Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: How to trouble shoot "code 407 from proxy after CONNECT"
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: walter via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 31 Aug 2022 12:49:06 +1000
On 30 Aug 2022, at 20:54, Daniel Stenberg wrote:
> On Tue, 30 Aug 2022, Walter via curl-users wrote:
>
> The 407 response is used for proxies both for temporary "handshake
> responses" but also for "you are not authenticated" responses. In the
> case of NTLM, it needs one or two 407s back before it is supposed to
> succeed.
Daniel, thanks for chiming in! :-)
When I issue the request with the –-verbose option, I get details like
this (some info is obfuscated):
* About to connect() to proxy 123.456.78.90 port 3129 (#0)
* Trying 123.456.78.90...
* Connected to 123.456.78.90 (123.456.78.90) port 3129 (#0)
* Establish HTTP proxy tunnel to httpbin.org:443
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'DOMAIN\user'
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> Proxy-Authorization: NTLM
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Access Denied
< Server: WebMarshal Proxy
< Content-Length: 0
< Proxy-Connection: keep-alive
< Proxy-Authenticate: NTLM
< X-WebMarshal-RequestID: <ID_string1>
<
* TUNNEL_STATE switched to: 0
* Establish HTTP proxy tunnel to httpbin.org:443
* Proxy auth using NTLM with user 'DOMAIN\user'
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> Proxy-Authorization: NTLM
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Access Denied
< Expires: 0
< Server: WebMarshal Proxy
< Cache-Control: no-cache
< Proxy-Connection: close
< Via: 1.1 WEBMARSHAL
< Content-Length: 2361
< Content-Type: text/html; charset=utf-8
< Proxy-Authenticate: Basic realm="WebMarshal Proxy Server"
< X-WebMarshal-RequestID: <ID_string2>
<
* Ignore 2361 bytes of response-body
* Received HTTP code 407 from proxy after CONNECT
* Connection #0 to host 123.456.78.90 left intact
curl: (56) Received HTTP code 407 from proxy after CONNECT
> Make sure that the Proxy-authenticate headers you receive back from
> the proxy states that it wants NTLM.
The way I read the verbose output above is that the proxy *does* try
NTLM authentication.
> If possibly, investigate what the proxy itself logs for this traffic.
Unfortunately I have no control over the proxy.
It might be a network issue, because from a normal browser (which sits
on a Windows machine) I can download external URLs. Can I tell curl
other details to feed to the proxy?
Date: Wed, 31 Aug 2022 12:49:06 +1000
On 30 Aug 2022, at 20:54, Daniel Stenberg wrote:
> On Tue, 30 Aug 2022, Walter via curl-users wrote:
>
> The 407 response is used for proxies both for temporary "handshake
> responses" but also for "you are not authenticated" responses. In the
> case of NTLM, it needs one or two 407s back before it is supposed to
> succeed.
Daniel, thanks for chiming in! :-)
When I issue the request with the –-verbose option, I get details like
this (some info is obfuscated):
* About to connect() to proxy 123.456.78.90 port 3129 (#0)
* Trying 123.456.78.90...
* Connected to 123.456.78.90 (123.456.78.90) port 3129 (#0)
* Establish HTTP proxy tunnel to httpbin.org:443
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'DOMAIN\user'
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> Proxy-Authorization: NTLM
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Access Denied
< Server: WebMarshal Proxy
< Content-Length: 0
< Proxy-Connection: keep-alive
< Proxy-Authenticate: NTLM
< X-WebMarshal-RequestID: <ID_string1>
<
* TUNNEL_STATE switched to: 0
* Establish HTTP proxy tunnel to httpbin.org:443
* Proxy auth using NTLM with user 'DOMAIN\user'
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> Proxy-Authorization: NTLM
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Access Denied
< Expires: 0
< Server: WebMarshal Proxy
< Cache-Control: no-cache
< Proxy-Connection: close
< Via: 1.1 WEBMARSHAL
< Content-Length: 2361
< Content-Type: text/html; charset=utf-8
< Proxy-Authenticate: Basic realm="WebMarshal Proxy Server"
< X-WebMarshal-RequestID: <ID_string2>
<
* Ignore 2361 bytes of response-body
* Received HTTP code 407 from proxy after CONNECT
* Connection #0 to host 123.456.78.90 left intact
curl: (56) Received HTTP code 407 from proxy after CONNECT
> Make sure that the Proxy-authenticate headers you receive back from
> the proxy states that it wants NTLM.
The way I read the verbose output above is that the proxy *does* try
NTLM authentication.
> If possibly, investigate what the proxy itself logs for this traffic.
Unfortunately I have no control over the proxy.
It might be a network issue, because from a normal browser (which sits
on a Windows machine) I can download external URLs. Can I tell curl
other details to feed to the proxy?
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-08-31