Authenticated HTTP and HTTPS proxies sit between clients and the internet, enforcing access control for outbound traffic. Many corporate and provider networks only allow external connectivity through such gateways, so correctly authenticated requests are essential for reaching APIs, repositories, and web applications from automation and scripts. Consistent proxy authentication avoids stalled deployments, failing package installs, and manual browser-based workarounds.

The cURL tool uses libcurl to speak to proxies over HTTP or HTTPS, either sending requests with absolute URLs or opening a tunnel with CONNECT, while negotiating authentication schemes such as Basic, Digest, NTLM, or Negotiate. When access is denied, the proxy advertises its supported schemes in Proxy-Authenticate headers, usually together with a 407 Proxy Authentication Required status, and credentials are supplied back in Proxy-Authorization headers controlled by options like --proxy, --proxy-user, and --proxy-anyauth. Explicit proxy settings can be combined with environment variables to keep scripts portable and configuration centralised.

Proxy misconfiguration or weak credential handling can leak secrets, block outbound services, or cause intermittent failures when authentication state changes between requests. Command-line flags that embed usernames or passwords appear in shell history and process listings, while environment variables can be inherited by child processes unexpectedly. The examples below assume a Linux system using cURL from a standard distribution build and an existing HTTP proxy that demands authentication before forwarding HTTPS traffic through a CONNECT tunnel.
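
The exposure described above can be audited. The following added example (not part of the original article) scans shell-history or script text for --proxy-user / -U values and proxy URLs that carry a password, and prints the matching lines with the secret redacted. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag lines that embed proxy passwords and print them redacted.

# scan_proxy_creds: reads text on stdin, prints "LINE_NO: redacted line"
# for every line that carries a proxy password.
scan_proxy_creds() {
    awk -v q="'" '
    BEGIN {
        # --proxy-user or -U followed by user: (optionally quoted).
        opt   = "(--proxy-user[= ]|-U ?)[\"" q "]?[^ :\"" q "]+:"
        optpw = "[^ \"" q "]+"
        # scheme://user: as used with --proxy and the *_proxy variables.
        url   = "[A-Za-z0-9]+://[^/@: ]+:"
        urlpw = "[^ @]+@"
    }
    # Replace each password that follows prefix pattern pre; tail is re-added.
    function redact(s, pre, pw, tail,    out, m) {
        out = ""
        while (match(s, pre pw)) {
            m = substr(s, RSTART, RLENGTH)      # prefix plus password
            out = out substr(s, 1, RSTART - 1)
            s = substr(s, RSTART + RLENGTH)
            match(m, pre)                       # length of the prefix alone
            out = out substr(m, 1, RLENGTH) "[REDACTED]" tail
            hits++
        }
        return out s
    }
    {
        hits = 0
        line = redact(redact($0, url, urlpw, "@"), opt, optpw, "")
        if (hits) print NR ": " line
    }'
}

# Constructed sample input (not real history). The last line gives only a
# user name, so curl prompts for the password and nothing is leaked.
sample_history() {
    cat <<'EOF'
curl --proxy http://proxy.example:3128 https://httpbin.org/get
curl --proxy http://proxy.example:3128 --proxy-user 'user:password' https://httpbin.org/get
export HTTPS_PROXY=http://user:password@proxy.example:3128
curl --proxy http://proxy.example:3128 -U user: https://httpbin.org/ip
EOF
}
```

Running `sample_history | scan_proxy_creds` reports lines 2 and 3 only; the same function can be fed a history file or a deployment script on stdin.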

Steps to authenticate to proxies with cURL:

  1. Run curl --version in a terminal to confirm the installed build and proxy capabilities.
    $ curl --version
    curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9
    Release-Date: 2022-02-09
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe UnixSockets
    ##### snipped #####

    A feature list that includes HTTPS-proxy indicates support for authenticated HTTP and HTTPS proxies.

  2. Send an HTTPS request through the proxy without credentials to confirm that the proxy is reachable and requires authentication.
    $ curl --proxy http://proxy.example:3128 https://httpbin.org/get
    <html>
    <head><title>407 Proxy Authentication Required</title></head>
    <body>
    <h1>Proxy Authentication Required</h1>
    <p>The proxy requires a valid Proxy-Authorization header.</p>
    ##### snipped #####

    A status code of 407 Proxy Authentication Required from the proxy confirms that the endpoint is correct and that authentication is enforced.

  3. Repeat the proxied request with explicit credentials supplied to the --proxy-user option to authenticate successfully.
    $ curl --proxy http://proxy.example:3128 --proxy-user 'user:password' https://httpbin.org/get
    {
      "args": {},
      "headers": {
        "Accept": "*/*",
        "Host": "httpbin.org",
        "User-Agent": "curl/7.81.0",
        "Via": "1.1 proxy.example",
        "X-Forwarded-For": "198.51.100.24"
      },
      "origin": "198.51.100.24",
      "url": "https://httpbin.org/get"
    }

    Embedding credentials directly in the command line exposes them to shell history and process listings on multi-user systems, which can leak proxy usernames and passwords.

  4. Add the --proxy-anyauth option so cURL can probe the proxy and automatically select the strongest supported authentication scheme.
    $ curl --proxy http://proxy.example:3128 --proxy-user 'user:password' --proxy-anyauth https://httpbin.org/get
    {
      "args": {},
      "headers": {
        "Accept": "*/*",
        "Host": "httpbin.org",
        "User-Agent": "curl/7.81.0",
        "Via": "1.1 proxy.example",
        "X-Forwarded-For": "198.51.100.24"
      },
      "origin": "198.51.100.24",
      "url": "https://httpbin.org/get"
    }

    When --proxy-anyauth is set, the proxy first responds with Proxy-Authenticate headers, and cURL retries the request using the strongest mutually supported method, such as Digest or NTLM instead of plain Basic.

  5. Inspect the handshake and proxy headers in verbose mode to verify that authentication is applied and that the final response is forwarded by the proxy.
    $ curl --proxy http://proxy.example:3128 --proxy-user 'user:password' --proxy-anyauth --verbose https://httpbin.org/get
    *   Trying 192.0.2.10:3128...
    * Connected to proxy.example (192.0.2.10) port 3128
    > CONNECT httpbin.org:443 HTTP/1.1
    > Host: httpbin.org:443
    > Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==
    ##### snipped #####
    < HTTP/1.1 200 OK
    < Via: 1.1 proxy.example
    ##### snipped #####

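    Successful proxy authentication is indicated by a Proxy-Authorization header in the verbose output followed by an upstream 200 OK (or other non-407 status) from the target server. The Basic value is only Base64-encoded (dXNlcjpwYXNzd29yZA== decodes to user:password), so verbose output carries the credentials and should be kept out of shared logs.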

  6. Configure environment variables for HTTP and HTTPS proxies to avoid repeating the --proxy option in every command.
    $ export http_proxy=http://user:password@proxy.example:3128
    $ export HTTPS_PROXY=http://user:password@proxy.example:3128

    cURL reads the proxy for plain HTTP URLs only from the lowercase http_proxy variable and ignores an uppercase HTTP_PROXY, while HTTPS_PROXY is accepted in either case. Environment variables are inherited by child processes and may be visible in process inspection tools, so proxy credentials stored this way should be restricted to trusted shells and sessions.

  7. Confirm that subsequent cURL commands use the authenticated proxy automatically by omitting explicit proxy options and checking the outgoing connection in verbose mode.
    $ curl --verbose https://httpbin.org/ip
    *   Trying 192.0.2.10:3128...
    * Connected to proxy.example (192.0.2.10) port 3128
    > CONNECT httpbin.org:443 HTTP/1.1
    > Host: httpbin.org:443
    > Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==
    ##### snipped #####
    {
      "origin": "198.51.100.24"
    }

    A response that shows the proxy’s public IP address in the origin field confirms that traffic is flowing through the authenticated proxy configuration.
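
One way to supply the same options without putting the password on the command line or in an environment variable is a curl config file passed with --config. This is an added example, not part of the original article; the helper names and the file path are assumptions.

```shell
#!/bin/sh
# Added example: keep proxy credentials out of argv, shell history and the
# environment by storing them in an owner-only curl config file.

# write_proxy_config FILE PROXY_URL USER
# Reads the password from stdin, so it never appears as a command argument.
write_proxy_config() {
    cfg=$1 proxy=$2 user=$3
    IFS= read -r pass || [ -n "$pass" ] || return 1
    # Create (or truncate) the file and lock it down before any secret is written.
    ( umask 077 && : > "$cfg" ) || return 1
    chmod 600 "$cfg" || return 1
    # Escape backslashes and double quotes for curl's quoted config values.
    esc=$(printf '%s' "$user:$pass" | sed 's/\\/\\\\/g; s/"/\\"/g')
    {
        printf 'proxy = "%s"\n' "$proxy"
        printf 'proxy-user = "%s"\n' "$esc"
        printf 'proxy-anyauth\n'
    } >> "$cfg"
    unset pass esc
}

# config_is_private FILE: succeed only if group and others have no access.
config_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage (stdin supplies the password, for example from a password manager CLI):
#   write_proxy_config "$HOME/.proxy.curlrc" http://proxy.example:3128 user
#   config_is_private "$HOME/.proxy.curlrc" &&
#       curl --config "$HOME/.proxy.curlrc" https://httpbin.org/get
```

The credentials still travel to the proxy in the Proxy-Authorization header; the config file only removes them from shell history, process listings and inherited environments.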
