Does git clone work through NTLM proxies?

I've tried both using export http_proxy=http://[username]:[pwd]@[proxy] and git config --global http.proxy http://[username]:[pwd]@[proxy].

I couldn't make it work. It looks like git uses Basic authentication:

Initialized empty Git repository in /home/.../.git/
* Couldn't find host github.com in the .netrc file, using defaults
* About to connect() to github.com port 8080 (#0)
*   Trying 10.... * Connected to github.com (10....) port 8080 (#0)
* Proxy auth using Basic with user '...'
> GET http://github.com/sunlightlabs/fiftystates.git/info/refs HTTP/1.1
Proxy-Authorization: Basic MD...
User-Agent: git/1.6.1.2
Host: github.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
< Via: 1.1 ...
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 4118
* The requested URL returned error: 407
* Closing connection #0
fatal: http://github.com/sunlightlabs/fiftystates.git/info/refs download error - The requested URL returned error: 407

Google search returned mixed and probably not updated results. Somewhere it says that curl is (was?) used under the hood, but its options are (were?) hardwired into code. For example,

curl --proxy-ntlm --proxy ...:8080 google.com

works, and I'd like to use the same option with git.

I need some more definite answers here: has anybody succeeded using git through Windows proxies? Which version?

Thanks.

Default NTLM credentials

In order to use default NTLM credentials, provide an empty username and password:

git config --global http.proxy https://:@proxy:port

Firewall Client for ISA Server

Instead of setting proxy for git, npm, etc. you can use Firewall Client for ISA Server from Microsoft. After installation:

Start > Autostart > Microsoft Firewall Client Management

Settings tab > Manual specified ISA Server > proxy:port

Web Browser tab > Uncheck "Enable web browser automatic configuration."

Git supports NTLM proxy authentication from version 1.7.10 onwards; the relevant commit is https://github.com/gitster/git/commit/dd6139971a18e25a5089c0f96dc80e454683ef0b

The 1.7.10 release notes briefly mentioned it as:

* HTTP transport learned to authenticate with a proxy if needed.

I've successfully tested it with the proxy at my workplace, which is NTLM and requires user/pass; you can test it yourself with the following commands:

git config --global http.proxy http://user:password@proxy.com:port
git clone http://git.videolan.org/git/bitstream.git

Regards,

Cloning works for me but only over HTTP (since our corporate firewall blocks the ssh/git protocols):

$ export http_proxy="http://username:password@proxy:port/"
$ git clone http://github.com/sunlightlabs/fiftystates_site.git fifty
Initialized empty Git repository in /home/user/fifty/.git/
got e15f5192b923d8e87abaeb9406d0f4d80403da09
walk e15f5192b923d8e87abaeb9406d0f4d80403da09
got a78b792191f1cf5e961753dcfe05e9c809bdb0ed
got 76e6e86e72a0f998f7663da69ca49c457a302e27
walk 76e6e86e72a0f998f7663da69ca49c457a302e27
got 35b68a3b876fb90e73ba7a7eb51432e825ef2aa3
...

Github suggests cloning via git://github.com/... but you have to change it to http://github.com/... manually.

Edit: I'm using git version 1.5.6.3.

Hope that helps!

AndreaG (in a comment above) has the only acceptable answer to this problem that I can find. It seems that Git just won't work with NTLM proxies even though it really should because cURL (which it uses underneath) does work just fine. Why this issue can't be fixed I have no idea. It seems to be a fairly common issue.

The solution, in full then, is to use ntlmaps to act as a proxy to the proxy. All you need to do is to download the latest version of the app from: http://ntlmaps.sourceforge.net/

Change the config file to include your authentication and proxy details and then set the proxy to be your new local one:

git config --global http.proxy http://localhost:5865

I can confirm that it works just fine. Not only that, you can use it for any app that requires NTLM authentication but does not provide full NTLM support.

You can also use cntlm,

http://cntlm.sourceforge.net/

A solution similar to ntlmaps but written in pure C. It works in the same way as ntlmaps by creating a local proxy server (127.0.0.1) at a port (3128 default) on your machine. This new locally created proxy server does not require any authentication and thus can be used with any application that supports http proxy. It can also create a local socks proxy if you need one.

The main advantage over ntlmaps, which is written in Python, is that cntlm has very low CPU and RAM usage, typically <2%.

TL/DR:

export GIT_HTTP_PROXY_AUTHMETHOD=basic

or

git config --global http.proxyauthmethod basic

I had the same issue when git (curl) proxy auth did not work. Credentials were right. Upgrading to the latest git-v2.15.0 did not help.

The issue was due to the wrong proxy authentication method being chosen by git-libcurl.

The valid proxy_authmethod options are defined in git source: https://github.com/git/git/blob/d0e9983980a25e0c398cc03342e5ad22ef85b8a8/http.c#L81

The proxyauthmethod can be defined either through the GIT_HTTP_PROXY_AUTHMETHOD environment variable or the http.proxyauthmethod git config option. The environment variable overrides the config option value.
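Added example (not from any of the posts): a small shell check that compares the scheme the client sent with the schemes the proxy lists in its 407 reply, as in the verbose trace in the question, and names the values of http.proxyAuthMethod the proxy would accept. The sample trace is constructed; the function names are hypothetical.

```shell
# Constructed sample trace, in the format of the verbose output in the question.
sample_trace() {
cat <<'EOF'
* Proxy auth using Basic with user 'alice'
> GET http://git.example/repo.git/info/refs HTTP/1.1
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Proxy-Connection: Keep-Alive
EOF
}

# Schemes the proxy offers in its 407 reply, lower-cased, one per line.
offered_schemes() {
    sed -n 's/^< *[Pp]roxy-[Aa]uthenticate: *\([A-Za-z]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Scheme the client actually sent (curl's "Proxy auth using ..." line).
attempted_scheme() {
    sed -n 's/^\* Proxy auth using \([A-Za-z]*\) .*/\1/p' | head -n 1 | tr 'A-Z' 'a-z'
}

# Offered schemes that are also accepted values of http.proxyAuthMethod
# (Kerberos is offered by the proxy but is not a value git accepts).
git_candidates() {
    offered_schemes | while read -r s; do
        case "$s" in
            basic|digest|negotiate|ntlm) printf '%s\n' "$s" ;;
        esac
    done
}

# Reads a trace on stdin and reports whether the client's scheme was offered.
diagnose() {
    trace=$(cat)
    tried=$(printf '%s\n' "$trace" | attempted_scheme)
    cands=$(printf '%s\n' "$trace" | git_candidates | tr '\n' ' ' | sed 's/ $//')
    if printf '%s\n' "$trace" | offered_schemes | grep -qx "$tried"; then
        echo "ok: client used '${tried:-none}', which the proxy offers"
    else
        echo "mismatch: client used '${tried:-none}'; usable http.proxyAuthMethod values: ${cands:-none}"
    fi
}

sample_trace | diagnose
```

A real trace can be fed to diagnose on stdin in place of the constructed sample.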

Since this was a question I kept finding on my search to make this work, I'll add my answer here.

I needed to get access to a github.com hosted repo working via an http(s) proxy (that requires NTLM authentication) on one network, and have it still work when on a normal internet connection, from our Mac OS X dev machines.

Here is how I made it work. This won't work for every git hosting provider, but I'm posting in case it helps you figure this out. This is also only for Mac OS X, but if you figure out how to run something on network change for your system, the rest should follow.

I had to use git clone git@github.com:user/repo.git after setting up ssh access as normal (http://help.github.com/mac-set-up-git/).

I then needed to set up a local http(s) proxy that handles the NTLM authentication, such as ntlmaps, cntlm or Authoxy. I've tested with Authoxy. I'll leave configuring this to you, because you'll need to know your own proxy details.

You'll also need corkscrew, which is just sudo port install corkscrew if you have MacPorts.

Then I added the following to ~/.ssh/config:

Host github.com.disabled
User git
HostName ssh.github.com
Port 443
ProxyCommand /opt/local/bin/corkscrew localhost 6574 %h %p

Where 6574 is the TCP port I set Authoxy to listen on.

Now I created a script that tries to find the http(s) proxy server, and configures the ssh setup according to what it finds, at /usr/local/bin/locationchanger:

#!/bin/sh

set -o nounset
set -o errexit

sleep 10 # allow for WiFi to actually connect.

# if we can find the proxy server, then use it.
if ! host proxy.internal.network;
then
    echo "Proxy server not found, clearing http(s) proxy";
    sed -i '.backup' -E 's/^Host github.com$/Host github.com.disabled/' "$HOME/.ssh/config"
else
    echo "Proxy server found, setting http(s) proxy";
    sed -i '.backup' -E 's/^Host github.com.disabled$/Host github.com/' "$HOME/.ssh/config"
fi
echo "Done."

Don't forget to chmod +x /usr/local/bin/locationchanger.

Now create ~/Library/LaunchAgents/LocationChanger.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>tech.inhelsinki.nl.locationchanger</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/locationchanger</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration</string>
    </array>
</dict>
</plist>

And then launchctl load ~/Library/LaunchAgents/LocationChanger.plist. This launchd job will run whenever the network changes. If it can find your internal network http(s) proxy server, it will make ssh use corkscrew to work through Authoxy, which will handle working through the company proxy. If it can't find the proxy server, it will disable the special ssh config, and you're working just like normal.

Now our team doesn't have to think about network switching anymore.

I've been using ntlmaps and been having good results getting through Windows/NT proxies: http://ntlmaps.sourceforge.net/

The git configuration is:

git config --global http.proxy http://localhost:5865

I have stumbled on an easier and possibly safer solution that works not just for git but also for any command-based installers:

  • Rubygems in ruby
  • npm in node

One solution running all your traffic from the command line is proxied with authentication.

Won't expose your password in the user:password@domain:port format.

Solution:

Download Fiddler. It has a built-in way to add authentication headers to all requests.

Once running, menu Rules -> Automatically Authenticate (tick that).

Then for git

git config --global http.proxy http://localhost:8888
git config --global https.proxy http://localhost:8888

That's it!
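Several answers above put user:password into http.proxy or http_proxy, which stores the password in plain text in the git config file or the process environment. The following added example (not from any of the posts) audits a git config file and the proxy environment variables for such URLs and prints them with the password redacted. The sample config is constructed and the function names are hypothetical.

```shell
# Constructed sample ~/.gitconfig content; hosts and credentials are made up.
sample_gitconfig() {
cat <<'EOF'
[http]
	proxy = http://user:s3cret@proxy.example:8080
[http "https://internal.example/"]
	proxy = https://:@proxy.example:8080
[http "https://other.example/"]
	proxy = http://localhost:3128
EOF
}

# Exit 0 if the URL embeds a non-empty password (scheme://user:password@host).
has_password() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9+.-]*://[^:/@]*:[^@]+@'
}

# Print the URL with its password replaced by ***.
redact_url() {
    printf '%s\n' "$1" |
        sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://[^:/@]*):[^@]+@#\1:***@#'
}

# $1: path to a git config file. One line per proxy URL that stores a password.
audit_gitconfig() {
    sed -n -E 's/^[[:space:]]*proxy[[:space:]]*=[[:space:]]*//p' "$1" |
    while read -r url; do
        if has_password "$url"; then
            echo "gitconfig: $(redact_url "$url")"
        fi
    done
}

# Same check for the proxy variables of the current environment.
audit_env() {
    for name in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY ALL_PROXY; do
        eval "val=\${$name:-}"
        if has_password "$val"; then
            echo "env $name: $(redact_url "$val")"
        fi
    done
}

# Demo on the constructed file; pass "$HOME/.gitconfig" to audit a real one.
tmp=$(mktemp) && sample_gitconfig > "$tmp"
audit_gitconfig "$tmp"
rm -f "$tmp"
```

The empty-credential form https://:@proxy:port and the local relay URLs (localhost:5865, localhost:3128, localhost:8888) from the answers above are not flagged, since neither stores a password.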
