need explicit proxy settings

authentication.conf does provides the necessary settings, as long as the host matches the proxy and the scheme matches the protocol used.

bug #244435 *is* relevant though

But pycurl doesn't know about authentication.conf and the urllib implementation doesn't know about SSPI

So. Do I need to use HTTP_PROXY environment variable to make settings in authentication.conf work?

How can I specify in authentication.conf that one project should be accessible through one proxy and other with no proxy at all?

No. Authentication.conf provides additional information based on the host used.

The problem here is that pycurl is used as blackbox and our wrapper do not attempt to decorate the HTTP[S]_PROXY variable(s).

Then, the urllib implementation lacks SSPI support.

For your last question, authentication.conf doesn't try to associate a proxy with a project.

Proxies are associated with hosts. If your projects are on different hosts, then fine.

Wether or not you need a proxy for a host is also configured via the no_proxy environment variable.

Or more appropriately for windows (but this is relevant for urllib implementation only) from either the environment variables *or* the Internet Settings found in the registry by python (see python urllib.py getproxies_registry() for the gory details).

What bzr http implementation are you using ?

I am using both standalone bzr-1.5.exe distribution and Python 2.5 package.

So, how can I configure bzr to associate proxies with hosts using the following requirements, so that this configuration can be copied to other developer machines?

Consider one host is my local server "localhost", which should not be accessible via proxy.
Other server "vpn-dev" is on remote subnet and should be accessible via local proxy "localhost:1080".
All unknown servers should be directed to domain proxy.

The proxy configuration in your case is not specific to bzr, what you want is no proxy for localhost.

Having two different proxies is rather unusual and I don't know how to handle that easily (setting env variables or modifying your internet setttings are not easy).

How do you configure, say, firefox or internet explorer to work with such a config ?

By using an automatic proxy configuration url pointing to a js script ?

In that case there is no equivalent for neither pycurl nor urllib and you'll have to set env variables or wrap bzr calls. Not nice :-/

Why do you *need* a local proxy ? Can't that be handled by your domain proxy ?

And by bzr http implementation I meant urllib or pycurl, i.e. do you use just 'http:' (in which case pycurl is used if installed (AFAIK windows version includes pycurl) or 'http+urllib:' or 'http+pycurl:' do be explicit ?

Proxy configuration is bzr specific and is used solely for accessing to source repositories. In subversion server configuration is contained in "servers" file. Servers are grouped into sections with wildcards if required like *.sourceforge.net etc. Then each section has its own http_proxy settings.

FF and IE use only one HTTP/HTTPS protocol and can authenticate with the proxy via SSPI. There is no problem with them. For other services I need to run local authorization proxy server. FF uses standard PAC (proxy autoconfiguration) file to distinguish between local and external addresses (there are also PhProxy and FoxyProxy extensions). Domain proxy is also a content-filtering proxy and from time to time I need to wrap connection in tunnel to bypass HTTP filters. Tunnel made with a PyTTY with SOCKS turned on.

http:// doesn't work because of https://bugs.launchpad.net/bzr/+bug/241698 so I used nosmart+http://

I was able to use http:// protocols after I've setup environment variables to point local authorization proxy server, but what I would like from this bugreport is to provide some arguments that bzr specific proxy/connection/server configuration should be contained in its own configuration file.

Ok, so a possible solution will be to allow specifying http[s]_proxy in locations.conf/branch.conf and leave credentials in authentication.conf (or not, user choice) and gives these definitions priority over environment variables (not trivial but doable).

Your setup is rather unusual since you seem to encounter a lot of problems to go through your proxy. Generally we avoid out-smarting the network connection itself to keep both usage and code simple.

What do you call 'local authorization proxy' ? What software do you use for that ?

By PyTTY did you mean PuTTY ? AIUI, this is another case where you have to work around your proxy limitations (or bzr lack of support for it).

Will adding support for NTLM to urllib provide a alternative solution ; i.e. will you still need to use two different proxies or will that be enough to just use your proxy (are have you already encounter content-filtering problems when accessing bzr remote branches) ?

'local authorization proxy' is NTLMaps - http://ntlmaps.sourceforge.net/ - it uses domain password to authenticate to parent proxy. One annoyance though is that it asks password every time, but at least it doesn't stored anywhere. It provides plain proxy interface for programs that doesn't support proxy authorization at all.

PyTTY is indeed PuTTY. It provides SOCKS server to tunnel requests over SSH connections. I believe bzr has similar bzr+ssh:// scheme, but it needs tunneling anyway through 80 or 443 port, because domain proxy bans connections on SSH port 22.

I haven't encountered content-filtering problems with bzr yet, because I've started to use it a couple days ago, but there were such problems with svn. Good svn has a detailed connection log to debug the problem, but it still took a long time to pinpoint the problem. If bzr uses plain HTTP requests with URLs that can contain words that can be filtered or request content can be matched by proxy filter then there are chances that at some point I will need to tunnel this connection too.

Thanks for the detailed reply, things are clearer now.

I think this bug should be splitted to address the two identified problems:

- this bug should be about allowing specifying proxies at the location level (either in locations.conf or branch.conf),

- bug #244879 is about supporting NTLM in the urllib implementation.

As noted in bug #177643, handling proxies without relying on env variables for pycurl will be tricky.

About detailed log, using -Dhttp on the failing bzr commands should provides enough information to debug, if it doesn't... file a bug and we'll add the necessary traces (we already log all requests and headers sent and received, but if you need more, just say so).

I'll mark this bugs as confirmed.

Thanks for filing another bugreport. -Dhttp seems to be useful. Too bad it not documented neither in some "troubleshooting" chapter nor in config files.

You're right, it appears in:
  bzr help global-options

with all the debug options available for troubleshooting.

May be we should have a "troubleshooting" help topic mentioning these flags and how to find and use .bzr.log

This proxy thing is very annoying as I'm using Windows and now I'm stuck in setting some environment variable instead of using Bazaar. Proxy definition in config file would be much better. Thank you.

I don't understand because I have the opposite problem : I don't want to use a proxy with bzr but bzr use Internet Explorer configuration :
https://bugs.edge.launchpad.net/bzr/+bug/330570