Build / configure Python runner with custom CA / Proxy settings

Your Setup:

  • Self-Hosted Seatable 5.3.12 EE
  • Running in internal network with own CA, Internet Access through local proxy (Squid)

Describe the Problem/Error/Question:

I had the usual problem that containers with internet connectivity in our network need to fulfill the following networking requirements:

  • Communicate via TLS
  • Verify server certificates signed by our internal CA
  • Use a proxy server to connect to the internet

For the standard python-runner, I found no standard way to configure either of these. There is a way to configure requests from within Python to do both (SSL: either skip verification, or explicitly use a CA bundle), but it’s complex, not easily transferred to other servers, and fails when Python packages do not support custom CAs.

import requests

# Proxy endpoint used for every outbound scheme
http_proxy  = "http://my-proxy:3128"
https_proxy = "http://my-proxy:3128"
ftp_proxy   = "http://my-proxy:3128"

proxies = {
    "http": http_proxy,
    "https": https_proxy,
    "ftp": ftp_proxy,
}

# working
# Internet host through the proxy, with certificate verification skipped
print(requests.get("https://www.google.com", proxies=proxies, verify=False))
# Internal host, verified against an explicitly named CA bundle
print(requests.get("https://some-internal-server", verify="/path/to/ca-bundle"))

Most seriously, even accessing Seatable itself (via the API) fails, because the python-runner does not its own Seatable-Server. So basically, the python-runner can’t access bases in our environment via the API.

While I’m waiting to see if the developers might pick this up with some configuration options for the python-runner container, I found my own solution by building my own, using this: Custom Python Runner - SeaTable Admin Manual

I thought I might share this here so that others could benefit, and the developers might get an idea of what to make configurable. Here’s my Dockerfile for a custom python-runner:

FROM seatable/seatable-python-runner:4.2.2

USER root

# my-ca.crt must be in the build context root
ADD my-ca.crt /usr/local/share/ca-certificates/my-ca.crt
RUN update-ca-certificates

USER seatable

# set global proxy ENV; NO_PROXY includes internal IPs, IPs in docker networks etc.
ENV NO_PROXY=.local,.my-domain,10.0.0.0/8,172.0.0.0/8,127.0.0.1,localhost,my-seatable-host.domain.com,my-proxy
ENV FTP_PROXY=http://my-proxy:3128
ENV HTTPS_PROXY=http://my-proxy:3128
ENV HTTP_PROXY=http://my-proxy:3128
ENV no_proxy=.local,.my-domain,10.0.0.0/8,172.0.0.0/8,127.0.0.1,localhost,my-seatable-host.domain.com,my-proxy
ENV ftp_proxy=http://my-proxy:3128
ENV https_proxy=http://my-proxy:3128
ENV http_proxy=http://my-proxy:3128

# set global CA bundle for python (single packages might need specific configuration)
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

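A way to check which destinations the NO_PROXY value from the Dockerfile above sends around the proxy, as an added example that is not part of the original post or of SeaTable's code. The matcher is a simplified model of how requests interprets no_proxy (an assumption of this example), and it uses only the standard library.

```python
import ipaddress
from urllib.parse import urlsplit

# NO_PROXY value copied from the Dockerfile in the post.
NO_PROXY = (".local,.my-domain,10.0.0.0/8,172.0.0.0/8,127.0.0.1,localhost,"
            "my-seatable-host.domain.com,my-proxy")


def bypasses_proxy(url, no_proxy=NO_PROXY):
    """True if `url` would be fetched directly rather than through the proxy.

    Assumed matching rules (modelled on requests): IP literals match CIDR
    blocks or exact IPs, host names match by plain suffix.
    """
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so only suffix entries can match
    for entry in filter(None, no_proxy.replace(" ", "").split(",")):
        if addr is None:
            if host.endswith(entry):
                return True
            continue
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # host-name entry, cannot match an IP literal
    return False


def public_cidrs(no_proxy=NO_PROXY):
    """NO_PROXY networks that reach beyond private/loopback address space."""
    wide = []
    for entry in filter(None, no_proxy.replace(" ", "").split(",")):
        try:
            if not ipaddress.ip_network(entry, strict=False).is_private:
                wide.append(entry)
        except ValueError:
            pass  # host-name entry
    return wide


if __name__ == "__main__":
    for u in ("https://www.google.com", "https://some-internal-server"):
        print(u, "direct" if bypasses_proxy(u) else "via proxy")
    print("over-broad:", public_cidrs())
```

With the post's value, `https://some-internal-server` matches no entry and would be sent to the proxy, and `172.0.0.0/8` is reported because it extends past the RFC 1918 private block 172.16.0.0/12.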