Import dependencies behind unsafe proxy using go get

Hi everyone, thank you for reading this,

First, please excuse my English.

My problem is about the GOINSECURE environment variable.

I am working for my corporation behind a firewall and so on…
My goal is to download and import (go get…) a lib.

So the proxy that I am using at my work is working with http (i know…). No https available.

So I had to configured the GOPROXY env. variable to use the right proxy.
And configured GOINSECURE env. variable to not check over the fact that the proxy is in fact using http protocol.

Here are my (anonymoused) env vars :

PS C:\Users\xx\Documents\go_policyExtractor> go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\xx\AppData\Local\go-build
set GOENV=C:\Users\xx\AppData\Roaming\go\env
set GOEXE=.exe
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=*.PROXY,PROXY,*,		#uncertainty; PROXY = corpo server hostname
set GOMODCACHE=C:\Users\xx\go\pkg\mod
set GOOS=windows
set GOPATH=C:\Users\xx\go
set GOPROXY=http://xx:XX@PROXY:8080				#xx = username; XX = password; PROXY = corpo server hostname
set GOROOT=C:\Users\xx\Documents\go
set GOTOOLDIR=C:\Users\xx\Documents\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.2
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set GOMOD=C:\Users\xx\Documents\go_policyExtractor\go.mod
set CGO_CFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\xx\AppData\Local\Temp\go-build3899924670=/tmp/go-build -gno-record-gcc-switches

As you can see, proxy and insecure configured…
But here is the result of any go get

PS C:\Users\xx\Documents\go_policyExtractor> go get
go: refusing to pass credentials to insecure URL: http://xx:xxxxx@PROXY:8080/

I already rode this issue : cmd/go: support sending credentials to an insecure GOPROXY · Issue #35975 · golang/go · GitHub

And tried the local CA fix but…

PS C:\Users\xx\local_ca> mkcert -install
ERROR: add cert: failed adding cert: Access Refused.

I’m done testing everything…

Do anyone has an idea about the way i should use GOINSECURE (is it even the right var?)

Just to remember : my goal is to download code from github using go get through my corpo http (no https) proxy.

Thanks for reading this; hope that my explanation was enough.

Hi @Nokeni,

From cmd/go: support sending credentials to an insecure GOPROXY · Issue #35975 · golang/go · GitHub

We intentionally do not support sending credentials to insecure proxies. Accidentally dropping the s in the https:// URL should not result in credentials being sent over the network unencrypted.

So the credentials error is by design.

Looks like the company server needs to either get configured to use https, or be accessible without credentials.

Hi @christophberger, thank you for your attention.

I totally agree with your commentary.

But that is exactly the purpose of the GOINSECURE environment variable isn’t it ?

Here’s the release note of golang’s version where GOINSECURE var has been implemented :

The interesting point on this release note (for us at least) is this one :

        Environment variables
GOINSECURE is a new environment variable that instructs the go command to not require an HTTPS connection, and to skip certificate validation, when fetching certain modules directly from their origins. Like the existing GOPRIVATE variable, the value of GOINSECURE is a comma-separated list of glob patterns.

So I thought that i would be able, using this var, to finally reach github.

So is it a bug, or a misunderstood from myself ?

EDIT : I think, reading your comment that the point is all about credentials. Using GOINSECURE, i could reach github through the proxy using http if the credentials were not in the URL i guess… Thank you.

Yes, I think the only problem at the credentials that would be sent over plain HTTP. I guess your configuration would work well as it is if the proxy needs no creds or if the connection is HTTPS.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.