What Is a Forward Proxy? Outbound Traffic Broker
A forward proxy sits between internal clients and the wider internet, sending outbound requests on their behalf so the organization can filter, log, and control egress traffic.
A forward proxy is the mirror image of a reverse proxy: it represents clients reaching out, not servers receiving traffic. Companies route runner egress through forward proxies to enforce policy and inspect what leaves the network. When CI lives behind one, every package install and API call must go through it.
Acting for the client
When a runner behind a forward proxy fetches a URL, it actually sends the request to the proxy, which fetches the destination and returns the result. The destination sees the proxy, not the runner.
Why organizations use one
- Filter which external hosts are reachable.
- Log and audit outbound traffic.
- Cache common downloads to save bandwidth.
- Enforce egress security policy.
Configuring CI to use it
Tools read proxy settings from environment variables like HTTP_PROXY and HTTPS_PROXY, plus NO_PROXY for exceptions. A runner that ignores these will fail to reach the internet in a proxied environment.
Forward proxies and egress control
Security teams often allowlist destinations at the forward proxy. If a new dependency host is not on the list, the install fails with a connection refused even though the package is valid.
Debugging proxy issues
Symptoms include 407 proxy authentication required, blocked hosts, and TLS interception that swaps in a custom certificate authority the runner must trust. These are configuration problems, not transient blips.
Transient vs blocked
A proxy that drops a connection momentarily is a transient failure; a host that is blocked by policy fails every time. Latchkey runners retry transient proxy drops but surface policy blocks clearly so you can fix the allowlist.
Key takeaways
- A forward proxy brokers outbound requests on behalf of internal clients.
- CI tools must honor HTTP_PROXY, HTTPS_PROXY, and NO_PROXY settings.
- Blocked hosts and proxy auth errors are configuration issues, not retryable blips.