Cannot fetch Rust/Cargo packages through intercepting proxy

Hey all, i am working in an enterprise environment where there is an tls intercepting proxy between the nix build host and the internet. I wanted to build a rust package with “buildRustPackage”, however i cannot get it to run through the proxy. On the host i tried to set every Environment variable to the prepared cacert package instead of the default one:


however everything seems to be ignored by buildRustPackage . Overriding cacert or even cargo via an overlay is not really an option for me as it would mean a mass rebuild.
Has anyone managed to work around this or found a good solution such as overriding the rust environment only?

I opened an issue almost 1.5 years ago:

According to the note in nixpkgs sets CARGO_HTTP_CAINFO and SSL_CERT_FILE to cacert but there is no obvious way to override this behavior

Any help would be greatly appreciated!

I did something similar for fetchFromGitHub to add some root CAs.

First I needed to change some impureENVs, then I modified the nix-daemon.service and added the ENV to the right CAs and then added them to the buildSandbox. You probably need to do something similar for rust.

1 Like

@Sandro good to know you found a real solution for github. I’ve added a workaround for my issue in Unable to fetch Rust/Cargo dependencies through TLS-intercepting proxy · Issue #89526 · NixOS/nixpkgs · GitHub . Some “real” certificate support would be great for cargo though :slight_smile:

EDIT: any chance for some documentation on how to handle restrictive networks, proxies and TLS intercepting proxies? Like which env vars to set, how to configure the nix-daemon, etc? I saw stdenv also has support for "GIT_PROXY_COMMAND" and "SOCKS_SERVER", i never knew!

@Sandro How did you make the fetcher read the cert? I’m trying to do something similiar in fetchCargoTarball but it seems that in the sandbox the fetcher can’t access anything. Could you please give me some hints? Thanks!

Probably that specific fetcher needs some adjustment.

Do you mean that the snadbox can be bypassed somehow?

No, I mean that this fetcher is probably missing options to add the extra certificates or the tool is using it’s own ssl store and we need to add some flag to it. But I don’t know for sure because I didn’t look into it.

I can’t access the path I passed to the fetcher. Anyway, I’ll open an MR when I finish it and you may be interested in reviewing it. :wink: