53

I'm using Git on Windows, on a corporate network where I'm behind an HTTP proxy with Basic authentication. Outbound SSH doesn't work, so I have to use HTTPS through the proxy.

I'm aware of how to use git config http.proxy to configure the settings as http://[username]:[password]@[proxy]:[port].

However, particularly as this is a shared machine, I'd rather not store my password in my .gitconfig. Additionally, changing my .gitconfig using the git config command leaves my password in my bash history, so even if I remember to clear my .gitconfig at the end of the session, I'll almost certainly forget to clear my history as well.

I've tried setting http.proxy without a password, in the vain hope that I'd get a prompt asking me for my password when I try to push/pull, but I only get a 407 Proxy Authentication Required. All the information I've found online seems to either ignore the issues with having the password saved in plaintext in .gitconfig, or deals with NTLM proxies.

I'm quite happy to type my proxy details every time I need to connect - the best solution I can see at the moment is writing a wrapper script that will prompt for my password and set that as an environment variable when calling git proper. Is this a decent solution, and are there any security implications to setting an environment variable for a single call in a script? Preferably, are there any built-in settings or existing tools that I can use for this?

ajd
  • 982
  • 1
  • 8
  • 19

5 Answers5

62

since git 2.8.0

git config --global http.proxy http://[user]@proxyhost:port
git config --global credential.helper wincred
0xA0
  • 649
  • 5
  • 6
  • Works for me. (from PowerShell console, without git bash) To be explicit, "[user]" is replaced by the actual Domain\UserName (or similar). I get an initial error when pushing/pulling: fatal: HttpRequestException encountered. An error occurred while sending the request. ...but the command goes through and completes the push/pull. thx @0xA0 – HerbM Aug 17 '18 at 11:48
  • Though I also need: https.sslverify = false – HerbM Aug 17 '18 at 11:55
  • 1
    This is the best solution I've seen since most other suggestions involve either storing the password in plaintext or switching off `sslverify`. – David Brower Jan 29 '20 at 09:55
  • This is slightly safer than store the password in an environmental variable since it can be accessed by any program in user mode. – Welgriv Mar 18 '20 at 13:15
  • For me `[user]` didn't work. I have replaced it with my username and it worked. – Daniels118 Oct 12 '21 at 12:58
43

Instead of using git setting, you can also use environment variable (that you can set just for your session), as described in this answer:

set http_proxy=http://username:password@proxydomain:port
set https_proxy=http://username:password@proxydomain:port
set no_proxy=localhost,.my.company

So your wrapper script could, instead of modifying the .gitconfig (and leaving your password in plain text) set environment variables on demand, just for your current session.

As noted by Welgriv, this is unsafe since environmental variables can be accessed by any program in user mode.

These days (2020, 5+ years later), I prefer:

set http_proxy=http://127.0.0.1:3128
set https_proxy=http://127.0.0.1:3128

With 127.0.0.1:3128 being the default URL for a genotrance/px, a small HTTP proxy server, which will automatically authenticate through an NTLM proxy.
No password or even user to set.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Thx vonc * I can use a *combination of your answer and the one offered by @0xA0 * -- easily change the value of the proxy in the environment and also use my WinCred to authenticated. – HerbM Aug 17 '18 at 12:03
  • 1
    @HerbM Sure, both approaches are valid and, in your case, complementary. – VonC Aug 17 '18 at 12:10
  • It's unsafe since environmental variables can be accessed by any program in user mode. – Welgriv Mar 18 '20 at 13:15
  • @Welgriv I agree and I have included your comment in the answer for more visibility. I have added as well an alternative solution. – VonC Mar 18 '20 at 13:22
3

VonC's answer doesn't always solve the problem. I don't know why, but it may depend on the proxy server - or maybe it's some other issue alltogether?

It may help to replace the git:// protocol of the repository with http://.

Note: As in VonC's answer, you'll have to setup the http(s)_proxy environment variables first:

set http_proxy=http://username:password@proxydomain:port
set https_proxy=http://username:password@proxydomain:port

For example, clone marble's stable git would usually be cloned like this (from the marble documentation):

git clone -b Applications/15.12 git://anongit.kde.org/marble ~/marble/sources

In windows' cmd (assuming http_proxy has been set), you may then have to use http[s]:// instead:

git clone -b Applications/15.12 http://anongit.kde.org/marble ~/marble/sources
DomTomCat
  • 8,189
  • 1
  • 49
  • 64
0

I know this is an old post but thought I should add a note. In Windows 10, I did the above command in git bash as "git config --global https.proxy http://[userid]:[passwordWithSpclChars]@url:port" ... but since my credential has special characters, I had to then edit the config file C:\USERS<userid>.gitconfig to URL encode the special characters in my credential. Then I was able to proceed with git fetch from origin.

iowatiger08
  • 1,892
  • 24
  • 30
  • You can also percent encore the special character: https://stackoverflow.com/a/35195690/6309 – VonC Feb 02 '22 at 19:41
  • Yeah this still stores a credential locally. The set environment variable setting however did not work for me though. – iowatiger08 Feb 03 '22 at 22:31
-3

If you are behind Proxy server, follow this.

Make sure port 9418 is excluded from your firewall rules.Ask network administrator

Unset Proxy if it is already set:

  • git config --global --unset http.proxy
  • git config --global --unset https.proxy

Set the proper Proxy:

Common Errors:

  • 502: URL/IP is unreachable from your network.
  • 407: Proxy authentication Denied.
  • 80 : Proxy has not been set properly.
Rahul Shukla
  • 21
  • 2
  • 3
    This saves the password to disk, which the question specifically wants to avoid. – Tom Apr 27 '18 at 08:39