Skip to content
Latchkey

"407 Proxy Authentication Required" in CI

The corporate proxy rejected the request with 407 because it requires authentication and none, or invalid credentials, were sent. The destination was never reached; the proxy itself refused to forward the request.

What this error means

Requests through the proxy fail with "Received HTTP code 407 from proxy after CONNECT" or "407 Proxy Authentication Required", while unproxied localhost calls work.

Terminal
curl: (56) CONNECT tunnel failed, response 407
Received HTTP code 407 from proxy after CONNECT

Common causes

Proxy credentials are missing from the proxy URL

The proxy needs user:pass embedded in the proxy URL (or a Proxy-Authorization header), and the request sent none.

The supplied proxy credentials are wrong

A stale or mistyped username or token authenticates as no one, so the proxy returns 407.

How to fix it

Provide credentials in the proxy URL

  1. Store the proxy username and password as CI secrets.
  2. Embed them in the proxy URL used by HTTPS_PROXY/HTTP_PROXY.
  3. Re-run; the proxy should now forward the CONNECT.
.github/workflows/ci.yml
env:
  HTTPS_PROXY: http://${{ secrets.PROXY_USER }}:${{ secrets.PROXY_PASS }}@proxy.corp.example:8080

Verify the credentials against the proxy

Test the proxy directly so you know whether the account or the URL formatting is wrong.

Terminal
curl -x http://user:pass@proxy.corp.example:8080 https://example.com/ -I

How to prevent it

  • Keep proxy credentials in secrets and inject them into the proxy env vars.
  • URL-encode special characters in the proxy password so parsing does not break.
  • Prefer a proxy that authenticates the runner network over per-request credentials where possible.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →