Target application is not accessible inside the Docker container behind proxy.
KristofKuli opened this issue
Describe the bug
We are using ZAP Proxy on a self-hosted agent pool behind a proxy, and the target application is not accessible. The pipeline fails with OSError: [Errno 5] ZAP failed to access: https://url.company.com. Interestingly, when we run the command below on the same agent pool, the connection works.
docker run -t ghcr.io/zaproxy/zaproxy:stable curl -v https://url.company.com
If we are using a different self-hosted agent pool, where a proxy is not used, then the connection works. The command being used for both pools is:
docker run --user root -v /agent/_work*:/zap/wrk/:rw -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt -e http_proxy -e https_proxy -e HTTP_PROXY -e HTTPS_PROXY --name zap_scan -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t ${{parameters.target}} -g gen.conf -I -x issues.xml -r scan-report.html
${{parameters.target}} is equal to https://url.company.com.
Could you please help us understand what could be the issue?
Steps to reproduce the behavior
Since we are using a self-hosted agent pool behind a proxy, this can't be reproduced.
Expected behavior
ZAP proxy can connect to the endpoint.
Software versions
ghcr.io/zaproxy/zaproxy:stable
Screenshots
No response
Errors from the zap.log file
ERROR [Errno 5] ZAP failed to access: https://url.company.com/
2024-03-01 16:51:18,870 I/O error: [Errno 5] ZAP failed to access: https://url.company.com/
Traceback (most recent call last):
  File "/zap/zap-full-scan.py", line 348, in main
    zap_access_target(zap, target)
  File "/zap/zap_common.py", line 108, in _wrap
    return_data = func(*args_list, **kwargs)
  File "/zap/zap_common.py", line 404, in zap_access_target
    raise IOError(errno.EIO, 'ZAP failed to access: {0}'.format(target))
OSError: [Errno 5] ZAP failed to access: https://url.company.com/
Additional context
No response
Would you like to help fix this issue?
- Yes
See https://www.zaproxy.org/docs/docker/diagnosing-problems/#zap-cannot-connect-to-the-target
Please do not raise issues for questions - the ZAP User Group is a much better option: https://groups.google.com/group/zaproxy-users
That's because you are not configuring ZAP to use the proxy (ZAP does not read/use the HTTP*_PROXY env vars, maybe it should).
Thanks for the suggestion. How should I configure ZAP then? I didn't find any relevant information in the documentation. Even if we remove the env vars from the docker run command, the issue still persists.
For the time being that would have to be done with -config args, e.g.:
-config network.connection.httpProxy.enabled=true -config network.connection.httpProxy.host=myproxy -config network.connection.httpProxy.port=1234
Since you are using the packaged scans, that would have to be passed through the -z arg:
https://www.zaproxy.org/docs/docker/full-scan/#usage
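The -config options and the -z argument from the comment above, combined in an added example that is not part of the original thread or ZAP's own code. The function names zap_proxy_opts and zap_scan_cmd are hypothetical, the proxy URL is a constructed sample, and the command is only printed, not run.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of ZAP.

# zap_proxy_opts URL
# Prints the three -config options from the thread for the proxy named in URL
# (the form used in HTTP_PROXY/HTTPS_PROXY). Returns 1 if host or port is missing.
zap_proxy_opts() {
    url=$1
    rest=${url#*://}    # drop the scheme, if present
    rest=${rest%%/*}    # drop any path
    rest=${rest##*@}    # drop user:password@ (proxy auth is not configured here)
    case $rest in
        *:*) host=${rest%:*}; port=${rest##*:} ;;
        *)   host=$rest; port= ;;
    esac
    case $port in
        ''|*[!0-9]*)
            echo "proxy URL needs an explicit numeric port: $url" >&2
            return 1 ;;
    esac
    [ -n "$host" ] || { echo "proxy URL has no host: $url" >&2; return 1; }
    printf '%s %s %s\n' \
        "-config network.connection.httpProxy.enabled=true" \
        "-config network.connection.httpProxy.host=$host" \
        "-config network.connection.httpProxy.port=$port"
}

# zap_scan_cmd TARGET PROXY_URL
# Prints (does not run) a packaged full-scan command with the options passed via -z.
zap_scan_cmd() {
    opts=$(zap_proxy_opts "$2") || return 1
    printf 'docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t %s -z "%s"\n' \
        "$1" "$opts"
}

# Constructed sample input: myproxy:1234 are the placeholder values from the thread.
zap_scan_cmd "https://url.company.com" "http://myproxy:1234"
```

The whole option string has to reach zap-full-scan.py as a single quoted -z value, which is why the printed command wraps it in double quotes.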
I have tried the above-mentioned suggestion, replacing the values with our proxy's, but then I receive the following error:
ERROR [Errno 5] Failed to connect to ZAP after 600 seconds
2024-03-12 08:22:29,348 I/O error: [Errno 5] Failed to connect to ZAP after 600 seconds
Please ask on the ZAP User Group https://groups.google.com/group/zaproxy-users not on a closed issue.