# Portsnap behind a corporate proxy



## Durden (Sep 16, 2013)

I hope someone can help with this. I've been trying to get my ports updated behind our corporate firewall/proxy but receive the following error:


```
fetch: transfer timed out
fetch: 6182ba71de2e177e07bae51b8f445d14000d273c1e282670212c3f82c1c10.tgz appears to be truncated: 4096/72413102 bytes
```

Is there a way around this? I'm fairly sure the problem is the proxy, I've run into similar problems when trying to update an Arch Linux system.

I hope someone can help.


----------



## chatwizrd (Sep 16, 2013)

Use an external proxy.


----------



## Durden (Sep 16, 2013)

This is an external proxy.


----------



## SirDice (Sep 17, 2013)

Durden said:

> I'm fairly sure the problem is the proxy, I've run into similar problems when trying to update an Arch Linux system.
> 
> I hope someone can help.


Have you tried talking to the person that administers the proxy?


----------



## adripillo (Sep 17, 2013)

Durden said:

> I hope someone can help with this. I've been trying to get my ports updated behind our corporate firewall/proxy but receive the following error:
> 
> 
> ```
> ...



You should talk with the person that administrates the proxy and use your work proxy instead of an external one. It should download without any problem, if the admin lets you, of course. I had and have several problems with ports on FreeBSD and PC-BSD at work but it is not the SO _[ ? -- Mod ]_, it is the proxy administrator that just blocks me so he can download movies faster. Anyway back to your problem, FreeBSD should work fine behind a local proxy.


----------



## throAU (Sep 18, 2013)

Yeah I'm stuck trying to make this work too.

I am also the one who administers the proxy (It's a TMG 2010 box running on Windows 2008 R2).  iPhones and other non-Windows devices can authenticate to it.

What now? 

I've tried feeding fetch environmental variables for the username and password but can't seem to make it work.

I have the following in /etc/rc.conf


```
HTTP_PROXY="http://my.proxy.server.com.au:8080"
HTTP_PROXY_AUTH="basic:MyUserName:MyPassword"
```

It certainly doesn't help that the man page for `fetch` gives no indication on how to specify the host/port (i.e., should it be prefixed with HTTP?), doesn't really log what it is doing properly, etc.

As far as I can see, it isn't even hitting my TMG box with the above configuration.

edit:
Stripping the http part from the proxy host like

```
HTTP_PROXY="my.proxy.server.com.au:8080"
```

results in fetch hitting my proxy server, but it doesn't attempt to authenticate with the above configuration.


----------



## SirDice (Sep 18, 2013)

throAU said:

> I have the following in /etc/rc.conf
> 
> 
> ```
> ...


These do absolutely nothing in rc.conf. They're supposed to be set in your user's shell environment. Set them on the command line or add them to ~/.cshrc (assuming you're using csh for root).


----------



## throAU (Sep 18, 2013)

Yeah, I've since figured this out. However, it still doesn't work if I add the variables to the shell. I think it may well be something to do with TMG brain damage - I believe that even if you supply a username and password, it attempts to perform the request without authentication first, and then asks for authentication when the initial request fails.

e.g.


```
# fetch -v -v http://www.freebsd.org
scheme:   [http]
user:     []
password: []
host:     [www.freebsd.org]
port:     [0]
document: [/]
scheme:   []
user:     [domain\username]
password: [********]
host:     [PER-INF-TMG.x.y.z]
port:     [8080]
document: [/]
---> PER-INF-TMG.x.y.z:8080
looking up PER-INF-TMG.x.y.z
connecting to PER-INF-TMG.x.y.z:8080
requesting http://www.freebsd.org/
>>> GET http://www.freebsd.org/ HTTP/1.1
>>> Host: www.freebsd.org
>>> User-Agent: fetch libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
proxy requires authorization
```

This is with the environmental variable for proxy use set as follows:


```
HTTP_PROXY='domain\username:password@PER-INF-TMGW.x.y.z:8080'
```

(I did use \\ to split domain and username of course)


----------



## SirDice (Sep 18, 2013)

It may fail because of the single backslash. Try escaping it:

```
HTTP_PROXY='domain\\username:password@PER-INF-TMGW.x.y.z:8080'
```


----------



## throAU (Sep 18, 2013)

Confirming, plain `sh` for root:


```
# HTTP_PROXY="domain\\username:password@PER-INF-TMGW.x.y.z:8080"
# export HTTP_PROXY
# fetch http://www.google.com.au
fetch: http://www.google.com.au: Proxy Authentication Required
```

I suspect it's due to TMG responding after trying with no authentication that authentication is required, and fetch just dies because it was rejected, whereas Windows then supplies credentials.

At the end of the day, I'm just going to open a hole on my ASA for BSD machines for HTTP.

TMG is so brain-dead that even if you set up a rule for "all users" (as opposed to "all authenticated users") to allow access to a URL, it still demands authentication.

Does anyone know if squid is usable reliably with domain authentication one way or another yet?  I haven't run it since 2008, back then unfortunately the NTLM authentication module would regularly die (forget the reason, but about once a week or so my squid instance would stop authenticating/die) and TMG of course gives management pretty reports, easy Microsoft supplied URL categorization/blocking, etc.

But of course TMG is now end-of-sale, so I'm looking for an alternative.


----------



## adripillo (Sep 18, 2013)

I have squid here and I do not need authentication; it just takes the allowed IPs from a table, and if your IP is not in that file you cannot access the Internet. No need for a user and password. Also, I do not use it permanently, so each time I need to use the Internet on a console I write:

`# setenv http_proxy http://myproxy.server:3128`
`# setenv ftp_proxy http://myproxy.server:3128`


----------



## SirDice (Sep 18, 2013)

Oh. I just noticed something.


```
HTTP_PROXY_AUTH="basic:MyUserName:MyPassword"
```

It's missing the 'realm', so it should be:

```
HTTP_PROXY_AUTH="basic:*:MyUserName:MyPassword"
```

And make sure your proxy allows basic authentication, NTLM is certainly not going to work.


----------



## Durden (Sep 18, 2013)

Man, I've tried all of this and am still not getting anywhere. I'm curious why this works on Linux but not FreeBSD.


----------



## throAU (Sep 19, 2013)

SirDice said:

> Oh. I just noticed something.
> 
> 
> ```
> ...



Well spotted!

However it still doesn't work...


```
# HTTP_PROXY_AUTH="basic:*:domain\\user:password"
# HTTP_PROXY="per-inf-tmgw.x.y.z:8080"
# export HTTP_PROXY
# export HTTP_PROXY_AUTH
# fetch -v -v http://www.google.com.au

... output omitted ...

basic: usr: [xxxxx\xxxxx]
basic: pwd: [xxxxxx]
>>> Proxy-Authorization: Basic d2FcamV0aHJvcjpRcCg0Vk1KZA==
>>> User-Agent: fetch libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
fetch: http://www.google.com.au: Proxy Authentication Required
```

I'll check to see whether the TMG box is supporting basic authentication.  I'm not sure to be honest, however other non-Windows systems work with it (iOS, Android, Firefox, etc).


----------



## SirDice (Sep 19, 2013)

throAU said:

> I'll check to see whether the TMG box is supporting basic auth.  Not sure to be honest, however other non-windows systems work with it (iOS, Android, Firefox, etc).


I'm not sure about iOS or Android but Firefox certainly supports NTLM authentication. It's definitely worth checking. If I remember anything from running ISA back in the day, you should be able to enable both basic and NTLM authentication. It should even be possible to set the authentication to basic (or turn it off completely) only for this machine.


----------
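Added example, not part of any post in this thread: an sh check for the two points SirDice raises, that `HTTP_PROXY_AUTH` needs the `scheme:realm:user:pass` layout and that the proxy must actually offer the scheme being sent. The function names and the 407 header samples are constructed; capturing the proxy's real `Proxy-Authenticate` headers is assumed to be done separately.

```shell
#!/bin/sh
# Added example: function names and header samples are constructed.

# Constructed 407 reply from a proxy offering only integrated authentication.
sample_407_integrated() {
    printf '%s\r\n' \
        'HTTP/1.1 407 Proxy Authentication Required' \
        'Proxy-Authenticate: Negotiate' \
        'Proxy-Authenticate: Kerberos' \
        'Proxy-Authenticate: NTLM' \
        'Connection: close'
}

# Constructed 407 reply from a proxy that also offers Basic.
sample_407_basic() {
    printf '%s\r\n' \
        'HTTP/1.1 407 Proxy Authentication Required' \
        'Proxy-Authenticate: NTLM' \
        'proxy-authenticate: Basic realm="proxy.example"' \
        'Connection: close'
}

# Print the schemes named in Proxy-Authenticate headers read from stdin,
# lowercased, one per line. Header names are matched case-insensitively.
offered_schemes() {
    tr -d '\r' |
        awk 'tolower($1) == "proxy-authenticate:" { print tolower($2) }' |
        sort -u
}

# diagnose VALUE: compare an HTTP_PROXY_AUTH value with the 407 headers on
# stdin and print one verdict: bad-format, scheme-not-offered or ok.
diagnose() {
    fields=$(printf '%s\n' "$1" | awk -F: '{ print NF }')
    scheme=$(printf '%s\n' "$1" | cut -d: -f1 | tr '[:upper:]' '[:lower:]')
    schemes=$(offered_schemes)
    if [ "$fields" -lt 4 ] || [ -z "$scheme" ]; then
        echo bad-format            # expected scheme:realm:user:pass
    elif ! printf '%s\n' "$schemes" | grep -qxF -- "$scheme"; then
        echo scheme-not-offered    # the proxy will keep answering 407
    else
        echo ok
    fi
}

# The thread's corrected value against a proxy that never offers Basic.
sample_407_integrated | diagnose 'basic:*:MyUserName:MyPassword'
```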

