Note
This is an AI-generated research report. All text and code in this report was created by an LLM (Large Language Model). For more information on how these reports are created, see the main research repository.
This investigation explores methods to proxy GitHub CLI (gh) traffic through a different API host or proxy server.
The GitHub CLI supports multiple methods for proxying traffic:
This is the easiest method and works out of the box!
The GitHub CLI is built with Go and uses http.DefaultTransport, which automatically respects standard proxy environment variables.
# Set proxy for HTTPS requests (most GitHub API calls)
export HTTPS_PROXY=http://proxy.example.com:8080
# Set proxy for HTTP requests (if needed)
export HTTP_PROXY=http://proxy.example.com:8080
# Exclude certain hosts from proxying
export NO_PROXY=localhost,127.0.0.1,.internal.company.com
# Now use gh normally - all traffic goes through the proxy
gh repo view cli/cli
gh pr list- Located in:
go-gh/pkg/api/http_client.go:59 - Uses Go's
http.DefaultTransportas the base transport - Go's standard library automatically reads
HTTP_PROXY,HTTPS_PROXY, andNO_PROXYenvironment variables - No configuration changes to
ghneeded - Works with any standard HTTP proxy server (Squid, mitmproxy, corporate proxies, etc.)
For more advanced use cases, custom proxies, or debugging.
GitHub CLI can route all HTTP traffic through a Unix domain socket, which can be connected to a custom proxy server.
# Start a proxy server listening on a Unix socket
go run unix-socket-proxy.go /tmp/gh-proxy.sock
# Configure gh to use the Unix socket
gh config set http_unix_socket /tmp/gh-proxy.sock
# Now all gh traffic goes through the Unix socket
gh repo view cli/cli
# To reset
gh config set http_unix_socket ""- Configuration key:
http_unix_socket(in~/.config/gh/config.yml) - Located in:
go-gh/pkg/api/http_client.go:61-63 - Creates a custom transport that dials the Unix socket for ALL connections
- Bypasses standard HTTP proxy environment variables
- Useful for:
- Local debugging and traffic inspection
- Custom proxy logic
- Sandboxing/isolation
- Integration with tools like
socat,nginx
Note: This is NOT a proxy method!
This changes which GitHub instance you're connecting to, but doesn't intercept traffic.
# Connect to GitHub Enterprise Server instead of github.com
export GH_HOST=github.enterprise.company.com
gh repo view myorg/myrepo- Located in:
pkg/cmd/root/help_topic.go:52 - Changes the target hostname for API requests
- Useful for GitHub Enterprise Server deployments
- Does not intercept or proxy traffic - just redirects to a different host
This investigation includes two example proxy servers written in Go:
A standard HTTP/HTTPS proxy server that logs all requests.
# Build and run
go run simple-http-proxy.go 8888
# In another terminal
export HTTPS_PROXY=http://localhost:8888
gh repo view cli/cliFeatures:
- Handles both HTTP and HTTPS (CONNECT tunneling)
- Logs all requests for debugging
- Works with the
HTTPS_PROXYenvironment variable
A Unix domain socket proxy server that logs all requests.
# Build and run
go run unix-socket-proxy.go /tmp/gh-proxy.sock
# In another terminal
gh config set http_unix_socket /tmp/gh-proxy.sock
gh repo view cli/cliFeatures:
- Listens on a Unix domain socket
- Handles both HTTP and HTTPS
- Logs all requests for debugging
- Works with
gh config set http_unix_socket
| Method | Ease of Use | Flexibility | Configuration Required |
|---|---|---|---|
| HTTP/HTTPS Proxy | ⭐⭐⭐⭐⭐ Easiest | ⭐⭐⭐ Good | Environment variable only |
| Unix Socket | ⭐⭐⭐ Moderate | ⭐⭐⭐⭐⭐ Highest | gh config + proxy server |
| GH_HOST | ⭐⭐⭐⭐⭐ Easiest | ⭐ Limited | Environment variable only |
Use HTTP/HTTPS Proxy method:
export HTTPS_PROXY=http://corporate-proxy.company.com:3128
gh auth loginUse Unix Socket or HTTP/HTTPS Proxy with a logging proxy:
# Option 1: Unix socket
go run unix-socket-proxy.go /tmp/gh-proxy.sock &
gh config set http_unix_socket /tmp/gh-proxy.sock
# Option 2: HTTP proxy
go run simple-http-proxy.go 8888 &
export HTTPS_PROXY=http://localhost:8888Use Unix Socket with custom logic:
# Build a custom proxy with rate limiting logic
# Listen on Unix socket
# Configure gh to use it
gh config set http_unix_socket /tmp/rate-limited-proxy.sockUse GH_HOST:
export GH_HOST=github.mycompany.com
gh auth login --hostname github.mycompany.com- GitHub CLI: https://github.com/cli/cli
- go-gh library: https://github.com/cli/go-gh
- HTTP client implementation:
go-gh/pkg/api/http_client.go - Config implementation:
cli/internal/config/config.go - Environment variables documentation:
cli/pkg/cmd/root/help_topic.go
api/http_client.go(in cli/cli) callsghAPI.NewHTTPClient()pkg/api/http_client.go(in go-gh) creates the client- Base transport is
http.DefaultTransport(line 59) - If
UnixDomainSocketis set, creates custom Unix socket transport (line 61-63) - Wraps transport with:
- Sanitizer (ASCII sanitization)
- Cache (if enabled)
- Logger (if GH_DEBUG is set)
- Header injector (auth tokens, user-agent, etc.)
Go's http.DefaultTransport uses http.ProxyFromEnvironment which checks:
HTTP_PROXY/http_proxy- proxy for HTTP URLsHTTPS_PROXY/https_proxy- proxy for HTTPS URLsNO_PROXY/no_proxy- comma-separated list of hosts to bypassCGI_PROXY- used in CGI environments
Uppercase variables take precedence over lowercase.
- For most use cases: Use the standard
HTTPS_PROXYenvironment variable - For custom logic: Build a Unix socket proxy with your specific requirements
- For debugging: Use either method with a logging proxy server
- For GitHub Enterprise: Use
GH_HOSTto change the target, optionally with a proxy
The GitHub CLI has excellent proxy support built-in through Go's standard HTTP library. For most use cases, simply setting the HTTPS_PROXY environment variable is sufficient. For advanced scenarios, the Unix socket option provides maximum flexibility for custom proxy implementations.