Git's "Proxy CONNECT aborted" error means a proxy rejected the HTTP CONNECT tunnel to the remote host. Fix it by correcting proxy auth, host allow-listing, or CA trust.
The "fatal: unable to access: Proxy CONNECT aborted" error indicates that Git's underlying HTTP library (libcurl) tried to establish a tunnel through a proxy server using the HTTP CONNECT method, but the proxy terminated the connection before the tunnel could be established. When Git communicates with remote repositories over HTTPS, it uses libcurl to make HTTP requests. If a proxy is configured, libcurl first sends a CONNECT request asking the proxy to open a TCP tunnel to the destination (e.g. github.com:443). The proxy should reply with "HTTP 200 Connection established" and then relay all subsequent encrypted traffic. When the proxy instead aborts this exchange, you see this error. This is most common in corporate environments where a proxy is mandatory for internet access. The proxy typically aborts the CONNECT for one of a few reasons: it requires authentication that Git did not supply (HTTP 407), it is configured to block the destination host (HTTP 403), it cannot reach the upstream host (HTTP 502), or its policy forbids CONNECT tunnels to certain ports. Because the rejection is active, the failure is usually fast rather than a slow timeout.
First, identify exactly which proxy settings Git is using and at which level. Settings can come from Git config (system/global/local) or from environment variables, and they can conflict.
# Git-specific proxy settings at each level
git config --global --get http.proxy
git config --global --get https.proxy
git config --system --get http.proxy
git config --system --get https.proxy
git config --get http.proxy # repo-local
git config --get https.proxy # repo-local
# Environment variables (note: lower-case and upper-case both apply)
echo "$http_proxy" ; echo "$HTTP_PROXY"
echo "$https_proxy" ; echo "$HTTPS_PROXY"
echo "$no_proxy" ; echo "$NO_PROXY"Make note of everything found. If a setting exists at multiple levels, Git config takes precedence over the environment, and a repo-local value overrides global and system.
Turn on verbose tracing so you can see exactly where the CONNECT exchange fails. The HTTP status code the proxy returns tells you the real cause.
GIT_TRACE=1 GIT_CURL_VERBOSE=1 git ls-remote https://github.com/git/git.gitKey lines to look for:
- * Connected to <proxy> - reached the proxy host/port
- > CONNECT github.com:443 HTTP/1.1 - CONNECT request was sent
- < HTTP/1.1 200 Connection established - tunnel succeeded
- < HTTP/1.1 407 Proxy Authentication Required - missing/incorrect proxy credentials (go to step 4)
- < HTTP/1.1 403 Forbidden - the proxy is blocking the host (go to step 5)
- < HTTP/1.1 502/504 - the proxy cannot reach the destination
On Windows cmd:
set GIT_TRACE=1
set GIT_CURL_VERBOSE=1
git ls-remote https://github.com/git/git.gitConfirm the proxy host and port are correct and that the proxy itself can open a tunnel, independent of Git.
# Is the proxy port even open?
nc -zv proxy.company.com 8080
# Ask the proxy to tunnel to GitHub directly with curl
curl -v -x http://proxy.company.com:8080 https://github.comThen set Git's proxy with the correct syntax. Use the http:// scheme even when the destination is HTTPS — the scheme describes how Git talks to the proxy, not the final destination.
git config --global http.proxy http://proxy.company.com:8080
git config --global https.proxy http://proxy.company.com:8080If curl -x succeeds but Git still fails, the problem is in Git's config layering (step 7), not the proxy itself.
A 407 in step 2 means the proxy needs credentials. Prefer keeping credentials out of your Git config and shell history.
Preferred: store credentials in a protected `~/.netrc`. libcurl reads it automatically for proxy auth.
# ~/.netrc (on Windows: %USERPROFILE%\_netrc)
machine proxy.company.com
login your_username
password your_passwordThen lock the file down so other users cannot read your credentials, and configure the proxy without embedding them:
chmod 600 ~/.netrc
git config --global http.proxy http://proxy.company.com:8080
git config --global https.proxy http://proxy.company.com:8080Alternative (only if `.netrc` is not an option): embed credentials in the proxy URL. This writes your password in cleartext into ~/.gitconfig, so treat it as a fallback and URL-encode special characters (@=%40, :=%3A, #=%23, !=%21).
git config --global http.proxy http://john.doe:p%[email protected]:8080Windows NTLM/Kerberos proxies: Git's built-in client does not speak NTLM well. Run a local authenticating relay such as cntlm (or px) that holds your domain credentials, then point Git at the relay:
# cntlm listens on localhost:3128 and handles NTLM upstream
git config --global http.proxy http://localhost:3128If the verbose trace shows a 403 (or the tunnel is dropped) only for certain hosts, the proxy is blocking those destinations. Confirm with IT whether the host is permitted; if direct egress is available for some hosts, bypass the proxy for them.
