search

rust-lang / cargo

The Rust package manager
https://doc.rust-lang.org/cargo
Apache License 2.0
12.79k stars 2.42k forks source link

Cargo behind Windows Defender Firewall guide? #13338

Open komlevv opened 9 months ago

komlevv commented 9 months ago

Hello and thank you for developing Cargo. Wonder if you have any guidelines for setting up Windows Defender Firewall to work with Cargo?

Problem

My setup: I have Windows Defender Firewall managed by Local Group Policy with defaults set to Block outbound unless there's an Allow rule, allowed both cargo executable and a curl executable throught with unrestricted outbound connections (any port, any protocol), yet the software does not seem to connect. If I allow all outbound connections(disabling the Firewall), it does connect without issue. 

Default host: x86_64-pc-windows-msvc
stable-x86_64-pc-windows-msvc (default)
rustc 1.75.0 (82e1608df 2023-12-21)
Two cargo.exe binaries in `.cargo/bin` and `c:\Users\%username%\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin\`
cargo 1.75.0 (1d8b05cdd 2023-11-20)
release: 1.75.0
commit-hash: 1d8b05cdd1287c64467306cf3ca2c8ac60c11eb0
commit-date: 2023-11-20
host: x86_64-pc-windows-msvc
libgit2: 1.7.1 (sys:0.18.1 vendored)
libcurl: 8.4.0-DEV (sys:0.4.68+curl-8.4.0 vendored ssl:Schannel)
os: Windows 10.0.19045 (Windows 10 Pro) [64-bit]

When I try to connect with cargo install ... I get the following error

Updating crates.io index
warning: spurious network error (3 tries remaining): [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 3 ms: Couldn't connect to server)
warning: spurious network error (2 tries remaining): [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 0 ms: Couldn't connect to server)
error: failed to query replaced source registry `crates-io`

Caused by:
  download of config.json failed

Caused by:
  failed to download from `https://index.crates.io/config.json`

Caused by:
  [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 0 ms: Couldn't connect to server)

yet command-line curl works

>curl https://index.crates.io/config.json
{
  "dl": "https://crates.io/api/v1/crates",
  "api": "https://crates.io"
}

curl setup

C:\Windows\System32\curl.exe
curl --version
curl 8.4.0 (Windows) libcurl/8.4.0 Schannel WinIDN
Release-Date: 2023-10-11
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets

.cargo/config.toml

[http]
check-revoke = false

setting revoke to false in config or CARGO_HTTP_CHECK_REVOKE=false env var produces no results

So my guess there is something native to Windows cargo is using to connect besides the cargo.exe and curl.exe. Could you point me to the right direction?

Found similar issues, not solved: https://github.com/rust-lang/cargo/issues/11344 https://users.rust-lang.org/t/cargo-install-spurious-network-error/83829

Notes

Also tried on a fresh Win 10 installation, with default Windows Firewall rules all enabled, with policy for Outbound set to Block, and both cargo and curl explicitly allowed - same result. Tried git-fetch-with-cli option - same result (git clone over https works fine).

rustup-init.exe fails to connect too, even thought it's explicitly allowed throught the Firewall:

error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to 'C:\Users\zalup\.rustup\tmp\xc7ngx_ynwmtawtg_file': failed to make network request: error sending request for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256): error trying to connect: tcp connect error: An attempt was made to access a socket in a way forbidden by its access permissions. (os error 10013): error trying to connect: tcp connect error: An attempt was made to access a socket in a way forbidden by its access permissions. (os error 10013): tcp connect error: An attempt was made to access a socket in a way forbidden by its access permissions. (os error 10013): An attempt was made to access a socket in a way forbidden by its access permissions. (os error 10013)

Only workaround found so far is to use a local passthrough proxy https://github.com/rust-lang/cargo/issues/12296#issuecomment-1636517717

hp8wvvvgnj6asjm7 commented 9 months ago

they don't tell us that there is two cargo exe in the user folder. One in user/.cargo/bin and another one in rustup toolchains!

komlevv commented 9 months ago

One in user/.cargo/bin and another one in rustup toolchains

added both to the firewall exceptions, but it didn't work either.

the only thing that works for me so far is setting up a passthrough proxy on localhost (which is allowed through firewall) and setting config.toml to redirect the traffic through it

[http]
proxy = "127.0.0.1:port"
Vladimir-Kondratiev commented 6 months ago

You can use live_tcp_udp_watch to find out correct file. For win10: C:/Users/$USERNAME/.rustup/toolchains/stable-x86_64-pc-windows-msvc/bin/cargo.exe