Mailroom doesn't respect `no_proxy` environment variable

Summary

Mailroom doesn't respect no_proxy settings. This issue has become more visible since we flipped to webhook as the default delivery_method in 15.3: gitlab-com/gl-infra/scalability#1462 (cc @qmnguyen0711)

Steps to reproduce

  1. Set up a GitLab instance with Service Desk and Incoming Email configured. Let's assume you have http://yourdomain.com set as external_url.

  2. Make sure that the delivery_method is set to webhook. In the Rails console, run `pp Gitlab::MailRoom.enabled_configs` to check the active MailRoom configs.

  3. Test Service Desk and make sure it is working.

  4. Configure http_proxy/https_proxy/no_proxy on your instance. We want to bypass the proxy for our external_url hostname, and we want to use the no_proxy environment variable for it:

    gitlab_rails['env'] = {
        "http_proxy" => "http://proxyip:proxyport",
        "https_proxy" => "http://proxyip:proxyport",
        # Hosts that must bypass the proxy, including the external_url hostname
        "no_proxy" => "127.0.0.1,localhost,yourdomain.com,.yourdomain.com"
    }

  5. Reconfigure GitLab one more time and test Service Desk again.

  6. Check your proxy access logs, and you should see that the postback request to http://yourdomain.com/api/v4/internal/mail_room/incoming_email is going through the proxy.
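
A check for step 6, as an added example (not GitLab or mail_room code): it uses Ruby's standard `URI#find_proxy` as the reference for what a `no_proxy`-aware client would do, and flags proxy log entries that should have gone direct. The proxy environment is the one from the environment info in this report; the Squid-style log format, the log lines and the `192.0.2.10` host are constructed assumptions.

```ruby
require 'uri'
require 'socket'
require 'ipaddr'

# Proxy environment as shown in this report's `gitlab:env:info` output.
PROXY_ENV = {
  'http_proxy'  => 'http://34.175.94.171:3128',
  'https_proxy' => 'http://34.175.94.171:3128',
  'no_proxy'    => 'localhost,127.0.0.1,192.168.99.108:8888'
}.freeze

# Returns nil when Ruby's stdlib resolver would connect directly,
# otherwise the proxy URL it would use for this request.
def expected_proxy(url, env = PROXY_ENV)
  proxy = URI.parse(url).find_proxy(env)
  proxy && proxy.to_s
end

# Constructed sample lines in Squid's native access.log layout (assumed format):
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = <<~LOG
  1677750000.123 45 192.168.99.108 TCP_MISS/200 512 POST http://192.168.99.108:8888/api/v4/internal/mail_room/incoming_email - HIER_DIRECT/192.168.99.108 application/json
  1677750001.456 80 192.168.99.108 TCP_MISS/200 2048 GET http://192.0.2.10/index.html - HIER_DIRECT/192.0.2.10 text/html
  1677750002.789 12 192.168.99.108 TCP_MISS/200 300 GET http://192.168.99.108:9999/health - HIER_DIRECT/192.168.99.108 text/plain
LOG

# Returns every URL seen at the proxy that the no_proxy policy says
# should never have reached it.
def no_proxy_violations(log, env = PROXY_ENV)
  log.each_line.map do |line|
    fields = line.split
    next if fields.length < 7
    url = fields[6]
    # CONNECT entries carry host:port instead of a URL; skip them.
    next unless url.start_with?('http://', 'https://')
    url if expected_proxy(url, env).nil?
  end.compact
end

puts no_proxy_violations(SAMPLE_LOG)
```

Under the stdlib rules a `no_proxy` entry with a port, such as `192.168.99.108:8888`, exempts only that port, which is why the request to port 9999 is not reported as a violation.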

Example Project

It is impossible to replicate this on GitLab.com.

What is the current bug behavior?

Mailroom doesn't respect no_proxy settings.

What is the expected correct behavior?

Mailroom should respect no_proxy settings.

Relevant logs and/or screenshots

We've had two internal customer reports already about this:

Both customers wanted to exclude requests to their external_url from going through the proxy, but Mailroom kept forwarding requests through it. They had to disable http_proxy/https_proxy/no_proxy completely on the instance to make Service Desk deliver emails again.

Output of checks

I reproduced it on GitLab 15.9.1 and 14.10.5.

Results of GitLab environment info

root@192:/#  gitlab-rake gitlab:env:info

System information
System:		
Proxy:		http_proxy: http://34.175.94.171:3128
		no_proxy: localhost,127.0.0.1,192.168.99.108:8888
		https_proxy: http://34.175.94.171:3128
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203
Gem Version:	3.1.4
Bundler Version:2.2.33
Rake Version:	13.0.6
Redis Version:	6.2.6
Sidekiq Version:6.4.0
Go Version:	unknown

GitLab information
Version:	14.10.5-ee
Revision:	af6735ad95f
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.7
URL:		http://192.168.99.108:8888
HTTP Clone URL:	http://192.168.99.108:8888/some-group/some-project.git
SSH Clone URL:	ssh://git@192.168.99.108:2222/some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: 

GitLab Shell
Version:	13.25.1
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Results of GitLab application Check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 13.25.1 ? ... OK (13.25.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Checking Reply by email ...

IMAP server credentials are correct? ... Checking khrechyshkina@gitlab.com yes
Mailroom enabled? ... skipped
MailRoom running? ... skipped

Checking Reply by email ... Finished

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
2/2 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 1
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

Workaround

The workaround is to either disable the http_proxy/https_proxy settings altogether or change delivery_method back to sidekiq. On omnibus installations, one can change delivery_method with this setting in the /etc/gitlab/gitlab.rb file:

gitlab_rails['incoming_email_delivery_method'] = "sidekiq"