HTTP/HTTPS Proxy
Forward all traffic through corporate proxy server for security and monitoring
Proxy and VPN Configuration
Proxy and VPN Configuration
Section titled “Proxy and VPN Configuration”Many enterprise environments require proxy configurations or VPN connections. This guide covers how to configure Claude Code to work seamlessly in restricted network environments.
Understanding Network Restrictions
Section titled “Understanding Network Restrictions”Common Enterprise Scenarios
Section titled “Common Enterprise Scenarios”SOCKS Proxy
Route traffic through SOCKS proxy for additional protocols and flexibility
VPN Required
Connect to corporate VPN before accessing internal resources or internet
Certificate Authentication
Use corporate certificates for proxy authentication and SSL inspection
Basic Proxy Configuration
Section titled “Basic Proxy Configuration”Environment Variables
Section titled “Environment Variables”-
Set HTTP/HTTPS proxy
Terminal window # Linux/macOSexport HTTP_PROXY=http://proxy.company.com:8080export HTTPS_PROXY=http://proxy.company.com:8080export http_proxy=$HTTP_PROXYexport https_proxy=$HTTPS_PROXY# Windows (Command Prompt)set HTTP_PROXY=http://proxy.company.com:8080set HTTPS_PROXY=http://proxy.company.com:8080# Windows (PowerShell)$env:HTTP_PROXY="http://proxy.company.com:8080"$env:HTTPS_PROXY="http://proxy.company.com:8080" -
Configure no-proxy exceptions
Terminal window # Internal domains that shouldn't go through proxyexport NO_PROXY=localhost,127.0.0.1,*.internal.company.com,10.0.0.0/8# Windowsset NO_PROXY=localhost,127.0.0.1,*.internal.company.com,10.0.0.0/8 -
Verify configuration
Terminal window # Test proxy connectivityclaude "Test my network configuration and verify:- Proxy settings are detected- Can reach external APIs- DNS resolution works- Certificate validation passes"
Authenticated Proxy
Section titled “Authenticated Proxy”# Include credentials in proxy URLexport HTTP_PROXY=http://username:password@proxy.company.com:8080export HTTPS_PROXY=http://username:password@proxy.company.com:8080
# More secure: use encoded credentialsexport HTTP_PROXY=http://$(echo -n username:password | base64)@proxy.company.com:8080# For Windows NTLM authentication, use CNTLM# Install cntlm proxysudo apt-get install cntlm # Linuxbrew install cntlm # macOS
# Configure /etc/cntlm.confUsername your_usernameDomain CORPORATEProxy proxy.company.com:8080NoProxy localhost, 127.0.0.*, 10.*, 192.168.*Listen 3128
# Generate password hashcntlm -H -u your_username -d CORPORATE
# Start cntlmsudo cntlm -c /etc/cntlm.conf
# Point Claude Code to local proxyexport HTTP_PROXY=http://localhost:3128export HTTPS_PROXY=http://localhost:3128# For Kerberos authentication# Ensure Kerberos is configuredkinit username@CORPORATE.REALM
# Use proxy with Kerberos supportexport HTTP_PROXY=http://proxy.company.com:8080export HTTPS_PROXY=http://proxy.company.com:8080
# May need to set additional Kerberos optionsexport KRB5_CONFIG=/etc/krb5.confSSL Certificate Management
Section titled “SSL Certificate Management”Corporate CA Certificates
Section titled “Corporate CA Certificates”-
Export corporate certificates
Terminal window # Get certificate from IT department or export from browser# Usually in .crt, .pem, or .cer format -
Install certificates system-wide
Terminal window # Copy certificate to system storesudo cp corporate-ca.crt /usr/local/share/ca-certificates/sudo update-ca-certificates# For RHEL/CentOSsudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/sudo update-ca-trustTerminal window # Add to system keychainsudo security add-trusted-cert -d -r trustRoot \-k /Library/Keychains/System.keychain corporate-ca.crt# Or use Keychain Access GUITerminal window # Run as AdministratorImport-Certificate -FilePath "corporate-ca.crt" `-CertStoreLocation Cert:\LocalMachine\Root -
Configure Node.js to use certificates
Terminal window # Point to certificate bundleexport NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.crt# Or disable SSL verification (NOT recommended for production)export NODE_TLS_REJECT_UNAUTHORIZED=0
SSL Inspection Bypass
Section titled “SSL Inspection Bypass”# Temporary SSL bypass for testingclaude --no-verify-ssl "Your command here"
# Configure git to work with corporate proxygit config --global http.proxy http://proxy.company.com:8080git config --global https.proxy http://proxy.company.com:8080git config --global http.sslVerify false # Only if necessaryVPN Configuration
Section titled “VPN Configuration”Split Tunnel VPN
Section titled “Split Tunnel VPN”Optimizing VPN Usage
# Check routing table to understand VPN impactclaude "Analyze my network routing:- Show current routes- Identify VPN interfaces- Check which traffic goes through VPN- Suggest optimizations for Claude Code"
# Configure Claude Code to use direct internet when possibleexport CLAUDE_DIRECT_CONNECTION=true # If supportedVPN Connection Scripts
Section titled “VPN Connection Scripts”-
Automated VPN connection
