Docker build behind corporate firewall - Extensions not loading

garyf · April 1, 2025, 3:18pm

We have issues with docker build behind our corporate firewall. Note that this all works as expected on machines that are not on the company VPN.

We pass required extensions like so…

ENV LUCEE_EXTENSIONS=
37C61C0A-5D7E-4256-8572639BE0CF5838;version=2.2.4.15,
B737ABC4-D43F-4D91-8E8E973E37C40D1B;version=2.0.0.26,
7E673D15-D87C-41A6-8B5F1956528C605F;version=9.1.0,
8D7FB0DF-08BB-1589-FE3975678F07DB17;version=1.0.0.15,
66E312DD-D083-27C0-64189D16753FD6F0;version=1.2.0.10

This operation is failing silently i.e. no error returned to the docker build output.

NOTE: Prime suspect is an SSL auth issue with the download site. We have loaded our corporate certificates into the container at run time. This works for our other containers with dependencies (n.b they are running php) and also works on the lucee image generally.

The lucee image that we are using is: 5.4.4.38-light-nginx

Can anyone help with the following please…

Anyone got any experience with this issue?
What happens, internally? i.e. how are the values in the var LUCEE_EXTENSIONS used?
In case we we need to whitelist, what is the domain and url format for lucee extension downloads?

Zackster · April 1, 2025, 3:33pm

This is the approach we use for the lucee update/download server

The update server can’t depend on itself (catch-22), so we download directly from s3 and drop them into the deploy folder

github.com

lucee/lucee-data-provider/blob/main/devops/Dockerfile.base

#FROM lucee/lucee:6.0.3.1-tomcat9.0-jdk11-temurin-jammy
FROM lucee/lucee:6.2.0.321-light-nginx-tomcat10.1-jre21-temurin-jammy
ADD https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.20.0/jmx_prometheus_javaagent-0.20.0.jar /opt/lucee/bin/prometheus-java-agent.jar
ENV JAVA_OPTS="-javaagent:/opt/lucee/bin/prometheus-java-agent.jar=9090:/opt/lucee/conf/prometheus/config.yml"
ENV LUCEE_ADMIN_ENABLED=false
RUN  mkdir -p /opt/lucee/server/lucee-server/deploy && \
mkdir -p /opt/lucee/server/lucee-server/context && \
wget -nv https://ext.lucee.org/sentry-extension-5.5.2.15.lex -O /opt/lucee/server/lucee-server/deploy/sentry-extension.lex && \
wget -nv https://ext.lucee.org/s3-extension-2.0.2.21.lex -O /opt/lucee/server/lucee-server/deploy/s3-extension-2.0.2.21.lex && \
wget -nv https://ext.lucee.org/image-extension-2.0.0.29.lex -O /opt/lucee/server/lucee-server/deploy/image-extension-2.0.0.29.lex && \
wget -nv https://ext.lucee.org/esapi-extension-2.2.4.18.lex -O /opt/lucee/server/lucee-server/deploy/esapi-extension-2.2.4.18.lex && \
wget -nv https://ext.lucee.org/compress-extension-1.0.0.15.lex -O /opt/lucee/server/lucee-server/deploy/compress-extension-1.0.0.15.lex

RUN mkdir -p /var/www && mkdir -p /var/www/logs \
&& ln -sf /proc/1/fd/1 /opt/lucee/server/lucee-server/context/logs/application.log \
&& ln -sf /proc/1/fd/1 /opt/lucee/server/lucee-server/context/logs/datasource.log \
&& ln -sf /proc/1/fd/1 /opt/lucee/server/lucee-server/context/logs/deploy.log \
&& ln -sf /proc/1/fd/1 /opt/lucee/server/lucee-server/context/logs/felix.log \
&& ln -sf /proc/1/fd/1 /opt/lucee/server/lucee-server/context/logs/gateway.log \
&& ln -sf /proc/1/fd/1 /opt/lucee/server/lucee-server/context/logs/global.log \

This file has been truncated. show original

Given you are locking down your server’s internet access, you care about security, you probably should consider using the latest 5.4 docker images (latest java, tomcat and ubuntu) and start planning to migrate to Lucee 6

garyf · April 1, 2025, 4:22pm

Hi Zack,
Thanks for the super fast response.
That’s a useful insight into what goes on under the hood.
I’ll see what we can do with it.

Zackster · April 1, 2025, 6:22pm

it’s worth checking out that repo and having a look around, while there is some older scrappy code, in general, it’s considered best practise for modern Lucee