Crypto
11 Mar 2026
Read 14 min
How to fix HTTP 407 proxy authentication error in minutes *
how to fix HTTP 407 proxy authentication error and restore downloads in minutes with clear steps now
Learn how to fix HTTP 407 proxy authentication error in minutes: check your proxy login, set the right proxy URL, and test with a quick curl command. Update system and app settings, add no_proxy for local sites, and install your company certificate if needed.
An HTTP 407 message means your proxy server wants you to sign in before it lets traffic through. You may see it in a browser, curl, Git, npm, pip, or a CI pipeline. The good news: most fixes take only a few minutes. This guide shows clear steps, common mistakes, and fast tests so you can get back online without guesswork.
What HTTP 407 Means
HTTP 407 stands for Proxy Authentication Required. A proxy sits between your device and the internet. It checks your identity, enforces rules, and logs traffic. When your request does not include valid proxy credentials, the proxy replies with 407 and often sends a “Proxy-Authenticate” header that lists the login method it expects. Common times you see 407:- On corporate networks that require user login
- When your password changed or expired
- If a tool uses the wrong proxy address or port
- When the app sends no credentials or the wrong auth method (Basic vs NTLM/Kerberos)
- With a broken or outdated PAC (proxy auto-config) file
How to fix HTTP 407 proxy authentication error: Quick wins
Start with these checks
- Confirm your username and password. If your company uses SSO, make sure you are signed in to the domain or VPN.
- Check the proxy URL and port. Use the exact address your IT team gave you.
- Watch for special characters in passwords. In URLs, “@” becomes %40, “:” becomes %3A, “#” becomes %23.
- Try both HTTP and HTTPS proxy schemes if your docs are unclear. Example: http://proxy.company.com:8080 or https://proxy.company.com:8443.
- If Wi‑Fi uses a captive portal, open a browser and complete the sign-in first.
Test with curl to pinpoint the problem
Curl gives fast, clear feedback.- Basic auth test: curl -I -x http://user:pass@proxy:port https://example.com
- If you need NTLM or Kerberos: curl -I –proxy-ntlm -x http://user:pass@proxy:port https://example.com or curl -I –proxy-negotiate -x http://proxy:port https://example.com
- Show details: curl -v -x http://proxy:port https://example.com to read “Proxy-Authenticate” in the response and match the method.
Set or Reset System Proxy Settings
Some apps use system proxy settings. Others use environment variables. Make sure both are correct.Windows
- Open Settings > Network & Internet > Proxy. Set the script URL (PAC) or manual proxy address and port. Save.
- If old WinHTTP settings break CLI tools, sync them: open an elevated Command Prompt and run netsh winhttp import proxy source=ie.
- Clear old settings if needed: netsh winhttp reset proxy.
- If your company installs a root certificate for TLS inspection, ensure it is in the Trusted Root store.
macOS
- Go to System Settings > Network > Wi‑Fi (or your interface) > Details > Proxies.
- Enable Automatic Proxy Configuration and paste the PAC URL, or enable Web Proxy (HTTP) and Secure Web Proxy (HTTPS) with host and port.
- If passwords changed, remove old saved credentials from Keychain and re-enter.
- If your proxy inspects TLS, install the company root certificate in Keychain and set it to Always Trust.
Linux
Many tools read environment variables.- Temporarily set in your shell: export HTTP_PROXY=http://user:pass@proxy:port and export HTTPS_PROXY=http://user:pass@proxy:port.
- Also set lowercase: export http_proxy=… and export https_proxy=….
- Add exceptions: export NO_PROXY=localhost,127.0.0.1,.local,.company.com.
- To persist, add these lines to ~/.bashrc or ~/.profile, then reload your shell.
Fix App-Specific 407 Errors
Different apps keep their own proxy settings. Match the app to your working curl setup.Web browsers
- When a prompt appears, enter domainusername if required (Windows domains often need this format).
