feat(build): add var_http_proxy and var_http_no_proxy support

Expose HTTP proxy settings in advanced install and vars whitelist, apply them during early container setup and installs, and persist proxy env for updates.

Co-authored-by: Cursor <cursoragent@cursor.com>

ct/apache-airflow.sh

@@ -1,75 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/apache/airflow
-
-APP="Apache-Airflow"
-var_tags="${var_tags:-workflow;scheduler;automation}"
-var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-4096}"
-var_disk="${var_disk:-16}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_arm64="${var_arm64:-no}"
-var_unprivileged="${var_unprivileged:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -d /opt/airflow ]]; then
-    msg_error "No ${APP} Installation Found!"
-    exit
-  fi
-
-  INSTALLED=$(cat ~/.airflow 2>/dev/null || echo "0")
-  LATEST=$(curl -fsSL "https://pypi.org/pypi/apache-airflow/json" | jq -r '.info.version')
-
-  if [[ "$INSTALLED" == "$LATEST" ]]; then
-    msg_ok "Already on the latest version (${LATEST})"
-    exit
-  fi
-
-  msg_info "Stopping Services"
-  systemctl stop airflow-api-server airflow-scheduler airflow-dag-processor airflow-triggerer
-  msg_ok "Stopped Services"
-
-  create_backup /opt/airflow/.env
-
-  msg_info "Updating Apache Airflow to ${LATEST}"
-  $STD uv pip install --python /opt/airflow/.venv/bin/python \
-    "apache-airflow[postgres,fab]==${LATEST}" \
-    --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-${LATEST}/constraints-3.12.txt"
-  echo "${LATEST}" >~/.airflow
-  msg_ok "Updated Apache Airflow to ${LATEST}"
-
-  restore_backup
-
-  msg_info "Running Database Migrations"
-  set -a && source /opt/airflow/.env && set +a
-  $STD /opt/airflow/.venv/bin/airflow db migrate
-  msg_ok "Ran Database Migrations"
-
-  msg_info "Starting Services"
-  systemctl start airflow-api-server airflow-scheduler airflow-dag-processor airflow-triggerer
-  msg_ok "Started Services"
-  msg_ok "Updated successfully!"
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed Successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/headers/apache-airflow

@@ -1,6 +0,0 @@
-    ___                     __               ___    _      ______             
-   /   |  ____  ____ ______/ /_  ___        /   |  (_)____/ __/ /___ _      __
-  / /| | / __ \/ __ `/ ___/ __ \/ _ \______/ /| | / / ___/ /_/ / __ \ | /| / /
- / ___ |/ /_/ / /_/ / /__/ / / /  __/_____/ ___ |/ / /  / __/ / /_/ / |/ |/ / 
-/_/  |_/ .___/\__,_/\___/_/ /_/\___/     /_/  |_/_/_/  /_/ /_/\____/|__/|__/  
-      /_/                                                                     

