New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use netrc for proxy authentication #4151
Conversation
Thanks for the pull request! Note that reviews currently can take a bit longer, as @The-Compiler is busy with exams until September. (Powered by GitMate.io) |
This doesn't seem to work with socks proxies AFAICT. I need to figure out why I didn't get an auth challenge when I visited a socks proxy with authentication on. Looking around it seems it isn't supported in Chromium. Some people had asked for it to be added, but last response seems to be WONTFIX by Chromium devs, as they consider that hardly anyone uses socks with auth anyway. These were old requests though. I'm not sure if adding auth challenge detection for socks in qutebrowser would work, or if it needs adding to the underlying code in chromium/webengine too. |
try: | ||
host = url.host() | ||
except AttributeError: | ||
host = url |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This kind of thing definitely isn't the right way to go about this 😉
What about just making all callers pass a host (rather than a URL), and then do url.host()
where netrc_authentication
is called instead?
I had a think about this and I'm not even sure using netrc is a good idea really. I've been looking around to find other documentation or examples of it being used for proxy authenticaion but can't find anything. It doesn't seem to be historical linux/unix behaviour anyway. My findings about proxy auth in chrome/chromium uncovered a few bug reports/complaints, some going back to 2010. These were mostly from windows users though. Apparently Chrome in windows takes it settings from IE, or did at one time, and something broke there at some point. Apps like e.g. curl can use netrc for http/ftp auth, but it keeps proxy auth as separate command line flags --proxy-user etc. wget has credentials in its config file. Historical linux behaviour is to set http(s)_proxy as http(s)://username:password@host:port however this fails with chromium and qutebrowser, also when using the --proxy-server flag in chromium. It seems to always default to prompting for the auth info whether it's set or not. FWIW urllib seems to be able to detect proxies with auth settings:
However, this doesn't solve switching to different proxies on the fly. Many of the bug reports/complaints about proxy auth that I found on the net were from people whose corporate networks had > 1 proxy setup with different auth on each, and the general mood was to switch to FF. Also, it seems that socks auth isn't supported at all. There aren't any prompt for credentials and this results in a ERR_SOCKS_CONNECTION_FAILED. However I seem to recall that proxy changing addons /do/ support it, so it must be in the chromium code /somewhere/. At this point, I think a better solution would be to properly derive the auth info from the proxy URL rather than use a potentially insecure option of putting it in netrc in cleartext. I will see about doing something with that and make a new PR if I have any luck with it. Thoughts? |
A non-serious one.
You can use debug-pyeval to switch proxies!! But seriously, you have said why you are not wanting to use |
It's because qutebrowser doesn't use the login info when it's set in content.proxy - it only looks for the host:port and ignores username:password@ - so I have to login manually every time I need to switch. |
That seems like a bug considering the setting is parsed with this but I don't know how I can set up an authenticating proxy to test with. If |
One way to test is running |
Probably the easiest way to set up a proxy to test with is with 3proxy. The config is relatively simple (usually /etc/3proxy/3proxy.cfg):
That will create an http(s) server on port 33000 and a socks proxy on port 33500. |
mitmproxy looks easier though. Does it also do socks? |
http://doc.qt.io/qt-5/qtwebengine-overview.html#proxy-support
And it looks like that is because It looks like if we want to improve this use case we can either parse the config option in _on_proxy_authentication_required (and either just use it or set it as the default for the question) or learn to remember question answers. Or use .netrc. |
There's another problem here: proxy_host passed to _on_proxy_authentication_required() doesn't contain the port, only the IP. Authing by netrc will fail unless it contains a 'default' setting. If more than one proxy is on the same IP with different passes, or perhaps there's also a normal http auth on it too, then you've had it. So it seems to me that parsing the content.proxy string for username/password, and/or providing a separate content.proxy_user containing user:password similar to curl and wget, is the only/simplest way to do this. |
Related - I don't see a port being looked up in netrc_authentication() either, only url.host()
If you are running several services on the same machine on different ports (e.g. cups and other web frontends) wouldn't this be a problem? (Someone did report a problem with netrc in IRC I seem to recall. I wonder if this was why?) |
Yeah |
netrc files don't seem to support a port - note that they were originally written for FTP authentication, everything else seems like a slight abuse of the file anyways. Thus, I agree that this is kind of weird, and we should rather get the authentication information from the proxy URL. I opened #4278 for that. |
This adds support for proxy authentication using usernames/passwords in ~/.netrc. If the credentials are wrong either an access denied or SSL error occurs, depending on the protocol.
The change that I made in shared.py is probably not great, but it served to test with:
There's probably a better/more secure way to do this, like casting proxy_host to a Qurl before sending it, but that's a bit beyond my knowledge.
I didn't do any documentation for this. I wanted to just fly the general idea past you first.
This change is