Wednesday, February 18, 2015

TeamCity: set up a VCS root using Bitbucket (Git) behind a proxy server



I've installed TeamCity on a Windows Server 2012 box behind a corporate firewall that requires user authentication via a proxy server to access the internet.



I want to connect TeamCity to Bitbucket (git) which hosts our projects, to pull down the code and build and deploy within the corp network.



Git on its own via SourceTree (Git Windows client) and via the command line works fine. I've added the proxy setting to the .gitconfig and it can connect without issues over https via the proxy.



So far so good. But when I try to get TeamCity to talk to bitbucket I get an error:





Connection failed!
List remote refs failed: java.net.ConnectException:
Connection refused: connect bitbucket.org




I looked in the docs and it appears that if you want to connect via a proxy you need to pass the credentials to the JVM that is running TeamCity. As I'm on Windows Server 2012 and TeamCity is running as a service, this is supposedly achieved by setting an environment variable like so:



TEAMCITY_SERVER_OPTS

-Dproxyset=true
-Dhttp.proxyHost=11.111.1.11
-Dhttp.proxyPort=8080
-Dhttp.proxyUser=username
-Dhttp.proxyPassword=password
-Dhttp.nonProxyHosts=localhost|127.0.0.1
-Dhttps.proxyHost=11.111.1.11
-Dhttps.proxyPort=8080
-Dhttps.proxyUser=username
-Dhttps.proxyPassword=password
-Dhttps.nonProxyHosts=localhost|127.0.0.1


I've created a system-level env variable and restarted the server, which then gives me the following error:




https://bitbucket.org/teamname/example.git: 407 Proxy Authentication
Required ( Forefront TMG requires authorization to fulfil the request.
Access to the Web Proxy filter is denied. )





So this leaves me with two possibilities:




  1. The firewall is blocking the request as it's coming from a Windows Service

  2. The username and password are not being passed on



The TeamCity docs don't mention the proxyUser and proxyPassword arguments; I've inserted them myself after looking at the available JVM proxy arguments.




I've asked one of our network guys to take a look at the firewall (not in today), but in the meantime, if anyone has experience of this and knows of anything I've missed, any help will be much appreciated.



Update 16th Feb 2016



Whilst looking at the JetBrains support site I found the following:




Hi, we don't support proxy authentication from command line. And by
setting only parameters it won't work.




Also, the options above apply to java code executed with TC server
JVM only. However, we often use native clients to access VCS: hg,
perforce and TFS. Git and svn use java libraries.




So it appears the environment variable approach is a dead end; I will have to look at using the Git client to make the connection.


Answer



So the answer to how to get TeamCity working behind an NTLM proxy server is to cheat.

In the end I installed an application called CNTLM Authentication Proxy; this sits between TeamCity and my NTLM proxy and handles all the requests.




When it works it's great: I can connect to Bitbucket and builds are triggered, etc. But I should add a word of caution: on Windows Server 2012 R2, it crashes a lot. We didn't notice it much at first, but as we've added applications to TeamCity we've had multiple crashes a day which require the CNTLM service to be restarted.

I've now had a new proxy set up without authentication to fix the problem. Your mileage may vary.



To connect TeamCity to CNTLM you need to add an env variable TEAMCITY_SERVER_OPTS with the following value:



-Dproxyset=true -Dhttp.proxyHost=localhost -Dhttp.proxyPort=3128 -Dhttp.nonProxyHosts="localhost|127.0.0.1" -Dhttps.proxyHost=localhost -Dhttps.proxyPort=3128 -Dhttps.nonProxyHosts="localhost|127.0.0.1"



with port 3128 being what CNTLM is listening on once installed. You'll need to restart the TeamCity service and agent when you've changed or added this.
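
The same setup in PowerShell, added here as an example and not part of the original post: it sets TEAMCITY_SERVER_OPTS to the CNTLM values above, then checks that no machine-level variable still carries the proxyUser/proxyPassword options from the first attempt and that the CNTLM listener is reachable from this host only. It assumes an elevated prompt on the TeamCity server and CNTLM on port 3128.

```powershell
# Added example. Run from an elevated PowerShell prompt on the TeamCity server.
# Assumption: CNTLM listens on port 3128, as in the post.
$cntlmPort = 3128

# JVM options pointing TeamCity at the local CNTLM listener. No user name or
# password appears here: CNTLM holds the proxy credentials, not the JVM.
$opts = @(
    '-Dproxyset=true'
    '-Dhttp.proxyHost=localhost'
    "-Dhttp.proxyPort=$cntlmPort"
    '-Dhttp.nonProxyHosts="localhost|127.0.0.1"'
    '-Dhttps.proxyHost=localhost'
    "-Dhttps.proxyPort=$cntlmPort"
    '-Dhttps.nonProxyHosts="localhost|127.0.0.1"'
) -join ' '
[Environment]::SetEnvironmentVariable('TEAMCITY_SERVER_OPTS', $opts, 'Machine')

# 1. Machine-level variables are readable by every account and process on the
#    box, so flag any that still carry the proxyUser/proxyPassword options
#    from the first attempt.
$machineEnv = [Environment]::GetEnvironmentVariables('Machine')
$leaks = $machineEnv.Keys | Where-Object { $machineEnv[$_] -match 'proxy(User|Password)=' }
foreach ($name in $leaks) {
    Write-Warning "Machine variable '$name' contains proxy credentials; remove them."
}

# 2. CNTLM forwards requests using the stored account's NTLM credentials, so
#    its listener should be reachable from this host only.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $cntlmPort -ErrorAction SilentlyContinue)
if (-not $listeners) {
    Write-Warning "Nothing is listening on port $cntlmPort; is the CNTLM service running?"
}
foreach ($l in $listeners) {
    if ($l.LocalAddress -notin '127.0.0.1', '::1') {
        Write-Warning "CNTLM is listening on $($l.LocalAddress):$cntlmPort; bind it to 127.0.0.1."
    } else {
        Write-Output "OK: listener on $($l.LocalAddress):$cntlmPort is loopback-only."
    }
}
```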

