Automating proxy configuration across multiple applications without plaintext password

Question

More generally than the post described here: Using bash functionality in rc files

I would like to set an appropriate proxy configuration for all/multiple applications including but not limited to: snap/apt/cpan/pip/wget/curl. Moreover, I would like to avoid having my proxy password displayed anywhere in plaintext. How/is it possible to achieve this?

This post implies that every system process will be configured for proxy via /etc/environment. I have not had such success (see EDIT), so I am currently under the assumption that all proxy configurations must be made per application. Regarding the linked post, and the use of secret-tool, it seems to me that this assumes the file defining the proxy configuration(s) can evaluate bash expressions (which hasn't been my experience with the .curlrc/.wgetrc files).

EDIT:

With the contents of etc/environment equal to:

http_proxy=http://user:[email protected]:80
https_proxy=http://user:[email protected]:80

and the contents of my .curlrc file equal to:

proxy=http://user:[email protected]:80

I can run:

curl https://unix.stackexchange.com/posts/752654/edit --output test.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 70115    0 70115    0     0    99k      0 --:--:-- --:--:-- --:--:--   99k

which generates test.html as expected.

Without changing the contents of /etc/environment and removing the .curlrc file, the download hangs indefinitely:

curl https://unix.stackexchange.com/posts/752654/edit --output test.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:25 --:--:--     0

I'm using RHEL on WSL.

Answer 1

Question #1: I would like to set an appropriate proxy configuration for all/multiple applications including but not limited to: snap/apt/cpan/pip/wget/curl. Moreover,

Answer: the env var http_proxy and https_proxy usually do the job, if you set them, based on how you login certain "login" files are parsed based on your setup. a strace on bash shows:

• openat(AT_FDCWD, "/etc/bash.bashrc", O_RDONLY) = 3
• openat(AT_FDCWD, "$HOME/.bashrc", O_RDONLY) = 3

strace on bash -l shows:

• openat(AT_FDCWD, "/etc/profile", O_RDONLY) = 3
• openat(AT_FDCWD, "/etc/bash.bashrc", O_RDONLY) = 3
• openat(AT_FDCWD, "/etc/profile.d/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
• openat(AT_FDCWD, "/etc/profile.d/*.sh", O_RDONLY) = 3
• openat(AT_FDCWD, "$HOME/.bash_profile", O_RDONLY) = -1 ENOENT (No such file or directory)
• openat(AT_FDCWD, "$HOME/.bash_login", O_RDONLY) = -1 ENOENT (No such file or directory)
• openat(AT_FDCWD, "$HOME/.profile", O_RDONLY) = 3
• openat(AT_FDCWD, "$HOME/.bashrc", O_RDONLY) = 3

So those file you can use to export the variables.

Question #2: I would like to avoid having my proxy password displayed anywhere in plaintext. How/is it possible to achieve this?

Answer: you will not get around the passwords to be somewhere in plaintext. In order to not have it everywhere you may consider using a local tinyproxy setup, with a peer configuration to your real proxy, then your credentails are stored in the tinyproxy config, but your var stay clean, like http_proxy=http://localhost:port.