"407 Proxy Authentication Required" in CI
The corporate proxy rejected the request with 407 because it requires authentication and none, or invalid credentials, were sent. The destination was never reached; the proxy itself refused to forward the request.
What this error means
Requests through the proxy fail with "Received HTTP code 407 from proxy after CONNECT" or "407 Proxy Authentication Required", while unproxied localhost calls work.
curl: (56) CONNECT tunnel failed, response 407
Received HTTP code 407 from proxy after CONNECTCommon causes
Proxy credentials are missing from the proxy URL
The proxy needs user:pass embedded in the proxy URL (or a Proxy-Authorization header), and the request sent none.
The supplied proxy credentials are wrong
A stale or mistyped username or token authenticates as no one, so the proxy returns 407.
How to fix it
Provide credentials in the proxy URL
- Store the proxy username and password as CI secrets.
- Embed them in the proxy URL used by
HTTPS_PROXY/HTTP_PROXY. - Re-run; the proxy should now forward the CONNECT.
env:
HTTPS_PROXY: http://${{ secrets.PROXY_USER }}:${{ secrets.PROXY_PASS }}@proxy.corp.example:8080Verify the credentials against the proxy
Test the proxy directly so you know whether the account or the URL formatting is wrong.
curl -x http://user:pass@proxy.corp.example:8080 https://example.com/ -IHow to prevent it
- Keep proxy credentials in secrets and inject them into the proxy env vars.
- URL-encode special characters in the proxy password so parsing does not break.
- Prefer a proxy that authenticates the runner network over per-request credentials where possible.