starred/PeerTube

Fork 0

mirror of https://github.com/Chocobozzz/PeerTube.git synced 2026-03-02 22:57:11 -05:00

Something adds extra characters to http proxy auth header #6423

New issue

Open

opened 2026-02-22 12:53:46 -05:00 by deekerman · 5 comments

deekerman commented

2026-02-22 12:53:46 -05:00

Owner

Originally created by @Herover on GitHub (Jan 23, 2026).

Describe the current behavior

After adding the HTTP_PROXY env variable, PeerTube seems to use a wrong proxy-authorization header for object storage and talking with federated servers, but does use correct header for http youtube imports. Using Wireshark on the proxy server, I see a correctly encoded base64 string with the correct username:password part when decoded, but the decoded string also contains a newline followed by a number of white spaces (it seemed to vary between 4-6 when I tested, and changed depending on restarts) at the end (eg. 0x0a 0x20 0x20 0x20 0x20). Testing using curl from the same host works perfectly.

Object storage jobs gives this stack trace in the error log

Error: Bad response: 407
    at ClientRequest.<anonymous> (file:///app/dist/core/helpers/hpagent.js:103:26)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:524:28)
    at Socket.socketOnData (node:_http_client:584:11)
    at Socket.emit (node:events:524:28)
    at addChunk (node:internal/streams/readable:561:12)
    at readableAddChunkPushByteMode (node:internal/streams/readable:512:3)
    at Readable.push (node:internal/streams/readable:392:5)
    at TCP.onStreamRead (node:internal/stream_base_commons:191:23)

while requests to federated give this

warn[1/22/2026, 7:00:55 PM] Cannot execute processUpdateVideo with many retries.

{
  "err": {
    "stack": "RequestError: Bad response: 407\n    at ClientRequest.<anonymous> (file:///app/node_modules/.pnpm/got@14.6.3/node_modules/got/dist/source/core/index.js:870:107)\n    at Object.onceWrapper (node:events:639:26)\n    at ClientRequest.emit (node:events:536:35)\n    at emitErrorEvent (node:_http_client:101:11)\n    at _destroy (node:_http_client:884:9)\n    at onSocketNT (node:_http_client:904:5)\n    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)\n    at ClientRequest.<anonymous> (file:///app/dist/core/helpers/hpagent.js:103:26)\n    at Object.onceWrapper (node:events:639:26)\n    at ClientRequest.emit (node:events:524:28)\n    at Socket.socketOnData (node:_http_client:584:11)\n    at Socket.emit (node:events:524:28)\n    at addChunk (node:internal/streams/readable:561:12)\n    at readableAddChunkPushByteMode (node:internal/streams/readable:512:3)\n    at Readable.push (node:internal/streams/readable:392:5)\n    at TCP.onStreamRead (node:internal/stream_base_commons:191:23)",
    "message": "Bad response: 407",
    "name": "RequestError",
    "requestHeaders": {
      "user-agent": "PeerTube/8.0.1 (+https://peertube.dk)",
      "date": "Thu, 22 Jan 2026 18:00:55 GMT",
      "accept": "application/activity+json, application/ld+json",
      "accept-encoding": "gzip, deflate, br",
      "host": "neat.tube",
      "signature": "-----"
    },
    "requestUrl": "https://neat.tube/accounts/-----",
    "requestMethod": "GET"
  }
}

Corresponding errors are also visible on the proxy server (Squid).

The environment variable looks like HTTP_PROXY="http://user:paaaaaaaaaaaaaaaaaaasword@IP_address:12345" without any obvious reasons that it should contain newlines or white spaces.

Steps to reproduce

Set HTTP_PROXY="http://user:paaaaaaaaaaaaaaaaaaasword@IP_address:12345" to a http proxy
Restart PeerTube
Click around a bit to cause requests to external servers
Look for Bad response: 407 errors in the logs on the admin page (severity error for object storage, warning for ex. processUpdateVideo) or in the terminal
Optionally look in the proxy logs/capture network packets if you see above error.

