HTTP 407 while attempting to get dependencies using dep - go

I am trying to work on a Go open source project, on a corporate device. Attempts to address the dependencies via dep ensure command always return 407 PROXY AUTH required. I do have http_proxy and https_proxy environment variable set with values in the format http://user:pasword#proxyname:proxyport. I have also attempted to set the git configs http.proxy. But I do get the same error. What am I missing?
Thanks

This is owing to Git client configuration issues and mismatch between git binary and gnutls. I have had to recompile git binary using openssl, to get this to work.

Related

Using Artifactory to proxy Cypress with CYPRESS_DOWNLOAD_MIRROR

Desired behavior
I would like to use CYPRESS_DOWNLOAD_MIRROR pointing toward my artifactory configuration for Cypress and just be able to do npm install and download library AND binary of Cypress
Current behavior
When setting Cypress in artifactory, and downloading it with CYPRESS_DOWNLOAD_MIRROR set toward this tool, the download script find binary files as X.Y.Z and not cypress.zip and fail. Apparently I can't rename binaries in artifactory. It seems to have made it available in a name X.Y.Z instead of cypress.zip
My artifactory admin tell me to do this command before but I can't since it's a post action of Cypress
curl –v « https://artifactory.mycompany.fr/artifactory/remote-download.cypress-generic/desktop/6.8.0?platform=win32&arch=x64 » > cypress.zip
Workaround
For now, I'm using CYPRESS_INSTALL_BINARY to point to a manually uploaded binary in artifactory but it's a pain because I have to separate Linux binary (for CI) and Windows binary (for dev) and if my package is configured with "cypress": "^6.2.1" the npm library will go to 6.2.1 and my binary will stuck to 6.2.0 for example...
Debug logs
Installing Cypress (version: 6.8.0)
× Downloading Cypress
→ Cypress Version: 6.8.0
Unzipping Cypress
Finishing Installation
The Cypress App could not be downloaded.
Does your workplace require a proxy to be used to access the Internet? If so, you must configure the HTTP_PROXY environment variable before downloading
Cypress. Read more: https://on.cypress.io/proxy-configuration
Otherwise, please check network connectivity and try again:
URL: https://artifactory.mycompany.fr/artifactory/remote-download.cypress.io/desktop/6.8.0?platform=win32&arch=x64
Error: self signed certificate in certificate chain
Download method
npm
Operating System
Linux
Windows
Other
I'm behind a proxy
I don't really know if it's an artifactory or a Cypress matter but I need help ^^
In addition to accepted answer, it is possible to replace pre-defined 'Query Params' with enabling 'Propagate Query Params'. If set, the query params passed with the request to Artifactory, will be passed on to the remote repo.
Please note, according to JFrog docs, this setting is only available for Generic type repositories.
I was able to make it work on Windows using the following:
I created a generic remote repository, making sure it is pointing to https://download.cypress.io, and under the advanced tab, added the query params: platform=win32&arch=x64 (notice there is a dedicated field for it).
The above is required in order to cache the correct binary based on the OS and arch (you might require a different remote repository with different query params).
I found it on Cypress doc that these query params control the binary type which will be downloaded (so we need to make sure it fits the client os and arch).
In the .npmrc I simply provided the following:
CYPRESS_DOWNLOAD_MIRROR=https://user:myverystrongpassword#myartifactory/artifactory/generic-cypress-windows
I've used this command (on MacOS) to directly pass path to downloaded Cypress.zip file
CYPRESS_INSTALL_BINARY=~/Downloads/cypress.zip yarn add cypress --D

Why does go module ssh custom private repo (non-github) config still request https fetch?

I am using Go modules.
In order to use module version, I cannot use local module. For example:
replace locakpkg => ../localpkg v0.1.0
The above will fail because replacement local path cannot have version so far (go 1.15).
Thus, to make the module version work, I decided to use a private ssh repo.
I did search how to make private ssh repo work for two days.
By following many online articles, I did
git config --global url.user#private.com:.insteadOf https://private.com/
go env -w GOPRIVATE=private.com
I found out go get will always do https fetch to check ssl credential. So I configured a https server properly too.
But in the end, I still get an error message:
unrecognized import path "private.com/foo": reading https://private.com/foo?go-get=1: 404 Not Found
I did google this error and found out this spec https://golang.org/ref/mod#vcs-find which says I have to let the server reply with <meta name="go-import" content="root-path vcs repo-url"> for https fetch request.
If there is a way to use git tag versioning in local module packages, I am OK to use local replace in go.mod instead of configuring a private ssh repo.
If the above point is not possible, how to avoid https fetch when I configure a private ssh repo? I think ssh repo has nothing to do with https protocol.
(I am using go 1.15 at linux. The latest stable version while posting this answer)
I solved the problem and posting here, hopefully, this will help other people one day. I don't find any correct answer by my search online.
In short, the answer is to use .git suffix in all places. Without .git suffix, go mod tidy and go get will use https instead of ssh (git).
At Client:
The file ~/.gitconfig (at linux) if you use /repopath/foo.git path at server:
[url "ssh://user#private.com"]
insteadOf = https://private.com
The file ~/.gitconfig (at linux) if you use ~/repopath/foo.git path at server:
[url "user#private.com:"]
insteadOf = https://private.com/
Execute the following to update ~/.config/go/env at linux:
go env -w GOPRIVATE=private.com
In go.mod, it should use
require private.com/repopath/foo.git v0.1.0
In file.go, it should be
import private.com/repopath/foo.git
At SSH Server
in foo.git/go.mod at private server should have:
module private.com/repopath/foo.git
And make sure the git repo at server has tag version v0.1.0. Don't forget to use git push --tags at client to update the tag version to the server. Without --tags, tag version will not be pushed.
After adding .git suffix to all the required places, go mod tidy and go get will no longer send https request.