- Clear saved proxy credentials and retry if the prompt loops.
- If your browser uses a PAC file, open the PAC URL in the browser and confirm it loads. If not, ask IT for the right URL.
- Chrome errors like ERR_TUNNEL_CONNECTION_FAILED can be a sign of a bad proxy address or blocked auth.
npm, yarn, and Node.js
- Set config: npm config set proxy http://user:pass@proxy:port and npm config set https-proxy http://user:pass@proxy:port.
- If you use environment variables, make sure they are set before running npm.
- If your network uses TLS inspection, install your company CA so npm can verify HTTPS. Avoid disabling strict SSL unless IT instructs you.
- Clean old entries: check ~/.npmrc for stale proxy lines and remove duplicates.
Git
- Global proxy: git config –global http.proxy http://user:pass@proxy:port and git config –global https.proxy http://user:pass@proxy:port.
- Per-repo override: run the same commands without –global inside the repo, or unset with git config –global –unset http.proxy.
- Use a credential helper (Git Credential Manager on Windows/macOS) to avoid storing plain text passwords.
- For corporate hosts that should bypass the proxy, add them to NO_PROXY or unset proxy for that host: git config –global http.https://git.company.com.proxy “”
Python and pip
- Inline for one install: pip install –proxy http://user:pass@proxy:port package-name
- Environment variables work too. If a wheel download fails with 407, verify HTTPS_PROXY is set.
- If your CA is custom, set REQUESTS_CA_BUNDLE to your CA file or install the CA system-wide.
Docker and container builds
- For the Docker daemon on Linux, create /etc/systemd/system/docker.service.d/http-proxy.conf with lines Environment=”HTTP_PROXY=http://user:pass@proxy:port” and Environment=”HTTPS_PROXY=http://user:pass@proxy:port”. Then run systemctl daemon-reload and systemctl restart docker.
- Add build-time args in Dockerfiles or use –build-arg HTTP_PROXY=… to allow apt, yum, or pip inside containers to reach the internet.
- Add NO_PROXY for local registries and internal hosts.
Match the Authentication Method
Proxies can demand different auth types. Basic is user and password. NTLM and Kerberos link to your system login.- Read the Proxy-Authenticate header from a failed request. It might say Basic, NTLM, or Negotiate.
- Basic: most tools work with http://user:pass@host:port.
- NTLM: use tools that support NTLM (curl –proxy-ntlm, Git Credential Manager, or system-integrated browsers on Windows).
- Kerberos/Negotiate: make sure you are logged in to the domain and have a valid ticket (on Linux/macOS, kinit may be needed). Use curl –proxy-negotiate.
Bypass the Proxy When Safe
Some targets should not go through the proxy. Sending them through the proxy can trigger a 407 or slow you down.- Local services: localhost, 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16
- Company internal domains: add .company.com to NO_PROXY
- Development tools like Docker registries or local Kubernetes APIs
When It’s a Network or Proxy Issue
If you followed the steps and still get 407, the problem may be on the proxy.- Account lock or expired password: try signing in to your corporate portal or reset your password.
- PAC file bug: share the PAC URL with IT and the site you tried to reach.
- Policy block: your target domain may need an allowlist update.
- Time skew: big clock drift can break Kerberos. Sync your system time.
- TLS inspection: install the corporate root CA or ask IT to exclude your target.
- The exact time and your time zone
- Target URL and your source IP
- The Proxy-Authenticate header you saw
- curl -v output (redact passwords)
One-Minute Recovery Plan
- Test with curl using -x and your credentials. If it works, the proxy and login are okay.
- Copy that working proxy string into your app’s proxy setting.
- Add NO_PROXY for local and internal domains.
- If auth still fails, switch to the right method (Basic, NTLM, or Negotiate) and retry.
For more news: Click Here
FAQ
Q: What does HTTP 407 mean and how can I fix it quickly?
