Git proxy setup involves configuring Git's http.proxy and https.proxy settings, or leveraging environment variables like HTTP_PROXY and HTTPS_PROXY, or using ProxyCommand within SSH configurations for SSH-based Git operations, to route traffic through an intermediary server.
Understanding Git Proxy Requirements
Corporate firewalls, network security policies, or restricted internet access often necessitate routing Git traffic through a proxy server. This applies to operations such as git clone, git fetch, git pull, and git push. The configuration method depends on the Git URL protocol: https:// (or http://) uses HTTP/HTTPS proxies, while ssh:// (or git@) uses SSH-specific proxy methods.
HTTP/HTTPS Git Proxy Configuration
For Git repositories accessed via https:// or http:// URLs, Git utilizes HTTP/HTTPS proxy settings.
Git Configuration Method (git config)
This is the recommended method for configuring HTTP/HTTPS proxies for Git. Settings can be global (for all repositories) or specific to a single repository.
Global Configuration
To configure a proxy globally for all Git repositories on a system:
# For HTTP proxy (e.g., for https://github.com URLs through an http proxy)
git config --global http.proxy http://proxy.example.com:8080
# For HTTPS proxy (e.g., for https://github.com URLs through an https proxy)
# Note: Often an HTTPS proxy is configured similarly to an HTTP proxy,
# but traffic is explicitly tunneled.
git config --global https.proxy http://proxy.example.com:8080
If the proxy requires authentication:
git config --global http.proxy http://username:password@proxy.example.com:8080
git config --global https.proxy http://username:password@proxy.example.com:8080
For security, instead of embedding the password directly in the URL, Git can prompt for credentials or retrieve them from a credential helper. Omitting the password will cause Git to prompt for it.
Per-Repository Configuration
To configure a proxy for a specific repository, navigate to the repository's root directory and omit the --global flag:
cd /path/to/my/repo
git config http.proxy http://proxy.example.com:8080
git config https.proxy http://proxy.example.com:8080
These settings will be stored in the .git/config file of that repository.
Disabling Proxy for Specific Hosts
To bypass the proxy for certain domains (e.g., internal Git servers), use http.noProxy:
git config --global http.noProxy "localhost,127.0.0.1,*.internal.com"
Multiple hosts can be comma-separated.
SSL Certificate Verification
In corporate environments using transparent or intercepting proxies (MITM proxies), Git's SSL certificate verification may fail due to the proxy presenting its own certificate instead of the origin server's.
To address this, configure Git to trust the corporate root CA certificate:
git config --global http.sslCAInfo /path/to/corporate/ca-cert.pem
Alternatively, and not recommended for production environments due to security risks, SSL verification can be disabled:
git config --global http.sslVerify false
This bypasses certificate validation, making connections vulnerable to actual man-in-the-middle attacks. Use this only for temporary debugging or in controlled, isolated environments.
Environment Variables
Command-line tools, including curl (which Git often uses for HTTP/HTTPS transfers), typically respect HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. These variables provide a system-wide or session-wide proxy setting that applications can inherit.
# For HTTP proxy
export HTTP_PROXY="http://proxy.example.com:8080"
export HTTPS_PROXY="http://proxy.example.com:8080" # Often the same for HTTPS traffic tunneling
# For SOCKS proxy
export ALL_PROXY="socks5://proxy.example.com:1080"
# Exclude specific hosts from proxy
export NO_PROXY="localhost,127.0.0.1,*.internal.com"
Note that Git's http.proxy and https.proxy configurations take precedence over these environment variables for Git's own HTTP/HTTPS operations. Environment variables are useful when git config is not explicitly set, or for other tools interacting with Git.
Comparison: git config vs. Environment Variables
| Feature | git config http.proxy / https.proxy |
HTTP_PROXY / HTTPS_PROXY Environment Variables |
|---|---|---|
| Scope | Git-specific (global or per-repository) | System-wide or session-wide for applications respecting them |
| Precedence | Higher for Git operations; overrides environment variables. | Lower for Git; acts as a fallback or for other tools. |
| Persistence | Persistent across sessions (stored in .gitconfig or .git/config). |
Non-persistent by default; requires adding to shell profile (.bashrc, .zshrc) for persistence. |
| Authentication | Supports username:password@ in URL, or prompts for credentials. |
Supports username:password@ in URL. |
| Flexibility | Granular control per Git repository. | Broader impact on all applications respecting the variables. |
SSH Git Proxy Configuration
For Git repositories accessed via ssh:// or git@ URLs, the proxy setup is managed through the SSH client configuration, specifically using the ProxyCommand directive in ~/.ssh/config. Standard HTTP/HTTPS proxy settings (e.g., http.proxy) do not affect SSH connections.