vpn-connect.sh #!/bin/bash# Connect to VPNecho "Connecting to corporate VPN..."/opt/cisco/anyconnect/bin/vpn -s connect vpn.company.com << EOFusernamepasswordyEOF# Wait for connectionsleep 5# Verify connectionif ip addr show | grep -q "vpn0"; thenecho "VPN connected successfully"# Set proxy for VPN networkexport HTTP_PROXY=http://internal-proxy:8080export HTTPS_PROXY=http://internal-proxy:8080# Start Claude Code sessionclaude "VPN connected, ready for work"elseecho "VPN connection failed"exit 1fi -
VPN disconnect cleanup
vpn-disconnect.sh #!/bin/bash# Disconnect VPN/opt/cisco/anyconnect/bin/vpn disconnect# Clear proxy settingsunset HTTP_PROXYunset HTTPS_PROXYecho "VPN disconnected, proxy settings cleared"
Advanced Proxy Scenarios
Section titled “Advanced Proxy Scenarios”SOCKS Proxy Configuration
Section titled “SOCKS Proxy Configuration”# For SOCKS5 proxyexport ALL_PROXY=socks5://proxy.company.com:1080export all_proxy=$ALL_PROXY
# With authenticationexport ALL_PROXY=socks5://username:password@proxy.company.com:1080
# SSH tunnel as SOCKS proxyssh -D 1080 -N jumphost.company.comexport ALL_PROXY=socks5://localhost:1080PAC File Configuration
Section titled “PAC File Configuration”Proxy Auto-Configuration
// Example PAC file logicfunction FindProxyForURL(url, host) { // Direct connection for internal sites if (isInNet(host, "10.0.0.0", "255.0.0.0") || dnsDomainIs(host, ".internal.company.com")) { return "DIRECT"; }
// Use proxy for external sites return "PROXY proxy.company.com:8080";}# Use PAC file with Claude Codeexport AUTO_PROXY=http://proxy.company.com/proxy.pac
# Parse PAC file manually if neededclaude "Parse this PAC file and extract:- Proxy rules- Direct connection domains- Create equivalent environment variables"Troubleshooting
Section titled “Troubleshooting”Common Issues and Solutions
Section titled “Common Issues and Solutions”# Increase timeout valuesexport CLAUDE_TIMEOUT=300 # 5 minutes
# Test connectivityclaude "Debug my connection issues:- Test proxy connectivity- Check DNS resolution- Verify SSL handshake- Measure latency"# Debug SSL issuesopenssl s_client -connect api.anthropic.com:443 \ -proxy proxy.company.com:8080
# Check certificate chainclaude "Analyze SSL certificate chain:- Show all certificates- Verify corporate CA is trusted- Check for expired certificates- Suggest fixes"# Debug proxy authenticationcurl -v -x http://proxy.company.com:8080 https://api.anthropic.com
# Test with different auth methodsclaude "Test proxy authentication:- Try basic auth- Test NTLM if Windows domain- Check Kerberos ticket- Verify credentials"Diagnostic Commands
Section titled “Diagnostic Commands”-
Network diagnostics
Terminal window claude "Run comprehensive network diagnostics:- Show all network interfaces- Display routing table- Check DNS servers- Test proxy connectivity- Verify certificate stores- Check environment variables" -
Proxy test script
Terminal window claude "Create a proxy test script that:- Tests HTTP/HTTPS connectivity- Verifies proxy authentication- Checks SSL certificate validation- Measures response times- Tests Claude Code API access" -
Environment validation
Terminal window claude "Validate my environment for Claude Code:- Check all proxy variables- Verify certificate configuration- Test API endpoints- Check for conflicts- Generate report"
Performance Optimization
Section titled “Performance Optimization”Caching Proxy Setup
Section titled “Caching Proxy Setup”Local Caching Proxy
# Install Squid as local caching proxysudo apt-get install squid
# Configure Squid to cache Claude Code requestsclaude "Configure Squid proxy for:- Cache API responses where appropriate- Forward to corporate proxy- Handle SSL bumping if needed- Optimize for Claude Code usage"Connection Pooling
Section titled “Connection Pooling”# Configure connection reuseexport CLAUDE_KEEP_ALIVE=trueexport CLAUDE_MAX_SOCKETS=10
# For better performance through proxyexport HTTP_KEEP_ALIVE=trueexport HTTPS_KEEP_ALIVE=trueSecurity Best Practices
Section titled “Security Best Practices”Secure Credential Management
Section titled “Secure Credential Management”# Use secret-tool for credential storageecho -n "proxy-password" | secret-tool store \ --label="Corporate Proxy" \ service proxy \ username myusername
# Retrieve in scriptPROXY_PASS=$(secret-tool lookup service proxy username myusername)export HTTP_PROXY="http://myusername:${PROXY_PASS}@proxy.company.com:8080"# Store in Keychainsecurity add-generic-password \ -a "myusername" \ -s "Corporate Proxy" \ -w "proxy-password"
# Retrieve in scriptPROXY_PASS=$(security find-generic-password \ -a "myusername" \ -s "Corporate Proxy" \ -w)# Store in Credential Managercmdkey /add:proxy.company.com /user:myusername /pass:proxy-password
# Use in scripts with stored credentialsNext Steps
Section titled “Next Steps”Master more enterprise features:
- LLM Gateway for custom endpoints
- Enterprise Integration for corporate tools
- Monitoring Costs for usage tracking
Remember: Proxy configuration can be complex in enterprise environments. Always work with your IT team to ensure compliance with security policies while maintaining productivity with Claude Code.