need explicit proxy settings

Bug #244448 reported by anatoly techtonik on 2008-07-01
This bug affects 2 people
Affects Status Importance Assigned to Milestone

Bug Description

Common practice to make bzr 1.5 work through a proxy is to specify proxy settings in environment variables HTTP_PROXY and HTTPS_PROXY. The one side of the problem is that it is undocumented, but there is also another side that this variables are not available on windows unlike the other platforms. If the proxy requires authentication it is also a great security risk to place login/pass (esp. domain credentials often used for windows proxies) into environment variables. Although config files is not the best place to store passwords either, exposing them in environment variable is like writing them on a wall.

To store credentials more or less securely I propose entering "proxy_server", "proxy_user" and "proxy_pwd" configuration variables explicitly in [DEFAULT] section of some global and into branch/project specific sections of configuration files. Current authentication.conf file description is confusing and file format is itself bogus in the sense that it still needs HTTP_PROXY variable to supply user/pass for it. I doubt that it works at all, at least for my installation modifying [proxy] settings doesn't affect anything with or without HTTP_PROXY set (windows 2000).

Windows proxy options processing should take into account that some special combination of username and password (possibly empty) can be used to allow SSPI magic authenticate against proxy transparently. See bug #244435

description: updated
Vincent Ladeuil (vila) wrote :

authentication.conf does provides the necessary settings, as long as the host matches the proxy and the scheme matches the protocol used.

bug #244435 *is* relevant though

Vincent Ladeuil (vila) wrote :

But pycurl doesn't know about authentication.conf and the urllib implementation doesn't know about SSPI

Changed in bzr:
status: New → Invalid
anatoly techtonik (techtonik) wrote :

So. Do I need to use HTTP_PROXY environment variable to make settings in authentication.conf work?

How can I specify in authentication.conf that one project should be accessible through one proxy and other with no proxy at all?

Changed in bzr:
status: Invalid → Incomplete
Vincent Ladeuil (vila) wrote :

No. Authentication.conf provides additional information based on the host used.

The problem here is that pycurl is used as blackbox and our wrapper do not attempt to decorate the HTTP[S]_PROXY variable(s).

Then, the urllib implementation lacks SSPI support.

For your last question, authentication.conf doesn't try to associate a proxy with a project.

Proxies are associated with hosts. If your projects are on different hosts, then fine.

Wether or not you need a proxy for a host is also configured via the no_proxy environment variable.

Or more appropriately for windows (but this is relevant for urllib implementation only) from either the environment variables *or* the Internet Settings found in the registry by python (see python getproxies_registry() for the gory details).

What bzr http implementation are you using ?

anatoly techtonik (techtonik) wrote :

I am using both standalone bzr-1.5.exe distribution and Python 2.5 package.

So, how can I configure bzr to associate proxies with hosts using the following requirements, so that this configuration can be copied to other developer machines?

Consider one host is my local server "localhost", which should not be accessible via proxy.
Other server "vpn-dev" is on remote subnet and should be accessible via local proxy "localhost:1080".
All unknown servers should be directed to domain proxy.

Vincent Ladeuil (vila) wrote :

The proxy configuration in your case is not specific to bzr, what you want is no proxy for localhost.

Having two different proxies is rather unusual and I don't know how to handle that easily (setting env variables or modifying your internet setttings are not easy).

How do you configure, say, firefox or internet explorer to work with such a config ?

By using an automatic proxy configuration url pointing to a js script ?

In that case there is no equivalent for neither pycurl nor urllib and you'll have to set env variables or wrap bzr calls. Not nice :-/

Why do you *need* a local proxy ? Can't that be handled by your domain proxy ?

And by bzr http implementation I meant urllib or pycurl, i.e. do you use just 'http:' (in which case pycurl is used if installed (AFAIK windows version includes pycurl) or 'http+urllib:' or 'http+pycurl:' do be explicit ?

anatoly techtonik (techtonik) wrote :

Proxy configuration is bzr specific and is used solely for accessing to source repositories. In subversion server configuration is contained in "servers" file. Servers are grouped into sections with wildcards if required like * etc. Then each section has its own http_proxy settings.

