[BUG] claude code web sandbox: .NET NuGet Package Restore Fails Due to Proxy Authentication
Resolved 💬 3 comments Opened Nov 21, 2025 by howardalt Closed Nov 25, 2025
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
.NET SDK (dotnet restore) cannot download NuGet packages in Claude Code environments due to incompatibility with the JWT-authenticated proxy. This blocks the core development workflow of write → compile → test for .NET projects.
What Should Happen?
Should be able to build .NET 8 projects and run dotnet test (at least)
Error Messages/Logs
Here's the entire bug report that claude generated:
# Bug Report: .NET NuGet Package Restore Fails Due to Proxy Authentication
## Summary
.NET SDK (`dotnet restore`) cannot download NuGet packages in Claude Code environments due to incompatibility with the JWT-authenticated proxy. This blocks the core development workflow of write → compile → test for .NET projects.
## Environment
- **Claude Code Environment**: Web-based container
- **OS**: Ubuntu 24.04.3 LTS (Linux 4.4.0)
- **.NET SDK**: 8.0.416 (manually installed via dotnet-install.sh)
- **Architecture**: x86_64
- **Session**: claude/fix-dotnet8-build-01HesGuT52SVUEJ6KY21H1nA
Claude Code version: 2.0.34
Model: Claude Sonnet 4.5 (claude-sonnet-4-5-20250929)
Environment: Ubuntu 24.04.3 LTS
.NET SDK: 8.0.416
## Issue Description
While `curl` and `wget` successfully download content from nuget.org through the environment's proxy, .NET's `HttpClient` (used by NuGet) fails with `401 Unauthorized`. This prevents `dotnet restore` from downloading packages, making .NET development impossible.
## Steps to Reproduce
### 1. Install .NET SDK
wget https://dot.net/v1/dotnet-install.sh -O /tmp/dotnet-install.sh
chmod +x /tmp/dotnet-install.sh
/tmp/dotnet-install.sh --channel 8.0 --install-dir ~/.dotnet
export PATH="$HOME/.dotnet:$PATH"
dotnet --version # Confirms: 8.0.416
### 2. Verify curl works
curl -I https://api.nuget.org/v3/index.json
# Returns: HTTP/1.1 200 OK ✓
### 3. Attempt NuGet restore
# Create test project
mkdir /tmp/TestProject
cd /tmp/TestProject
cat > TestProject.csproj << 'EOF'
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="xunit" Version="2.9.0" />
</ItemGroup>
</Project>
EOF
dotnet restore
# FAILS with: error NU1301: Unable to load the service index for source https://api.nuget.org/v3/index.json
### 4. Test .NET HttpClient directly
// /tmp/ProxyTest/Program.cs
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
class Program
{
static async Task Main()
{
var proxyUrl = Environment.GetEnvironmentVariable("HTTP_PROXY");
var uri = new Uri(proxyUrl!);
var proxyAddress = $"{uri.Scheme}://{uri.Host}:{uri.Port}";
var proxy = new WebProxy(proxyAddress);
if (!string.IsNullOrEmpty(uri.UserInfo))
{
var parts = uri.UserInfo.Split(':', 2);
proxy.Credentials = new NetworkCredential(parts[0], parts.Length > 1 ? parts[1] : "");
}
var handler = new HttpClientHandler { Proxy = proxy, UseProxy = true };
using var client = new HttpClient(handler);
var response = await client.GetAsync("https://api.nuget.org/v3/index.json");
Console.WriteLine($"Status: {response.StatusCode}");
}
}
Result:
Error: The proxy tunnel request to proxy 'http://21.0.0.27:15004/' failed with status code '401'.
## Expected Behavior
`dotnet restore` should successfully download NuGet packages from nuget.org, just as `curl` and `wget` do.
## Actual Behavior
- **curl/wget**: ✓ Successfully connects through proxy
- **.NET HttpClient**: ✗ Returns 401 Unauthorized
- **NuGet restore**: ✗ Fails with NU1301 error
## Root Cause Analysis
The environment uses a custom proxy with JWT-based authentication:
HTTP_PROXY=http://container_name:jwt_TOKEN@21.0.0.99:15004
**Why curl works:**
- curl natively handles `username:password@host` proxy authentication
- Automatically includes proxy credentials in headers
**Why .NET fails:**
- .NET's HttpClient doesn't properly parse JWT from the username portion
- Sends invalid proxy authentication headers
- Proxy returns 401 Unauthorized
**Additional findings:**
- Without proxy, DNS resolution fails (requires proxy for all network access)
- Setting `NO_PROXY=*` doesn't help (no direct internet access)
- Tested with:
- Environment variables (`HTTP_PROXY`, `https_proxy`)
- NuGet.Config proxy settings
- Explicit `WebProxy` with `NetworkCredential`
- `PreAuthenticate = true`
- HTTP vs HTTPS requests
- All result in 401
## Impact
**Severity: High** - Blocks entire .NET development workflow
This prevents:
- ✗ Building .NET projects (missing dependencies)
- ✗ Running tests
- ✗ Installing new packages
- ✗ Verifying code compiles
The core promise of "write → compile → test" is broken for .NET developers.
