[BUG] HEAD requests being denied by the github proxy in web code

Open 💬 0 comments Opened Jun 24, 2026 by rsJames-ttrpg

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

In a Claude Code cloud/web session with network egress set to "All domains" (full outbound access), buck2 cannot download any GitHub-hosted release archive. Every such fetch fails on the HTTP HEAD precheck:

Error performing http_head request: HTTP Client Error (401 Unauthorized)
when querying URI: https://github.com/.../releases/download/...

buck2's built-in http_archive / download_file rules issue an HTTP HEAD before the GET. GitHub release URLs 302-redirect to a presigned release-assets.githubusercontent.com URL signed for GET, not HEAD. In a cloud session that HEAD returns 401, even though:

  • the allowlist is wide open ("All domains"), and a plain GET of the same URL returns 200 in the same session, and
  • the identical buck2 build succeeds at setup time (root setup script, before the agent session, when the egress proxy is not in front).

So this is not a domain-allowlist problem — it is specific to the HEAD method against GitHub's signed asset URLs as they traverse the session egress path. Only GitHub-hosted archives are affected; non-GitHub downloads (e.g. the Rust toolchain dist from static.rust-lang.org, no
presign redirect) work fine in-session. This breaks any tool that HEAD-prechecks GitHub release assets (buck2 here; Bazel http_archive and others share the pattern).

What Should Happen?

In a cloud session with egress = "All domains", an HTTP HEAD to a GitHub release asset should behave the same as a direct (unproxied) connection, so tools that precheck with HEAD work. Concretely, buck2 build //tools:\<http-archive-based-tool\> should succeed in-session, matching setup-time behavior.

Error Messages/Logs

Error performing http_head request: HTTP Client Error (401 Unauthorized)
  when querying URI: https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>

  Isolating evidence (all in-session, through the egress proxy):

  $ curl -fsSL "https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>" -o /tmp/asset   # 200, downloads
  $ curl -sI   "https://github.com/<owner>/<repo>/releases/download/<tag>/<asset>"                  # 302 -> release-assets.githubusercontent.com/...?<sig>
  $ curl -sI   "https://release-assets.githubusercontent.com/.../<asset>?<signature>"               # 401  (HEAD on GET-signed URL)

  At setup time (proxy not in front) the same buck2 build logged BUILD SUCCEEDED, Network: Down 8.8MiB.

Steps to Reproduce

  1. Start a Claude Code cloud/web session with network egress = "All domains".
  2. In a buck2 repo with a GitHub-release http_archive target, run buck2 build //tools:\<http-archive-based-tool\>.
  3. Observe failure: Error performing http_head request: HTTP Client Error (401 Unauthorized) against the github.com/.../releases/download/... URL.
  4. Confirm egress isn't the cause: same session, curl -fsSL <same-release-url> → 200, while curl -sI <the 302-target release-assets URL> → 401.
  5. Confirm it's the proxy path: the identical buck2 build run in the setup script (before the agent session) succeeds.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.187

Platform

Other

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