Describe the expected behavior

PeerTube should use correct authorization header value.

Additional information

PeerTube instance:
- URL: peertube.dk
- Version: 8.0.1
- NodeJS version: v20.20.0
- Ffmpeg version: 7.1.3-0+deb13u1
Browser name, version and platforms on which you could reproduce the bug: Docker image chocobozzz/peertube:v8.0.1-trixie on a Debian 6.1.159-1 (2025-12-30) x86_64 host
Link to browser console log if relevant:
Link to server log if relevant (journalctl or /var/www/peertube/storage/logs/):

Additional note: I found that I only actually need the http imports to use a proxy, so I'm no longer using this env variable.

Originally created by @Herover on GitHub (Jan 23, 2026). ### Describe the current behavior After adding the HTTP_PROXY env variable, PeerTube seems to use a wrong `proxy-authorization` header for object storage and talking with federated servers, but does use correct header for http youtube imports. Using Wireshark on the proxy server, I see a correctly encoded base64 string with the correct username:password part when decoded, but the decoded string also contains a newline followed by a number of white spaces (it seemed to vary between 4-6 when I tested, and changed depending on restarts) at the end (eg. `0x0a 0x20 0x20 0x20 0x20`). Testing using curl from the same host works perfectly. Object storage jobs gives this stack trace in the error log ``` Error: Bad response: 407 at ClientRequest.<anonymous> (file:///app/dist/core/helpers/hpagent.js:103:26) at Object.onceWrapper (node:events:639:26) at ClientRequest.emit (node:events:524:28) at Socket.socketOnData (node:_http_client:584:11) at Socket.emit (node:events:524:28) at addChunk (node:internal/streams/readable:561:12) at readableAddChunkPushByteMode (node:internal/streams/readable:512:3) at Readable.push (node:internal/streams/readable:392:5) at TCP.onStreamRead (node:internal/stream_base_commons:191:23) ``` while requests to federated give this ``` warn[1/22/2026, 7:00:55 PM] Cannot execute processUpdateVideo with many retries. { "err": { "stack": "RequestError: Bad response: 407\n at ClientRequest.<anonymous> (file:///app/node_modules/.pnpm/got@14.6.3/node_modules/got/dist/source/core/index.js:870:107)\n at Object.onceWrapper (node:events:639:26)\n at ClientRequest.emit (node:events:536:35)\n at emitErrorEvent (node:_http_client:101:11)\n at _destroy (node:_http_client:884:9)\n at onSocketNT (node:_http_client:904:5)\n at process.processTicksAndRejections (node:internal/process/task_queues:83:21)\n at ClientRequest.<anonymous> (file:///app/dist/core/helpers/hpagent.js:103:26)\n at Object.onceWrapper (node:events:639:26)\n at ClientRequest.emit (node:events:524:28)\n at Socket.socketOnData (node:_http_client:584:11)\n at Socket.emit (node:events:524:28)\n at addChunk (node:internal/streams/readable:561:12)\n at readableAddChunkPushByteMode (node:internal/streams/readable:512:3)\n at Readable.push (node:internal/streams/readable:392:5)\n at TCP.onStreamRead (node:internal/stream_base_commons:191:23)", "message": "Bad response: 407", "name": "RequestError", "requestHeaders": { "user-agent": "PeerTube/8.0.1 (+https://peertube.dk)", "date": "Thu, 22 Jan 2026 18:00:55 GMT", "accept": "application/activity+json, application/ld+json", "accept-encoding": "gzip, deflate, br", "host": "neat.tube", "signature": "-----" }, "requestUrl": "https://neat.tube/accounts/-----", "requestMethod": "GET" } } ``` Corresponding errors are also visible on the proxy server (Squid). The environment variable looks like `HTTP_PROXY="http://user:paaaaaaaaaaaaaaaaaaasword@IP_address:12345"` without any obvious reasons that it should contain newlines or white spaces. ### Steps to reproduce 1. Set `HTTP_PROXY="http://user:paaaaaaaaaaaaaaaaaaasword@IP_address:12345"` to a http proxy 2. Restart PeerTube 3. Click around a bit to cause requests to external servers 4. Look for `Bad response: 407` errors in the logs on the admin page (severity error for object storage, warning for ex. `processUpdateVideo`) or in the terminal 5. Optionally look in the proxy logs/capture network packets if you see above error. ### Describe the expected behavior PeerTube should use correct authorization header value. ### Additional information * PeerTube instance: * URL: peertube.dk * Version: 8.0.1 * NodeJS version: v20.20.0 * Ffmpeg version: 7.1.3-0+deb13u1 * Browser name, version and platforms on which you could reproduce the bug: Docker image chocobozzz/peertube:v8.0.1-trixie on a Debian 6.1.159-1 (2025-12-30) x86_64 host * Link to browser console log if relevant: * Link to server log if relevant (`journalctl` or `/var/www/peertube/storage/logs/`): Additional note: I found that I only actually need the http imports to use a proxy, so I'm no longer using this env variable.

