Feature #10652


Automatic detection of user and password from env

Added by xfalcox (Rafael Silva) over 9 years ago. Updated over 9 years ago.

Target version:


Get user and pass from http_proxy variable when specified, so that NET::HTTP can handle connections behind authenticated proxies automatically.

I'm new, so please correct me if this isn't the correct way to go.

Also, I've open a PR on github at [[]]


f17b3008197b81b8afaefb7de2ed43187620a1dc.patch.txt (1.07 KB) f17b3008197b81b8afaefb7de2ed43187620a1dc.patch.txt lib/net/http.rb xfalcox (Rafael Silva), 12/25/2014 09:50 PM

Related issues 1 (0 open1 closed)

Related to Ruby master - Feature #12921: Retrieve user and password for proxy from envClosedActions

Updated by nobu (Nobuyoshi Nakada) over 9 years ago

  • Status changed from Open to Assigned
  • Assignee set to akr (Akira Tanaka)
  • Priority changed from Normal to 3

Looks like a repeated request to my eyes.

Updated by akr (Akira Tanaka) over 9 years ago

  • Assignee changed from akr (Akira Tanaka) to ayumin (Ayumu AIZAWA)
  • Priority changed from 3 to Normal

ayumin committed the patch at r49118.

However, I think there should be security consideration.

Storing secret information in environment variables is not a trivially safe behavior.

For example, I read two articles recently:

Updated by ayumin (Ayumu AIZAWA) over 9 years ago

I'm sorry that I missed this issue. However I think it's reasonable to storing the credential into env.
I believe that the ruby should provide way to access credential which is put on environment as a tool. Using this feature or not is depends on the user.
But if majority do not agree to enable this pach, I'm ok to reverting it soon.

Updated by ayumin (Ayumu AIZAWA) over 9 years ago

I confirmed RFC1738, it says "No user name or password is allowed." for HTTP.
So, I will revert r49118, sorry.

Updated by ayumin (Ayumu AIZAWA) over 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r49124.

Revert r49118 [Feature #10652]

Updated by xfalcox (Rafael Silva) over 9 years ago

I've sent the patch because this behavior is the expected since many unix tools (curl, wget, apt-get) and programming languagues (nodejs, python) respect the environment variable http_proxy.

This makes very hard to use some ruby tools in the enterprise world, where the proxy is required, and you try to use a gem or program that didn't care to be proxy compliant.

Updated by akr (Akira Tanaka) over 9 years ago

curl, wget and apt-get supports storing passwords in .curlrc, .wgetrc, .netrc or apt.conf.

So users can store password in a file if environment variable is not appropriate.
Your patch only supports environment variable.
It encourages users to store passwords in a environment variabe even if it is not appropriate.

I think the missing piece is a library for password store for storing passwords in a file.
(The file should be possible to be encrypted.)

Updated by xfalcox (Rafael Silva) over 9 years ago

Sorry to insist on this, but what about other languages like python and nodejs working fine while ruby fails with "407 Proxy authentication required"?

From an user point of view it's a unexpected behavior, since ruby reads the string, and ignores some parts of it (user & password), while other languages work out of box in his enterprise setup.

This is very annoying when you just want to consume a gem but the author didn't include explict proxy support, and net/http doesn't provide it either.

Actions #9

Updated by shyouhei (Shyouhei Urabe) over 7 years ago

  • Related to Feature #12921: Retrieve user and password for proxy from env added

Also available in: Atom PDF