Investigate proxy issue preventing gradle wrapper url validation

[yeikel]

Code improvement description

We currently disable Gradle Wrapper distribution URL validation (--no-validate-url) as a workaround because the wrapper task’s URL validation fails when running behind Dependabot’s proxy.

https://github.com/dependabot/dependabot-core/blob/e7b8811f3496ae5e4d741dd246aab721884228b4/gradle/lib/dependabot/gradle/file_updater/wrapper_updater.rb#L126

Context / Background
When the Gradle wrapper task runs, Gradle validates the configured distribution URL by issuing a HEAD request, for example:

HEAD https://services.gradle.org/distributions/gradle-9.3.0-bin.zip

This head request then redirects to GitHub and ultimately fails with

WARN: Cannot read TLS response from mitm'd server tls: first record does not look like a TLS handshake

Logs

proxy | 2026/01/28 13:48:55 [025] HEAD https://services.gradle.org:443/distributions/gradle-9.3.0-bin.zip
proxy | 2026/01/28 13:48:55 [025] 307 https://services.gradle.org:443/distributions/gradle-9.3.0-bin.zip
proxy | 2026/01/28 13:48:55 [027] HEAD https://github.com:443/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip
proxy | 2026/01/28 13:48:55 [027] * authenticating git server request (host: github.com)
proxy | 2026/01/28 13:48:55 [027] 302 https://github.com:443/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip
proxy | 2026/01/28 13:48:55 [029] HEAD https://objects.githubusercontent.com:443/github-production-release-asset-2e65be/696192900/b5669ad6-764c-4b3a-a4eb-d6e13f57ec47?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20260128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260128T134856Z&X-Amz-Expires=1800&X-Amz-Signature=63661c31353f570bf663e5fcab68ebc77bb23b0b7ff5c9f390ef8b559a1d23ac&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dgradle-9.3.0-bin.zip&response-content-type=application%2Foctet-stream
proxy | 2026/01/28 13:48:55 [029] WARN: Cannot read TLS response from mitm'd server tls: first record does not look like a TLS handshake
proxy | 2026/01/28 13:48:55 [031] HEAD https://objects.githubusercontent.com:443/github-production-release-asset-2e65be/696192900/b5669ad6-764c-4b3a-a4eb-d6e13f57ec47?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20260128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260128T134856Z&X-Amz-Expires=1800&X-Amz-Signature=63661c31353f570bf663e5fcab68ebc77bb23b0b7ff5c9f390ef8b559a1d23ac&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dgradle-9.3.0-bin.zip&response-content-type=application%2Foctet-stream
proxy | 2026/01/28 13:48:55 [031] WARN: Cannot read TLS response from mitm'd server tls: first record does not look like a TLS handshake

To keep updates working, we pass --no-validate-url and set validateDistributionUrl=false, which skips the distribution URL validation step.

This workaround only seems necessary due to a proxy-related issue. When running without the Dependabot proxy (for example, through my own proxy), the validation works as expected.

[yeikel]

@JamieMagee I noticed that the proxy server is now open source 🚀

Do you have the ability to move this issue over that repo? (transfer?)

I'll definitely take a closer look now that this is open source

[JamieMagee]

Haha, nothing gets past you! It's been open source for all of 30 minutes 😄 The announcement is coming tomorrow.

I'll transfer this issue there now and take a look through the other issues in dependabot-core for candidates to move.

[yeikel]

Haha, nothing gets past you! It's been open source for all of 30 minutes 😄

I follow you on GitHub and spotted the activity 😅

[yeikel]

Well, the good news is that I was able to reproduce the problem running the proxy directly. It is still unclear what the issue is

2026/02/02 21:55:46 [026] 302 https://github.com:443/gradle/gradle-distributions/releases/download/v9.3.1/gradle-9.3.1-bin.zip
2026/02/02 21:55:46 [029] HEAD https://objects.githubusercontent.com:443/github-production-release-asset-2e65be/696192900/2325dbaf-a499-464d-a105-a1654b028ea5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20260203%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260203T025545Z&X-Amz-Expires=1800&X-Amz-Signature=88b663d6e5f10207dea4562159045c198784a86ef9e4b43b9b2869c6ce9e8384&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dgradle-9.3.1-bin.zip&response-content-type=application%2Foctet-stream
2026/02/02 21:55:46 [029] 401 https://objects.githubusercontent.com:443/github-production-release-asset-2e65be/696192900/2325dbaf-a499-464d-a105-a1654b028ea5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20260203%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260203T025545Z&X-Amz-Expires=1800&X-Amz-Signature=88b663d6e5f10207dea4562159045c198784a86ef9e4b43b9b2869c6ce9e8384&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dgradle-9.3.1-bin.zip&response-content-type=application%2Foctet-stream
2026/02/03 02:55:53 Skipping sending metrics because api endpoint is empty

[yeikel]

The issue seems to be because:

1. When a client sends a HEAD request to https://github.com:443/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip, the proxy detects the github.com host and injects the git credentials using basic auth:

proxy/internal/handlers/git_server.go

Lines 264 to 268 in b4a5089

	if _, pw, ok := req.BasicAuth(); ok && pw != "" {
	return req, nil
	}
	creds := getCredentialsForRequest(req, h.credentials, gitExtractOrgAndRepo)

2. This results in a request with basic auth, and the GitHub API appears to respond differently if auth is presented(even if it is valid or if the destination is public and does not need auth)

For example:

• HEAD request without auth: https://github.com:443/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip → Redirects to https://release-assets.githubusercontent.com/github-production-release-asset..., which resolves correctly.
• HEAD request with a PAT: Same URL → Redirects to https://objects.githubusercontent.com/…, which doesn’t resolve and consistently returns a 401.

