[BUG] HEAD requests being denied by the github proxy in web code
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
In a Claude Code cloud/web session with network egress set to "All domains" (full outbound access), buck2 cannot download any GitHub-hosted release archive. Every such fetch fails on the HTTP HEAD precheck:
Error performing http_head request: HTTP Client Error (401 Unauthorized)
when querying URI: https://github.com/.../releases/download/...
buck2's built-in http_archive / download_file rules issue an HTTP HEAD before the GET. GitHub release URLs 302-redirect to a presigned release-assets.githubusercontent.com URL signed for GET, not HEAD. In a cloud session that HEAD returns 401, even though:
- the allowlist is wide open ("All domains"), and a plain GET of the same URL returns 200 in the same session, and
- the identical buck2 build succeeds at setup time (root setup script, before the agent session, when the egress proxy is not in front).
So this is not a domain-allowlist problem — it is specific to the HEAD method against GitHub's signed asset URLs as they traverse the session egress path. Only GitHub-hosted archives are affected; non-GitHub downloads (e.g. the Rust toolchain dist from static.rust-lang.org, no
presign redirect) work fine in-session. This breaks any tool that HEAD-prechecks GitHub release assets (buck2 here; Bazel http_archive and others share the pattern).
What Should Happen?
In a cloud session with egress = "All domains", an HTTP HEAD to a GitHub release asset should behave the same as a direct (unproxied) connection, so tools that precheck with HEAD work. Concretely, buck2 build //tools:\<http-archive-based-tool\> should succeed in-session, matching setup-time behavior.
Error Messages/Logs
Error performing http_head request: HTTP Client Error (401 Unauthorized)
when querying URI: https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>
Isolating evidence (all in-session, through the egress proxy):
$ curl -fsSL "https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>" -o /tmp/asset # 200, downloads
$ curl -sI "https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>" # 302 -> release-assets.githubusercontent.com/...?<sig>
$ curl -sI "https://release-assets.githubusercontent.com/.../<asset>?<signature>" # 401 (HEAD on GET-signed URL)
At setup time (proxy not in front) the same buck2 build logged BUILD SUCCEEDED, Network: Down 8.8MiB.
Steps to Reproduce
- Start a Claude Code cloud/web session with network egress = "All domains".
- In a buck2 repo with a GitHub-release http_archive target, run buck2 build //tools:\<http-archive-based-tool\>.
- Observe failure: Error performing http_head request: HTTP Client Error (401 Unauthorized) against the github.com/.../releases/download/... URL.
- Confirm egress isn't the cause: same session, curl -fsSL <same-release-url> → 200, while curl -sI <the 302-target release-assets URL> → 401.
- Confirm it's the proxy path: the identical buck2 build run in the setup script (before the agent session) succeeds.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.187
Platform
Other
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
_No response_