install/apache-airflow-install.sh

@@ -1,141 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/apache/airflow
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  build-essential \
-  libpq-dev \
-  libssl-dev \
-  libffi-dev \
-  python3-dev
-msg_ok "Installed Dependencies"
-
-UV_PYTHON="3.12" setup_uv
-PG_VERSION="16" setup_postgresql
-PG_DB_NAME="airflow" PG_DB_USER="airflow" setup_postgresql_db
-
-msg_info "Installing Apache Airflow"
-AIRFLOW_VERSION="3.2.1"
-mkdir -p /opt/airflow/{dags,logs,plugins}
-cd /opt/airflow
-$STD uv venv --python 3.12
-$STD uv pip install --python /opt/airflow/.venv/bin/python \
-  "apache-airflow[postgres,fab]==${AIRFLOW_VERSION}" \
-  --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-${AIRFLOW_VERSION}/constraints-3.12.txt"
-echo "${AIRFLOW_VERSION}" >~/.airflow
-msg_ok "Installed Apache Airflow"
-
-msg_info "Configuring Application"
-FERNET_KEY=$(/opt/airflow/.venv/bin/python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
-SECRET_KEY=$(openssl rand -hex 32)
-ADMIN_PASS=$(openssl rand -base64 12 | tr -dc 'a-zA-Z0-9' | cut -c1-12)
-cat <<EOF >/opt/airflow/.env
-AIRFLOW_HOME=/opt/airflow
-AIRFLOW__DATABASE__SQL_ALCHEMY_CONN=postgresql+psycopg2://${PG_DB_USER}:${PG_DB_PASS}@localhost:5432/${PG_DB_NAME}
-AIRFLOW__CORE__EXECUTOR=LocalExecutor
-AIRFLOW__CORE__FERNET_KEY=${FERNET_KEY}
-AIRFLOW__CORE__DAGS_FOLDER=/opt/airflow/dags
-AIRFLOW__CORE__LOAD_EXAMPLES=false
-AIRFLOW__CORE__AUTH_MANAGER=airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager
-AIRFLOW__API__AUTH_BACKENDS=airflow.api.auth.backend.basic_auth,airflow.api.auth.backend.session
-AIRFLOW__WEBSERVER__SECRET_KEY=${SECRET_KEY}
-AIRFLOW__WEBSERVER__BASE_URL=http://${LOCAL_IP}:8080
-AIRFLOW_ADMIN_PASSWORD=${ADMIN_PASS}
-EOF
-set -a && source /opt/airflow/.env && set +a
-$STD /opt/airflow/.venv/bin/airflow db migrate
-$STD /opt/airflow/.venv/bin/airflow users create \
-  --username admin \
-  --firstname Admin \
-  --lastname User \
-  --role Admin \
-  --email admin@example.com \
-  --password "${ADMIN_PASS}"
-msg_ok "Configured Application"
-
-msg_info "Creating Services"
-cat <<EOF >/etc/systemd/system/airflow-api-server.service
-[Unit]
-Description=Apache Airflow API Server
-After=network.target postgresql.service
-
-[Service]
-Type=simple
-User=root
-EnvironmentFile=/opt/airflow/.env
-ExecStart=/opt/airflow/.venv/bin/airflow api-server --port 8080
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/airflow-scheduler.service
-[Unit]
-Description=Apache Airflow Scheduler
-After=network.target postgresql.service
-
-[Service]
-Type=simple
-User=root
-EnvironmentFile=/opt/airflow/.env
-ExecStart=/opt/airflow/.venv/bin/airflow scheduler
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/airflow-dag-processor.service
-[Unit]
-Description=Apache Airflow DAG Processor
-After=network.target postgresql.service
-
-[Service]
-Type=simple
-User=root
-EnvironmentFile=/opt/airflow/.env
-ExecStart=/opt/airflow/.venv/bin/airflow dag-processor
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/airflow-triggerer.service
-[Unit]
-Description=Apache Airflow Triggerer
-After=network.target postgresql.service
-
-[Service]
-Type=simple
-User=root
-EnvironmentFile=/opt/airflow/.env
-ExecStart=/opt/airflow/.venv/bin/airflow triggerer
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now airflow-api-server airflow-scheduler airflow-dag-processor airflow-triggerer
-msg_ok "Created Services"
-
-motd_ssh
-customize
-cleanup_lxc

misc/alpine-install.func

@@ -138,6 +138,7 @@ network_check() {
 # This function updates the Container OS by running apk upgrade with mirror fallback
 update_os() {
   msg_info "Updating Container OS"
+  configure_http_proxy
   if ! $STD apk -U upgrade; then
     msg_warn "apk update failed (dl-cdn.alpinelinux.org), trying alternate mirrors..."
     local alpine_mirrors="mirror.init7.net ftp.halifax.rwth-aachen.de mirrors.edge.kernel.org alpine.mirror.wearetriple.com mirror.leaseweb.com uk.alpinelinux.org dl-2.alpinelinux.org dl-4.alpinelinux.org"
@@ -243,7 +244,7 @@ EOF
     msg_ok "Customized Container"
   fi
 
