diff --git a/src/cargo/ops/registry.rs b/src/cargo/ops/registry.rs
index 3346e5b41a6..4bc5b56f837 100644
--- a/src/cargo/ops/registry.rs
+++ b/src/cargo/ops/registry.rs
@@ -560,6 +560,9 @@ pub fn configure_http_handle(config: &Config, handle: &mut Easy) -> CargoResult<
     if let Some(proxy) = http_proxy(config)? {
         handle.proxy(&proxy)?;
     }
+    handle.proxy_auth(&http.proxy_auth.to_easy())?;
+    handle.proxy_username(http.proxy_username.as_deref().unwrap_or(""))?;
+    handle.proxy_password(http.proxy_password.as_deref().unwrap_or(""))?;
     if let Some(cainfo) = &http.cainfo {
         let cainfo = cainfo.resolve_path(config);
         handle.cainfo(&cainfo)?;
diff --git a/src/cargo/util/config/mod.rs b/src/cargo/util/config/mod.rs
index 5743f9baf3f..3c52cdb15cd 100644
--- a/src/cargo/util/config/mod.rs
+++ b/src/cargo/util/config/mod.rs
@@ -77,7 +77,7 @@ use crate::util::{internal, toml as cargo_toml};
 use crate::util::{FileLock, Filesystem, IntoUrl, IntoUrlWithBase, Rustc};
 use anyhow::{anyhow, bail, format_err, Context as _};
 use cargo_util::paths;
-use curl::easy::Easy;
+use curl::easy::{Auth, Easy};
 use lazycell::LazyCell;
 use serde::Deserialize;
 use toml_edit::{easy as toml, Item};
@@ -2215,10 +2215,41 @@ impl Drop for PackageCacheLock<'_> {
     }
 }
 
+#[derive(Debug, Default, Deserialize, PartialEq)]
+#[serde(rename_all = "kebab-case")]
+pub enum CargoHttpProxyAuth {
+    #[default]
+    Auto,
+    Disable,
+    Basic,
+    Digest,
+    Gss,
+    Ntlm,
+}
+
+impl CargoHttpProxyAuth {
+    pub fn to_easy(&self) -> Auth {
+        let mut auth = Auth::new();
+        match self {
+            Self::Auto => auth.basic(true).digest(true).gssnegotiate(true).ntlm(true),
+            Self::Disable => &auth,
+            Self::Basic => auth.basic(true),
+            Self::Digest => auth.digest(true),
+            Self::Gss => auth.gssnegotiate(true),
+            Self::Ntlm => auth.ntlm(true),
+        };
+        auth
+    }
+}
+
 #[derive(Debug, Default, Deserialize, PartialEq)]
 #[serde(rename_all = "kebab-case")]
 pub struct CargoHttpConfig {
     pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: CargoHttpProxyAuth,
+    pub proxy_username: Option<String>,
+    pub proxy_password: Option<String>,
     pub low_speed_limit: Option<u32>,
     pub timeout: Option<u64>,
     pub cainfo: Option<ConfigRelativePath>,
diff --git a/src/doc/src/reference/config.md b/src/doc/src/reference/config.md
index 1b4243ffa34..75bf886218d 100644
--- a/src/doc/src/reference/config.md
+++ b/src/doc/src/reference/config.md
@@ -96,6 +96,9 @@ vcs = "none"              # VCS to use ('git', 'hg', 'pijul', 'fossil', 'none')
 [http]
 debug = false               # HTTP debugging
 proxy = "host:port"         # HTTP proxy in libcurl format
+proxy-auth = "auto"         # HTTP proxy authentication mechanism
+proxy-username = ""         # HTTP proxy username
+proxy-password = ""         # HTTP proxy password
 ssl-version = "tlsv1.3"     # TLS version to use
 ssl-version.max = "tlsv1.3" # maximum TLS version
 ssl-version.min = "tlsv1.1" # minimum TLS version
@@ -627,6 +630,28 @@ setting in your global git configuration. If none of those are set, the
 `HTTPS_PROXY` or `https_proxy` environment variables set the proxy for HTTPS
 requests, and `http_proxy` sets it for HTTP requests.
 
+##### `http.proxy-auth`
+* Type: string
+* Default: "auto"
+* Environment: `CARGO_HTTP_PROXY_AUTH`
+
+Sets a mechanism to authenticate against the proxy.
+Possible values are: "auto", "disable", "basic", "digest", "gss" and "ntlm".
+
+##### `http.proxy-username`
+* Type: string
+* Default: none
+* Environment: `CARGO_HTTP_PROXY_USERNAME`
+
+Authenticate against the proxy using the given username.
+
+##### `http.proxy-password`
+* Type: string
+* Default: none
+* Environment: `CARGO_HTTP_PROXY_PASSWORD`
+
+Authenticate against the proxy using the given password.
+
 ##### `http.timeout`
 * Type: integer
 * Default: 30
diff --git a/src/doc/src/reference/environment-variables.md b/src/doc/src/reference/environment-variables.md
index d49922afbfd..f5b8764fb0b 100644
--- a/src/doc/src/reference/environment-variables.md
+++ b/src/doc/src/reference/environment-variables.md
@@ -101,6 +101,9 @@ In summary, the supported environment variables are:
 * `CARGO_FUTURE_INCOMPAT_REPORT_FREQUENCY` - How often we should generate a future incompat report notification, see [`future-incompat-report.frequency`].
 * `CARGO_HTTP_DEBUG` — Enables HTTP debugging, see [`http.debug`].
 * `CARGO_HTTP_PROXY` — Enables HTTP proxy, see [`http.proxy`].
+* `CARGO_HTTP_PROXY_AUTH` — The proxy authentication mechanism, see [`http.proxy-auth`].
+* `CARGO_HTTP_PROXY_USERNAME` — The proxy username, see [`http.proxy-username`].
+* `CARGO_HTTP_PROXY_PASSWORD` — The proxy password, see [`http.proxy-password`].
 * `CARGO_HTTP_TIMEOUT` — The HTTP timeout, see [`http.timeout`].
 * `CARGO_HTTP_CAINFO` — The TLS certificate Certificate Authority file, see [`http.cainfo`].
 * `CARGO_HTTP_CHECK_REVOKE` — Disables TLS certificate revocation checks, see [`http.check-revoke`].
@@ -163,6 +166,9 @@ In summary, the supported environment variables are:
 [`future-incompat-report.frequency`]: config.md#future-incompat-reportfrequency
 [`http.debug`]: config.md#httpdebug
 [`http.proxy`]: config.md#httpproxy
+[`http.proxy-auth`]: config.md#httpproxy-auth
+[`http.proxy-username`]: config.md#httpproxy-username
+[`http.proxy-password`]: config.md#httpproxy-password
 [`http.timeout`]: config.md#httptimeout
 [`http.cainfo`]: config.md#httpcainfo
 [`http.check-revoke`]: config.md#httpcheck-revoke