GNU Wget proxy configuration

Wget Via Proxy: Commands, Authentication and .wgetrc

Run Wget via proxy using session environment variables, command options, or a protected .wgetrc. These examples cover HTTP and HTTPS retrievals, authentication, bypass lists, testing, cleanup, and common proxy failures.

Quick answer: set http_proxy and https_proxy to the proxy URL, optionally set no_proxy, then run Wget normally. For a persistent user-level setup, add equivalent values to ~/.wgetrc and restrict the file if it contains credentials. Use explicit timeouts and a small test before downloading a large resource.

Use Wget through a proxy for one shell session

export http_proxy="http://proxy.example.net:8080"
export https_proxy="http://proxy.example.net:8080"
export no_proxy="localhost,127.0.0.1,.internal.example"

wget https://example.com/file.txt

The GNU Wget manual documents http_proxy, https_proxy, ftp_proxy, and no_proxy. The values are proxy URLs. The no_proxy value is a comma-separated list of hosts or domain suffixes that should connect directly.

Environment variables are convenient for a terminal, container, or CI job. They also affect every compatible child process in that environment, so unset them when the work is complete:

unset http_proxy https_proxy ftp_proxy no_proxy

Authenticate Wget to a proxy

For a controlled test, Wget supports proxy username/password options:

wget \
  --proxy-user="username" \
  --proxy-password="password" \
  https://example.com/file.txt

Do not place real secrets in documentation. Application code needs the same discipline; our PHP proxy authentication guide shows a safer configuration pattern. Command-line values can appear in shell history or process listings. In automation, load credentials from a protected secret source and prevent command echo. The GNU manual notes that Wget’s proxy authorization implements Basic authentication, so use an encrypted destination connection and a trusted proxy path where appropriate.

An authenticated proxy URL is also recognized:

export https_proxy="http://username:password@proxy.example.net:8080"
wget https://example.com/file.txt

This form is compact but easy to leak in environment dumps, history, logs, and diagnostics. Prefer separate protected configuration when possible.

Configure .wgetrc

For a persistent per-user setup, edit ~/.wgetrc:

use_proxy = on
http_proxy = http://proxy.example.net:8080
https_proxy = http://proxy.example.net:8080
no_proxy = localhost,127.0.0.1,.internal.example

proxy_user = username
proxy_password = password

If the file contains credentials, restrict access:

chmod 600 ~/.wgetrc

Do not commit .wgetrc to a repository or include it in a public system image. For shared servers, prefer a job-specific environment or a protected configuration owned by the service account.

Enable or disable proxy use explicitly

Wget can ignore configured proxies for a command:

wget --no-proxy https://example.com/file.txt

You can also set the startup option use_proxy = off. This is useful for a diagnostic comparison: run the same permitted URL directly and through the proxy, then compare DNS, connection time, response, and exit IP. For the equivalent workflow with richer timing and transport diagnostics, use our cURL proxy examples.

Add useful timeouts and retries

wget \
  --connect-timeout=10 \
  --read-timeout=30 \
  --timeout=30 \
  --tries=2 \
  https://example.com/file.txt

Use modest retry counts. Aggressive retries can multiply load and hide the original error. If the proxy or target is unavailable, capture one diagnostic attempt, classify it, and stop before a large job repeats the failure.

Verify that Wget uses the proxy

Download a public IP response to standard output:

wget -qO- https://api.ipify.org?format=json

Compare the result with the purchased endpoint and the IP Location Checker. Then run a small request against the real permitted target. A public IP check proves the route changed; it does not prove that the destination accepts the request.

HTTPS through an HTTP proxy

When https_proxy points to an HTTP proxy, Wget commonly asks the proxy to establish a tunnel to the HTTPS destination. TLS then protects the connection between Wget and the destination through that tunnel. The proxy still handles the connection and can see destination metadata. Do not disable certificate validation to make a proxy error disappear; fix trust, hostname, time, or interception issues instead.

Common Wget proxy problems

Wget ignores the proxy

Check variable names and scope, no_proxy, use_proxy, command overrides, and whether the environment reached the Wget process. Print only non-secret configuration.

407 Proxy Authentication Required

Confirm username/password, Basic-auth compatibility, source-IP authorization, and whether the credentials belong to the proxy rather than the destination.

Unable to resolve proxy host

Check spelling and DNS from the same shell. A destination DNS test does not prove the proxy hostname resolves.

Connection timed out

Confirm host, port, firewall, route, and endpoint status with the Proxy Tester. Compare direct and proxy response time.

Certificate error

Check the destination hostname, certificate chain, system clock, CA store, and whether the network uses authorized TLS inspection. Avoid --no-check-certificate as a permanent fix.

Wget proxy checklist

  • Use a complete proxy URL with the correct port.
  • Set both http_proxy and https_proxy when needed.
  • Define no_proxy narrowly.
  • Protect .wgetrc with mode 600 if it holds secrets.
  • Use small timeouts and limited retries for tests.
  • Verify the exit IP and the real target.
  • Unset session variables after the job.
  • Never publish credentials or diagnostic logs containing secrets.

Wget proxy FAQ

Which environment variables does Wget use?

Common variables are http_proxy, https_proxy, ftp_proxy, and no_proxy.

Can Wget store proxy settings permanently?

Yes. Add use_proxy and proxy URLs to ~/.wgetrc. Protect the file if it includes credentials.

How do I bypass the proxy for one command?

Use wget --no-proxy URL, or configure a matching no_proxy entry.

Why does Wget work directly but fail through the proxy?

Check endpoint reachability, authentication, protocol, tunnel/TLS behavior, DNS, and the target’s response to the proxy IP.

Start with a small Wget proxy test

Set the environment, verify the exit IP, download one permitted resource, and keep credentials out of logs. For command-line alternatives, see the cURL proxy guide, HTTP proxies, and SOCKS proxies.

Scroll to Top