Import dependencies behind unsafe proxy using go get

Hi everyone, thank you for reading this,

First, please excuse my English.

My problem is about the GOINSECURE environment variable.

I am working for my corporation behind a firewall and so on…
My goal is to download and import (go get…) a lib.

So the proxy that I am using at my work is working with http (I know…). No https available.

So I had to configure the GOPROXY env. variable to use the right proxy.
And configured the GOINSECURE env. variable to not check over the fact that the proxy is in fact using the http protocol.

Here are my (anonymized) env vars:

PS C:\Users\xx\Documents\go_policyExtractor> go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\xx\AppData\Local\go-build
set GOENV=C:\Users\xx\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=*.PROXY,PROXY,*.github.com,github.com		#uncertainty; PROXY = corpo server hostname
set GOMODCACHE=C:\Users\xx\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\xx\go
set GOPRIVATE=
set GOPROXY=http://xx:XX@PROXY:8080				#xx = username; XX = password; PROXY = corpo server hostname
set GOROOT=C:\Users\xx\Documents\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=C:\Users\xx\Documents\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.2
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\Users\xx\Documents\go_policyExtractor\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\xx\AppData\Local\Temp\go-build3899924670=/tmp/go-build -gno-record-gcc-switches

As you can see, proxy and insecure configured…
But here is the result of any go get

PS C:\Users\xx\Documents\go_policyExtractor> go get github.com/xuri/excelize
go: github.com/mohae/deepcopy@v0.0.0-20170929034955-c48cc78d4826: refusing to pass credentials to insecure URL: http://xx:xxxxx@PROXY:8080/github.com/mohae/deepcopy/@v/v0.0.0-20170929034955-c48cc78d4826.mod

I already read this issue: cmd/go: support sending credentials to an insecure GOPROXY · Issue #35975 · golang/go · GitHub

And tried the local CA fix but…

PS C:\Users\xx\local_ca> mkcert -install
ERROR: add cert: failed adding cert: Access Refused.

I’m done testing everything…

Does anyone have an idea about the way I should use GOINSECURE (is it even the right var?)

Just as a reminder: my goal is to download code from github using go get through my corpo http (no https) proxy.

Thanks for reading this; hope that my explanation was enough.

Hi @Nokeni,

From cmd/go: support sending credentials to an insecure GOPROXY · Issue #35975 · golang/go · GitHub

We intentionally do not support sending credentials to insecure proxies. Accidentally dropping the s in the https:// URL should not result in credentials being sent over the network unencrypted.

So the credentials error is by design.

Looks like the company server needs to either get configured to use https, or be accessible without credentials.

Hi @christophberger, thank you for your attention.

I totally agree with your commentary.

But that is exactly the purpose of the GOINSECURE environment variable, isn’t it?

Here’s the release note of golang’s version where the GOINSECURE var was implemented:
https://golang.org/doc/go1.14

The interesting point in this release note (for us at least) is this one:

Environment variables
GOINSECURE is a new environment variable that instructs the go command to not require an HTTPS connection, and to skip certificate validation, when fetching certain modules directly from their origins. Like the existing GOPRIVATE variable, the value of GOINSECURE is a comma-separated list of glob patterns.

So I thought that I would be able, using this var, to finally reach github.

So is it a bug, or a misunderstanding on my part?

EDIT: I think, reading your comment, that the point is all about credentials. Using GOINSECURE, I could reach github through the proxy using http if the credentials were not in the URL, I guess… Thank you.

Yes, I think the only problem is the credentials that would be sent over plain HTTP. I guess your configuration would work well as it is if the proxy needs no creds or if the connection is HTTPS.
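
The distinction discussed in this thread, as an added example that is not part of the original posts or of the go command's source: GOINSECURE is matched against module paths for direct fetches, while the credentials check applies to the GOPROXY URL itself. `AuditProxy` and `InsecureAllowed` are hypothetical helper names, and the glob matching is a simplified assumption about how the go command treats such lists.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// AuditProxy returns one finding per GOPROXY entry that uses plain HTTP.
// Passwords are masked with url.URL.Redacted so findings are safe to log.
func AuditProxy(goproxy string) []string {
	var findings []string
	sep := func(r rune) bool { return r == ',' || r == '|' }
	for _, e := range strings.FieldsFunc(goproxy, sep) {
		u, err := url.Parse(e)
		if err != nil || u.Scheme != "http" {
			continue // also skips "direct" and "off", which have no scheme
		}
		if u.User != nil {
			findings = append(findings, "REFUSED credentials over plain HTTP: "+u.Redacted())
		} else {
			findings = append(findings, "WARN plain HTTP proxy: "+u.Redacted())
		}
	}
	return findings
}

// InsecureAllowed reports whether modulePath matches a GOINSECURE glob.
// Assumption: simplified prefix matching, where a glob with N slashes is
// compared with the first N+1 elements of the module path.
func InsecureAllowed(goinsecure, modulePath string) bool {
	elems := strings.Split(modulePath, "/")
	for _, glob := range strings.Split(goinsecure, ",") {
		n := strings.Count(glob, "/") + 1
		if glob == "" || n > len(elems) {
			continue
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed values mirroring the anonymized settings in the first post.
	fmt.Println(AuditProxy("http://xx:XX@PROXY:8080,direct"))
	fmt.Println(InsecureAllowed("*.PROXY,PROXY,*.github.com,github.com", "github.com/mohae/deepcopy"))
}
```

With the posted settings the module path matches GOINSECURE, yet the proxy entry is still flagged, which is the combination that produces the error shown in the first post.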
