run “pip install” behind proxy

Even when you trust the MITM proxy devices’ self-signed certificates, pip can still fail.

# cat ~/.config/pip/pip.conf
cert = /etc/pki/ca-trust/extracted/openssl/

Even when explicitly telling pip which server names to trust, it still fails.

# pip install --trusted-host --trusted-host google-auth
Collecting google-auth
  HTTP error 403 while getting (from
  Could not install requirement google-auth from because of error 403 Client Error: Forbidden for url:
Could not install requirement google-auth from because of HTTP error 403 Client Error: Forbidden for url: for URL (from


I had to use a squid proxy to make it happen.

# export https_proxy=http://10.123.456.5:3128
# pip install --trusted-host --trusted-host google-auth
Collecting google-auth
  Downloading (73kB)
    100% |████████████████████████████████| 81kB 3.0MB/s
Collecting pyasn1-modules>=0.2.1 (from google-auth)
  Downloading (66kB)
    100% |████████████████████████████████| 71kB 5.4MB/s
Collecting cachetools>=2.0.0 (from google-auth)
Requirement already satisfied (use --upgrade to upgrade): six>=1.9.0 in /usr/lib/python2.7/site-packages (from google-auth)
Collecting rsa>=3.1.4 (from google-auth)
Collecting pyasn1<0.5.0,>=0.4.1 (from pyasn1-modules>=0.2.1->google-auth)
  Downloading (73kB)
    100% |████████████████████████████████| 81kB 37.5MB/s
Installing collected packages: pyasn1, pyasn1-modules, cachetools, rsa, google-auth
  Found existing installation: pyasn1 0.1.9
    Uninstalling pyasn1-0.1.9:
      Successfully uninstalled pyasn1-0.1.9
  Found existing installation: pyasn1-modules 0.0.8
    Uninstalling pyasn1-modules-0.0.8:
      Successfully uninstalled pyasn1-modules-0.0.8
Successfully installed cachetools-3.1.0 google-auth-1.6.3 pyasn1-0.4.5 pyasn1-modules-0.2.4 rsa-4.0

Apache use ssl virtual host to reverse proxy to http

Documenting partially for myself, but also for anyone else who just wants to manage the http virtual host but have ssl as well.

You need some basic ssl configs, which I tend to place in a separate file so all virtual hosts can share the same settings.

touch "${tf}" ; chmod 0644 "${tf}" ; chown root.root "${tf}" ;
cat <<EOF 1> "${tf}"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
</Directory>

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-localhost.crt

SetEnvIf User-Agent ".*MSIE 4\.0b2.*"                 nokeepalive ssl-unclean-shutdown                 downgrade-1.0 force-response-1.0

LogLevel warn
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_access_log combinedvhost

<Directory "/var/www/html/notfound/">
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>

# END OF FILE all-ssl.cnf
EOF

And the real config file:

touch "${tf}" ; chmod 0644 "${tf}" ; chown root.root "${tf}" ;
cat <<EOF 1> "${tf}"
# reference:
# ssl act as proxy:

#Listen 80 # not needed here in base C7 because this is provided in /etc/httpd/conf/httpd.conf
#Listen 443
<VirtualHost *:80>
ServerAlias * *
UseCanonicalName Off

DocumentRoot /var/www/html
Options +Indexes
IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=*
</VirtualHost>

<VirtualHost *:443>

ServerAlias *

Include conf.d/all-ssl.cnf
# try the <proxy> stuff from

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /
ProxyPassReverse /
</VirtualHost>
EOF


Ansible find first accessible proxy and use it

If you need to find the first available http proxy and use it for a process, you can use a python snippet to discover it.



  - name: learn which proxy to use
    script: {{ http_proxies | join( " " ) }}
    changed_when: false
    register: open_ports

  - set_fact:
      http_proxy: "{{ open_ports.stdout_lines[0] }}"
    when:
    - 'open_ports.stdout | length > 0'
    - 'open_ports.stdout | length == 0'

  - name: use http_proxy environment variable
    script: -i {{ inputvar }}
    environment:
      http_proxy: "http://{{ http_proxy | default(omit) }}"

The sole output is the first hostname and port available.

# Filename:
# Location: /etc/ansible/roles/install_sccm/files/
# Author: bgstack15
# Startdate: 2018-10-02 10:13
# Title: Script that Gets the First Open Port
# Purpose: Return to standard output the first valid host and port to use as a http proxy
# Project: projects derived from ansible role certreq
# History:
# Usage:
#    in ansible
# Reference:
#    string split
# Improve:
# Documentation:

import socket, sys
from contextlib import closing

# Version string printed by --version; the original excerpt never defined it,
# so this value is a placeholder.
GFOP_VERSION = "placeholder-version"


def check_socket(host, port):
   # A zero return from connect_ex means the TCP handshake completed.
   # The timeout keeps a filtered (silently dropped) candidate from hanging the play.
   with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
      sock.settimeout(2)
      if sock.connect_ex((host,port)) == 0:
         print(host + ":" + str(port))
         return True
   return False

x = 0
for myarg in sys.argv:

   # show version
   if myarg == "--version" or myarg == "-V":
      print(sys.argv[0]+" "+GFOP_VERSION)

   x = x + 1
   # skip the script $0 name itself
   if x > 1:
      # split on the first colon into host and port
      host, port = myarg.split(":",1)
      # short-circuit upon first successful one
      if check_socket(host,int(port)):
         break
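The script above stops at the first port that accepts a TCP connection, which is not the same thing as the first working HTTP proxy: any listener on a candidate port (an SSH daemon, some unrelated service that happens to sit on 3128) would be picked and then become the proxy for the whole play. The Python 3 example below is added here and is not code from the original post or from the certreq/install_sccm role. It keeps the same first-match idea but also requires an HTTP status line in reply to a CONNECT request, skips malformed candidates instead of crashing, and carries a constructed local listener so the behaviour can be checked offline. The names probe_http_proxy, first_http_proxy, serve_once and the example.invalid target are this example's own.

```python
import socket
import threading
from contextlib import closing

# Constructed probe: a CONNECT to a reserved name. A real HTTP proxy answers with
# an HTTP status line (200, 403, 502 ...); SSH, SMTP or a dead port will not.
CONNECT_PROBE = (b"CONNECT example.invalid:443 HTTP/1.1\r\n"
                 b"Host: example.invalid:443\r\n\r\n")


def probe_http_proxy(host, port, timeout=2.0):
    """True only if host:port accepts TCP *and* speaks HTTP in reply to CONNECT."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as sock:
            sock.sendall(CONNECT_PROBE)
            head = sock.recv(256)
    except OSError:  # refused, timed out, reset, unresolvable
        return False
    return head.startswith(b"HTTP/1.")


def first_http_proxy(candidates, timeout=2.0):
    """Return the first 'host:port' in candidates that probes as an HTTP proxy,
    or None. Malformed entries are skipped instead of aborting the discovery."""
    for cand in candidates:
        host, _, port = cand.rpartition(":")
        if not host or not port.isdigit():
            continue
        if probe_http_proxy(host, int(port), timeout):
            return cand
    return None


def serve_once(reply):
    """Constructed stand-in listener for offline testing: accept one connection
    on an ephemeral 127.0.0.1 port, read the request, send `reply`, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        with closing(srv):
            conn, _ = srv.accept()
            with closing(conn):
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                except OSError:
                    pass
                conn.sendall(reply)

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Pick a port nothing is listening on (bind to 0, then release it)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Candidates: a dead port, a malformed entry, an SSH-like banner and a
    proxy-like listener. Returns (chosen, expected) so a caller can confirm the
    discovery picked the proxy rather than merely the first open port."""
    ssh_like = serve_once(b"SSH-2.0-OpenSSH_7.4\r\n")
    proxy = serve_once(b"HTTP/1.1 200 Connection established\r\n\r\n")
    dead = unused_port()
    candidates = ["127.0.0.1:%d" % dead, "not-a-candidate",
                  "127.0.0.1:%d" % ssh_like, "127.0.0.1:%d" % proxy]
    return first_http_proxy(candidates), "127.0.0.1:%d" % proxy


if __name__ == "__main__":
    print("%s (expected %s)" % demo())
```

Accepting any HTTP status line rules out listeners that are not HTTP at all; it does not prove the host is the proxy you intended, so the candidate list fed in (http_proxies in the play above) should still come from inventory you control rather than from a scan.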

Quick script to purge URL from squid proxy

If you have the requisite permissions in squid.conf, you can just use a quick script to purge URLs. I use this for flushing local files I am developing and download to clients with http.

touch "${tf}" ; chmod 0755 "${tf}"
cat <<'EOF' > "${tf}"
#!/bin/sh
# purge each URL given on the command line from the local squid cache
for word in "$@" ; do
   squidclient -h localhost -r -p 3128 -m PURGE "${word}"
done
EOF

For squid, I am using a few lines to allow purging:

acl PURGE method PURGE
http_access allow PURGE localhost

Then you can call it:


Install openssl-1.1.0 on CentOS7

I really wanted the -proxy flag on the openssl command. It’s not available in the provided openssl package (1.0.1 series), but it is in the 1.1.0 series, which is now the base package in Fedora. Enterprise Linux users, though, need to do a little bit of work to get it.

Download a pre-compiled package

You could just download the package from my copr. Save the contents of the .repo file or use them from here.

name=Copr repo for stackrpms owned by bgstack15

Install with:

yum install openssl110

The binary is then named openssl110.

Download and compile the source

tar -zxf openssl-1.1.0i.tar.gz
cd openssl-1.1.0i
sudo make install

To prevent an error that resembles:

/usr/local/bin/openssl version
/usr/local/bin/openssl: error while loading shared libraries: cannot open shared object file: No such file or directory

You have to provide the library files in a directory that the dynamic linker searches. There are multiple ways to tackle this.

Option 1: update library path

Add the directory containing the and similar files to the LD_LIBRARY_PATH environment variable.

export LD_LIBRARY_PATH=/usr/local/lib64:${LD_LIBRARY_PATH}

Option 2: move library files to lib directory

Or just move the files to the main library location. On an x86_64 system, that would be:

mv /usr/lib64/



Internet search openssl s_client http proxy
openssl s_client using a proxy
How to update openssl 1.1.0 in Centos 6.9/7.0

Adding Reverse Proxy for Plex to Apache vhost


It is easy to find apache vhost definitions for reverse proxying plex traffic.
What this post shows is how to include the parts needed for a reverse proxy to plex in an existing vhost. Why would you need this? I don’t know. I did, and it was as easy as adding a few bits to represent the web address.

Adding reverse proxy for plex to Apache vhost

So in your vhost, add these lines:

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyRequests Off
        ProxyPass               /web/
        ProxyPassReverse        /web/
        <LocationMatch '^/web\/.*$'>
                RequestHeader set Front-End-Https "On"
                RewriteEngine On
                RewriteCond     %{REQUEST_URI}          !^/web
                RewriteCond     %{HTTP:X-Plex-Device}   ^$
                RewriteCond     %{REQUEST_METHOD}       !^(OPTIONS)$
                RewriteRule     ^/$ /web/$1 [R,L]
        </LocationMatch>

The difference between this snippet and a separate vhost definition is that you ProxyPass only the /web/ location over to your Plex media server.


	ServerAlias example www

	DocumentRoot	/var/www

	Options +Indexes
	IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=*
	IndexIgnore FOOTER.html repodata favicon.ico favicon.png
	ReadmeName FOOTER.html
	DirectoryIndex index.php index.html index.htm
	ServerSignature Off

	SetEnvIf Request_URI "ignoredfile.html" dontlog
	LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedvhost
	CustomLog logs/access_log combinedvhost env=!dontlog

	# Useful additions for a mirror server
	AddIcon /icons/rpm.png          .rpm
	AddIcon /icons/deb.png          .deb
	AddIcon /icons/repo.png         .repo
	AddType application/octet-stream .iso

	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

	TraceEnable off
	<FilesMatch "\.acl$">
		Deny from All
	</FilesMatch>
	<Directory "/var/www/example">
		AllowOverride None
		Order allow,deny
		Allow from all
		Options Indexes FollowSymLinks
		# Allows "" redirection to "" behavior
		# RewriteEngine On
		# RewriteCond %{HTTP_HOST} ^([^.]*)\.example\.no-ip\.biz$
		# RewriteRule /(.*)$1 [R,L]
	</Directory>

	# reference: welcome.conf, reverseproxyforplex.conf
	# reference:
	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>
	ProxyRequests Off
	ProxyPass		/web/
	ProxyPassReverse	/web/
	<LocationMatch '^/web\/.*$'>
		RequestHeader set Front-End-Https "On"
		RewriteEngine On
		RewriteCond	%{REQUEST_URI}		!^/web
		RewriteCond	%{HTTP:X-Plex-Device}	^$
		RewriteCond	%{REQUEST_METHOD}	!^(OPTIONS)$
		RewriteRule	^/$ /web/$1 [R,L]
	</LocationMatch>
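Both the ssl virtual host post earlier on this page and this Plex snippet rest on the same handful of settings: SSLProtocol, ProxyRequests Off next to a wide-open <Proxy *> block, and ProxyPass targets that may or may not be https. The Python 3 checker below is an added example, not code from either post, that reads a vhost fragment and reports what a reviewer would flag: forward proxying left on, legacy TLS versions still enabled by "SSLProtocol all -SSLv2 -SSLv3", a ProxyPass with no target, or an https backend without SSLProxyEngine On. The sample configs, the plex.example.internal hostname and the ALL_PROTOCOLS list are assumptions of this example; in particular the list treats "all" as every protocol name mod_ssl has ever accepted, so on a build that no longer compiles SSLv2 it over-reports rather than under-reports.

```python
# Protocol names understood by mod_ssl's SSLProtocol directive. Assumption of
# this example: 'all' expands to every name here, so a build that no longer
# compiles SSLv2 is over-reported rather than under-reported.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return [(name, [args])] for every non-blank, non-comment line.
    Container openers such as '<Proxy *>' come back with name '<Proxy';
    nesting is deliberately not modelled, the checks below are per vhost."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def enabled_protocols(args):
    """Apply SSLProtocol semantics left to right: 'all' or '+name' enables,
    '-name' disables, and a bare list of names enables exactly those."""
    enabled = set()
    for tok in args:
        name = tok.lstrip("+-")
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def check_vhost(text):
    """Return a list of findings (strings) for one vhost or config fragment."""
    findings = []
    directives = parse_directives(text)
    sslproxy_on = any(n.lower() == "sslproxyengine" and a and a[0].lower() == "on"
                      for n, a in directives)
    for name, args in directives:
        key = name.lower()
        if key == "proxyrequests" and args and args[0].lower() == "on":
            findings.append("ProxyRequests On enables forward proxying; every <Proxy> "
                            "block must then restrict clients or this is an open proxy")
        elif key == "sslprotocol":
            weak = sorted(enabled_protocols(args) & WEAK_PROTOCOLS)
            if weak:
                findings.append("SSLProtocol still allows %s; use "
                                "'SSLProtocol -all +TLSv1.2 +TLSv1.3'" % ", ".join(weak))
        elif key == "proxypass":
            if len(args) < 2:
                findings.append("ProxyPass %s has no target URL" % " ".join(args))
            elif args[1].lower().startswith("https://") and not sslproxy_on:
                findings.append("ProxyPass to %s needs 'SSLProxyEngine On'" % args[1])
    return findings


# Constructed sample in the shape of the ssl-to-http vhost on this page.
PAGE_STYLE = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
"""

# The same vhost with the one line a reviewer would change.
HARDENED = PAGE_STYLE.replace("SSLProtocol all -SSLv2 -SSLv3",
                              "SSLProtocol -all +TLSv1.2 +TLSv1.3")

# Constructed Plex-style fragment with two mistakes: forward proxying left on,
# and an https backend (hostname invented) without SSLProxyEngine.
RISKY_PLEX = """
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyRequests On
ProxyPass        /web/ https://plex.example.internal:32400/web/
ProxyPassReverse /web/ https://plex.example.internal:32400/web/
"""

if __name__ == "__main__":
    for label, cfg in (("page-style", PAGE_STYLE), ("hardened", HARDENED),
                       ("risky-plex", RISKY_PLEX)):
        print(label, check_vhost(cfg) or ["no findings"])
```

Run it against a real conf.d fragment by passing the file's contents to check_vhost; because nesting is not modelled, a <Proxy> block that does restrict clients still has to be reviewed by eye when ProxyRequests On is reported.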