-  echo "bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/${app}.sh)\"" >/usr/bin/update
+  echo 'set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/'"${app}"'.sh)"' >/usr/bin/update
   chmod +x /usr/bin/update
   post_progress_to_api
 }

misc/build.func

@@ -1018,6 +1018,9 @@ base_settings() {
     fi
   fi
 
+  HTTP_PROXY="${var_http_proxy:-}"
+  HTTP_NO_PROXY="${var_http_no_proxy:-}"
+
   MTU=${var_mtu:-""}
   _sd_val="${var_searchdomain:-""}"
   [[ -n "$_sd_val" ]] && SD="-searchdomain=$_sd_val" || SD=""
@@ -1071,7 +1074,7 @@ load_vars_file() {
 
   # Allowed var_* keys
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_http_no_proxy var_http_proxy var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1250,6 +1253,18 @@ load_vars_file() {
             continue
           fi
           ;;
+        var_http_proxy)
+          if [[ -n "$var_val" ]] && ! [[ "$var_val" =~ ^https?://[^[:space:]]+(:[0-9]+)?/?$ ]]; then
+            msg_warn "Invalid HTTP proxy URL '$var_val' in $file, ignoring"
+            continue
+          fi
+          ;;
+        var_http_no_proxy)
+          if [[ -n "$var_val" ]] && [[ ! "$var_val" =~ ^[a-zA-Z0-9.*_:/-]+(,[a-zA-Z0-9.*_:/-]+)*$ ]]; then
+            msg_warn "Invalid no_proxy value '$var_val' in $file, ignoring"
+            continue
+          fi
+          ;;
         var_container_storage | var_template_storage)
           # Validate that the storage exists and is active on the current node
           local _storage_status
@@ -1289,7 +1304,7 @@ default_var_settings() {
   # Allowed var_* keys (alphabetically sorted)
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_http_no_proxy var_http_proxy var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -1369,6 +1384,10 @@ var_ssh=no
 # var_apt_cacher_ip=http://proxy.local
 # var_apt_cacher_ip=https://proxy.local:443
 
+# HTTP/HTTPS proxy (optional - for networks requiring a proxy)
+# var_http_proxy=http://proxy.local:8080
+# var_http_no_proxy=localhost,127.0.0.1,.local
+
 # Features/Tags/verbosity
 var_fuse=no
 var_tun=no
@@ -1468,7 +1487,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_http_no_proxy var_http_proxy var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1616,6 +1635,8 @@ _build_current_app_vars_tmp() {
   _ssh_auth="${SSH_AUTHORIZED_KEY:-}"
   _apt_cacher="${APT_CACHER:-}"
   _apt_cacher_ip="${APT_CACHER_IP:-}"
+  _http_proxy="${HTTP_PROXY:-${var_http_proxy:-}}"
+  _http_no_proxy="${HTTP_NO_PROXY:-${var_http_no_proxy:-}}"
   _fuse="${ENABLE_FUSE:-no}"
   _tun="${ENABLE_TUN:-no}"
   _gpu="${ENABLE_GPU:-no}"
@@ -1667,6 +1688,8 @@ _build_current_app_vars_tmp() {
 
     [ -n "$_apt_cacher" ] && echo "var_apt_cacher=$(_sanitize_value "$_apt_cacher")"
     [ -n "$_apt_cacher_ip" ] && echo "var_apt_cacher_ip=$(_sanitize_value "$_apt_cacher_ip")"
+    [ -n "$_http_proxy" ] && echo "var_http_proxy=$(_sanitize_value "$_http_proxy")"
+    [ -n "$_http_no_proxy" ] && echo "var_http_no_proxy=$(_sanitize_value "$_http_no_proxy")"
 
     [ -n "$_fuse" ] && echo "var_fuse=$(_sanitize_value "$_fuse")"
     [ -n "$_tun" ] && echo "var_tun=$(_sanitize_value "$_tun")"
@@ -1830,7 +1853,7 @@ advanced_settings() {
     TAGS="community-script${var_tags:+;${var_tags}}"
   fi
   local STEP=1
-  local MAX_STEP=29
+  local MAX_STEP=30
 