go get -insecure on a corporate network

C:\Users\me
> go get -insecure github.com/denisenkom/go-mssqldb
# cd .; git clone https://github.com/denisenkom/go-mssqldb C:\Users\me\Projects\Go\src\github.com\denisenkom\go-mssqldb
Cloning into 'C:\Users\me\Projects\Go\src\github.com\denisenkom\go-mssqldb'...
fatal: unable to access 'https://github.com/denisenkom/go-mssqldb/': SSL certificate problem: unable to get local issuer certificate
package github.com/denisenkom/go-mssqldb: exit status 128
According to go help get this connection should drop down to http? Yes? Do I misunderstand? How do I get this to work w/o https?
PS: I'm not interested in trying to fix https (which on this Win10 image I have no control over anyway) - I already fought that battle with npm and lost...
Edit: I found a passable answer by fixing the global git config. I hate to do it, but needs must... atom.io/go-plus does not seem to pick up this config change, I will ping the author.
C:\Users\me
> git config --global http.sslVerify false
Update Q2 2021: with the newly released Go 1.17 (beta), you now have, for deprecations:
go get
The go get -insecure flag is deprecated and has been removed.
To permit the use of insecure schemes when fetching dependencies, please use the GOINSECURE environment variable.
The -insecure flag also bypassed module sum validation, use GOPRIVATE or GONOSUMDB if you need that functionality.
See go help environment for details.

Cargo on Windows behind a corporate proxy

I think this is a very common issue among those who want to use Cargo with Windows at work; I have seen multiple GitHub issues and forum posts related to it, but none of the answers solved my problems.
Whenever I try to build some code pointing to a crates.io crate, I get the following error:
Downloading <package>
error: unable to get packages from source
Caused by:
failed to download package <package> from <package address>
Caused by:
SSL connect error
What can I do to fix this? I know that Cargo can use the settings at .cargo/config and that the proxy details can be included there, but it doesn't work for me, with or without specifying the path for the certificate (I used the one distributed with curl), like below:
[http]
proxy = "http://user:password#proxy-address.xyz:port"
cainfo = "cert.pem"
[https]
proxy = "https://user:password#proxy-address.xyz:port"
cainfo = "cert.pem"
The proxy specified in the config file works for any other purpose.
I'm using Windows 7 64bit, Rust 1.11 GNU and Cargo bundled with it. How can I get this working? Currently I have to resort to downloading crate sources manually from their repositories and specifying paths = [...] for each of them in the Cargo config file.
I had the same problem, and I solved simply setting environment variables http_proxy and https_proxy with http(s)://user:password#proxy-address.xyz:port.
The only annoiyng part is that, when you need to unset the proxy (e.g. when you are smart-working from another network without using company's VPN) you have to unset / delete those variables.
It appears that this is no longer an issue as of cargo 0.13 bundled with Rust 1.13 stable - I no longer need to manually download packages and put them in paths in cargo's config file.

CMake ExternalProject_Add proxy settings

I have been quite successfully using CMake to perform builds using the ExternalProject_Add function, but my company recently put in a proxy server... Which has broken the aforementioned build scripts.
The download step fails during the extract phase because the tarball that was downloaded is only the redirect request from the proxy server (at least I think this is what is contained in the tiny tarball it acquires).
I found this post on the CMake mailing-list. I thought maybe if it worked for the file() command it might work for the ExternalProject_Add() command. I set both http_proxy and HTTP_PROXY environment variables, but still received the same error. I have thought about overriding the DOWNLOAD_COMMAND argument with a wget call since this command seems to behave with the proxy settings. However, I wanted to know if there was a better way.
UPDATE 1: I checked the contents of the small tarball, and it does contain HTML; however, it is a notification that Authentication is required. I'm not sure why it is requiring authentication because I haven't had to enter any login information for wget. wget shows the following output:
Resolving webproxy... 10.0.1.50
Connecting to webproxy|10.0.1.50|:80... connected.
Proxy request sent, awaiting response... 200 OK
Download begins here...
UPDATE 2: I have also noticed that both apt-get and svn fail with this new proxy setup, but git does not... svn complains about "Server sent unexpected return value (307 Proxy Redirect)..." Very confusing...
Thanks!
What version of CMake are you using? The file(DOWNLOAD command started using the follow redirect flag in version 2.8.2, introduced by the following commit:
http://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=ef491f78218e255339278656bf6dc26073fef264
Using a custom DOWNLOAD_COMMAND is certainly a reasonable workaround.

Resources