How to Fix GitHub Copilot CLI Corporate Proxy and Firewall Issues

Resolve GitHub Copilot CLI connectivity issues in corporate environments. Configure proxy settings, SSL certificates, firewall allowlists, and troubleshoot network-related authentication failures.

8 min read · Updated January 2025

Corporate networks present unique challenges for developer tools that require external API access. GitHub Copilot CLI needs to communicate with GitHub's servers and AI endpoints, which can be blocked or disrupted by proxy servers, SSL inspection, and firewall policies. This guide covers how to diagnose and resolve these connectivity issues.

Understanding Corporate Network Challenges

Corporate networks typically implement several layers of security that can interfere with Copilot CLI:

| Security Layer | How It Affects Copilot CLI |
| --- | --- |
| HTTP/HTTPS Proxy | Requires proxy configuration to route external traffic |
| SSL/TLS Inspection | Intercepts HTTPS traffic, causing certificate errors |
| Firewall Rules | Blocks connections to GitHub and API endpoints |
| DNS Filtering | May block resolution of required domains |
| Authentication | Proxies may require credentials before allowing traffic |

Before troubleshooting, identify which layers your organization uses by checking with your IT department or testing basic connectivity.

Configuring Proxy Environment Variables

Copilot CLI respects standard proxy environment variables. Set these to route traffic through your corporate proxy.

Basic Proxy Configuration

# macOS/Linux - Add to ~/.bashrc, ~/.zshrc, or ~/.profile
export HTTP_PROXY="http://proxy.company.com:8080"
export HTTPS_PROXY="http://proxy.company.com:8080"
export NO_PROXY="localhost,127.0.0.1,.company.com"

# Windows PowerShell - Add to $PROFILE
$env:HTTP_PROXY = "http://proxy.company.com:8080"
$env:HTTPS_PROXY = "http://proxy.company.com:8080"
$env:NO_PROXY = "localhost,127.0.0.1,.company.com"

REM Windows Command Prompt (applies to the current session only)
set HTTP_PROXY=http://proxy.company.com:8080
set HTTPS_PROXY=http://proxy.company.com:8080
set NO_PROXY=localhost,127.0.0.1,.company.com

Finding Your Proxy Settings

If you do not know your proxy URL, check these locations:

Windows:

  1. Open Settings > Network & Internet > Proxy
  2. Check Internet Options > Connections > LAN Settings
  3. Run netsh winhttp show proxy in Command Prompt

macOS:

  1. Open System Preferences > Network > Advanced > Proxies
  2. Check environment variables: env | grep -i proxy

Linux:

  1. Check /etc/environment or /etc/profile.d/
  2. Inspect browser proxy settings
  3. Run env | grep -i proxy

Authenticated Proxy Configuration

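Many corporate proxies require username and password authentication. Include credentials in the proxy URL. A URL set this way keeps the password in plain text in your shell profile and in the environment of every process started from that shell, so restrict who can read the profile file and mask the password before sharing debug output.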

Basic Authentication

# Format: protocol://username:password@proxy:port
export HTTPS_PROXY="http://jsmith:MyP%40ssword@proxy.company.com:8080"

# URL-encode special characters in passwords:
# @ becomes %40
# : becomes %3A
# ! becomes %21
# # becomes %23
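
Percent-encoding a password by hand is error-prone, and `env | grep -i proxy` prints it back in clear text. The following added example (not from the original guide; the helper names are hypothetical and ASCII credentials are assumed) builds the proxy URL with every reserved character encoded and masks the password before the value goes into debug output or a ticket:

```shell
#!/bin/sh
# Added example; urlencode, build_proxy_url, redact_proxy_url and
# show_proxy_env are hypothetical helper names. Assumes ASCII credentials.

# Percent-encode every character outside the RFC 3986 unreserved set.
# Runs in a subshell so LC_ALL=C does not leak into the caller.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}        # string without its first character
        c=${s%"$rest"}     # the first character
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# build_proxy_url USER PASSWORD HOST PORT
build_proxy_url() {
    printf 'http://%s:%s@%s:%s\n' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Mask the password in scheme://user:password@host; other URLs pass through.
redact_proxy_url() {
    printf '%s\n' "$1" |
        sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://[^:/@]*):[^@/]*@#\1:***@#'
}

# Safe replacement for `env | grep -i proxy` when sharing output.
show_proxy_env() {
    for v in HTTP_PROXY HTTPS_PROXY http_proxy https_proxy; do
        eval "val=\${$v:-}"
        [ -z "$val" ] || printf '%s=%s\n' "$v" "$(redact_proxy_url "$val")"
    done
}

# Constructed credentials, not real ones.
url=$(build_proxy_url jsmith 'MyP@ss:w0rd!#' proxy.company.com 8080)
redact_proxy_url "$url"    # http://jsmith:***@proxy.company.com:8080
```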

NTLM/Kerberos Authentication

For Windows-integrated authentication, use a local proxy tool that handles NTLM:

# Install Cntlm (Windows/Linux/macOS)
# Configure Cntlm with your domain credentials
# Point Copilot CLI to Cntlm

export HTTPS_PROXY="http://localhost:3128"

Cntlm configuration example (/etc/cntlm.conf or cntlm.ini):

Username    jsmith
Domain      COMPANY
Proxy       proxy.company.com:8080
NoProxy     localhost, 127.0.0.*, 10.*, .company.com
Listen      3128

SSL/TLS Certificate Configuration

Corporate proxies performing SSL inspection present their own certificates, causing trust errors. You need to add your corporate CA certificate to the trusted store.

Identifying SSL Inspection

Test if your proxy intercepts HTTPS:

# Check certificate issuer - if it shows your company name instead of
# DigiCert or another public CA, SSL inspection is active.
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input.
openssl s_client -connect api.github.com:443 -proxy proxy.company.com:8080 </dev/null 2>/dev/null | openssl x509 -noout -issuer

Adding Corporate CA Certificate

Option 1: Node.js Environment Variable

# Point to your corporate CA bundle
export NODE_EXTRA_CA_CERTS="/path/to/corporate-ca-bundle.pem"

# Windows
$env:NODE_EXTRA_CA_CERTS = "C:\certs\corporate-ca-bundle.pem"

Option 2: System Certificate Store

# macOS - Add to Keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/corporate-ca.crt

# Ubuntu/Debian
sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# CentOS/RHEL
sudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

# Windows - Import via MMC or PowerShell
Import-Certificate -FilePath "C:\certs\corporate-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root

Getting Your Corporate CA Certificate

Contact your IT department and ask for:

  • The corporate root CA certificate in PEM or CRT format
  • Any intermediate certificates that may be required
  • The complete certificate chain as a single bundle file

Firewall Allowlist Requirements

Request that your IT team allowlist these domains for Copilot CLI to function:

Required Domains

| Domain | Purpose | Port |
| --- | --- | --- |
| github.com | Authentication and API | 443 |
| api.github.com | REST API endpoints | 443 |
| copilot.github.com | Copilot service | 443 |
| *.githubusercontent.com | Content delivery | 443 |
| github.githubassets.com | Static assets | 443 |
| *.github.com | Subdomains | 443 |

OAuth and Authentication Domains

| Domain | Purpose |
| --- | --- |
| github.com/login/oauth | OAuth authentication flow |
| github.com/login/device | Device code authentication |
| api.github.com/user | User verification |

WebSocket Connections

Copilot CLI may use WebSocket connections. Ensure your proxy allows:

  • WebSocket protocol (ws://, wss://)
  • Long-lived connections (disable connection timeouts if possible)
  • Keep-alive headers

Git Proxy Configuration

Git operations also need proxy configuration. This is often required for Copilot CLI authentication.

# Configure Git to use proxy. http.proxy applies to both http:// and https://
# remotes; Git has no separate https.proxy setting.
git config --global http.proxy http://proxy.company.com:8080

# For authenticated proxy
git config --global http.proxy http://user:password@proxy.company.com:8080

# Disable SSL verification if certificate issues persist (not recommended for production).
# With --global this turns off certificate validation for every HTTPS remote Git contacts.
git config --global http.sslVerify false

# Better: Point Git to corporate CA bundle
git config --global http.sslCAInfo /path/to/corporate-ca-bundle.pem
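
`http.sslVerify false` tends to outlive the troubleshooting session that introduced it. The following added example (not part of the original guide; `audit_tls_overrides` is a hypothetical helper, and the `GIT_SSL_NO_VERIFY` and `NODE_TLS_REJECT_UNAUTHORIZED` checks go beyond the settings this guide names) flags Git and Node.js settings that leave certificate validation switched off:

```shell
#!/bin/sh
# Added example; audit_tls_overrides is a hypothetical helper name.
# Reads `git config --list` style lines (key=value) on stdin, then checks the
# environment. Prints one line per finding; returns 1 if anything was found.
audit_tls_overrides() {
    found=0
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr 'A-Z' 'a-z')
        val=$(printf '%s' "${line#*=}" | tr 'A-Z' 'a-z')
        case $key in
            http.sslverify|http.*.sslverify)   # global or per-URL setting
                case $val in
                    false|no|off|0)
                        echo "FAIL git config $line"; found=1 ;;
                esac ;;
        esac
    done
    # Git: exporting this variable with any value disables verification.
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        echo "FAIL env GIT_SSL_NO_VERIFY is set"; found=1
    fi
    # Node.js: 0 disables certificate validation for the whole process.
    if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-}" = 0 ]; then
        echo "FAIL env NODE_TLS_REJECT_UNAUTHORIZED=0"; found=1
    fi
    # Node.js warns about an unreadable bundle and carries on without it.
    if [ -n "${NODE_EXTRA_CA_CERTS:-}" ] && [ ! -r "$NODE_EXTRA_CA_CERTS" ]; then
        echo "WARN env NODE_EXTRA_CA_CERTS unreadable: $NODE_EXTRA_CA_CERTS"
        found=1
    fi
    return "$found"
}

# Constructed sample input. On a workstation run:
#   git config --list | audit_tls_overrides
audit_tls_overrides <<'EOF' || echo "overrides present"
http.proxy=http://proxy.company.com:8080
http.sslverify=false
http.sslcainfo=/path/to/corporate-ca-bundle.pem
EOF
```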

Troubleshooting Connectivity Issues

Test Basic Connectivity

# Test HTTPS access to GitHub
curl -v https://api.github.com

# Test through proxy explicitly
curl -v --proxy http://proxy.company.com:8080 https://api.github.com

# Check DNS resolution
nslookup api.github.com
nslookup copilot.github.com

Debug Copilot CLI Connection

# Enable verbose output
export GH_DEBUG=1
copilot auth

# Check current auth status
gh auth status

# Test API access
gh api user

Common Error Messages and Solutions

| Error | Likely Cause | Solution |
| --- | --- | --- |
| ECONNREFUSED | Proxy not configured or blocking | Set proxy environment variables |
| UNABLE_TO_VERIFY_LEAF_SIGNATURE | SSL inspection active | Add corporate CA certificate |
| SELF_SIGNED_CERT_IN_CHAIN | Missing intermediate certificate | Get complete CA chain from IT |
| ETIMEDOUT | Firewall blocking connection | Request domain allowlisting |
| ENOTFOUND | DNS resolution failing | Check DNS settings, try direct IP |
| 407 Proxy Authentication Required | Proxy needs credentials | Configure authenticated proxy |

Working with IT Teams

When requesting network access for Copilot CLI, provide your IT team with:

  1. List of required domains (see tables above)
  2. Ports required (443 for HTTPS)
  3. Business justification explaining how Copilot improves developer productivity
  4. Security documentation from GitHub about Copilot's data handling

Sample request template:

Subject: Network Access Request for GitHub Copilot CLI

We need network access enabled for GitHub Copilot CLI, a developer
productivity tool. Please allowlist the following domains on port 443:

- github.com
- api.github.com
- copilot.github.com
- *.githubusercontent.com

Additionally, please provide:
- Corporate CA certificate bundle for SSL inspection compatibility
- Proxy server URL and authentication requirements

GitHub's security documentation: https://docs.github.com/en/copilot/security

Alternative Approaches

If proxy configuration proves too complex, consider these alternatives:

VPN Split Tunneling

Request that your IT team configure split tunneling to route GitHub traffic outside the VPN:

  • Developer tool traffic bypasses corporate proxy
  • Internal resources still go through VPN
  • Requires IT approval and configuration

GitHub Enterprise with GHES

Organizations using GitHub Enterprise Server on-premises may need different configuration:

  • Copilot may connect to your internal GHES instance
  • Check with your GitHub Enterprise admin for specific requirements

Mobile Hotspot as Workaround

For urgent situations, temporarily use a mobile hotspot to bypass corporate network restrictions. This is not a long-term solution but can help diagnose whether the issue is network-related.

Frequently Asked Questions

Copilot CLI needs to reach GitHub and OpenAI APIs. Corporate proxies often block or inspect this traffic. You need to configure proxy environment variables and, if your proxy does SSL inspection, add your corporate CA certificate to the trusted store.
