Back to Overview

HTTP Proxy Configuration

Route Tymeslot's outbound HTTP traffic through a corporate proxy or firewall.

Luka Breitig — Technical Product Builder & AI Developer
Luka Breitig

Technical Product Builder & AI Developer

Before You Begin

You will need:

  • A running Tymeslot instance deployed inside a corporate network
  • The hostname, port, and (if required) credentials for your corporate proxy
  • Access to your Tymeslot instance's environment variables

By the end of this guide, all outbound HTTP and HTTPS traffic from Tymeslot will route through your corporate proxy.

When You Need This

This guide applies only to corporate or restricted-network environments where direct internet access from servers is blocked by policy. Most self-hosted deployments on a home server, VPS, or cloud VM do not need a proxy — skip this guide if your server can reach the internet directly.

Tymeslot makes outbound connections to the following external services. If any of them are unreachable, the corresponding feature fails silently or with a connection error:

Google OAuth endpoints (login and token refresh)
Google Calendar and Google Meet APIs
Microsoft OAuth and Microsoft Graph API
GitHub OAuth (if GitHub login is enabled)
Postmark email API (outbound email delivery)
Google reCAPTCHA verification endpoint

1 Configure the Proxy

Set proxy configuration via environment variables. Both uppercase and lowercase forms are recognised — use uppercase for maximum compatibility across tools and shells: 

# HTTPS proxy — handles all external API calls (OAuth, Calendar, email)
HTTPS_PROXY=http://proxy.corp.example.com:3128

# HTTP proxy — for any plain HTTP traffic (uncommon but required by some networks)
HTTP_PROXY=http://proxy.corp.example.com:3128

# Bypass list — hosts that must NOT go through the proxy
NO_PROXY=localhost,127.0.0.1,::1

After setting these variables, restart Tymeslot. The proxy is picked up at startup — a running instance will not detect the change without a restart.

2 Authenticated Proxy

If your proxy requires credentials, embed them directly in the proxy URL using standard URL syntax: 

HTTPS_PROXY=http://username:password@proxy.corp.example.com:3128

URL-encode any special characters in the password. For example, a password containing @ must be written as %40.

Credential Exposure Risk

Proxy credentials embedded in environment variables are visible in process listings (ps aux, container inspection). Use a dedicated service account with a long random password, rotate it regularly, and prefer IP-based proxy authentication if your proxy supports it — that avoids credentials in the URL entirely.

3 Configure the Bypass List

NO_PROXY is a comma-separated list of hosts that bypass the proxy entirely. Three pattern formats are supported:

internal.example.com

Exact hostname match

Only this specific hostname bypasses the proxy. Subdomains do not match.

*.internal.example.com

Wildcard subdomain match

Any subdomain of internal.example.com bypasses the proxy. The bare domain itself is not matched.

10.0.0.0/8

CIDR IP range

Any address in this range bypasses the proxy. Useful for entire private network subnets.

A complete example combining all three pattern types:

NO_PROXY=localhost,127.0.0.1,::1,10.0.0.0/8,192.168.0.0/16,*.internal.example.com

Always Include Localhost and Loopback Addresses

Always include localhost, 127.0.0.1, and ::1 in NO_PROXY. Tymeslot makes internal health check calls that must reach the loopback interface directly. Routing these through the proxy causes health checks to fail, which can bring down load balancers and container orchestration in environments that rely on them.

TLS-Inspecting Proxies (MITM Proxies)

Some corporate proxies perform TLS inspection — they terminate the HTTPS connection, inspect the traffic, then re-establish a new TLS connection to the destination using their own CA certificate. If your proxy does this, Tymeslot will reject all HTTPS connections because the proxy's certificate is not trusted by the system.

The symptom is SSL certificate verification errors in Tymeslot logs even though the proxy URL is correct. To fix this, mount your corporate CA certificate bundle into the container and set the trust path: 

# docker-compose.yml snippet
services:
  tymeslot:
    volumes:
      - /path/to/corporate-ca.crt:/etc/ssl/certs/corporate-ca.crt:ro
    environment:
      - SSL_CERT_FILE=/etc/ssl/certs/corporate-ca.crt

Your network or security team can provide the CA certificate bundle. It is typically a .crt or .pem file.

Testing Proxy Connectivity

Before restarting Tymeslot with the new proxy settings, verify that the proxy accepts connections from inside your container. Run this command to send a request through the proxy and inspect the result: 

docker-compose exec tymeslot sh -c \
  "HTTPS_PROXY=http://proxy.corp.example.com:3128 curl -sv https://www.google.com 2>&1 | head -30"

Expected result: the output includes CONNECT www.google.com:443 followed by HTTP/1.1 200 Connection established and eventually a 301 Moved Permanently from Google. That confirms the proxy tunnel is open and HTTPS traffic flows through it correctly.