FF and IE use only one HTTP/HTTPS protocol and can authenticate with the proxy via SSPI. There is no problem with them. For other services I need to run local authorization proxy server. FF uses standard PAC (proxy autoconfiguration) file to distinguish between local and external addresses (there are also PhProxy and FoxyProxy extensions). Domain proxy is also a content-filtering proxy and from time to time I need to wrap connection in tunnel to bypass HTTP filters. Tunnel made with a PyTTY with SOCKS turned on.

http:// doesn't work because of so I used nosmart+http://

I was able to use http:// protocols after I've setup environment variables to point local authorization proxy server, but what I would like from this bugreport is to provide some arguments that bzr specific proxy/connection/server configuration should be contained in its own configuration file.

Vincent Ladeuil (vila) wrote :

Ok, so a possible solution will be to allow specifying http[s]_proxy in locations.conf/branch.conf and leave credentials in authentication.conf (or not, user choice) and gives these definitions priority over environment variables (not trivial but doable).

Your setup is rather unusual since you seem to encounter a lot of problems to go through your proxy. Generally we avoid out-smarting the network connection itself to keep both usage and code simple.

What do you call 'local authorization proxy' ? What software do you use for that ?

By PyTTY did you mean PuTTY ? AIUI, this is another case where you have to work around your proxy limitations (or bzr lack of support for it).

Will adding support for NTLM to urllib provide a alternative solution ; i.e. will you still need to use two different proxies or will that be enough to just use your proxy (are have you already encounter content-filtering problems when accessing bzr remote branches) ?

anatoly techtonik (techtonik) wrote :

'local authorization proxy' is NTLMaps - - it uses domain password to authenticate to parent proxy. One annoyance though is that it asks password every time, but at least it doesn't stored anywhere. It provides plain proxy interface for programs that doesn't support proxy authorization at all.

PyTTY is indeed PuTTY. It provides SOCKS server to tunnel requests over SSH connections. I believe bzr has similar bzr+ssh:// scheme, but it needs tunneling anyway through 80 or 443 port, because domain proxy bans connections on SSH port 22.

I haven't encountered content-filtering problems with bzr yet, because I've started to use it a couple days ago, but there were such problems with svn. Good svn has a detailed connection log to debug the problem, but it still took a long time to pinpoint the problem. If bzr uses plain HTTP requests with URLs that can contain words that can be filtered or request content can be matched by proxy filter then there are chances that at some point I will need to tunnel this connection too.

Vincent Ladeuil (vila) wrote :

Thanks for the detailed reply, things are clearer now.

I think this bug should be splitted to address the two identified problems:

- this bug should be about allowing specifying proxies at the location level (either in locations.conf or branch.conf),

- bug #244879 is about supporting NTLM in the urllib implementation.

As noted in bug #177643, handling proxies without relying on env variables for pycurl will be tricky.

About detailed log, using -Dhttp on the failing bzr commands should provides enough information to debug, if it doesn't... file a bug and we'll add the necessary traces (we already log all requests and headers sent and received, but if you need more, just say so).

I'll mark this bugs as confirmed.

Changed in bzr:
importance: Undecided → Medium
status: Incomplete → Confirmed
anatoly techtonik (techtonik) wrote :

Thanks for filing another bugreport. -Dhttp seems to be useful. Too bad it not documented neither in some "troubleshooting" chapter nor in config files.

Vincent Ladeuil (vila) wrote :

You're right, it appears in:
  bzr help global-options

with all the debug options available for troubleshooting.

May be we should have a "troubleshooting" help topic mentioning these flags and how to find and use .bzr.log

Libor Nenadál (libor-nenadal) wrote :

This proxy thing is very annoying as I'm using Windows and now I'm stuck in setting some environment variable instead of using Bazaar. Proxy definition in config file would be much better. Thank you.

I don't understand because I have the opposite problem : I don't want to use a proxy with bzr but bzr use Internet Explorer configuration :

Jelmer Vernooij (jelmer) on 2017-11-08
tags: added: check-for-breezy
Jelmer Vernooij (jelmer) on 2018-02-10
tags: added: win32
removed: check-for-breezy
tags: removed: win32
Changed in brz:
status: New → Triaged
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions