The HTTP 407 error occurs when Git cannot authenticate with a proxy server that requires credentials. This typically happens in corporate environments where network traffic must pass through an authenticated proxy, and Git hasn't been configured with the correct proxy credentials or authentication method.
This error indicates that Git attempted to connect to a remote repository (like GitHub, GitLab, or Bitbucket), but the connection was blocked by an intermediary proxy server that requires authentication. The "407 Proxy Authentication Required" HTTP status code is returned when the proxy needs valid credentials before it will forward your request. In corporate and enterprise environments, network administrators often require all outbound HTTP/HTTPS traffic to pass through a proxy server. This allows the organization to monitor traffic, enforce security policies, and cache frequently accessed content. When the proxy requires authentication, Git must provide valid credentials to the proxy before it can reach the actual Git remote server. The authentication flow works like this: 1. Git tries to connect to the remote repository (e.g., github.com) 2. The request is intercepted by the corporate proxy server 3. The proxy requires authentication and returns HTTP 407 4. Git must provide proxy credentials to proceed 5. Once authenticated with the proxy, the request is forwarded to the actual destination This is separate from repository authentication - you need to authenticate with the proxy first, then potentially authenticate with the Git remote server as well.
Set up Git to use your proxy server with authentication credentials. You'll need your proxy server address, port, and credentials:
Basic proxy configuration:
# Set HTTP proxy
git config --global http.proxy http://username:[email protected]:8080
# Set HTTPS proxy (often same as HTTP proxy)
git config --global https.proxy http://username:[email protected]:8080If your company uses a domain (e.g., CORP\username):
# Use backslash for domain - escape it properly
git config --global http.proxy "http://CORP\\username:[email protected]:8080"URL encode special characters in password:
If your password contains special characters, you must URL-encode them:
- @ becomes %40
- # becomes %23
- ! becomes %21
- $ becomes %24
- & becomes %26
- \ becomes %5C
# Example: password is "p@ss#word!"
git config --global http.proxy "http://username:p%40ss%23word%[email protected]:8080"Verify your settings:
git config --global --get http.proxy
git config --global --get https.proxyGit defaults to "anyauth" which automatically selects an authentication method. However, this doesn't always work correctly with all proxy types. Explicitly setting the method often resolves 407 errors:
Set Basic authentication:
git config --global http.proxyAuthMethod basicAvailable authentication methods:
- anyauth - Auto-detect (default, but sometimes fails)
- basic - HTTP Basic authentication (username:password)
- digest - HTTP Digest authentication (more secure than basic)
- negotiate - Kerberos/SPNEGO authentication
- ntlm - Windows NTLM authentication
For Windows/Active Directory environments:
# Try NTLM if Basic doesn't work
git config --global http.proxyAuthMethod ntlmUsing environment variable override:
# Set for a single command
GIT_HTTP_PROXY_AUTHMETHOD=basic git clone https://github.com/user/repo.git
# Or export for the session
export GIT_HTTP_PROXY_AUTHMETHOD=basicNote: The http.proxyAuthMethod setting only takes effect when your proxy URL includes a username (the user@host format).