# Bypass the proxy for specific Git hosts (empty per-host proxy)
git config --global http.https://github.com.proxy ""
git config --global http.https://gitlab.com.proxy ""
# Or use NO_PROXY for a broader set of hosts
export NO_PROXY="github.com,gitlab.com,bitbucket.org,.internal.company.com"
# Conversely, route only an internal host through the proxy
git config --global http.https://internal-git.company.com.proxy http://proxy.company.com:8080If the host is genuinely blocked by policy and not reachable directly, this is a network-policy decision for IT (step 8); there is no client-side workaround.
Some proxies perform TLS inspection (a man-in-the-middle): they terminate the TLS session, re-sign it with a corporate CA, and Git fails because it does not trust that CA. The correct fix is to trust the corporate CA, never to disable verification.
Obtain the corporate root CA certificate from IT (or export the chain shown in your browser at https://github.com), then point Git at it or add it to the system trust store:
# Point Git at the corporate CA bundle
git config --global http.sslCAInfo /path/to/corporate-ca-bundle.crt
# Or install it system-wide (Debian/Ubuntu)
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# RHEL/CentOS/Fedora
sudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trustDo NOT use git config --global http.sslVerify false or GIT_SSL_NO_VERIFY=1 to work around this. Disabling certificate verification removes all protection against impersonation and credential theft over the connection, and it does not actually fix the underlying trust problem. Adding the CA is both safer and permanent.
If settings exist at several levels (step 1), wipe them and set a single authoritative configuration. Mismatched http vs https proxy values, or a stale environment variable overriding your intended config, frequently cause the tunnel to be aborted.
# Remove Git proxy settings at every level (ignore 'not set' errors)
git config --global --unset http.proxy
git config --global --unset https.proxy
git config --system --unset http.proxy
git config --system --unset https.proxy
git config --unset http.proxy
git config --unset https.proxy
# Clear environment variables for the current shell
unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXYOn Windows PowerShell:
Remove-Item Env:HTTP_PROXY -ErrorAction SilentlyContinue
Remove-Item Env:HTTPS_PROXY -ErrorAction SilentlyContinueThen set both schemes to the same correct proxy:
git config --global http.proxy http://proxy.company.com:8080
git config --global https.proxy http://proxy.company.com:8080If HTTPS through the proxy is blocked by policy, SSH may take a different network path. Check whether outbound SSH is permitted first.
git remote -v
git remote set-url origin [email protected]:username/repository.git
ssh -T [email protected]If port 22 is blocked, GitHub also accepts SSH over port 443:
# ~/.ssh/config
Host github.com
HostName ssh.github.com
Port 443
User gitNote that many corporate networks block outbound SSH entirely; in that case correctly configured HTTPS-through-proxy (steps 4-6) is the only path.
If authentication, allow-listing, and CA trust are all correct and the proxy still aborts the tunnel, the policy or proxy itself is at fault. Collect the evidence and raise it with your network team.
# Settings in effect
git config --list | grep -i proxy
env | grep -i proxy
# Captured failure (status line shows the real cause)
GIT_CURL_VERBOSE=1 git ls-remote https://github.com/git/git.git 2>&1 | head -50Questions for IT:
1. What is the correct proxy host, port, and authentication scheme (Basic, NTLM, Kerberos)?
2. Is GitHub/GitLab/Bitbucket on the proxy allow-list?
3. Does the proxy permit the CONNECT method to port 443?
4. Is there a PAC file or VPN profile that developer machines must use?
5. Is there a designated egress path for developer/Git traffic?
### Understanding the HTTP CONNECT method
When Git accesses an HTTPS URL through a proxy, the flow is:
1. Git connects to the proxy on its configured port (e.g. 8080).
2. Git sends CONNECT github.com:443 HTTP/1.1.
3. The proxy authenticates the request (if required) and checks policy.
4. The proxy opens a TCP connection to github.com:443.
5. The proxy replies HTTP/1.1 200 Connection established.
6. The proxy then blindly relays the encrypted TLS/Git traffic in both directions.
"Proxy CONNECT aborted" means step 3, 4, or 5 failed — the proxy rejected, blocked, or could not complete the tunnel. Because TLS is established end-to-end *after* step 5, a normal (non-inspecting) proxy never sees the certificate; certificate problems only arise when the proxy performs TLS inspection.