   # Store values for back navigation - inherit from var_* app defaults
   local _ct_type="${var_unprivileged:-1}"
@@ -1849,6 +1872,8 @@ advanced_settings() {
   local _ipv6_gate=""
   local _apt_cacher="${var_apt_cacher:-no}"
   local _apt_cacher_ip="${var_apt_cacher_ip:-}"
+  local _http_proxy="${var_http_proxy:-}"
+  local _http_no_proxy="${var_http_no_proxy:-}"
   local _mtu="${var_mtu:-}"
   local _sd="${var_searchdomain:-}"
   local _ns="${var_ns:-}"
@@ -2626,9 +2651,46 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 24: Container Timezone
+    # STEP 24: HTTP/HTTPS Proxy
     # ═══════════════════════════════════════════════════════════════════════════
     24)
+      local http_proxy_default_flag="--defaultno"
+      [[ -n "$_http_proxy" ]] && http_proxy_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "HTTP/HTTPS PROXY" \
+        --ok-button "Next" --cancel-button "Back" \
+        $http_proxy_default_flag \
+        --yesno "\nUse HTTP/HTTPS proxy?\n\nRequired when internet access must go through a proxy server.\n(e.g. corporate networks)\n\n(App default: ${var_http_proxy:-none})" 14 62; then
+        if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+          --title "HTTP PROXY URL" \
+          --inputbox "\nEnter HTTP proxy URL:\n(e.g. http://proxy.local:8080)" 12 62 "$_http_proxy" \
+          3>&1 1>&2 2>&3); then
+          _http_proxy="$result"
+          local _no_proxy_default="${_http_no_proxy:-localhost,127.0.0.1,.local}"
+          if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+            --title "NO_PROXY EXCEPTIONS" \
+            --inputbox "\nEnter NO_PROXY exceptions (comma-separated):\nLeave empty for defaults." 12 62 "$_no_proxy_default" \
+            3>&1 1>&2 2>&3); then
+            _http_no_proxy="$result"
+          fi
+        fi
+      else
+        if [ $? -eq 1 ]; then
+          _http_proxy=""
+          _http_no_proxy=""
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 25: Container Timezone
+    # ═══════════════════════════════════════════════════════════════════════════
+    25)
       local tz_hint="$_ct_timezone"
       [[ -z "$tz_hint" ]] && tz_hint="(empty - will use host timezone)"
 
@@ -2651,9 +2713,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 25: Container Protection
+    # STEP 26: Container Protection
     # ═══════════════════════════════════════════════════════════════════════════
-    25)
+    26)
       local protect_default_flag="--defaultno"
       [[ "$_protect_ct" == "yes" || "$_protect_ct" == "1" ]] && protect_default_flag=""
 
@@ -2675,9 +2737,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 26: Device Node Creation (mknod)
+    # STEP 27: Device Node Creation (mknod)
     # ═══════════════════════════════════════════════════════════════════════════
-    26)
+    27)
       local mknod_default_flag="--defaultno"
       [[ "$_enable_mknod" == "1" ]] && mknod_default_flag=""
 
@@ -2699,9 +2761,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 27: Mount Filesystems
+    # STEP 28: Mount Filesystems
     # ═══════════════════════════════════════════════════════════════════════════
-    27)
+    28)
       local mount_hint=""
       [[ -n "$_mount_fs" ]] && mount_hint="$_mount_fs" || mount_hint="(none)"
 
@@ -2722,9 +2784,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 28: Optional host-side post-install hook (path on the Proxmox HOST)
+    # STEP 29: Optional host-side post-install hook (path on the Proxmox HOST)
     # ═══════════════════════════════════════════════════════════════════════════
-    28)
+    29)
       local _hook_prompt="Optional: absolute path to a *.sh file ON THE PROXMOX HOST.
 
 It runs as root on the HOST (NOT in the LXC) after the container
@@ -2774,9 +2836,9 @@ Leave empty to skip."
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 29: Verbose Mode & Confirmation
+    # STEP 30: Verbose Mode & Confirmation
     # ═══════════════════════════════════════════════════════════════════════════
-    29)
+    30)
       local verbose_default_flag="--defaultno"
       [[ "$_verbose" == "yes" ]] && verbose_default_flag=""
 