## Workarounds (all inadequate)
1. **Manually download with curl** - Not scalable for 50+ packages with transitive dependencies
2. **Pre-cache packages** - Requires external environment, defeats purpose
3. **Use Azure DevOps for builds** - Requires pushing, loses local verification
4. **Static analysis only** - Cannot verify compilation
## Proposed Solutions
### Option A: Fix proxy authentication for .NET
Configure the proxy to accept .NET's HttpClient authentication format, or create a proxy compatibility layer.
### Option B: Pre-populate NuGet cache
For common .NET SDKs, pre-download and cache packages in container images:
# In container setup
dotnet restore /path/to/common-packages.csproj
# Cache persists in ~/.nuget/packages/
### Option C: Provide alternative package source
Set up an internal NuGet feed that doesn't require the problematic proxy authentication.
### Option D: Document limitation
If unfixable, document that .NET development requires pre-cached packages or external CI/CD.
## Reproducibility
**100%** - Occurs every time NuGet attempts to download packages
## Related Information
- GitHub issues URL: https://github.com/anthropics/claude-code/issues
- Similar proxy issues likely affect other ecosystems using HttpClient-based package managers
- Python pip with HTTPS may have similar issues (not tested)
## Test Files
The following test files can reproduce the issue:
**TestProject.csproj** (minimal .NET project)
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="xunit" Version="2.9.0" />
</ItemGroup>
</Project>
**ProxyTest Program.cs** (HttpClient test)
// See code in "Test .NET HttpClient directly" section above
## Additional Context
- .NET 8 SDK installs successfully
- Simple programs without external dependencies compile and run fine
- The proxy JWT token format: `container_id:jwt_eyJ...`
- Proxy endpoint: `21.0.0.27:15004` or `21.0.0.99:15004`
## Request
Please prioritize fixing proxy authentication compatibility for .NET HttpClient, as this is a critical blocker for .NET development in Claude Code environments.
Steps to Reproduce
Steps to Reproduce
1. Install .NET SDK
wget https://dot.net/v1/dotnet-install.sh -O /tmp/dotnet-install.sh
chmod +x /tmp/dotnet-install.sh
/tmp/dotnet-install.sh --channel 8.0 --install-dir ~/.dotnet
export PATH="$HOME/.dotnet:$PATH"
dotnet --version # Confirms: 8.0.416
2. Verify curl works
curl -I https://api.nuget.org/v3/index.json
# Returns: HTTP/1.1 200 OK ✓
3. Attempt NuGet restore
# Create test project
mkdir /tmp/TestProject
cd /tmp/TestProject
cat > TestProject.csproj << 'EOF'
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="xunit" Version="2.9.0" />
</ItemGroup>
</Project>
EOF
dotnet restore
# FAILS with: error NU1301: Unable to load the service index for source https://api.nuget.org/v3/index.json
4. Test .NET HttpClient directly
// /tmp/ProxyTest/Program.cs
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
class Program
{
static async Task Main()
{
var proxyUrl = Environment.GetEnvironmentVariable("HTTP_PROXY");
var uri = new Uri(proxyUrl!);
var proxyAddress = $"{uri.Scheme}://{uri.Host}:{uri.Port}";
var proxy = new WebProxy(proxyAddress);
if (!string.IsNullOrEmpty(uri.UserInfo))
{
var parts = uri.UserInfo.Split(':', 2);
proxy.Credentials = new NetworkCredential(parts[0], parts.Length > 1 ? parts[1] : "");
}
var handler = new HttpClientHandler { Proxy = proxy, UseProxy = true };
using var client = new HttpClient(handler);
var response = await client.GetAsync("https://api.nuget.org/v3/index.json");
Console.WriteLine($"Status: {response.StatusCode}");
}
}
Result:
Error: The proxy tunnel request to proxy 'http://21.0.0.27:15004/' failed with status code '401'.
Expected Behavior
dotnet restore should successfully download NuGet packages from nuget.org, just as curl and wget do.
Actual Behavior
- curl/wget: ✓ Successfully connects through proxy
- .NET HttpClient: ✗ Returns 401 Unauthorized
- NuGet restore: ✗ Fails with NU1301 error
Root Cause Analysis
The environment uses a custom proxy with JWT-based authentication:
HTTP_PROXY=http://container_name:jwt_TOKEN@21.0.0.99:15004
Why curl works:
- curl natively handles
username:password@hostproxy authentication - Automatically includes proxy credentials in headers
Why .NET fails:
- .NET's HttpClient doesn't properly parse JWT from the username portion
- Sends invalid proxy authentication headers
- Proxy returns 401 Unauthorized
Additional findings:
- Without proxy, DNS resolution fails (requires proxy for all network access)
- Setting
NO_PROXY=*doesn't help (no direct internet access) - Tested with:
- Environment variables (
HTTP_PROXY,https_proxy) - NuGet.Config proxy settings
- Explicit
WebProxywithNetworkCredential PreAuthenticate = true- HTTP vs HTTPS requests
- All result in 401
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
v2.0.34
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