Many corporate proxies use NTLM (Windows NT LAN Manager) authentication, which Git doesn't handle well natively. CNTLM is a local proxy that handles NTLM authentication for you:
Install CNTLM:
# On Ubuntu/Debian
sudo apt install cntlm
# On macOS (using Homebrew)
brew install cntlm
# On Windows: Download from https://cntlm.sourceforge.net/Configure CNTLM (edit /etc/cntlm.conf or cntlm.ini):
Username your_username
Domain CORP
Password your_password
Proxy proxy.company.com:8080
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
Listen 3128Generate password hash (more secure):
cntlm -H -d CORP -u your_username
# Enter password when prompted
# Copy the output hashes to cntlm.confStart CNTLM:
# On Linux
sudo systemctl start cntlm
# On macOS
brew services start cntlm
# On Windows
cntlm -v # Test first
net start cntlm # Run as serviceConfigure Git to use local CNTLM proxy:
git config --global http.proxy http://127.0.0.1:3128
git config --global https.proxy http://127.0.0.1:3128
# No username/password needed - CNTLM handles itAs an alternative to Git config, you can set proxy settings via environment variables. This is useful for CI/CD pipelines or when you want proxy settings to apply to all applications:
Set environment variables:
# For Linux/macOS - add to ~/.bashrc, ~/.zshrc, or ~/.profile
export HTTP_PROXY="http://username:[email protected]:8080"
export HTTPS_PROXY="http://username:[email protected]:8080"
export NO_PROXY="localhost,127.0.0.1,.company.com"
# Apply changes
source ~/.bashrcFor Windows (Command Prompt):
set HTTP_PROXY=http://username:[email protected]:8080
set HTTPS_PROXY=http://username:[email protected]:8080
set NO_PROXY=localhost,127.0.0.1,.company.comFor Windows (PowerShell):
$env:HTTP_PROXY = "http://username:[email protected]:8080"
$env:HTTPS_PROXY = "http://username:[email protected]:8080"
$env:NO_PROXY = "localhost,127.0.0.1,.company.com"
# To set permanently:
[System.Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.company.com:8080", "User")One-time command execution:
HTTPS_PROXY="http://user:pass@proxy:8080" git clone https://github.com/user/repo.gitImportant: Git respects both lowercase and uppercase environment variable names (http_proxy and HTTP_PROXY), but uppercase is more widely compatible.
For complex configurations or when command-line encoding is problematic, edit your Git configuration file directly:
Open your global gitconfig:
# Find the location
git config --global --list --show-origin
# Edit directly
git config --global --edit
# Or edit: ~/.gitconfig (Linux/macOS) or C:\Users\USERNAME\.gitconfig (Windows)Add proxy configuration:
[http]
proxy = http://DOMAIN\username:[email protected]:8080
proxyAuthMethod = basic
sslVerify = false
[https]
proxy = http://DOMAIN\username:[email protected]:8080Per-repository proxy settings:
You can also set proxy only for specific URLs:
[http "https://github.com"]
proxy = http://username:[email protected]:8080
proxyAuthMethod = basic
[http "https://gitlab.company.com"]
proxy = ""Note about sslVerify: Setting sslVerify = false may be necessary if your proxy performs SSL inspection (man-in-the-middle). This is a security trade-off - only disable SSL verification if you understand the implications and trust your network.
If you've changed passwords or proxy configurations, old cached settings may interfere:
Remove Git proxy settings:
# Clear global proxy settings
git config --global --unset http.proxy
git config --global --unset https.proxy
git config --global --unset http.proxyAuthMethod
# Clear all http settings
git config --global --remove-section http
git config --global --remove-section httpsCheck for proxy settings at multiple levels:
# Show all config with origins
git config --list --show-origin | grep -i proxy
# System level (may require admin)
git config --system --unset http.proxy
# Repository level (if set per-repo)
git config --local --unset http.proxyClear environment variables:
# For current session
unset HTTP_PROXY HTTPS_PROXY http_proxy https_proxy
# Check if set
env | grep -i proxyClear credential cache:
# If using credential cache
git credential-cache exit
# If using credential store
rm ~/.git-credentialsAfter clearing, reconfigure your proxy settings with the correct credentials.