deekerman added the

Status: To Reproduce

label

2026-02-22 12:53:46 -05:00

deekerman commented

2026-02-22 12:53:58 -05:00

Author

Owner

@Chocobozzz commented on GitHub (Jan 23, 2026):

Can you paste the log that starts with Using proxy ...?

Can you also provide the alphabet range of your username and password? Some special characters may be the issue

@Chocobozzz commented on GitHub (Jan 23, 2026): Can you paste the log that starts with `Using proxy ...`? Can you also provide the alphabet range of your username and password? Some special characters may be the issue

deekerman commented

2026-02-22 12:53:59 -05:00

Author

Owner

@Herover commented on GitHub (Jan 23, 2026):

{"level":"info","message":"Using proxy http://username:password@IP_address:12345.","label":"peertube.dk:443","tags":["request"],"timestamp":"2026-01-22T18:00:45.215Z"}

(anonymized the username,password,ip address, but nothing else is changed)

@Herover commented on GitHub (Jan 23, 2026): `{"level":"info","message":"Using proxy http://username:password@IP_address:12345.","label":"peertube.dk:443","tags":["request"],"timestamp":"2026-01-22T18:00:45.215Z"}` (anonymized the username,password,ip address, but nothing else is changed)

deekerman commented

2026-02-22 12:53:59 -05:00

Author

Owner

@Herover commented on GitHub (Jan 23, 2026):

The username is just a short all lowercase a-z single word, password is lower case, upper case and numbers ex. j5ghwEV4cydWDfXYoGl7BUdqeA3DDYEWkEoZ9ojD

@Herover commented on GitHub (Jan 23, 2026): The username is just a short all lowercase a-z single word, password is lower case, upper case and numbers ex. j5ghwEV4cydWDfXYoGl7BUdqeA3DDYEWkEoZ9ojD

deekerman commented

2026-02-22 12:53:59 -05:00

Author

Owner

@Chocobozzz commented on GitHub (Jan 23, 2026):

I'm sorry I don't have any clue. Can you try to debug https://github.com/Chocobozzz/PeerTube/blob/develop/server/core/helpers/hpagent.ts#L47 directly on your server?

@Chocobozzz commented on GitHub (Jan 23, 2026): I'm sorry I don't have any clue. Can you try to debug https://github.com/Chocobozzz/PeerTube/blob/develop/server/core/helpers/hpagent.ts#L47 directly on your server?

deekerman commented

2026-02-22 12:53:59 -05:00

Author

Owner

@ayaadev commented on GitHub (Jan 26, 2026):

Hi there. I just wanted to bump this as I likely have the same issue. Here's an extract of what all of my warning logs look like:

warn[TIMESTAMP] Cannot process remote image https://tilvids.com/lazy-static/thumbnails/UUID.jpg.

{
  "err": {
    "stack": "RequestError: Bad response: 407\n    at ClientRequest.<anonymous> (file:///app/node_modules/.pnpm/got@14.6.3/node_modules/got/dist/source/core/index.js:870:107)\n    at Object.onceWrapper (node:events:639:26)\n    at ClientRequest.emit (node:events:536:35)\n    at emitErrorEvent (node:_http_client:101:11)\n    at _destroy (node:_http_client:884:9)\n    at onSocketNT (node:_http_client:904:5)\n    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)\n    at ClientRequest.<anonymous> (file:///app/dist/core/helpers/hpagent.js:103:26)\n    at Object.onceWrapper (node:events:639:26)\n    at ClientRequest.emit (node:events:524:28)\n    at TLSSocket.socketOnData (node:_http_client:584:11)\n    at TLSSocket.emit (node:events:524:28)\n    at addChunk (node:internal/streams/readable:561:12)\n    at readableAddChunkPushByteMode (node:internal/streams/readable:512:3)\n    at Readable.push (node:internal/streams/readable:392:5)\n    at TLSWrap.onStreamRead (node:internal/stream_base_commons:191:23)",
    "message": "Bad response: 407"
  }
}

I can confirm that the environment variables inside the container, HTTP_PROXY and HTTPS_PROXY, match what I set in the .env file.

The username is just a short all lowercase a-z single word, password is lower case, upper case and numbers ex. j5ghwEV4cydWDfXYoGl7BUdqeA3DDYEWkEoZ9ojD

That is the same format for my HTTP proxy as well. Perhaps that's a common denominator?

This is also being discussed at Framacolibri: https://framacolibri.org/t/http-proxies-are-unauthenticated-despite-correct-details/31221/4

@ayaadev commented on GitHub (Jan 26, 2026): Hi there. I just wanted to bump this as I likely have the same issue. Here's an extract of what all of my warning logs look like: ``` warn[TIMESTAMP] Cannot process remote image https://tilvids.com/lazy-static/thumbnails/UUID.jpg. { "err": { "stack": "RequestError: Bad response: 407\n at ClientRequest.<anonymous> (file:///app/node_modules/.pnpm/got@14.6.3/node_modules/got/dist/source/core/index.js:870:107)\n at Object.onceWrapper (node:events:639:26)\n at ClientRequest.emit (node:events:536:35)\n at emitErrorEvent (node:_http_client:101:11)\n at _destroy (node:_http_client:884:9)\n at onSocketNT (node:_http_client:904:5)\n at process.processTicksAndRejections (node:internal/process/task_queues:83:21)\n at ClientRequest.<anonymous> (file:///app/dist/core/helpers/hpagent.js:103:26)\n at Object.onceWrapper (node:events:639:26)\n at ClientRequest.emit (node:events:524:28)\n at TLSSocket.socketOnData (node:_http_client:584:11)\n at TLSSocket.emit (node:events:524:28)\n at addChunk (node:internal/streams/readable:561:12)\n at readableAddChunkPushByteMode (node:internal/streams/readable:512:3)\n at Readable.push (node:internal/streams/readable:392:5)\n at TLSWrap.onStreamRead (node:internal/stream_base_commons:191:23)", "message": "Bad response: 407" } } ``` I can confirm that the environment variables inside the container, `HTTP_PROXY` and `HTTPS_PROXY`, match what I set in the `.env` file. > The username is just a short all lowercase a-z single word, password is lower case, upper case and numbers ex. j5ghwEV4cydWDfXYoGl7BUdqeA3DDYEWkEoZ9ojD That is the same format for my HTTP proxy as well. Perhaps that's a common denominator? This is also being discussed at Framacolibri: https://framacolibri.org/t/http-proxies-are-unauthenticated-despite-correct-details/31221/4