[Bug][Linux][net8.0] Proxy CONNECT fails (407) using HTTPS_PROXY env var with credentials; No Proxy-Authorization header sent #114066
Comments
|
I tried to repro it locally and it works as expected. Set up local proxy, user name with a dot, set up with env var https_proxy. And it works as expected: proxy replies 407, CONNECT gets resend with Basic auth creds, tunnel is established - as seen in WireShark. So can you reduce it to a simple Also, are you aware that using proxy sitting on HTTP (no TLS) with Basic auth sends your credentials in equivalent of plain text over the wire to the proxy? |
|
This issue has been automatically marked |
|
This issue will now be closed since it had been marked |
Description
Area/Component: System.Net.Http / Networking / NuGet Client (dotnet restore)
Version:
.NET SDK: 8.0.107 (Runtime 8.0.7)
OS: Linux (Oracle Linux 9.1 running in WSL 2)
Problem Description:
When running dotnet restore on Linux behind a proxy that requires Basic authentication, if the proxy settings are configured solely via the HTTPS_PROXY environment variable with embedded credentials (format: http://user:password@proxyhost:port), the restore process fails with error NU1301. Diagnostic logs show the underlying failure is an HTTP 407 (Proxy Authentication Required) response from the proxy server during the initial CONNECT request to establish the HTTPS tunnel.
Crucially, using the curl command in the same WSL environment with the exact same HTTPS_PROXY environment variable setting works correctly. curl successfully sends the Proxy-Authorization: Basic ... header for the CONNECT request and establishes the connection.
Network traces (tcpdump) confirm that dotnet restore (specifically the underlying HttpClient used by NuGet tasks) does not include the Proxy-Authorization header in its CONNECT request, leading to the 407 failure.
This issue is observed even when the user-level ~/.nuget/NuGet/NuGet.Config file is removed or does not contain any conflicting proxy settings, forcing reliance on environment variables.
The same dotnet restore operation works correctly on Windows under the same user account, suggesting the issue is specific to the .NET runtime/SDK's handling of proxy environment variables with credentials on Linux, possibly related to the CONNECT request phase.
Environment Details:
Proxy Server: Fortinet Proxy (identified by Proxy-Agent: Fortinet-Proxy/1.0 header)
Authentication: Requires Basic authentication for HTTPS tunnel requests.
Username Format: Contains special characters, specifically a dot (.), e.g., local.user1.
Reproduction Steps
Evidence / Comparison:
Failing dotnet restore -v d log snippet:
/usr/lib64/dotnet/sdk/8.0.107/NuGet.targets(156,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/home/xxxx/yyyy.csproj]
/usr/lib64/dotnet/sdk/8.0.107/NuGet.targets(156,5): error : The proxy tunnel request to proxy 'http://my.proxy.com/' failed with status code '407'." [/home/xxxx/yyyy.csproj]
...
---> System.Net.Http.HttpRequestException: The proxy tunnel request to proxy 'http://my.proxy.com/' failed with status code '407'."
at System.Net.Http.HttpConnectionPool.EstablishProxyTunnelAsync(Boolean async, CancellationToken cancellationToken)
...
Successful curl -v log snippet (using same env var):
< HTTP/1.1 200 Connection established
< Proxy-Agent: Fortinet-Proxy/1.0
... (TLS handshake and GET succeed) ...
tcpdump snippet during dotnet restore:
18:26:40.525072 eth0 Out IP V62021.47253 > my.proxy.com.http: Flags [P.], seq 2741:2878, ack 592201, win 1499, options [nop,nop,TS val 1825873387 ecr 189830794], length 137: HTTP: CONNECT api.nuget.org:443 HTTP/1.1
Host: api.nuget.org:443
User-Agent: NuGet .NET Core MSBuild Task/6.8.1 (Oracle Linux Server 9.1)
<<< No Proxy-Authorization header present >>>
18:26:40.526905 eth0 In IP my.proxy.com.http > V62021.47253: Flags [.], seq 592201:597993, ack 2878, win 145, options [nop,nop,TS val 189830896 ecr 1825873387], length 5792: HTTP: HTTP/1.1 407 Proxy authentication required
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="domain.com"
...
Expected behavior
dotnet restore (and the underlying HttpClient) should correctly parse the username and password from the HTTPS_PROXY environment variable (in user:password@host:port format) and include the appropriate Proxy-Authorization: Basic header in the initial CONNECT request to the proxy server, allowing successful tunnel establishment and package restore, similar to how curl behaves.
Actual behavior
dotnet restore fails with NU1301. Diagnostic logs show the RestoreTask failing due to System.Net.Http.HttpRequestException: The proxy tunnel request to proxy 'http:///' failed with status code '407'.". Network traces confirm the Proxy-Authorization header is missing from the CONNECT request sent by the .NET process.
Regression?
No response
Known Workarounds
A successful workaround involves setting up a local proxy relay (e.g., tinyproxy) within WSL. The local proxy is configured to authenticate with the upstream Fortinet proxy using Basic auth. dotnet restore is then configured (via HTTPS_PROXY=http://127.0.0.1:<local_port>) to use the local relay. This works correctly, further indicating the issue lies in the initial client (.NET) authentication handling.
Configuration
No response
Other information
No response
The text was updated successfully, but these errors were encountered: