)
[2024-01-07T23:37:20.475Z]     at TLSSocket.emit (node:events:513:28)
[2024-01-07T23:37:20.475Z]     at TLSSocket._finishInit (node:_tls_wrap:962:8)
[2024-01-07T23:37:20.475Z]     at ssl.onhandshakedone (node:_tls_wrap:746:12)

Would you happen to have a recommendation for resolving this issue? I can't seem to get past this on my own.

Author

husterk commented Jan 9, 2024

Update: While this is technically still an issue, I was able to implement a workaround.

Workaround: In Cloudflare Zero Trust, I had to define a Gateway -> Firewall policies -> HTTP policy to "Do Not Inspect" each of the URLs that were being impacted by this issue. This includes Docker container registries, NPM registries, VSCode extension registries, etc.

While a bit tedious to determine and implement, this workaround does bypass the reported issue. However, it would still be nice to find a way to not have to manually identify each URL that needs to effectively be allow-listed.
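
The workaround above meant identifying each affected host by hand. As an added example (not part of this thread or the project's code), the script below parses dev container log output in the format quoted in the issue and lists the registry hosts whose feature fetch failed TLS verification. The function names and the last three sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first four lines follow the log quoted in the issue;
# the last three are made up to exercise the parser.
SAMPLE_LOG = """\
[2024-01-07T23:37:20.400Z] Resolving Feature dependencies for 'ghcr.io/devcontainers/features/docker-in-docker:2'...
[2024-01-07T23:37:20.400Z] * Processing feature: ghcr.io/devcontainers/features/docker-in-docker:2
[2024-01-07T23:37:20.474Z] Error: unable to get local issuer certificate
[2024-01-07T23:37:20.474Z]     at TLSSocket.onConnectSecure (node:_tls_wrap:1543:34)
[2024-01-07T23:37:21.000Z] * Processing feature: registry.example.internal/team/features/tooling:1
[2024-01-07T23:37:21.100Z] * Processing feature: ghcr.io/devcontainers/features/node:1
[2024-01-07T23:37:21.200Z] Error: self-signed certificate in certificate chain
"""

TIMESTAMP = re.compile(r"^\[[^\]]+\]\s*")
FEATURE = re.compile(r"^\* Processing feature: (\S+)")
# OpenSSL verification errors as surfaced by Node's TLS layer.
TLS_ERROR = re.compile(
    r"^Error: (unable to get local issuer certificate"
    r"|self[- ]signed certificate in certificate chain"
    r"|unable to verify the first certificate)"
)


def registry_host(feature_ref):
    """Host part of a feature reference, or None for local paths."""
    if feature_ref.startswith((".", "/")):
        return None
    if "://" in feature_ref:
        return urlsplit(feature_ref).hostname
    return feature_ref.split("/", 1)[0].lower()


def tls_failures(log_text):
    """Map registry host -> feature refs whose processing hit a TLS verification error."""
    failures, current = {}, None
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw, count=1)
        match = FEATURE.match(line)
        if match:
            current = match.group(1)
        elif current and TLS_ERROR.match(line):
            host = registry_host(current)
            if host and current not in failures.setdefault(host, []):
                failures[host].append(current)
            current = None
    return failures


if __name__ == "__main__":
    for host, refs in tls_failures(SAMPLE_LOG).items():
        print(host, "->", ", ".join(refs))
```

This recovers only the host named in each feature reference; any other host contacted during the fetch does not appear in these log lines and would have to be found separately.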

Member

eljog commented Jan 16, 2024

@joshspicer / @chrmarti do you have any suggestions on getting features to work behind a network proxy?
