How to clone from github from behind corporate proxy

Question

I am behind a corporate proxy that is pretty annoying:

1. The actual proxy address used is determined by a script
2. It requires authentication
3. It replaces the certificates of web pages using HTTPS

How to successfully clone a github repository in this scenario?

Answer 1

1. The first issue is not really related to git - it's more that it is a necessary step to be able to actually configure the proxy.
   The proxy configuration on a windows computer can be found at Control Panel -> Internet Options -> Connections -> LAN settings.
   If "Use automatic configuration script" is checked, you first need to download the specified file and open it. I got a file containing a small script. It looked something like this:

   function FindProxyForURL(url, host)
   {
       var myip = myIpAddress();
       var hostip = dnsResolve(host);
       if (isInNet(hostip,"192.168.0.0","255.255.0.0"))
           return "DIRECT";
       if (isInNet(hostip,"xyz.abc.0.0","255.255.0.0"))
           return PROXY special-proxy:8080;
       return "PROXY default-proxy:8080";
   }
   

   So, in my case, the proxy to use was default-proxy:8080.

2. To actually get git to use the proxy, I had to use git config --global http.proxy http://<domain>\<username>:<password>@default-proxy:8080.

   The obvious downside to this is that you will have your domain password stored as plain text on the hard disk.

   Other settings didn't work, although different sources claim they should. Those were:

   1. Setting the environment variables https_proxy or http_proxy to http://<domain>\<username>:<password>@default-proxy:8080
   2. Setting the global git config to that value: git config --global https.proxy http://<domain>\<username>:<password>@default-proxy:8080
   3. Setting the environment variable http_proxy to http://<domain>\<username>:<password>@default-proxy:8080

3. To get around the third issue, the simplest possibility is to ignore the certificate errors by setting an environment variable - the certificates returned by the proxy aren't worth anything anyway:

   set GIT_SSL_NO_VERIFY=true
   

---

To not store the plain password in the git config, you can use a local proxy instead, e.g. cntlm.

It allows to store a password hash instead. To get the hash, use this command:

cntlm.exe -H -d <domain> -u <username>

After that, you will be prompted for your password. The result will be a list of three hashes, of which PassNTLMv2 most likely is the relevant one in this scenario. Replace the Password line in the cntlm.ini with the line from the output, including the PassNTLMv2 part.

Obviously, you have to configure git to use this local proxy instead, now.

Answer 2

If you also want write access to github you will have to be able to get ssh access to github through the proxy. To do this, you can use corkscrew.

In short this is how you do this:
First unpack corkscrew
Then create a file in ~/.ssh/proxy_auth which contains <proxy_username>:<proxy_password>
Now tell ssh to use corkscrew to access github.com through the proxy by adding the following to ~/.ssh/config:

host github.com
    port 22
    proxycommand corkscrew <proxy_ip_address> <proxy_port> %h %p ~/.ssh/myauth

Now test if ssh can get through the proxy by ssh -T [email protected]. If this works, the git:/ protocol should also be able to get through the proxy.