This seems to be a very specific GitHub implementation detail that I am not familiar with yet, and it’s unclear how to work around it. Disabling auth in the snippet above “fixes” the issue, but of course, that would break cases where the proxy needs authentication to download an artifact.

I plan to try reproducing and testing how this behaves when there is a need to pass auth to download an artifact. Sharing the findings early in case anyone has encountered this behavior before.

Relevant logs:

Before(it contains the auth)

2026/02/03 00:34:21 [002] HEAD https://services.gradle.org:443/distributions/gradle-9.2.0-bin.zip
2026/02/03 00:34:21 [002] 307 https://services.gradle.org:443/distributions/gradle-9.2.0-bin.zip
2026/02/03 00:34:21 [005] HEAD https://github.com:443/gradle/gradle-distributions/releases/download/v9.2.0/gradle-9.2.0-bin.zip
2026/02/03 00:34:21 [005] * authenticating git server request (host: github.com)
2026/02/03 00:34:21 [005] 302 https://github.com:443/gradle/gradle-distributions/releases/download/v9.2.0/gradle-9.2.0-bin.zip
2026/02/03 00:34:21 [008] HEAD https://objects.githubusercontent.com:443/github-production-release-asset-2e65be/696192900/59c24fc6-8617-4334-917a-58d539c557d3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20260203%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260203T053421Z&X-Amz-Expires=1800&X-Amz-Signature=0961aab464556bf7917368ab9a462a6f67c6ac55d23dfdb8813d105d386ebb5d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dgradle-9.2.0-bin.zip&response-content-type=application%2Foctet-stream
2026/02/03 00:34:22 [008] 401 https://objects.githubusercontent.com:443/github-production-release-asset-2e65be/696192900/59c24fc6-8617-4334-917a-58d539c557d3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20260203%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260203T053421Z&X-Amz-Expires=1800&X-Amz-Signature=0961aab464556bf7917368ab9a462a6f67c6ac55d23dfdb8813d105d386ebb5d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dgradle-9.2.0-bin.zip&response-content-type=application%2Foctet-stream

After(disabling auth for the host)

2026/02/03 00:31:51 Listening (:1080)
2026/02/03 00:32:00 [002] HEAD https://services.gradle.org:443/distributions/gradle-9.2.0-bin.zip
2026/02/03 00:32:00 [002] 307 https://services.gradle.org:443/distributions/gradle-9.2.0-bin.zip
2026/02/03 00:32:00 [005] HEAD https://github.com:443/gradle/gradle-distributions/releases/download/v9.2.0/gradle-9.2.0-bin.zip
2026/02/03 00:32:00 [005] 302 https://github.com:443/gradle/gradle-distributions/releases/download/v9.2.0/gradle-9.2.0-bin.zip
2026/02/03 00:32:01 [008] HEAD https://release-assets.githubusercontent.com:443/github-production-release-asset/696192900/59c24fc6-8617-4334-917a-58d539c557d3?sp=r&sv=2018-11-09&sr=b&spr=https&se=2026-02-03T06%3A21%3A29Z&rscd=attachment%3B+filename%3Dgradle-9.2.0-bin.zip&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2026-02-03T05%3A21%3A07Z&ske=2026-02-03T06%3A21%3A29Z&sks=b&skv=2018-11-09&sig=NoB3w7bS5k%2BkYBIBADS%2Bz%2FHq6kXbJ58%2B5pYCrkeLMhs%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc3MDEwMDIxMywibmJmIjoxNzcwMDk2NjEzLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.9YoIIaRIZtanzqTGWkJJZo9Txun_K-kTFdredncQiWI&response-content-disposition=attachment%3B%20filename%3Dgradle-9.2.0-bin.zip&response-content-type=application%2Foctet-stream
2026/02/03 00:32:01 [008] 200 https://release-assets.githubusercontent.com:443/github-production-release-asset/696192900/59c24fc6-8617-4334-917a-58d539c557d3?sp=r&sv=2018-11-09&sr=b&spr=https&se=2026-02-03T06%3A21%3A29Z&rscd=attachment%3B+filename%3Dgradle-9.2.0-bin.zip&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2026-02-03T05%3A21%3A07Z&ske=2026-02-03T06%3A21%3A29Z&sks=b&skv=2018-11-09&sig=NoB3w7bS5k%2BkYBIBADS%2Bz%2FHq6kXbJ58%2B5pYCrkeLMhs%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc3MDEwMDIxMywibmJmIjoxNzcwMDk2NjEzLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.9YoIIaRIZtanzqTGWkJJZo9Txun_K-kTFdredncQiWI&response-content-disposition=attachment%3B%20filename%3Dgradle-9.2.0-bin.zip&response-content-type=application%2Foctet-stream