NO_PROXY

A comma-separated list of hostnames, domain suffixes, or IP addresses that should bypass the proxy. Supports wildcards in some implementations. Used to exclude internal services, localhost, and private network addresses from proxy routing.

Last updated: 2026-06-05

NO_PROXY is the exception list for HTTP_PROXY/HTTPS_PROXY — a comma-separated set of hosts, domain suffixes, and IP addresses that should connect directly, bypassing the proxy. It is what keeps your app able to reach localhost, the cloud metadata endpoint (169.254.169.254), and internal services while everything else goes through the corporate proxy. The matching rules are frustratingly inconsistent across tools: a leading dot (`.internal.com`) versus a bare suffix, whether ports are honored, and whether CIDR ranges work all vary between curl, Go, Python requests, and the JVM.

Provider: General / OS
Category: network
Set by: Set alongside HTTP_PROXY/HTTPS_PROXY
Example: localhost,127.0.0.1,.internal.company.com

Gotcha: The cloud-credentials killer: if you proxy all traffic but forget to add 169.254.169.254 to NO_PROXY, the instance metadata request goes through the proxy, times out, and the AWS/GCP SDK fails to fetch IAM role credentials — surfacing as confusing auth errors. Always include localhost, 127.0.0.1, the metadata IP, and your internal domain suffix. Because matching differs per tool, list both `internal.com` and `.internal.com` when in doubt.

How to set NO_PROXY

bash (safe defaults)

export NO_PROXY=localhost,127.0.0.1,169.254.169.254,.internal.example.com

match both forms for portability

export NO_PROXY=localhost,127.0.0.1,.svc.cluster.local,svc.cluster.local

References

curl proxy documentation

Frequently Asked Questions

My AWS/GCP SDK can't get credentials behind a proxy. Why?

The SDK fetches temporary credentials from the instance metadata endpoint at 169.254.169.254, but your proxy settings are routing that request through the proxy, which cannot reach it. Add 169.254.169.254 (and localhost/127.0.0.1) to NO_PROXY so metadata and local calls bypass the proxy.

Does NO_PROXY support wildcards and subdomains?

Partially, and inconsistently. A leading dot like .example.com matches subdomains in most tools, and a bare example.com matches the domain and its subdomains in many but not all. CIDR ranges and ports are honored by some tools only. When portability matters, list both the dotted and undotted forms.

Was this helpful?

Stay up to date

Get notified about new guides, tools, and cheatsheets.

Related Variables

HTTP_PROXY

Specifies the proxy server URL for HTTP requests. Used by many command-line tools (curl, wget, apt), package managers (npm, pip), and programming language HTTP clients. The format is typically http://[user:password@]host:port.

HTTPS_PROXY

Specifies the proxy server URL for HTTPS requests. Most tools check both HTTP_PROXY and HTTPS_PROXY separately. Can point to either an HTTP or HTTPS proxy server. In many environments, this is set to the same value as HTTP_PROXY.

Browse all 242 environment variables →