Monday, June 27, 2022

Tell Git to bypass proxy for internal addresses

Summary: How to make Git bypass proxy settings when connecting to internal repositories.

A common question from enterprise application developers, and one that generally gets unsatisfactory answers, is: how do you configure Git to use the corporate proxy settings when connecting to external repositories (such as GitHub) while bypassing the proxy when connecting to internal repositories (such as corporate GitLab instances)? A typical answer recommends configuring proxy settings on each repo. The problem with this approach is that it assumes you already have a local repo. How do you perform the initial clone without changing the global proxy settings?

One option is to specify the proxy in the git clone command. For example, to bypass the global proxy settings, run it like this:

git -c http.proxy= clone https://internalgithub.com/foo/bar.git

But there is an even better solution: you can specify proxy settings on a per-domain basis. The following instructions assume that you are using a Windows system (I suspect that Mac or Linux instructions would be slightly different, but the idea should be the same). Simply open the .gitconfig file located in the root of your user profile folder (such as c:\Windows\Users\yourusername), and add lines similar to the following:

[http]
	proxy = http://your.corp.proxy.server.com:XXX
	sslBackend = schannel
[https]
	proxy = http://your.corp.proxy.server.com:YYY
[http "https://your.company.repo.host1.com/"]
	proxy = ""
	sslVerify = false
[http "https://your.company.repo.host2.com/"]
	proxy = ""
	sslVerify = false
[credential "https://your.company.repo.host1.com/"]
	provider = generic
[credential "https://your.company.repo.host2.com/"]
	provider = generic

Once you save the .gitconfig file, you will need to log off and log on to the system for the changes to take effect.

Notice that your global proxy settings are defined under both the http and https sections, while domain-specific sections only use http (when I added the https sections for domain-specific URLs, it stopped working). Also, the global proxy definition assumes that the proxy server does not require authentication (if it does, adjust the proxy definition appropriately).
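
To check which settings Git will actually apply to a given repository URL, including where the sslVerify = false override turns off certificate validation, you can ask Git to resolve the per-URL sections itself. The script below is an added example, not part of the original post; it runs against a constructed config file that mirrors the layout above, and the host names, the port 8080 and the helper names effective and audit_url are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample config mirroring the layout above. Host names and the
# proxy port are placeholders, not real endpoints.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
[http]
	proxy = http://your.corp.proxy.server.com:8080
[http "https://your.company.repo.host1.com/"]
	proxy = ""
	sslVerify = false
EOF

# effective KEY URL: print the value of http.KEY that applies to URL, using
# Git's own URL matching (the best-matching [http "<url>"] section wins).
# Exits non-zero when the key is not set for that URL at all.
effective() {
    git config --file "$CFG" --get-urlmatch "http.$1" "$2"
}

# audit_url URL: one-line report of proxy and TLS verification for URL.
audit_url() {
    proxy=$(effective proxy "$1" || true)
    # An unset http.sslVerify means Git's default, which is to verify.
    verify=$(effective sslVerify "$1" || echo true)
    printf '%s proxy=%s sslVerify=%s\n' "$1" "${proxy:-<none>}" "$verify"
}

# External host: goes through the proxy, certificates are verified.
audit_url https://github.com/foo/bar.git
# Internal host: proxy bypassed, certificate verification is off.
audit_url https://your.company.repo.host1.com/foo/bar.git
```

To audit your real settings, replace `--file "$CFG"` with `--global`. Any URL reported with sslVerify=false is accepted without certificate validation.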