graphDB User/PW proxy settings lead to statuscode 407

Question

I'm trying to run following SPARQL-query on my local graphDB-Instance (GraphDB Free 9.4.1 on Windows).

PREFIX wd: <http://www.wikidata.org/entity/>
PREFIX wdt: <http://www.wikidata.org/prop/direct/> 
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
SELECT * WHERE {
    SERVICE <https://query.wikidata.org/sparql> {
        ?subj wdt:P31 wd:Q744913 ;
            wdt:P625 ?coord ;
            rdfs:label ?label
        FILTER (lang(?label) = "en")
    }
}

The query works without a problem on my personal computer. But within my companies network, it doesn't, because we have a proxy.

I checked my proxy settings with a RDF4J-Java programm and they work perfectly fine.

[...]
System.setProperty("https.proxyHost", "<company_proxy>");
System.setProperty("https.proxyPort", "<company_proxy_port>");
System.setProperty("https.nonProxyHost", "localhost|127.0.0.1|<company_list>");
System.setProperty("https.proxyUser", "<user>");      
System.setProperty("https.proxyPassword", "<password>");  
[...]

I tried to set the same settings for GraphDB with different approaches

• via the UI
• via the C:\Users\XXXX\AppData\Local\GraphDB Free\runtime\conf\net configuration-file
• via the C:\Users\XXXX\AppData\Roaming\GraphDB\conf\proxy.properties configuration-file
• via the C:\Users\XXXX\AppData\Local\GraphDB Free\app\ configuration-file

All do something to the configuration, meaning I now see an error message and don't have a connection timeout anymore. Since I validated the settings with RDF4J I am guessing the problem is how I apply the configuration or there is a problem with parsing the configuration.

Edit: I get an statuscode 407, Proxy Authentication Required. I'm guessing, that graphDB doesn't accept the properties https.proxyUser and https.proxyPassword.

Did anybody had the same issue and has a solution? Or how could I debug this problem further?

ps. my password contains the '!' character. might this be the problem? I tried every escape mechanism i could think of (!, ^!, ^^!, all in "") but neither did work.

Edit 2.0: The guys from ontotext found a bug and it was fixed with the release 9.5.0-TR14. The proxy-configuration mentioned in this questions works now.

Answer 1

To closest possible scenario to simulate the issue with your proxy server was:

1. Download and install mitmproxy server
2. Trust the mitmproxy's certificate for all Java programs so GraphDB can use HTTPS connections to the proxy

# ~/.mitmproxy/mitmproxy-ca-cert.cer is the certificate shipped with the proxy
sudo keytool -importcert -file ~/.mitmproxy/mitmproxy-ca-cert.cer -alias mitmproxy -keystore $JAVA_HOME/jre/lib/security/cacerts

3. Start the proxy server with username and password

# The proxy will require username and password
mitmproxy --set proxyauth=testUser:testPassword  

4. Start GraphDB and point it to the local mitmproxy server:

# Point the Apache HTTP Client to use the mitmproxy
./graphdb -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8080 -Dhttps.proxyUser=testUser -Dhttps.proxyPassword=testPassword

At this point, I was able to reproduce the HTTP 407 error, where the HTTPS client of GraphDB fails to negotiate the authenticating process with the proxy server. The same process works fine for the HTTP protocol, so this is how I have reached a workaround, which overcomes this glitch by specifying both the https.proxyUser and its http.proxyUser equivalent. The example works fine with your query and the mitmproxy server:

# Setup not only HTTPS but also HTTP connection
/graphdb -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8080 -Dhttps.proxyUser=testUser -Dhttps.proxyPassword=testPassword -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8080 -Dhttp.proxyUser=testUser -Dhttp.proxyPassword=testPassword

Answer 2

What you can try doing is setting up the 'graphdb.workbench.external-url' parameter to whatever URL/subpath your instance should reside at. This parameter is used for rewriting incoming requests and can help with API calls.