Corporate proxies often perform SSL/TLS inspection (man-in-the-middle), which can cause certificate errors alongside or instead of 407 errors:
Add corporate CA certificate to Git:
# Export your company's root CA certificate from your browser
# (usually in Settings > Certificates > Authorities > Export)
# Tell Git to use the certificate
git config --global http.sslCAInfo /path/to/company-ca-cert.pem
# Or append to the existing CA bundle
cat company-ca-cert.pem >> /etc/ssl/certs/ca-certificates.crtOn Windows, export and add certificate:
1. Open Internet Options > Content > Certificates
2. Go to Trusted Root Certification Authorities
3. Find your company's CA certificate
4. Export as "Base-64 encoded X.509 (.CER)"
5. Configure Git:
git config --global http.sslCAInfo "C:\path\to\company-ca-cert.crt"Disable SSL verification (last resort):
# Not recommended for security reasons
git config --global http.sslVerify false
# Better: disable only for specific hosts
git config --global http."https://internal-git.company.com".sslVerify falseEnable verbose debugging:
GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://github.com/user/repo.gitIf proxy authentication continues to be problematic, consider using SSH for Git operations. Many corporate proxies only inspect HTTP/HTTPS traffic, allowing SSH through:
Check if SSH works through your network:
ssh -T [email protected]
# If this succeeds (or prompts for key), SSH is allowedSet up SSH key authentication:
# Generate SSH key
ssh-keygen -t ed25519 -C "[email protected]"
# Add to SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
# Copy public key
cat ~/.ssh/id_ed25519.pub
# Add this to your GitHub/GitLab account settingsChange remote from HTTPS to SSH:
# Check current remote
git remote -v
# Change to SSH
git remote set-url origin [email protected]:username/repo.gitIf SSH is blocked, try SSH over HTTPS port (GitHub):
# Edit ~/.ssh/config
Host github.com
Hostname ssh.github.com
Port 443
User git
# Test
ssh -T [email protected]SSH through HTTP proxy (if allowed):
# Add to ~/.ssh/config
Host github.com
ProxyCommand nc -X connect -x proxy.company.com:8080 %h %p
# Or for NTLM proxy with corkscrew:
# ProxyCommand corkscrew proxy.company.com 8080 %h %p### Understanding Proxy Authentication Methods
Git (via libcurl) supports several proxy authentication methods:
| Method | Description | Use Case |
|--------|-------------|----------|
| anyauth | Auto-detect (default) | Works when proxy announces supported methods |
| basic | Username:password in Base64 | Simple proxies, but credentials visible |
| digest | Challenge-response hash | More secure than basic |
| ntlm | Windows NTLM protocol | Active Directory environments |
| negotiate | Kerberos/SPNEGO | Enterprise SSO with Kerberos |
The http.proxyAuthMethod setting requires the proxy URL to include a username portion (user@host format) to take effect.
### Debugging Proxy Connections
Enable verbose output to diagnose issues:
# Curl-level debugging
GIT_CURL_VERBOSE=1 git clone https://github.com/user/repo.git
# Git tracing
GIT_TRACE=1 GIT_TRACE_CURL=1 git clone https://github.com/user/repo.git
# Check what authentication method is being used
GIT_TRACE_CURL=1 git clone https://github.com/user/repo.git 2>&1 | grep -i proxy### Windows-Specific NTLM Issues
On Windows, Git for Windows uses different libcurl builds that may or may not include NTLM support. If native NTLM doesn't work:
1. Use CNTLM as a local proxy (recommended)
2. Try the px proxy tool: https://github.com/genotrance/px
3. Use Git Credential Manager which may handle proxy auth better
### Using px as an Alternative to CNTLM
The px proxy is a modern alternative to CNTLM, written in Python:
# Install
pip install px-proxy
# Run (auto-detects Windows proxy settings)
px
# Configure Git to use px
git config --global http.proxy http://127.0.0.1:3128px automatically reads Windows proxy settings and handles NTLM authentication.
### PAC Files and Auto-Proxy Detection
Some organizations use PAC (Proxy Auto-Config) files. Git doesn't natively support PAC files, so you need to:
1. Find the actual proxy server URL from the PAC file
2. Configure Git with that direct proxy URL
3. Or use tools like px that handle PAC files
### Multiple Proxy Configurations
For different Git hosts, configure different proxies:
# In ~/.gitconfig
[http "https://github.com"]
proxy = http://external-proxy.company.com:8080
[http "https://git.internal.company.com"]
proxy = "" # No proxy for internal Git
[http "https://gitlab.com"]
proxy = http://external-proxy.company.com:8080
proxyAuthMethod = ntlm### Security Considerations
1. Avoid storing passwords in plain text in .gitconfig or environment variables if possible
2. Use CNTLM with hashed passwords instead of plaintext
3. Consider using credential helpers that integrate with OS keychains
4. If using sslVerify = false, understand you're disabling certificate validation
5. Rotate proxy credentials periodically and update configurations
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git