Using ~/.ssh/config with ProxyCommand
The ProxyCommand tells SSH to establish a connection to the target host (%h) and port (%p) by first routing it through an external command, typically a proxy client.
Prerequisites
netcat(nc): For basic TCP tunneling and SOCKS proxies.corkscreworconnect-proxy: For tunneling SSH through HTTP/HTTPS proxies that require authentication.
HTTP/HTTPS Proxy Tunneling
If your proxy is an HTTP/HTTPS proxy, you can use corkscrew or connect-proxy.
-
Install
corkscreworconnect-proxy(if not already present).- On Debian/Ubuntu:
sudo apt-get install corkscrew - On macOS (with Homebrew):
brew install corkscrew connect-proxyis often part ofopensshor available separately.
- On Debian/Ubuntu:
-
Edit
~/.ssh/config:
Create or modify~/.ssh/configwith the following:```ssh
Host github.com
ProxyCommand corkscrew proxy.example.com 8080 %h %p
# If proxy requires authentication:
# ProxyCommand corkscrew proxy.example.com 8080 %h %p /path/to/proxy_auth_fileHost gitlab.com
ProxyCommand corkscrew proxy.example.com 8080 %h %pOr for all hosts
Host *
ProxyCommand corkscrew proxy.example.com 8080 %h %p
`` Replaceproxy.example.comand8080with your proxy's address and port. The/path/to/proxy_auth_fileshould containusername:passwordon a single line. Ensure this file has restrictive permissions (e.g.,chmod 600`).
SOCKS Proxy Tunneling
If your proxy is a SOCKS proxy, use netcat (nc) with the -X option:
-
Ensure
netcatis installed. It's usually pre-installed on most Unix-like systems. -
Edit
~/.ssh/config:```ssh
Host github.com
ProxyCommand nc -X 5 -x proxy.example.com:1080 %h %pHost gitlab.com
ProxyCommand nc -X 5 -x proxy.example.com:1080 %h %pOr for all hosts
Host *
ProxyCommand nc -X 5 -x proxy.example.com:1080 %h %p
`` Replaceproxy.example.comand1080with your SOCKS proxy's address and port. *-X 5: Specifies SOCKS version 5. Use-X 4for SOCKS version 4. *-x`: Specifies the proxy address and port.
Authentication for SOCKS Proxy
Some netcat versions (nc from OpenBSD, often default on Linux) support SOCKS proxy authentication. For example:
Host *
ProxyCommand nc -X 5 -x user:password@proxy.example.com:1080 %h %p
Consult your netcat version's man page for specific authentication syntax and capabilities.
Verifying Proxy Setup
After configuring the proxy, verify that Git operations are routing correctly.
For HTTP/HTTPS Git Operations
Check your Git configuration:
git config --global --get http.proxy
git config --global --get https.proxy
git config --global --get http.noProxy
Perform a git clone or git fetch operation on an HTTPS repository:
git clone https://github.com/git/git.git
If the proxy is working, the connection should succeed. Network monitoring tools can confirm traffic routing.
For SSH Git Operations
Test your SSH connection verbosely:
ssh -vT git@github.com
Look for output indicating ProxyCommand execution. For example:
debug1: Executing proxy command: exec corkscrew proxy.example.com 8080 github.com 22
Then, attempt a Git operation:
git clone git@github.com:git/git.git
Troubleshooting Common Issues
- Incorrect Proxy Address or Port: Double-check the proxy server's IP address or hostname and the designated port.
- Authentication Failure: Verify proxy username and password. For
git config, ensure credentials are correct or that a credential helper is configured. ForProxyCommand, ensure the authentication file or embedded credentials are correct. - SSL Certificate Issues (
https://): If you encounterSSL certificate problem: self signed certificate in certificate chainerrors, your corporate proxy might be performing SSL inspection. Configurehttp.sslCAInfowith your corporate root CA certificate, or, as a last resort, temporarily sethttp.sslVerify falsefor debugging (not recommended for production). - Firewall Blocks: Ensure that your local firewall (if any) and the corporate firewall allow outgoing connections to the proxy server on its specified port. The proxy server itself must also allow connections to Git hosting services.
ProxyCommandHelper Not Found (ssh://): IfProxyCommandfails with "command not found," ensurenetcat,corkscrew, orconnect-proxyis installed and its executable path is in your system'sPATHenvironment variable. Specify the full path to the executable if necessary (e.g.,ProxyCommand /usr/bin/corkscrew ...).- Proxy Bypassed: If
git confighttp.noProxyis too broad, or if environment variables are set incorrectly, Git might attempt a direct connection. VerifynoProxysettings. - Proxy Timeout: Long-running operations might time out if the proxy has aggressive timeout settings. This is usually a server-side configuration issue.