After confirming proxy connectivity, verify end-to-end with a real Tymeslot flow: restart the application with the proxy variables set, then attempt a Google OAuth login. A successful redirect to the Google login page confirms that Tymeslot can reach Google's OAuth endpoints through the proxy.

Troubleshooting

curl reports "CONNECT tunnel failed" or connection refused

The proxy is blocking the outbound connection. Contact your network team to confirm that OAuth and API domains (accounts.google.com, graph.microsoft.com, api.postmarkapp.com) are allowlisted for outbound HTTPS on port 443. Some proxies require explicit allowlist entries per destination domain.

All requests fail after setting the proxy — including internal operations

Check that NO_PROXY includes localhost and 127.0.0.1. Without these, internal health check calls and database connections may be routed through the proxy, causing them to fail immediately.

SSL certificate verification errors in logs despite a working proxy

Your proxy is performing TLS inspection. Follow the "TLS-Inspecting Proxies" section above to mount and trust your corporate CA certificate inside the container.

Proxy authentication fails with valid credentials

Special characters in the password must be URL-encoded in the proxy URL. For example, @ becomes %40, # becomes %23, and % itself becomes %25.

Frequently Asked Questions

Which variable names does Tymeslot use — uppercase or lowercase?

Tymeslot reads both. The runtime configuration checks uppercase first (HTTPS_PROXY, HTTP_PROXY, NO_PROXY) and falls back to lowercase (https_proxy, http_proxy, no_proxy) if the uppercase form is absent. Use uppercase — it is the conventional form for environment variables and avoids ambiguity with shell tools that may handle casing differently.

Do I need to set both HTTP_PROXY and HTTPS_PROXY?

In practice, HTTPS_PROXY is the only one you must set. Nearly all of Tymeslot's outbound API calls (Google, Microsoft, GitHub, Postmark, reCAPTCHA) use HTTPS. Setting HTTP_PROXY as well is good practice for completeness, since some proxy configurations require it to handle plain HTTP redirects that can occur during OAuth flows, but most deployments work with HTTPS_PROXY alone.

What should I put in NO_PROXY?

At minimum: localhost,127.0.0.1,::1. These ensure internal health checks and loopback calls never route through the proxy.

Add the Docker service name of your PostgreSQL container (e.g. db or postgres) and any private CIDR ranges your infrastructure uses so that database and internal service traffic bypasses the proxy entirely. A typical value looks like: localhost,127.0.0.1,::1,db,10.0.0.0/8,192.168.0.0/16

Does proxy configuration affect WebSocket connections from browsers to Tymeslot?

No. The proxy variables control only outbound HTTP requests that Tymeslot's server makes to third-party APIs — Google, Microsoft, GitHub, Postmark, and so on. WebSocket connections opened by browsers to the Tymeslot server are inbound connections and are handled by your reverse proxy (nginx, Caddy, Traefik, etc.), not by these variables.

How do I verify that outbound requests are actually going through the proxy?

Run the curl test from inside the container described in the "Testing Proxy Connectivity" section above. A CONNECT line in the verbose output confirms the request tunnelled through the proxy.

For application-level verification, enable debug logging by temporarily setting LOG_LEVEL=debug and restarting. Log lines for outbound HTTP requests will include the proxy address when one is in use. Reset to LOG_LEVEL=info afterwards — debug output is verbose and not suitable for continuous production use.

Verification Checklist

Confirm each item before considering the proxy configuration complete:
  • HTTPS_PROXY is set to your corporate proxy URL
  • NO_PROXY includes localhost, 127.0.0.1, and ::1
  • curl test from inside the container returns 200 Connection established followed by a 301 from Google
  • If using a TLS-inspecting proxy: corporate CA certificate mounted and trusted inside the container
  • Tymeslot restarted after environment variable changes
  • Google OAuth login attempt redirects to the Google login page (confirming OAuth endpoints are reachable)

🔗 Related Articles

Read Docker Self-Hosting

Docker Self-Hosting

Deploy Tymeslot using Docker and Docker Compose. Perfect for VPS hosting, home servers, or any environment with Docker support.

Read Cloudron Deployment

Cloudron Deployment

One-click installation on Cloudron. Automated backups, SSL certificates, and updates handled automatically.

Read Reverse Proxy Setup

Reverse Proxy Setup

Run Tymeslot behind Nginx or Caddy with automatic HTTPS. Required for production deployments and OAuth integrations.