### Proxy authentication schemes
- Basic: works directly via .netrc or credentials in the proxy URL (step 4).
- NTLM: Git's bundled curl handles NTLM poorly. Run a local relay such as cntlm (configure /etc/cntlm.conf with your domain credentials; it listens on localhost:3128) and point Git at http://localhost:3128.
- Kerberos/Negotiate: obtain a ticket with kinit [email protected]. This requires a curl built with GSSAPI/SPNEGO support; verify with curl --version (look for GSS-API/SPNEGO).
### SOCKS proxies
If your bundled libcurl was built with SOCKS support you can use:
git config --global http.proxy socks5://proxy:1080
git config --global http.proxy socks5h://proxy:1080 # proxy does DNS resolutionSome Git for Windows builds omit SOCKS support; confirm with curl --version | grep -i socks before relying on it.
### PAC (Proxy Auto-Configuration) files
Git does not evaluate PAC files. Either read the PAC manually to find the proxy that applies to your Git host, or run a local proxy that understands PAC (for example px, installed via pip install px-proxy) and point Git at that local listener:
px --pac=http://proxy.company.com/proxy.pac # listens locally, e.g. :3128
git config --global http.proxy http://localhost:3128### Environment variable precedence
Git resolves the proxy in this order, highest first:
1. git config http.proxy (and per-URL http.<url>.proxy)
2. https_proxy / HTTPS_PROXY for HTTPS URLs
3. http_proxy / HTTP_PROXY as a fallback
4. all_proxy / ALL_PROXY catch-all
NO_PROXY / no_proxy excludes hosts:
export NO_PROXY="localhost,127.0.0.1,.internal.company.com"### Windows credential cache
A proxy 407 that persists despite correct credentials can be caused by a stale entry cached by Git Credential Manager or the Windows Credential Manager. Remove the cached proxy credential:
printf 'protocol=http\nhost=proxy.company.com\n\n' | git credential-manager eraseYou can also clear it under Control Panel > Credential Manager > Windows Credentials. To inspect the OS-level WinHTTP proxy: netsh winhttp show proxy.
### CI/CD pipelines behind a proxy
Configure the proxy via environment variables so the checkout step can tunnel out. Do NOT disable TLS verification in pipelines — if the proxy inspects TLS, mount the corporate CA and trust it instead, exactly as on a workstation.
# GitHub Actions
env:
HTTP_PROXY: http://proxy.company.com:8080
HTTPS_PROXY: http://proxy.company.com:8080
NO_PROXY: localhost,127.0.0.1# GitLab CI
variables:
HTTP_PROXY: "http://proxy.company.com:8080"
HTTPS_PROXY: "http://proxy.company.com:8080"
NO_PROXY: "localhost,127.0.0.1"
before_script:
# If the proxy does TLS inspection, trust the corporate CA (do NOT set GIT_SSL_NO_VERIFY)
- git config --global http.sslCAInfo "$CI_PROJECT_DIR/certs/corporate-ca.crt"If a runner only fails because of a corporate CA, ship that CA into the image/runner and trust it (update-ca-certificates or http.sslCAInfo). Setting GIT_SSL_NO_VERIFY=1 disables certificate validation for every clone in the pipeline and exposes the build to man-in-the-middle attacks; it is not an acceptable standing pipeline setting.
ssh: Could not resolve hostname github.com: Name or service not known
How to fix 'ssh: Could not resolve hostname github.com: Name or service not known' in Git
error: insufficient permission for adding an object to repository database .git/objects
How to fix "insufficient permission for adding an object to repository database" in Git
fatal: could not create work tree dir 'repo': Permission denied
How to fix "could not create work tree dir: Permission denied" in Git
Smudge error: Error downloading object: The requested URL returned error
How to fix Git LFS 'Smudge error: Error downloading object' error
fetch-pack: unexpected disconnect while reading sideband packet
How to fix 'unexpected disconnect while reading sideband packet' in Git