justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(healthcare): add gost proxy-relay so Chromium can use the residential proxy

Browse source 
Chromium rejects authenticated SOCKS5 ('Browser does not support socks5 proxy
authentication'). Add a gost (ginuerzh/gost:2.11.5) 'proxy-relay' sidecar that
listens unauthenticated on socks5://proxy-relay:11080 and forwards to the
authenticated residential upstream (HEALTHCARE_PROXY_UPSTREAM_URL). Workers point
Playwright at the relay via HEALTHCARE_PROXY_URL=socks5://proxy-relay:11080.

env template: split into HEALTHCARE_PROXY_UPSTREAM_URL (authenticated, password
percent-encoded so '#' -> %23) and HEALTHCARE_PROXY_URL (the relay address).

Validated end-to-end on dev: workers Chromium -> proxy-relay -> residential
egress IP 76.228.206.147; NPPES + PECOS both HTTP 200.
This commit is contained in:
justin 2026-06-05 18:39:26 -05:00
parent 4060fd7562
commit a79d6b1906
2 changed files with 36 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

26
docker-compose.yml
View file

@ -1,4 +1,20 @@
services: services:
# ── Residential proxy relay (healthcare NPPES/PECOS automation) ──────
# Chromium cannot use an *authenticated* SOCKS5 proxy directly, so we run a
# local unauthenticated gost relay that forwards to the authenticated
# residential upstream (username "performancewest"). The workers point
# Playwright at this relay via HEALTHCARE_PROXY_URL=socks5://proxy-relay:11080.
#
# HEALTHCARE_PROXY_UPSTREAM_URL is the authenticated upstream and is set in
# .env (rendered from the ansible vault). The password may contain URL
# special chars (e.g. '#'); store it percent-encoded ('%23') in that var.
proxy-relay:
image: ginuerzh/gost:2.11.5
command: >-
-L socks5://:11080
-F ${HEALTHCARE_PROXY_UPSTREAM_URL}
restart: unless-stopped
# ── Core Application ──────────────────────────────────────────────── # ── Core Application ────────────────────────────────────────────────
site: site:
build: ./site build: ./site
@ -107,10 +123,11 @@ services:
- CRYPTO_SWEEP_ADMIN_EMAIL=${ADMIN_EMAIL:-ops@performancewest.net} - CRYPTO_SWEEP_ADMIN_EMAIL=${ADMIN_EMAIL:-ops@performancewest.net}
- USAC_USERNAME=${USAC_USERNAME} - USAC_USERNAME=${USAC_USERNAME}
- USAC_PASSWORD=${USAC_PASSWORD} - USAC_PASSWORD=${USAC_PASSWORD}
# Residential SOCKS proxy for healthcare (NPPES/PECOS) Playwright flows. # Healthcare (NPPES/PECOS) Playwright flows egress through the residential
# Username "performancewest"; full URL set in .env via the ansible vault. # proxy via the unauthenticated gost relay sidecar (Chromium can't do
- HEALTHCARE_PROXY_URL=${HEALTHCARE_PROXY_URL:-} # authenticated SOCKS5). proxy-relay forwards to the authenticated upstream.
- UNDETECTED_PROXY_URL=${UNDETECTED_PROXY_URL:-} - HEALTHCARE_PROXY_URL=${HEALTHCARE_PROXY_URL:-socks5://proxy-relay:11080}
- UNDETECTED_PROXY_URL=${UNDETECTED_PROXY_URL:-socks5://proxy-relay:11080}
- ANYTIME_MAILBOX_SIGNUP_EMAIL=${ANYTIME_MAILBOX_SIGNUP_EMAIL:-noreply@performancewest.net} - ANYTIME_MAILBOX_SIGNUP_EMAIL=${ANYTIME_MAILBOX_SIGNUP_EMAIL:-noreply@performancewest.net}
- ANYTIME_MAILBOX_SIGNUP_PHONE=${ANYTIME_MAILBOX_SIGNUP_PHONE} - ANYTIME_MAILBOX_SIGNUP_PHONE=${ANYTIME_MAILBOX_SIGNUP_PHONE}
- ANYTIME_MAILBOX_DEFAULT_PASSWORD=${ANYTIME_MAILBOX_DEFAULT_PASSWORD} - ANYTIME_MAILBOX_DEFAULT_PASSWORD=${ANYTIME_MAILBOX_DEFAULT_PASSWORD}
@ -140,6 +157,7 @@ services:
- /etc/postfix/pw-warmup-start:/etc/postfix/pw-warmup-start:ro - /etc/postfix/pw-warmup-start:/etc/postfix/pw-warmup-start:ro
depends_on: depends_on:
- api-postgres - api-postgres
- proxy-relay
restart: unless-stopped restart: unless-stopped
# ── ERPNext CRM ───────────────────────────────────────────────────── # ── ERPNext CRM ─────────────────────────────────────────────────────

21
infra/ansible/roles/app/templates/app.env.j2
View file

@ -121,13 +121,20 @@ HESTIA_PASS={{ vault_hestia_pass | default('') }}
# ── Residential proxy (healthcare NPPES/PECOS automation) ──────────────────── # ── Residential proxy (healthcare NPPES/PECOS automation) ────────────────────
# CMS healthcare portals (NPPES, PECOS, I&A) block datacenter IPs, so the # CMS healthcare portals (NPPES, PECOS, I&A) block datacenter IPs, so the
# Playwright healthcare flows route through a residential SOCKS proxy. # Playwright healthcare flows egress through a residential SOCKS proxy
# Format: socks5://performancewest:<password>@hg409y7ez04.sn.mynetname.net:<port> # (host hg409y7ez04.sn.mynetname.net, username "performancewest").
# (username is "performancewest"). Set the full URL in the ansible vault as #
# vault_healthcare_proxy_url. Leave blank to run without a proxy. # Chromium can't use an *authenticated* SOCKS5 proxy, so the docker-compose
# UNDETECTED_PROXY_URL is the generic fallback used by FCC/state flows. # "proxy-relay" (gost) listens unauthenticated and forwards to the
HEALTHCARE_PROXY_URL={{ vault_healthcare_proxy_url | default('') }} # authenticated upstream below. Workers point Playwright at the relay.
UNDETECTED_PROXY_URL={{ vault_undetected_proxy_url | default(vault_healthcare_proxy_url | default('')) }} #
# HEALTHCARE_PROXY_UPSTREAM_URL = authenticated upstream consumed by the relay.
# Password may contain URL-special chars; store it PERCENT-ENCODED here
# (e.g. '#' -> '%23'): socks5://performancewest:<pw%23enc>@host:11080
# HEALTHCARE_PROXY_URL = address Playwright/workers use (the relay, no auth).
HEALTHCARE_PROXY_UPSTREAM_URL={{ vault_healthcare_proxy_upstream_url | default('') }}
HEALTHCARE_PROXY_URL={{ healthcare_proxy_url | default('socks5://proxy-relay:11080') }}
UNDETECTED_PROXY_URL={{ undetected_proxy_url | default('socks5://proxy-relay:11080') }}
# ── Application URLs ────────────────────────────────────────────────────────── # ── Application URLs ──────────────────────────────────────────────────────────
DOMAIN=https://{{ domain }} DOMAIN=https://{{ domain }}