Explain Codes LogoExplain Codes Logo

Using pip behind a proxy with CNTLM

python
proxy-engineering
pip
environment-variables
Nikita BarsukovbyNikita Barsukov·Mar 9, 2025
TLDR

Here's a quick setup for pip with a CNTLM proxy:

Unix Shell:

# Because "echo" doesn't install packages
export http_proxy=http://127.0.0.1:3128 https_proxy=http://127.0.0.1:3128
pip install package-name

Windows CMD:

:: Because who needs quote marks anyway?
set http_proxy=http://127.0.0.1:3128 && set https_proxy=http://127.0.0.1:3128 && pip install package-name

Replace 127.0.0.1:3128 with your CNTLM proxy's IP and port. This rides pip through CNTLM, enabling package installations behind your proxy.

Setting up CNTLM and pip

Configuring CNTLM

Before crossing the pip bridge, ensure that your CNTLM troll is awake and on duty. Update your cntlm.ini with domain, username, and password hashes. Verify the settings via cntlm -I -M http://google.com on Unix or cntlm.exe -c cntlm.ini -I -M http://google.com on Windows.

Safeguarding credentials

Passwords are like underwear; keep them secure and avoid showcasing them in public. Generate hashes for your cntlm.ini via cntlm -H. If your organization requires, work the corporate root certificate into pip's cacert.pem.

Mastering environment variables

The environment variables http_proxy and https_proxy will be your strongest cards against pip's --proxy option. And remember, https:// is the safest ride. Using sudo? Go with sudo -E for a seamless package installation.

Fine-tunning pip configurations

If you're a frequent player, consider having pip remember your proxy. Include in pip.conf (Unix) or pip.ini (Windows):

[global]
proxy = http://127.0.0.1:3128

Adjust the address and port to your CNTLM.

Resolving connection errors

If you're seeing "Connection to proxy failed", it's time to revisit your cntlm.ini. Having SSL issues? Zap in your organization's root certificate into cacert.pem.

Updating packages with a proxy

For a package refresh, use pip install -U package-name. Have your proxy configurations ready before running this command.

Alternatives to CNTLM

Faced with a CNTLM hiccup? Refer to alternative setups, like using .netrc or searching for comprehensive Windows and Ubuntu/Linux setup tutorials.

Pro tips and tricks

Say no to plaintext credentials

Hashed credentials are your best friends and your foes' worst enemies. Keep them in your secured fortress of configuration files.

Appropriate use of proxy notations

Be meticulous with your proxy URI syntax. A small error can lead down a rabbit hole of debugging.

Remember to test

Don't wait for a flaming wreck. Conduct routine tests on your CNTLM configuration.

Keep pip updated

Make sure pip is on its best behavior by regularly updating it using -U.

Different proxies for different virtual environments

Running multiple projects? Be sure to configure your proxy in every virtual environment.

explain-codes / Python / Using pip behind a proxy with CNTLM
Linked

Pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"

Pip install from git repo branch

Certificate verify failed: unable to get local issuer certificate

Insecureplatformwarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately

How to install Python package from GitHub?

How do I disable the security certificate check in Python requests

Importerror: No module named Crypto.Cipher

Setting up CNTLM and pipPro tips and tricks
Linked

Pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"

Pip install from git repo branch

Certificate verify failed: unable to get local issuer certificate

Insecureplatformwarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately

How to install Python package from GitHub?

How do I disable the security certificate check in Python requests

Importerror: No module named Crypto.Cipher