GNU Wget proxy configuration
Wget Via Proxy: Commands, Authentication and .wgetrc
Run Wget via proxy using session environment variables, command options, or a protected .wgetrc. These examples cover HTTP and HTTPS retrievals, authentication, bypass lists, testing, cleanup, and common proxy failures.
Quick answer: set http_proxy and https_proxy to the proxy URL, optionally set no_proxy, then run Wget normally. For a persistent user-level setup, add equivalent values to ~/.wgetrc and restrict the file if it contains credentials. Use explicit timeouts and a small test before downloading a large resource.
Use Wget through a proxy for one shell session
export http_proxy="http://proxy.example.net:8080"
export https_proxy="http://proxy.example.net:8080"
export no_proxy="localhost,127.0.0.1,.internal.example"
wget https://example.com/file.txt
The GNU Wget manual documents http_proxy, https_proxy, ftp_proxy, and no_proxy. The values are proxy URLs. The no_proxy value is a comma-separated list of hosts or domain suffixes that should connect directly.
Environment variables are convenient for a terminal, container, or CI job. They also affect every compatible child process in that environment, so unset them when the work is complete:
unset http_proxy https_proxy ftp_proxy no_proxy
Authenticate Wget to a proxy
For a controlled test, Wget supports proxy username/password options:
wget \
--proxy-user="username" \
--proxy-password="password" \
https://example.com/file.txt
Do not place real secrets in documentation. Application code needs the same discipline; our PHP proxy authentication guide shows a safer configuration pattern. Command-line values can appear in shell history or process listings. In automation, load credentials from a protected secret source and prevent command echo. The GNU manual notes that Wget’s proxy authorization implements Basic authentication, so use an encrypted destination connection and a trusted proxy path where appropriate.
An authenticated proxy URL is also recognized:
export https_proxy="http://username:password@proxy.example.net:8080"
wget https://example.com/file.txt
This form is compact but easy to leak in environment dumps, history, logs, and diagnostics. Prefer separate protected configuration when possible.
Configure .wgetrc
For a persistent per-user setup, edit ~/.wgetrc:
use_proxy = on
http_proxy = http://proxy.example.net:8080
https_proxy = http://proxy.example.net:8080
no_proxy = localhost,127.0.0.1,.internal.example
proxy_user = username
proxy_password = password
If the file contains credentials, restrict access:
chmod 600 ~/.wgetrc
Do not commit .wgetrc to a repository or include it in a public system image. For shared servers, prefer a job-specific environment or a protected configuration owned by the service account.
Enable or disable proxy use explicitly
Wget can ignore configured proxies for a command:
wget --no-proxy https://example.com/file.txt
You can also set the startup option use_proxy = off. This is useful for a diagnostic comparison: run the same permitted URL directly and through the proxy, then compare DNS, connection time, response, and exit IP. For the equivalent workflow with richer timing and transport diagnostics, use our cURL proxy examples.
Add useful timeouts and retries
wget \
--connect-timeout=10 \
--read-timeout=30 \
--timeout=30 \
--tries=2 \
https://example.com/file.txt
Use modest retry counts. Aggressive retries can multiply load and hide the original error. If the proxy or target is unavailable, capture one diagnostic attempt, classify it, and stop before a large job repeats the failure.
Verify that Wget uses the proxy
Download a public IP response to standard output:
wget -qO- https://api.ipify.org?format=json
Compare the result with the purchased endpoint and the IP Location Checker. Then run a small request against the real permitted target. A public IP check proves the route changed; it does not prove that the destination accepts the request.
HTTPS through an HTTP proxy
When https_proxy points to an HTTP proxy, Wget commonly asks the proxy to establish a tunnel to the HTTPS destination. TLS then protects the connection between Wget and the destination through that tunnel. The proxy still handles the connection and can see destination metadata. Do not disable certificate validation to make a proxy error disappear; fix trust, hostname, time, or interception issues instead.
Common Wget proxy problems
Wget ignores the proxy
Check variable names and scope, no_proxy, use_proxy, command overrides, and whether the environment reached the Wget process. Print only non-secret configuration.
407 Proxy Authentication Required
Confirm username/password, Basic-auth compatibility, source-IP authorization, and whether the credentials belong to the proxy rather than the destination.
Unable to resolve proxy host
Check spelling and DNS from the same shell. A destination DNS test does not prove the proxy hostname resolves.
Connection timed out
Confirm host, port, firewall, route, and endpoint status with the Proxy Tester. Compare direct and proxy response time.
Certificate error
Check the destination hostname, certificate chain, system clock, CA store, and whether the network uses authorized TLS inspection. Avoid --no-check-certificate as a permanent fix.
Wget proxy checklist
- Use a complete proxy URL with the correct port.
- Set both
http_proxyandhttps_proxywhen needed. - Define
no_proxynarrowly. - Protect
.wgetrcwith mode 600 if it holds secrets. - Use small timeouts and limited retries for tests.
- Verify the exit IP and the real target.
- Unset session variables after the job.
- Never publish credentials or diagnostic logs containing secrets.
Wget proxy FAQ
Which environment variables does Wget use?
Common variables are http_proxy, https_proxy, ftp_proxy, and no_proxy.
Can Wget store proxy settings permanently?
Yes. Add use_proxy and proxy URLs to ~/.wgetrc. Protect the file if it includes credentials.
How do I bypass the proxy for one command?
Use wget --no-proxy URL, or configure a matching no_proxy entry.
Why does Wget work directly but fail through the proxy?
Check endpoint reachability, authentication, protocol, tunnel/TLS behavior, DNS, and the target’s response to the proxy IP.
Start with a small Wget proxy test
Set the environment, verify the exit IP, download one permitted resource, and keep credentials out of logs. For command-line alternatives, see the cURL proxy guide, HTTP proxies, and SOCKS proxies.


