-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Differences between Windows and Linux when handling HTTPS requests through HTTP proxy #1434
Comments
Thanks for filing this issue. Unfortunately, a majority of the maintainers of urllib3 do not use proxies in our workflow and thus aren't familiar with the ecosystem or issues that are commonly faced by proxy users. |
I had exactly the same issue and found a hack. It has nothing to do with the OS. The source of this issue lies in
The key is that, failed or otherwise, the code only sends one request and then returns. Therefore, NTLM would work if you modify the code to perform the dances prior to the above block. This hack works on my work Windows machine. I don't think it's a "solution" but works in (and only in) this particular case. |
Thanks @YuMan-Tam! Unfortunately, I cannot test your solution, I'm not working with NTLM proxies anymore (thank god! 🙏) |
Hi all, @YuMan-Tam could you share the code snippet for the workaround? - I have been stuck at this problem for quite some weeks. Your help is deeply appreciated |
The relevant modification is commented with “Experimentation connections” and the three import modules sspi, base64, win32api. I think I only modified the function _tunnel. It has been a while since I lasted worked on it so I did not remember the details. But, roughly, for https requests, part of the NTLM dances dropped. Hence, one needs to find a way to keep the connection alive by manually passing the details of the dance. I figured this out by using the chrome/firefox debug log to isolate all send and receive data – up until the error occurs. This work around is specific for windows, and I only tested on my work PC which uses windows 7. However, I believe the mechanism works in general. Authentication information is abstracted away with the sspi and win32api module. Relevant snippet for
|
@YuMan-Tam your snippet worked well. I did this:
repo is here: https://github.com/dopstar/requests-ntlm2 |
Awesome. I hope I will have a chance to test this soon! Thank you again for your work! |
@YuMan-Tam Thanks for the excellent workaround. It worked perfectly in my case trying to NTLM authenticate with corporate proxy without exposing username:password in the code. Hope to see this addressed by urllib soon. |
Hi,
Let me explain the problem I was facing and how I end up here. I'll try to do a brief summary.
I work in a company that protects access to the Internet through a proxy that uses NTLMv2 for authentication. This is not a problem for Windows computers but it is a pain when working with GNU/Linux machines. Anyway, there is a great solution for that: CNTLM. It is possible to create a local proxy that is able to authenticate with the corporate proxy and then, by setting
http_proxy
,https_proxy
andno_proxy
env variables and configuring properly some specific tools that do not use this variables (apt, yum, git, docker, etc.), voilà, Internet for everyone! No problems so far with two exceptions:pip
andconda
.For those struggling with the same issue, please have a look at this open related issue: Doesn't work behind proxy in corporate Windows network (NTLM). I was able to use
pip
with Linux machines by setting up a local Nexus repository and adding pypi as a proxy repo. Yes, Nexus is able to authenticate with the NTLM proxy just fine.But, why do I think this is a
urllib3
issue, too? Sure, some interesting feature to add would be allowing NTLM authentication (see #242), but this is not what I am asking here (sure there are more interesting things to implement before an old authentication method). The problem is when I noticed thatpip
andconda
work just fine in Windows with CNTLM, but not in Linux. Same CNTLM, python andurllib3
versions. And the problem is thaturllib3
does not work properly when doing https requests through a proxy in Linux. I will try to have a look at the code, but I write these issue just in case more familiar withurllib3
can help 😃How to replicate:
virutalenv
orconda env
with python 3urllib3
with pip (I tried version 1.23)✤: A similar proxy can be simulated in GNU/Linux with Squid + Samba + NTLMv2 auth. Also, have a look at this comment: it is possible to set it up with Apache.
In Windows both requests works well. I just get the (expected) warning:
On the other hand, Linux http requests works but https one fails:
It looks like packet is not properly managed by CNTLM. Of course, this is the same error I get when trying to use
pip
andconda
or when using python requests module.Any ideas? Do you know any OS dependent feature that may be causing this?
Thanks!
The text was updated successfully, but these errors were encountered: