-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cargo behind a proxy #636
Comments
Typically these proxy variables are given in the form of URLs (e.g. |
I had actually thought of that, and I did try this with all the relevant proxy variables set with the full URLs. I.e., [http]
proxy = "http://proxy.example.com:8000/"
[https]
proxy = "https://proxy.example.com:8000/" and the environment variables being export HTTP_PROXY=http://proxy.example.com:8000/
export HTTPS_PROXY=https://proxy.example.com:8000/
export FTP_PROXY=ftp://proxy.example.com:8000/ but the result remains the same. |
Taking a quick look through libgit2's source, it looks like they handle reading HTTP proxy settings in a private-looking function, but only ever call this function from the winhttp transport. And in fact, @alexcrichton has opened an issue for that here: libgit2/libgit2#2555 |
Aha yes indeed! I would very much like cargo to support proxies. I believe that all of our own personal HTTP requests are routed through proxies when necessary (mostly when dealing with the registry), but as @tomjakubowski found out this has yet to move over to libgit2 on unix. My plan at this point is to make a Thanks for opening this! It's good to have a tracker. |
Is there a way to manually do the cloning ? I am new to rust, so I don't know where cargo is supposed to store the dependent repos ... |
Ok I just cloned it and used a file:/// type url .. |
Until this issue is fixed, you can use |
Same story here -- behind a corporate proxy with SSL certificate injection (and both $ cargo build --verbose
Updating registry `https://github.com/rust-lang/crates.io-index`
Unable to update registry https://github.com/rust-lang/crates.io-index
Caused by:
failed to fetch `https://github.com/rust-lang/crates.io-index`
Caused by:
SSL error: error:140E0114:SSL routines:SSL_shutdown:uninitialized E.g., I normally get Is this also caused by |
@aldanor yes that's coming from libgit2, but I don't think that it's coming from They did have support for Are you sure that the only error there is |
@alexcrichton Nope, not sure it's exactly the same problem (other than the OP's error was "no route to host" and not SSL-related), wonder how to confirm it? It's just I've faced this same problem with most tools and package managers (git, npm, wget, pip to name a few) and in each case it was solved by disabling ssl verification, hence the assumption it was also the problem here. If I enable $ git config --global http.sslverify true
$ git clone https://github.com/rust-lang/cargo.git
Cloning into 'cargo'...
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/rust-lang/cargo.git/info/refs
fatal: HTTP request failed which is a different SSL routine and a different error code, hm... So maybe |
+1 C:\master\src>cargo build To learn more, run the command again with --verbose. C:\master\src>cargo build --verbose Caused by: |
Ok, as a status update to this I've finished binding libgit2's custom transport API and I've written a simple HTTP backend using libcurl: https://crates.io/crates/git2-curl. I'll try to hook this up into cargo and then we should get proxy support for free because libcurl supports it out of the box. Unfortunately the implementation is not super efficient (reads an entire network operation, aka repository, into memory) due to the current design of |
Great!! This would defiantly help/ |
Due to libgit2 not supporting HTTP proxies, the custom transport API of the library must be used to reimplement the HTTP transport with proxy support. The git2-curl crate implements this transport on top of the curl-rust crate. By using libcurl we gain all sorts of proxy support for free. This transport is not used by default, however, as it is not well battle tested and the architecture is not currently ideal (download the entire repo into memory on a clone). Only when an HTTP proxy is present is the new transport used. The other drawback of git2-curl is that it does not currently support authentication. If a private git repository is cloned or authentication is required then it will generate an error instead of correctly asking for credentials. Closes rust-lang#636
Due to libgit2 not supporting HTTP proxies, the custom transport API of the library must be used to reimplement the HTTP transport with proxy support. The git2-curl crate implements this transport on top of the curl-rust crate. By using libcurl we gain all sorts of proxy support for free. This transport is not used by default, however, as it is not well battle tested and the architecture is not currently ideal (download the entire repo into memory on a clone). Only when an HTTP proxy is present is the new transport used. The other drawback of git2-curl is that it does not currently support authentication. If a private git repository is cloned or authentication is required then it will generate an error instead of correctly asking for credentials. Closes #636
Wonder if this is supposed to work now? (not quite clear from the merge mentioned above). Are cargo/libgit2 now expected to respect // Weird thing, I'm not getting a "connection refused" error while using the same proxies as before (were previously causing "ssl certificate failed"). |
@aldanor yeah this should in theory work now, could you gist the errors you're seeing? |
Hi, I'm working behind our company firewall using a Windows 7 PC. I've no futher Network skills. I took the Proxy IP from my Internet Explorer and tried:
Any ideas? THX, Mark |
@worker2345234 could you try also setting the |
Ok, I created a small .cargo/config file:
The cargo result is the same as yesterday. I tried to load https://github.com/rust-lang/crates.io-index directly in the InternetExplorer, works. A screenshot from the InternetExplorer-Settings: |
@minecrawler It seems that it is cargo regression. Does this workaround work for your environment? #598 (comment) |
@minecrawler the In short, it looks like the problem is that Cargo asserts the validity of certificates but the certificate it's working with isn't valid. Cargo doesn't currently respect The tl;dr; I believe is that on Windows right now there's no way to get Cargo to accept an invalidate SSL certificate. Ideally the relevant certificates would be added to your OS certificate store, but we still need to implement custom validation. |
@cosmo0920 Thank you for your hint, but unfortunately that workaround does not work for me. @alexcrichton Thank you for the explanation. There is just one thing I do not understand: Why would it work on an OS other than Windows? How would you go about it on Linux and why shouldn't something like that be a viable option on Windows? |
Each platform has its own method of establishing and validating SSL connections. On Windows the HTTP library we're using, libcurl, doesn't read |
I just downloaded the nightly aaaaannnnddd.... finally it works (after almost 2 years....trying,trying,trying)! First time that I could call successfully e.g. 'cargo install racer' , thanks for the #3699 fix. Highfive Alex, I'm sure this will give rust a kick into company environements. Here a brief summery how I could get it to work (Win7 inside my company behind company Firewall with NTLM authentification): 1.) download and install CNTLM proxy on my PC to manage the authentification for our company firewall [http]
proxy = "127.0.0.1:3128" # use my cntlm proxy for authentification
timeout = 60000 # Timeout for each HTTP request, in milliseconds
check-revoke = false # please ignore the man in the middle attack of our IT department @alex: Would be nice, if you will give the rustup team a hint that they also implement a |
@worker2345234 glad it's working, thanks for the confirmation! Want to file an issue over at rust-lang-nursery/rustup.rs for the revocation issue with rustup? |
rustup also uses curl lib to download the binaries. That's why the rustup tool often doesn't work at companies. |
Oh sure, an issue is just a good tracking point for integration |
was excited to hear that someone got it working, however it's still not working for me :(
with cargo config:
|
I used the same cargo Version: |
My error message with with |
Can confirm that the issue has been resolved for me -- Linux, |
@minecrawler oh dear, and to confirm you placed the configuration in |
@alexcrichton yes, I should have edited the right one, because before I upgraded, I had the local registry configured in that file, which worked (at least for compilation) |
@minecrawler you may be running into a different issue then unfortunately :( |
@alexcrichton is there any way to get more information? For example the reply from the proxy or the reply from the destination? That's the stuff I would expect from |
@minecrawler your error looks like it's happening somewhere deep inside libgit2, which I unfortunately don't know how to coax more debugging information out of :( You could also try building Cargo with debug information and stepping through libgit2, but short of that I unfortunately don't have many ideas :( |
cargo config tip here was great. solved my problem with installing ripgrep. |
I also have an issue related to this: corporate proxy requires authentication, so if I set up the https_proxy env variable with user@host format, it gets back a 407 - authentication failed. If I supply my password, it works, but naturally I want to avoid that if possible. Is there a way make cargo/rustup prompt for the proxy password? |
@bocc I am on Windows, so I don't know if this is helpful. I don't know, what triggered the changes, but lately, the cargo behind a proxy works for me. It just does. However, I use one little tool, which helps me get many tools around our corporate proxy (npm, bower, git,...). It's called CNTLM. I run it as a portable application, using a scheduled script to start it. You can also install it as a service, though (requires admin rights). CNTLM is a local proxy which you can supply with a hashed version of your credentials in a config file. Then you route all traffic over that proxy. Your applications will not require authentication for CNTLM, and CNTLM will do the authentication with the corporate proxy, which means your applications will gain internet access (yay). |
@bocc unfortunately Cargo doesn't support prompting for a password right now, it needs to be configured somehow to be stored via other means (like @minecrawler is mentioning I believe) |
I am having a similar issue;
I am not behind any proxy and every network based app works fine here. I am on windows 10 and have avast as the antivirus. I have already tried disabling the antivirus but that didn't fix anything. My Rust version is |
@alexcrichton I am getting error
|
it's also work fine with socks5 proxy:
|
add proxy config to ~/.cargo/config was working for me
|
I had the same error with a GitLab CI runner in Windows Docker container. I just needed to set the Edit: ...and set the Environment variables |
When running behind a corporate proxy that uses self-signed certificates, there are several cargo configuration features that will help
Extract your Corporate proxy's public certificate chain to base64 encoded.cer files and then using a text editor paste them all into a single file named something like "certificates.pem" (Name is unimportant) |
I am using trying to use Cargo from behind a proxy, and it is unable to fetch external repositories despite having all the appropriate environment variables and configurations.
More specifically, I have the following environment variables set:
along with their lowercase counterparts. Git and Cargo both have in their configuration:
and
git
from the command line works fine; however, when Cargo attempts to fetch a repository, I encounteryet if I run git on its own, it works fine:
The text was updated successfully, but these errors were encountered: