Cannot fetch Rust/Cargo packages through intercepting proxy

Hey all, I am working in an enterprise environment where there is a TLS-intercepting proxy between the Nix build host and the internet. I wanted to build a Rust package with “buildRustPackage”, however I cannot get it to run through the proxy. On the host I tried to set every environment variable to the prepared cacert package instead of the default one:


However, everything seems to be ignored by buildRustPackage. Overriding cacert or even cargo via an overlay is not really an option for me, as it would mean a mass rebuild.
Has anyone managed to work around this or found a good solution such as overriding the rust environment only?

I opened an issue almost 1.5 years ago:

According to the note in nixpkgs/cargo.nix at a0dbe47318bbab7559ffbfa7c4872a517833409f · NixOS/nixpkgs · GitHub, nixpkgs sets CARGO_HTTP_CAINFO and SSL_CERT_FILE to cacert, but there is no obvious way to override this behavior.

Any help would be greatly appreciated!

I did something similar for fetchFromGitHub to add some root CAs.

First I needed to change some impureENVs (fetchgit: add support for netrc file through impure NIX_GIT_SSL_CAINF… · NixOS/nixpkgs@6f53c06 · GitHub), then I modified the nix-daemon.service and added the ENV to the right CAs, and then added them to the buildSandbox. You probably need to do something similar for Rust.


@Sandro good to know you found a real solution for GitHub. I’ve added a workaround for my issue in Unable to fetch Rust/Cargo dependencies through TLS-intercepting proxy · Issue #89526 · NixOS/nixpkgs · GitHub. Some “real” certificate support would be great for cargo though 🙂

EDIT: Any chance for some documentation on how to handle restrictive networks, proxies and TLS-intercepting proxies? Like which env vars to set, how to configure the nix-daemon, etc.? I saw stdenv also has support for "GIT_PROXY_COMMAND" and "SOCKS_SERVER", I never knew!
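
An added example, not code from this thread or from nixpkgs: a small POSIX shell check that reports which CA bundle `SSL_CERT_FILE` and `CARGO_HTTP_CAINFO` (the two variables named in the thread) point to in the current environment, and whether that bundle contains the intercepting proxy's CA. The function names and the proxy CA file argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Variable names come from the thread;
# the function names are hypothetical.
CA_VARS="SSL_CERT_FILE CARGO_HTTP_CAINFO"

# Print each certificate's base64 body on a single line.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inc = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inc) print body; inc = 0; next }
         inc { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# bundle_has_ca BUNDLE CA_PEM: succeed if the first cert in CA_PEM is in BUNDLE.
bundle_has_ca() {
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] && pem_bodies "$1" | grep -Fxq -- "$want"
}

# ca_var_status NAME: describe the bundle NAME points to; fail if unusable.
ca_var_status() {
    name=$1
    eval "path=\${$name-}"   # NAME only ever comes from CA_VARS above
    if [ -z "$path" ]; then echo "$name unset"; return 1; fi
    if [ ! -r "$path" ]; then echo "$name unreadable $path"; return 1; fi
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$path" || true)
    if [ "$count" -eq 0 ]; then echo "$name empty $path"; return 1; fi
    echo "$name ok $count $path"
}

# ca_report [PROXY_CA_PEM]: one status line per variable; non-zero if any
# variable is unusable or, when a CA file is given, lacks that CA.
ca_report() {
    rc=0
    for v in $CA_VARS; do
        ca_var_status "$v" || { rc=1; continue; }
        if [ -n "${1-}" ]; then
            eval "b=\${$v}"
            bundle_has_ca "$b" "$1" || { echo "$v lacks proxy CA"; rc=1; }
        fi
    done
    return $rc
}
```

Sourcing this and calling `ca_report` with the proxy CA's PEM file, once in the host shell and once from inside the build, shows whether the values set on the host are the ones the build actually sees.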