forked from jeroen/curl
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwindows.Rmd
141 lines (100 loc) · 6.83 KB
/
windows.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
---
title: "Proxies and Certificates on Windows Networks"
output:
html_document:
fig_caption: false
toc: true
toc_float:
collapsed: false
smooth_scroll: false
toc_depth: 3
vignette: >
%\VignetteIndexEntry{Proxies and Certificates on Windows Networks}
%\VignetteEngine{knitr::rmarkdown}
%\VignetteEncoding{UTF-8}
---
This document describes a few notes specifically for Windows users on networks with custom certificates or proxy settings. For regular Windows users, things should work out of the box.
```{r setup}
library(curl)
```
## Multiple SSL Backends
In order to make SSL (https) connections, libcurl uses an SSL backend. Currently the Windows version of the `curl` package supports two SSL backends: __OpenSSL__ and __Windows Secure Channel__. Only one can be enabled, which is determined when the curl package is first loaded in your R session.
| | Secure Channel | OpenSSL |
|------------------------------------|---------------------------------|------------------------|
| __trust certificates__ | Windows Cert Store | `curl-ca-bundle.crt` file |
| __works on corporate networks__ | Usually Yes | Maybe not |
| __support http proxy server__ | Yes | Yes |
| __support https proxy server__ | No | Yes |
| __support client certificate authentication__ | No | Yes |
The default backend on Windows 7 and up is Secure Channel. This uses the native Windows SSL API and certificates, which is the safest choice for most users.
To switch to OpenSSL, you need to set an environment variable [`CURL_SSL_BACKEND`](https://curl.se/libcurl/c/libcurl-env.html) to `"openssl"` when starting R. A good place to set this is in your `.Renviron` file in your user home (Documents) directory; the `?Startup` manual has more details.
```
CURL_SSL_BACKEND=openssl
```
Optionally, you can also set `CURL_CA_BUNDLE` here to use a custom trust bundle. If `CURL_CA_BUNDLE` is not set, we use `curl-ca-bundle.crt` which is included with R for Windows. When using Schannel, no trust bundle is needed because we use the certificates from the native Windows cert store.
Have a look at `curl::curl_version()` to see which ssl backends are available and which one is in use.
```r
curl::curl_version()
#> $version
#> [1] "7.64.1"
#>
#> $ssl_version
#> [1] "(OpenSSL/1.1.1a) Schannel"
#>
#> $libz_version
#> [1] "1.2.8"
#> ...
```
The part in parentheses means this backend is available but currently not in use. Hence the output above means that the current active backend is Secure Channel, but OpenSSL is also supported.
It is not possible to change the SSL backend once the `curl` package has been loaded.
## Using a Proxy Server
Windows proxy servers are a complicated topic because depending on your corporate network configuration, different settings may be needed. If your company uses proxies with custom certificates, this might also interact with the previous topic.
Proxy settings can either be configured in the handle for a single request, or globally via environment variables. This is explained in detail on the curl website detail in the manual pages for [CURLOPT_PROXY](https://curl.se/libcurl/c/CURLOPT_PROXY.html) and [libcurl-env](https://curl.se/libcurl/c/libcurl-env.html).
If you know the address of your proxy server you can set it via the `curlopt_proxy` option:
```r
h <- new_handle(proxy = "http://proxyserver:8080", verbose = TRUE)
req <- curl_fetch_memory("https://httpbin.org/get", handle = h)
#> Verbose output here...
```
The example above should yield some verbose output indicating if the proxy connection was successful.
If this did not work, study the verbose output from above to see what seems to be the problem. Note that curl supports many options related to proxies (types, auth, etc), the details of which you can find on the libcurl homepage.
```{r}
curl_options('proxy')
```
To use a global proxy server for all your requests, you can set the environment variable `http_proxy` (lowercase!) or `https_proxy` or `ALL_PROXY`. See [this page](https://curl.se/libcurl/c/libcurl-env.html) for details. This variable may be set or changed in R at runtime, for example:
```r
Sys.setenv(ALL_PROXY = "http://proxy.mycorp.com:8080")
req <- curl_fetch_memory("https://httpbin.org/get")
#> verbose output here...
```
To use a default proxy server for all your R sessions, a good place to set this environment variable is in your `.Renviron` as explained above:
```
ALL_PROXY="http://proxy.mycorp.com:8080"
```
An additional benefit of setting these environment variables is that they are also supported by base R `download.file` and `install.packages`. The manual page for `?download.file` has a special section on "Setting Proxies" which explains this.
## Discovering Your Proxy Server
If you don't know what your proxy server is, the `curl` package has a few utilities that interact with Internet Explorer to help you find out. First have a look at `ie_proxy_info()` to see IE settings:
```r
curl::ie_proxy_info()
#> $AutoDetect
#> [1] FALSE
#>
#> $AutoConfigUrl
#> [1] "http://173.45.10.27:8543/proxypac.pac"
#>
#> $Proxy
#> [1] "173.45.10.27:3228"
#>
#> $ProxyBypass
#> [1] "10.*;173.*;mail.mycorp.org;autodiscover.mycorp.org;ev.mycorp.org;ecms.mycorp.org"
```
There are a few settings here, such as default proxy server and a list of hosts which do _not_ need proxying, usually hosts within the corporate intranet (these can probably be used in [`CURLOPT_NOPROXY`](https://curl.se/libcurl/c/CURLOPT_NOPROXY.html)).
The most complicated case is when your network uses different proxy servers for different target urls. The `AutoConfigUrl` field above refers to a [proxy auto config](https://en.wikipedia.org/wiki/Proxy_auto-config) (PAC) script that Internet Explorer has to run to find out which proxy server it has to use for a given host. The `curl` package exposes another function which calls out to Internet Explorer do it's thing and tell us the appropriate proxy server for a given host:
```r
curl::ie_get_proxy_for_url("https://www.google.com")
#> [1] "http://173.45.10.27:3228"
curl::ie_get_proxy_for_url("http://mail.mycorp.org")
#> NULL
```
The exact logic that Windows uses to derive the appropriate proxy server for a given host from the settings above is very complicated and may involve some trial and error until something works.
Currently `curl` does not automatically set IE proxies, so you need to manually set these in the handles or environment variables. One day we could try to make the `curl` package automatically discover and apply Windows proxy settings. However to make sure we cover all edge cases we need more examples from users in real world corporate networks.