Setting up proxy authentication is where most first-timers get stuck. There are two methods, IP Whitelist and Username:Password, and each has tradeoffs that aren't obvious until you've been burned by the wrong choice. This guide covers both, with working code examples and the security practices your future self will thank you for.
The Two Auth Methods
Proxy providers authenticate connections in one of two ways: they either check the IP address of the machine making the request (IP Whitelist), or they validate a username and password embedded in the proxy URL (Username:Password). Some providers support both.
Method 1: IP Whitelist
IP whitelisting tells the proxy server: "Only accept connections from these specific IP addresses." No credentials are needed in the request: if your IP is on the allowlist, you're in.
Pros:
- No credentials in your code, so nothing to leak in a git commit
- Cleaner proxy URLs (no user:pass@ required)
- Works great for server deployments with static IPs
- One less thing to rotate when credentials expire
Cons:
- Breaks immediately when your IP changes (home ISP, dynamic corporate IP, coffee shop)
- Doesn't work for distributed scraping across multiple machines without managing a whitelist
- CI/CD pipelines often get new IPs per build, so whitelisting becomes a maintenance nightmare
- If someone else gets your whitelisted IP (ISP reassignment), they get free proxy access
How to Set Up IP Whitelisting on ZentisLabs:
- Log in to your ZentisLabs dashboard
- Navigate to Settings > IP Whitelist
- Click Add IP Address; it will auto-detect your current IP
- Add additional IPs manually (server IPs, team member IPs)
- Save. Access is granted within 30 seconds.
```python
import requests

# With IP whitelist: no credentials needed
proxies = {
    "http": "http://gate.zentislabs.com:7777",
    "https": "http://gate.zentislabs.com:7777",
}
r = requests.get("https://httpbin.org/ip", proxies=proxies)
print(r.json())  # Works because your server IP is whitelisted
```
Method 2: Username:Password
Username:Password auth embeds credentials directly in the proxy URL. The proxy server validates these on every connection.
Pros:
- Works from any IP: laptops, cloud functions, CI/CD, distributed workers
- Easy to revoke: rotate the password and all old credentials stop working
- Multiple credential sets for different projects/teams
- No IP management overhead
Cons:
- Credentials in proxy URL = easy to accidentally log or leak
- URL-encoded format confuses some HTTP libraries with special characters
- Requires credential management at scale (rotation, storage)
Where to Find Your Credentials on ZentisLabs:
- Dashboard > Proxies > Credentials
- Copy your username and password
- Optionally generate sub-credentials per project
Code Examples
Python: Both Methods
```python
import os
from urllib.parse import quote

import requests

# Method 1: IP Whitelist (clean, no creds)
proxies_whitelist = {
    "http": "http://gate.zentislabs.com:7777",
    "https": "http://gate.zentislabs.com:7777",
}

# Method 2: Username:Password (load from env, NEVER hardcode)
# Percent-encode both values so characters like "@" or ":" don't break the URL
PROXY_USER = quote(os.environ["ZentisLabs_USER"], safe="")  # e.g. "user_abc123"
PROXY_PASS = quote(os.environ["ZentisLabs_PASS"], safe="")  # e.g. "p4ssw0rd"
proxies_auth = {
    "http": f"http://{PROXY_USER}:{PROXY_PASS}@gate.zentislabs.com:7777",
    "https": f"http://{PROXY_USER}:{PROXY_PASS}@gate.zentislabs.com:7777",
}

# Test both
r1 = requests.get("https://httpbin.org/ip", proxies=proxies_whitelist)
r2 = requests.get("https://httpbin.org/ip", proxies=proxies_auth)
print("Whitelist IP:", r1.json()["origin"])
print("Auth IP:", r2.json()["origin"])
```
Node.js: Both Methods
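```javascript
const axios = require('axios');
const { HttpsProxyAgent } = require('https-proxy-agent');
const { fetch, ProxyAgent } = require('undici');

// Method 1: IP Whitelist
const whitelistAgent = new HttpsProxyAgent('http://gate.zentislabs.com:7777');

// Method 2: Username:Password (load from env, percent-encode for use in a URL)
const user = encodeURIComponent(process.env.ZentisLabs_USER);
const pass = encodeURIComponent(process.env.ZentisLabs_PASS);
const proxyUrl = `http://${user}:${pass}@gate.zentislabs.com:7777`;
const authAgent = new HttpsProxyAgent(proxyUrl);

// Use in axios
async function fetchWithAuth() {
  const { data } = await axios.get('https://httpbin.org/ip', {
    httpsAgent: authAgent,
    httpAgent: authAgent,
  });
  return data.origin;
}

// Use in fetch (Node 18+). fetch ignores the `agent` option and would connect
// directly, so pass an undici ProxyAgent as `dispatcher` instead.
async function fetchWithDispatcher() {
  const res = await fetch('https://httpbin.org/ip', {
    dispatcher: new ProxyAgent(proxyUrl),
  });
  const data = await res.json();
  console.log('IP:', data.origin);
}

fetchWithDispatcher().catch(console.error);
```
Security Best Practices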
Never hardcode credentials. A credential in source code WILL eventually end up in git history, a log file, or a stack trace. It's a matter of when, not if.
- Environment variables: Store credentials in .env files (gitignored) and load with python-dotenv or dotenv
- Secrets managers: For production, use AWS Secrets Manager, HashiCorp Vault, or Doppler
- Rotate regularly: ZentisLabs lets you regenerate credentials without downtime. Rotate every 90 days at minimum.
- Separate credentials per project: If one project's creds leak, your other projects stay safe
- Monitor usage: Set alerts in ZentisLabs dashboard for unusual bandwidth spikes
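To catch a hardcoded credential before it reaches git history, a check like the following can run as a pre-commit or CI step. It is an added example, not ZentisLabs tooling; the function name, the placeholder patterns and the sample lines are constructed for illustration. It flags proxy URLs whose password slot is a literal and ignores ones filled from a variable.

```python
import re
import sys

# scheme://user:password@host, i.e. a proxy URL that carries userinfo
CRED_URL = re.compile(
    r"""\b(?:https?|socks5h?)://(?P<user>[^\s:/@'"`]+):"""
    r"""(?P<pw>[^\s@/'"`]+)@(?P<host>[^\s/'"`)]+)""", re.I)
# Password slot filled at runtime: {PROXY_PASS}, ${pass}, $PROXY_PASS, %s
PLACEHOLDER = re.compile(r"^(\{[^{}]+\}|\$\{[^{}]+\}|\$\w+|%s)$")


def find_hardcoded_proxy_creds(source: str):
    """Return (line_no, user, host) for each proxy URL with a literal password.

    The password itself is never returned, so the report is safe to print in CI logs.
    """
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CRED_URL.finditer(line):
            if not PLACEHOLDER.match(m["pw"]):
                findings.append((n, m["user"], m["host"]))
    return findings


# Constructed sample: only the last line embeds a literal password.
SAMPLE = '''\
proxies = {"http": "http://gate.zentislabs.com:7777"}
auth = f"http://{PROXY_USER}:{PROXY_PASS}@gate.zentislabs.com:7777"
agent = new HttpsProxyAgent(`http://${user}:${pass}@gate.zentislabs.com:7777`)
legacy = "http://user_abc123:p4ssw0rd@gate.zentislabs.com:7777"
'''

if __name__ == "__main__":
    hits = 0
    if len(sys.argv) > 1:
        texts = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                texts.append((path, fh.read()))
    else:
        texts = [("<sample>", SAMPLE)]
    for name, text in texts:
        for n, user, host in find_hardcoded_proxy_creds(text):
            print(f"{name}:{n}: literal proxy password for {user}@{host}")
            hits += 1
    sys.exit(1 if hits else 0)
```

Run with file paths as arguments; a non-zero exit status blocks the commit or build.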
```bash
# .env file (add to .gitignore!)
ZentisLabs_USER=user_abc123
ZentisLabs_PASS=your_password_here

# Load in shell: set -a exports every variable the file defines
set -a; . ./.env; set +a

# Verify
echo "$ZentisLabs_USER"
```
Troubleshooting Auth Errors
| Error | Cause | Fix |
|---|---|---|
| 407 Proxy Auth Required | Wrong or missing credentials | Verify user:pass, check for typos |
| 403 Forbidden | IP not whitelisted (IP auth mode) | Add your current IP in dashboard |
| Connection Refused | Wrong port or gateway URL | Check gateway URL in dashboard |
| Timeout | Firewall blocking proxy port | Try port 8080 or 443 variants |
| Special chars in password | URL encoding issues | URL-encode: @ = %40, : = %3A |
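The last table row and the "easy to accidentally log or leak" point from the Username:Password cons, worked through in one added example (not code from ZentisLabs). The helper names and the sample password are constructed. It shows how an unencoded password makes the URL parse to the wrong host, and how to scrub the password before a URL is logged.

```python
import logging
import re
from urllib.parse import quote, unquote, urlsplit

GATEWAY = "gate.zentislabs.com:7777"  # gateway host:port used on this page


def build_proxy_url(user: str, password: str, gateway: str = GATEWAY) -> str:
    """Percent-encode both fields so '@', ':', '/' and '#' cannot break the URL."""
    return f"http://{quote(user, safe='')}:{quote(password, safe='')}@{gateway}"


def split_credentials(proxy_url: str):
    """Recover (user, password) the way a client library does: split, then decode."""
    parts = urlsplit(proxy_url)
    return unquote(parts.username or ""), unquote(parts.password or "")


def parsed_host(proxy_url: str):
    """Host a URL parser would connect to; wrong when the password is unencoded."""
    return urlsplit(proxy_url).hostname


# Password part of scheme://user:password@ in free text.
# Assumes the URL was built with build_proxy_url (no raw '@' or '/' in userinfo).
_USERINFO = re.compile(r"(?P<head>\b[a-z][a-z0-9+.-]*://[^\s:/@]+:)[^\s@/]+(?=@)", re.I)


def redact(text: str) -> str:
    return _USERINFO.sub(r"\g<head>***", text)


class RedactProxyCredentials(logging.Filter):
    """Attach to a handler so proxy passwords never reach the log output."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    raw_pw = "p@ss:w/rd#1"  # constructed sample password
    print(parsed_host(f"http://user_abc123:{raw_pw}@{GATEWAY}"))  # mis-parsed host
    url = build_proxy_url("user_abc123", raw_pw)
    print(parsed_host(url), split_credentials(url))
    handler = logging.StreamHandler()
    handler.addFilter(RedactProxyCredentials())
    log = logging.getLogger("proxy-demo")
    log.addHandler(handler)
    log.warning("retrying via %s", url)
```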
When switching between home and office (dynamic IP), use Username:Password auth. IP Whitelist is best for production servers with static IPs.
