Can not use proxy with password

[Yogu]

I have a global config entry like the following:

http.proxy=http://username:password@proxy.com:8080

libgit2's fetch fails with

Failed to set proxy: The parameter is incorrect.

The problem is that WINHTTP_PROXY_INFO does not support authentication for proxies (see also this question)

This is bad because official git does support authentication for proxies and thus libgit2 can not perform network operations in perfectly valid git configurations.

[nulltoken]

http.proxy=http://username@password@proxy.com:8080

@Yogu Shouldn't it be http.proxy=http://username:password@proxy.com:8080 ?

[Yogu]

@nulltoken Sorry, that was a typo in the issue description. The config file is correct.

[nulltoken]

I can see some options with some promising names in this documentation describing the options flags supported by WinHttpSetOption

• WINHTTP_OPTION_PROXY_PASSWORD
• WINHTTP_OPTION_PROXY_USERNAME

/cc @phkelley

[ethomson]

Indeed, win http absolutely supports proxies with passwords. We just need to set the options.

Can't look at this today but I can dig in this weekend if nobody beats me to it.

On Feb 7, 2014, at 5:26 AM, nulltoken notifications@github.com wrote:

I can see some options with some promising names in this documentation describing the options flags supported by WinHttpSetOption

WINHTTP_OPTION_PROXY_PASSWORD
WINHTTP_OPTION_PROXY_USERNAME
/cc @phkelley

—
Reply to this email directly or view it on GitHub.

[ghost]

Did this ever get looked at?

[carlosmn]

The WinHTTP transport (which is the only one which supports a proxy) does look up the proxy from the config and env variables.

[carlosmn]

Closing as it seems it was actually fixed.

[nulltoken]

Reopening as it seems that we still don't extract the proxy username and password from the url that git_remote__get_http_proxy() returns

[nulltoken]

@ethomson Are you still up to take a look at this? This would be a neat addition as currently libgit2 users behind a corporate proxy are compelled to rely on local proxy (eg. cntlm, ntlmaps, ...)

[nulltoken]

@FeodorFitsner In order to ease the implementation of this feature, we were thinking about starting with a failing test. Would you have any idea how we could set up some kind of NTLM proxy during our AppVeyor builds? Would you know any product we could download and install to this purpose?

[FeodorFitsner]

Look at this thread: http://help.appveyor.com/discussions/questions/787-simulate-enterprise-proxy

[nulltoken]

@FeodorFitsner Awesome! Thanks for the tip

@ethomson There's a chocolatey package for privoxy (which looks like supporting NTLM). Would that fit our need?

[nulltoken]

Hmmm. Not sure Privoxy actually supports user authentication by itself. It supports forwarding up to a parent proxy.

[nulltoken]

Another option might be DeleGate which is also available as a chocolatey package.

However, I'd really like someone with proxy skills to take another look at the manual, as I'm a bit out of my depth here.

[ethomson]

Right, this is a bullet point that it has session persistence. NTLM and
Kerberos authenticate the entirety of a kept-alive session. If you are a
proxy and do not honor this notion, then you will require users to
authenticate for every request (at best). If you are painfully unaware of
connection affinity, and assume that everything is cookies and basic, then
you will mix up authenticated connections.

It looks like privoxy does not support authentication itself:

Privoxy itself does not support proxy authentication

says the manual. Which is a shame.

Does the Appveyor image have a JRE installed? If so, I may be able to make
something work.

On Fri, Apr 24, 2015 at 4:47 PM, nulltoken notifications@github.com wrote:

Another option might be DeleGate
http://www.delegate.org/delegate/Manual.htm which is also available as
a chocolatey package https://chocolatey.org/packages/DeleGate.

However, I'd really like someone with proxy skills to take another look at
the manual, as I'm a bit out of my depth here.

—
Reply to this email directly or view it on GitHub
#2106 (comment).

[nulltoken]

@ethomson http://www.appveyor.com/docs/installed-software states that the following are installed:

Java SE Development Kit (JDK)

• JDK 1.7 x64 (C:\Program Files\Java\jdk1.7.0\bin - default in PATH)
• JDK 1.7 x86 (C:\Program Files (x86)\Java\jdk1.7.0\bin)
• JDK 1.8 x64 (C:\Program Files\Java\jdk1.8.0)
• JDK 1.8 x86 (C:\Program Files (x86)\Java\jdk1.8.0)

[ethomson]

OK, I think I have a proxy that I can bring to the party that I've used for testing previously.

[ghost]

I've also tried setting up squid with ntlm_fakeauth via http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly but something goes wrong and the connection is terminated (at least with curl)

[carlosmn]

I started looking into it, and while we can have a guess that a server will support Basic, it opens up a can of worms about whether people do want to have their password in plaintext or whether a program/user would prefer to be asked for them as needed, possibly using the same cred callbacks we already have for the endpoint.

It also opens up whether we'd like to allow the user to specify the want NTLM auth or what.

[carlosmn]

Fixed as part of #3110 we now extract the auth info from caller- or config-provided urls.