A: HTTP 407 stands for Proxy Authentication Required and means the proxy wants you to sign in before it lets traffic through. This guide explains how to fix HTTP 407 proxy authentication error in minutes by checking your proxy login, setting the correct proxy URL and port, and testing with a quick curl command.
Q: What quick checks should I run first to resolve a 407 error?
A: Start by confirming your username and password and sign in to the domain or VPN if your company uses SSO. Also verify the exact proxy URL and port, watch for special characters that need URL-encoding, try both http and https proxy schemes, and complete any captive-portal sign-in if on Wi-Fi.
Q: How can I use curl to diagnose a 407 proxy authentication error?
A: Use curl to get fast, clear feedback with commands like curl -I -x http://user:pass@proxy:port https://example.com and curl -v -x http://proxy:port https://example.com to read the Proxy-Authenticate header. If you need NTLM or Kerberos, try curl -I –proxy-ntlm -x http://user:pass@proxy:port https://example.com or curl -I –proxy-negotiate -x http://proxy:port https://example.com. If curl succeeds the proxy and credentials are fine and the issue is likely in your app settings, and if curl fails you should fix the proxy address, auth method, or your login.
Q: Which system proxy settings should I check on Windows, macOS, or Linux?
A: On Windows open Settings > Network & Internet > Proxy to set a PAC script or manual proxy and use netsh winhttp import proxy source=ie or netsh winhttp reset proxy to sync or clear WinHTTP settings for CLI tools. On macOS configure Proxies in System Settings > Network, remove old saved credentials from Keychain if passwords changed, and install the company root certificate and set it to Always Trust if TLS inspection is used. On Linux set HTTP_PROXY and HTTPS_PROXY (and lowercase equivalents), add NO_PROXY exceptions, and persist them in ~/.bashrc or ~/.profile.
Q: How do I fix 407 errors in browsers, npm, Git, pip, and Docker?
A: For browsers enter domainusername when prompted if required, clear saved proxy credentials if prompts loop, and confirm your PAC file loads in the browser. For npm and Node set npm config or environment proxy variables, for Git use git config –global http.proxy or unset per-repo, for pip use pip install –proxy or HTTPS_PROXY, and for Docker configure the daemon proxy file and use build-time args plus NO_PROXY for local registries. If your network performs TLS inspection, install the company CA so tools can verify HTTPS instead of disabling strict SSL.
Q: How do I match the proxy authentication method like Basic, NTLM, or Kerberos?
A: Read the Proxy-Authenticate header from a failed request to see whether the proxy expects Basic, NTLM, or Negotiate/Kerberos. Basic works with http://user:pass@host:port, NTLM requires tools that support NTLM (curl –proxy-ntlm, Git Credential Manager, or system-integrated browsers on Windows), and Kerberos/Negotiate needs you to be logged in to the domain with a valid ticket (on Linux/macOS kinit may be needed) or use curl –proxy-negotiate.
Q: When should I bypass the proxy with NO_PROXY and how do I set it?
A: Bypass the proxy for local services and internal domains such as localhost, 127.0.0.1, private network ranges, and .company.com to avoid triggering proxy auth or adding latency. Set NO_PROXY (and no_proxy) as a comma-separated list, for example NO_PROXY=localhost,127.0.0.1,.company.com,10.0.0.0/8, and export it in your shell or add it to your environment files.
Q: What information should I gather for IT if a proxy issue persists?
A: Provide the exact time and your time zone, the target URL and your source IP, the Proxy-Authenticate header you saw, and curl -v output with passwords redacted. Also report whether your account may be locked or expired, share the PAC file URL if relevant, and note if TLS inspection or clock skew (which can break Kerberos) could be factors.
* The information provided on this website is based solely on my personal experience, research and technical knowledge. This content should not be construed as investment advice or a recommendation. Any investment decision must be made on the basis of your own independent judgement.
Contents
