Proxies often require authentication to control access, apply usage policies, and protect network resources. The two most common auth modes are:
- IP allowlist (also called IP-based authentication)
- Username/password (credentials-based authentication)
This guide explains how each mode works, when to choose one over the other, and how to configure popular tools with practical examples.
How proxy authentication works (in brief)
- Client connects to the proxy at host:port.
- The proxy checks who you are:
- IP allowlist: it trusts your source IP.
- Username/password: it expects credentials (HTTP Proxy-Authorization header or SOCKS5 auth).
- After authentication, the proxy relays your request to the target site.
- HTTP: the proxy forwards the HTTP request.
- HTTPS: the client sends a CONNECT request; the TLS session is established end-to-end to the target site.
Authentication modes
IP allowlist (IP-based)
You register your public egress IP address with the proxy provider. Clients from that IP do not need to send credentials.
Benefits:
- Simple to operate; no secrets to store.
- Works with tools that cannot send proxy credentials.
- Minimizes risk of leaking credentials in logs.
Trade-offs:
- Requires stable, known egress IP(s).
- Not ideal for laptops on changing networks, mobile devices, or dynamic cloud egress.
- NAT or carrier-grade NAT can complicate identification.
Username/password
The client authenticates using credentials.
- HTTP/HTTPS proxies: the client sends a Proxy-Authorization header (commonly Basic auth).
- SOCKS5: the client negotiates username/password in the SOCKS5 handshake.
Benefits:
- Works from any network without pre-allowlisting IPs.
- Easy to rotate or revoke access per user/app.
- Often supports provider-specific options encoded in the username (for example, region or session hints).
Trade-offs:
- You must manage and protect secrets.
- Credentials can leak through URLs, command history, or logs if not handled carefully.
- Some environments require extra configuration to inject headers correctly.
Which mode should I choose?
Choose IP allowlist if:
- Your servers have static egress IPs.
- You want minimal configuration on clients.
- You need high-throughput automation with fewer moving parts.
Choose username/password if:
- Clients run from many networks (developers on laptops, CI, ephemeral cloud runners).
- You need per-user or per-application access control.
- Your IP changes frequently or you cannot control egress IP.
Tip: Some teams combine both. For example, use IP allowlist for production servers and credentials for developer or CI traffic.
Setup steps
Option A: Set up IP allowlist
- Find your current public egress IP:
- Linux/macOS:
curl -s https://api.ipify.org
- Windows PowerShell:
curl https://api.ipify.org
- Add that IP (or CIDR range) to your proxy provider's allowlist in the dashboard or via API.
- Wait for propagation (often immediate, sometimes a few minutes).
- Configure clients to use the proxy without credentials.
- Test with a simple request (examples below).
Option B: Set up username/password
- Create or obtain proxy credentials (username and password) from your provider.
- Store them securely (secret manager or environment variables; avoid committing to source control).
- Configure your client to send credentials to the proxy.
- Test with a simple request.
Examples
Replace the placeholder values below with your actual proxy host, port, username, and password.
cURL (HTTP/HTTPS)
curl -x http://proxy.example.com:3128 https://example.com
- Username/password (Basic over HTTP proxy):
curl -x http://user:pass@proxy.example.com:3128 https://example.com
- Verbose output for troubleshooting:
curl -v -x http://user:pass@proxy.example.com:3128 https://example.com
cURL (SOCKS5)
curl --socks5 proxy.example.com:1080 https://example.com
curl --socks5 user:pass@proxy.example.com:1080 https://example.com
Python (requests)
import requests
proxies = {
'http': 'http://proxy.example.com:3128',
'https': 'http://proxy.example.com:3128',
}
resp = requests.get('https://example.com', proxies=proxies, timeout=30)
print(resp.status_code)
import requests
proxies = {
'http': 'http://user:pass@proxy.example.com:3128',
'https': 'http://user:pass@proxy.example.com:3128',
}
resp = requests.get('https://example.com', proxies=proxies, timeout=30)
print(resp.status_code)
Node.js (axios + https-proxy-agent)
- IP allowlist or username/password (use a URL with or without credentials):
const axios = require('axios')
const { HttpsProxyAgent } = require('https-proxy-agent')
// Without credentials (IP allowlist)
// const proxyUrl = 'http://proxy.example.com:3128'
// With credentials
const proxyUrl = 'http://user:pass@proxy.example.com:3128'
const agent = new HttpsProxyAgent(proxyUrl)
axios.get('https://example.com', { httpsAgent: agent, proxy: false })
.then(res => console.log(res.status))
.catch(err => console.error(err.message))
Environment variables (system-wide)
export HTTP_PROXY=http://user:pass@proxy.example.com:3128
export HTTPS_PROXY=http://user:pass@proxy.example.com:3128
curl https://example.com
unset HTTP_PROXY HTTPS_PROXY
Browsers and GUI apps
- Configure the system proxy in your OS network settings (host and port). Browsers will prompt for credentials when needed.
- Avoid embedding credentials directly in URLs in a shared environment (for example, http://user:pass@host:port), as some tools will log or block these.
HTTPS and TLS considerations
- With an HTTP proxy, the Proxy-Authorization header is sent to the proxy before the CONNECT tunnel is established. If the proxy endpoint itself is plain HTTP, credentials traverse your network in cleartext to the proxy. Prefer a TLS-enabled proxy endpoint if your provider offers it.
- The proxy can see target hostnames and connection metadata, but cannot read HTTPS content inside the TLS tunnel.
- SOCKS5 supports username/password at the protocol level and does not use HTTP headers.
Rotating proxies and sticky sessions
Some providers let you encode options in the username, such as region or session affinity. Example (provider-specific):
curl -x http://user-session-123:pass@proxy.example.com:3128 https://example.com
Check your provider's documentation for supported parameters and formats.
Troubleshooting
- 407 Proxy Authentication Required
- For IP allowlist: your IP is not on the allowlist, or it changed.
- For credentials: username or password is wrong, or the client did not send Proxy-Authorization.
- 403 Forbidden
- You authenticated, but the proxy blocked the request (policy, plan limits, geo, or target restrictions).
- 401 Unauthorized from the target site
- This is not a proxy auth error; the destination site requires its own auth.
- Connection refused or timeout
- Wrong host/port, firewall blocking, or provider outage.
- DNS issues
- Ensure the client is sending a full URL for HTTP requests and using CONNECT for HTTPS. Try
curl -v to inspect the flow.
- Verify your egress IP
- Run
curl -x http://proxy.example.com:3128 https://api.ipify.org to see the IP as seen by the internet.
Tip: Be careful with curl -v or verbose logs; they can expose credentials if printed.
Security best practices
- Store credentials in a secret manager or environment variables; do not hard-code in source control.
- Avoid including credentials in URLs where they might end up in logs or browser history.
- Rotate credentials periodically and revoke unused accounts.
- Restrict by IP even when using credentials if your provider supports it (defense in depth).
- Grant the least privileges necessary for each user or application.
Quick checklist
- Decide on an auth mode (IP allowlist or username/password).
- Configure your provider and your clients.
- Test with a minimal request (curl is great for this).
- Monitor for 407/403 errors and adjust policies.
- Securely store and rotate any credentials you use.
