zaproxy / zaproxy

The ZAP core project

Home Page:https://www.zaproxy.org

Target application is not accessible inside the Docker container behind proxy.

KristofKuli opened this issue · comments

Describe the bug

We are using ZAP Proxy on a self-hosted agent pool behind a proxy, and the target application is not accessible. The pipeline fails with OSError: [Errno 5] ZAP failed to access: https://url.company.com. Interestingly, when we run the command below on the same agent pool, the connection works.
docker run -t ghcr.io/zaproxy/zaproxy:stable curl -v https://url.company.com

If we use a different self-hosted agent pool, where a proxy is not used, then the connection works. The command being used for both pools is:
docker run --user root -v /agent/_work*:/zap/wrk/:rw -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt -e http_proxy -e https_proxy -e HTTP_PROXY -e HTTPS_PROXY --name zap_scan -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t ${{parameters.target}} -g gen.conf -I -x issues.xml -r scan-report.html

${{parameters.target}} equals https://url.company.com.

Could you please help us understand what could be the issue?

Steps to reproduce the behavior

Since we are using a self-hosted agent pool behind a proxy, this can't be reproduced.

Expected behavior

ZAP proxy can connect to the endpoint.

Software versions

ghcr.io/zaproxy/zaproxy:stable

Screenshots

No response

Errors from the zap.log file

ERROR [Errno 5] ZAP failed to access: https://url.company.com/
2024-03-01 16:51:18,870 I/O error: [Errno 5] ZAP failed to access: https://url.company.com/
Traceback (most recent call last):
  File "/zap/zap-full-scan.py", line 348, in main
    zap_access_target(zap, target)
  File "/zap/zap_common.py", line 108, in _wrap
    return_data = func(*args_list, **kwargs)
  File "/zap/zap_common.py", line 404, in zap_access_target
    raise IOError(errno.EIO, 'ZAP failed to access: {0}'.format(target))
OSError: [Errno 5] ZAP failed to access: https://url.company.com/

Additional context

No response

Would you like to help fix this issue?

  • Yes

That's because you are not configuring ZAP to use the proxy (ZAP does not read/use the HTTP*_PROXY env vars, maybe it should).

Thanks for the suggestion. How should I configure ZAP then? I didn't find any relevant information in the documentation. Even if we remove the env vars from the docker run command, the issue still persists.

For the time being that would have to be done with -config args, e.g.:

-config network.connection.httpProxy.enabled=true -config network.connection.httpProxy.host=myproxy -config network.connection.httpProxy.port=1234

Since you are using the packaged scans that would have to be passed through -z arg:
https://www.zaproxy.org/docs/docker/full-scan/#usage

Somewhat relevant issue: #8360.
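
Added example (not part of the original thread, not ZAP project code): since ZAP does not read the HTTP*_PROXY variables, this helper turns a proxy URL such as $HTTPS_PROXY into the -config options quoted above, ready to pass as a single -z argument. The function name zap_proxy_opts and the host proxy.example.internal are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build ZAP proxy -config options from a proxy URL.
# zap_proxy_opts is a hypothetical helper name, not part of ZAP.
# Prints the option string on stdout; returns 1 when the URL has no
# usable host or no explicit numeric port (no default port is guessed).
zap_proxy_opts() {
    url=$1
    [ -n "$url" ] || return 1
    rest=${url#*://}     # drop the scheme (http://, https://) if present
    rest=${rest%%/*}     # drop any trailing path
    rest=${rest##*@}     # drop user:pass@ so credentials are not forwarded
    host=${rest%:*}
    port=${rest##*:}
    [ "$host" != "$rest" ] || return 1      # no ':' means no port given
    [ -n "$host" ] || return 1
    case $port in
        ''|*[!0-9]*) return 1 ;;            # port must be all digits
    esac
    printf '%s' "-config network.connection.httpProxy.enabled=true" \
        " -config network.connection.httpProxy.host=$host" \
        " -config network.connection.httpProxy.port=$port"
}

# Usage with the packaged scan from this issue; all ZAP options travel
# inside one quoted -z argument:
#   docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
#       -t https://url.company.com -z "$(zap_proxy_opts "$HTTPS_PROXY")"
```
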

I have tried the above-mentioned suggestion, replacing the values with those of our proxy, but then I receive the following error:
ERROR [Errno 5] Failed to connect to ZAP after 600 seconds
2024-03-12 08:22:29,348 I/O error: [Errno 5] Failed to connect to ZAP after 600 seconds

Please ask on the ZAP User Group https://groups.google.com/group/zaproxy-users not on a closed issue.