feat: add upstream proxy configuration for outbound requests

[Andreybest]

Resolves #759.

Adds upstream proxy support. Uses values from both configuration file in upstreamProxy fields or environment variables (HTTPS_PROXY/HTTP_PROXY, NO_PROXY)

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 ready!

Name	Link
🔨 Latest commit	d5a6b28
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a0a779854e66200082bc057
😎 Deploy Preview	https://deploy-preview-1458.git-proxy.preview.finos.org
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: Andreybest / name: Andrew (45624bf)
• ✅ login: Andreybest / name: Andrii Kotliar (548e84c, 7534cf3, 790aa6c, 9336511, b0a4b43, be51974)
• ✅ login: coopernetes / name: Thomas Cooper (45624bf)
• ✅ login: jescalada / name: Juan Escalada (9af1d69)
• ✅ login: kriswest / name: Kris West (84b5b27, b7fa2b3)

[codecov]

Codecov Report

❌ Patch coverage is 81.44330% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.10%. Comparing base (4c6e8d4) to head (d5a6b28).

Files with missing lines	Patch %	Lines
src/proxy/routes/index.ts	81.11%	17 Missing ⚠️
src/config/index.ts	85.71%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1458      +/-   ##
==========================================
- Coverage   90.25%   90.10%   -0.16%     
==========================================
  Files          69       69              
  Lines        5561     5657      +96     
  Branches      958      990      +32     
==========================================
+ Hits         5019     5097      +78     
- Misses        523      541      +18     
  Partials       19       19              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jescalada]

@Andreybest Thanks for the contribution! 🚀

I left some comments for code refactoring. It'd be very helpful if you could upload images or a video demonstrating that this feature works as intended.

@coopernetes Wondering if this implements your original requirements (#759) and works on your end 🤔

[dcoric]

Thanks for tackling #759. I've left a few comments focused on correctness and robustness, especially around NO_PROXY pattern handling which is important to get right for the target use case. The main items are the missing */leading-dot NO_PROXY support and proxy URL validation.

[Andreybest]

Thanks for the reviews @jescalada and @dcoric!
Made changes and left comments for your comments. Please recheck :)

[Andreybest]

@jescalada
Here is the video on how the proxy works:

Screen.Recording.2026-03-25.at.21.35.35_no_audio.mov

[jescalada]

LGTM after fixing Denis' comment about validating/error handling the HttpsProxyAgent creation.

@coopernetes Does everything work as you expected? 🤔

[coopernetes]

LGTM. The only rub is the lack of direct authentication support in the proxy agent. Many client and server libraries do not implement auth directly so it's fine to leave it out for now. Worth making a follow up issue to add HTTP Basic and NTLM (Windows) auth support which are the two most common methods (at least that I'm aware of).

[kriswest]

Worth making a follow up issue to add HTTP Basic and NTLM (Windows) auth support which are the two most common methods (at least that I'm aware of).

I'd suggest making that HTTP Basic, NTLM and Negotiate (the negotiate protocol is used to detect support for NTLM or Kerberos auth and then kick off which ever is supported).

[Andreybest]

@dcoric Thank you again for the review! Can you please check again? :)

[kriswest]

@Andreybest could you run teh schema doc generation - you did typescript types gen but not but not config schema docs generation. See https://github.com/finos/git-proxy/blob/main/CONTRIBUTING.md#configuration-schema

Very keen to merge this as it will unblock some testing for us on windows machines. We'll report back with testing in a bit.

[kriswest]

@Andreybest could you run teh schema doc generation - you did typescript types gen but not but not config schema docs generation. See https://github.com/finos/git-proxy/blob/main/CONTRIBUTING.md#configuration-schema

@goldensyntax can probably PR into your branch for this...

[goldensyntax]

@Andreybest could you run teh schema doc generation - you did typescript types gen but not but not config schema docs generation. See https://github.com/finos/git-proxy/blob/main/CONTRIBUTING.md#configuration-schema

@goldensyntax can probably PR into your branch for this...

Done that with:
Andreybest#1

[Andreybest]

@Andreybest could you run teh schema doc generation - you did typescript types gen but not but not config schema docs generation. See https://github.com/finos/git-proxy/blob/main/CONTRIBUTING.md#configuration-schema

Very keen to merge this as it will unblock some testing for us on windows machines. We'll report back with testing in a bit.

Merged @goldensyntax PR
Would be happy to see it in main too :)

Can we merge now?

[kriswest]

LGTM

[kriswest]

@jescalada will need to approve and merge due to previously requested change.

[re-vlad]

While the code supports upstreamProxy config, the user-facing doc does not mention this new feature. New users (especially in corporate environments) will not know how to enable it. Please add a configuration example under the "configuration" section in readme.md:

"upstreamProxy": {
  "enabled": true,
  "url": "http://proxy.corp.local:8080",
  "noProxy": [
    "localhost",
    "127.0.0.1",
    "github.com"
  ]
}```

[re-vlad]

Adds upstream proxy support. Uses values from both configuration file in upstreamProxy fields and environment variables (HTTPS_PROXY/HTTP_PROXY, NO_PROXY)

I'd say 'both configuration file in upstreamProxy fields OR environment variables' (according to the src/proxy/routes/index.ts, lines 237–238 const proxyUrl = url || getEnvProxyUrl();)

[Andreybest]

Thank you for the review @re-vlad!

1. This is already described in website/docs/architecture/architecture.md
2. Changed PR description as you suggested

[kriswest]

We should be able to complete a retest of this tomorrow, which we'd like to do before this merges.

[jescalada]

@Andreybest LGTM 👍🏼

Do you mind adding an issue for direct authentication support (HTTP Basic, NTLM and Negotiate) as mentioned earlier and referencing to this PR?