Route Traffic Through a Proxy

Goal

Route OCM registry traffic through a corporate HTTP/HTTPS proxy and exclude loopback or internal hosts that should connect directly.

Prerequisites

  • OCM CLI installed
  • The proxy URL and any bypass rules from your network team

Background

The OCM CLI inherits Go’s standard proxy resolution (http.ProxyFromEnvironment). No OCM config file field is needed — the proxy is controlled entirely through environment variables.

Steps

  1. Set the proxy environment variables

    export HTTPS_PROXY=http://proxy.corp:3128
    export NO_PROXY=localhost,127.0.0.1,.corp,.svc.cluster.local
    ocm get cv ghcr.io/open-component-model//ocm.software/demos/podinfo:6.8.0

    Variable                    Purpose
    --------                    -------
    HTTPS_PROXY / https_proxy   Proxy URL for https:// requests (almost all OCI traffic)
    HTTP_PROXY / http_proxy     Proxy URL for plain-http:// requests
    NO_PROXY / no_proxy         Comma-separated list of hosts or CIDRs that bypass the proxy

    Both upper- and lowercase variable names are honoured; uppercase wins when both are set. Authenticated proxies use the standard URL form http://user:pass@proxy.corp:3128.

  2. Configure NO_PROXY correctly

    NO_PROXY matches by suffix: .corp matches registry.corp and internal.corp, while a bare hostname matches only that exact host.

    Always include loopback addresses explicitly — Go’s proxy resolver does not auto-exclude them:

    export NO_PROXY=localhost,127.0.0.1,::1${NO_PROXY:+,$NO_PROXY}

    Add corporate suffixes (.corp, .svc.cluster.local) when you want them to connect directly.

    Blob downloads for ghcr.io content are served from a separate CDN host (pkg-containers.githubusercontent.com). Allow both through your proxy ACLs, or include neither in NO_PROXY — otherwise component fetches succeed on the manifest step but fail on the blob step.

Troubleshooting

proxyconnect tcp: … connection refused (or i/o timeout)

HTTPS_PROXY is set but the proxy address is unreachable. Verify the proxy URL with a direct probe:

curl -sx "$HTTPS_PROXY" -o /dev/null -w "HTTP %{http_code}\n" https://ghcr.io/v2/

A 200 (or 401 from the registry) means the proxy is reachable. Unset the variable for a quick direct comparison:

unset HTTPS_PROXY https_proxy

Manifest fetch succeeds via proxy but blob download fails

The blob CDN host is missing from the proxy ACLs or is incorrectly listed in NO_PROXY. Inspect the failing URL in the error message — the host that errors is the one with the wrong policy. Either allow both hosts through the proxy, or include both in NO_PROXY.
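
To see which route the resolver picks for each host before running ocm, the following added example (not OCM code) asks Go's http.ProxyFromEnvironment, the resolver named under Background, how it would route the ghcr.io manifest host and the blob CDN host under the current environment. The function names route and splitPolicy are hypothetical and exist only for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// route reports how http.ProxyFromEnvironment would send a request for rawURL:
// "proxy <host:port>", or "direct" when NO_PROXY exempts the host.
// Only the proxy host is returned, so credentials in the proxy URL are never printed.
func route(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	proxy, err := http.ProxyFromEnvironment(req)
	if err != nil {
		return "", err // malformed proxy URL in the environment
	}
	if proxy == nil {
		return "direct", nil
	}
	return "proxy " + proxy.Host, nil
}

// splitPolicy is true when the manifest and blob hosts take different routes,
// the client-side condition behind "manifest succeeds, blob fails".
func splitPolicy(manifestURL, blobURL string) (bool, error) {
	m, err := route(manifestURL)
	if err != nil {
		return false, err
	}
	b, err := route(blobURL)
	return m != b, err
}

func main() {
	manifest := "https://ghcr.io/v2/"
	blob := "https://pkg-containers.githubusercontent.com/"
	for _, u := range []string{manifest, blob} {
		r, err := route(u)
		fmt.Printf("%-48s %s (err=%v)\n", u, r, err)
	}
	split, err := splitPolicy(manifest, blob)
	if err != nil || split {
		fmt.Fprintf(os.Stderr, "split=%v err=%v: both hosts need the same route\n", split, err)
		os.Exit(1)
	}
}
```

This only shows the client-side decision made from HTTPS_PROXY and NO_PROXY; whether the proxy's own ACLs permit each host still has to be checked on the proxy.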

Traffic to a loopback registry is being sent through the proxy

NO_PROXY does not list loopback addresses. Add localhost,127.0.0.1,::1 explicitly:

export NO_PROXY=localhost,127.0.0.1,::1${NO_PROXY:+,$NO_PROXY}

Reference

HTTP Client Configuration Reference — Proxy Environment Variables