@@ -2804,6 +2866,7 @@ Leave empty to skip."
       local tz_display="${_ct_timezone:-Host TZ}"
       local apt_display="${_apt_cacher:-no}"
       [[ "$_apt_cacher" == "yes" && -n "$_apt_cacher_ip" ]] && apt_display="$_apt_cacher_ip"
+      local http_proxy_display="${_http_proxy:-(none)}"
 
       local post_install_display="${_post_install:-(none)}"
       local post_install_warn=""
@@ -2833,6 +2896,7 @@ Features:
 Advanced:
   Timezone: $tz_display
   APT Cacher: $apt_display
+  HTTP Proxy: $http_proxy_display
   Verbose: $_verbose
   Post-Install Script: ${post_install_display}${post_install_warn}"
 
@@ -2876,6 +2940,8 @@ Advanced:
   CT_TIMEZONE="$_ct_timezone"
   APT_CACHER="$_apt_cacher"
   APT_CACHER_IP="$_apt_cacher_ip"
+  HTTP_PROXY="$_http_proxy"
+  HTTP_NO_PROXY="$_http_no_proxy"
   VERBOSE="$_verbose"
   var_post_install="$_post_install"
 
@@ -2891,6 +2957,8 @@ Advanced:
   var_timezone="$_ct_timezone"
   var_apt_cacher="$_apt_cacher"
   var_apt_cacher_ip="$_apt_cacher_ip"
+  var_http_proxy="$_http_proxy"
+  var_http_no_proxy="$_http_no_proxy"
 
   # Format optional values
   [[ -n "$_mtu" ]] && MTU=",mtu=$_mtu" || MTU=""
@@ -2928,6 +2996,7 @@ Advanced:
   [[ "${PROTECT_CT:-no}" == "yes" || "${PROTECT_CT:-no}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Protection: ${BGN}Enabled${CL}"
   [[ -n "${CT_TIMEZONE:-}" ]] && echo -e "${INFO}${BOLD}${DGN}Timezone: ${BGN}$CT_TIMEZONE${CL}"
   [[ "$APT_CACHER" == "yes" ]] && echo -e "${INFO}${BOLD}${DGN}APT Cacher: ${BGN}$APT_CACHER_IP${CL}"
+  [[ -n "${HTTP_PROXY:-}" ]] && echo -e "${INFO}${BOLD}${DGN}HTTP Proxy: ${BGN}$HTTP_PROXY${CL}"
   echo -e "${SEARCH}${BOLD}${DGN}Verbose Mode: ${BGN}$VERBOSE${CL}"
   echo -e "${CREATING}${BOLD}${RD}Creating an LXC of ${APP} using the above advanced settings${CL}"
 
@@ -3765,6 +3834,47 @@ start() {
 # SECTION 8: CONTAINER CREATION & DEPLOYMENT
 # ==============================================================================
 
+# ------------------------------------------------------------------------------
+# _apply_http_proxy_in_container()
+#
+# - Writes persistent proxy settings into the LXC before base package install
+# - Ensures apt/apk/curl work behind corporate proxies during early setup
+# ------------------------------------------------------------------------------
+_apply_http_proxy_in_container() {
+  local proxy="${HTTP_PROXY:-}"
+  local noproxy="${HTTP_NO_PROXY:-}"
+  [[ -z "$proxy" || -z "${CTID:-}" ]] && return 0
+  [[ -z "$noproxy" ]] && noproxy="localhost,127.0.0.1,.local"
+
+  msg_info "Applying HTTP proxy in container"
+  local tmpf
+  tmpf="$(mktemp)"
+  cat >"$tmpf" <<EOF
+export http_proxy="$proxy"
+export https_proxy="$proxy"
+export HTTP_PROXY="$proxy"
+export HTTPS_PROXY="$proxy"
+export no_proxy="$noproxy"
+export NO_PROXY="$noproxy"
+EOF
+  pct push "$CTID" "$tmpf" /etc/profile.d/90-http-proxy.sh >/dev/null 2>&1 || {
+    rm -f "$tmpf"
+    msg_warn "Failed to push HTTP proxy profile into container"
+    return 0
+  }
+  pct exec "$CTID" -- chmod 644 /etc/profile.d/90-http-proxy.sh >/dev/null 2>&1 || true
+
+  if [[ "$var_os" != "alpine" && "${APT_CACHER:-}" != "yes" ]]; then
+    cat >"$tmpf" <<EOF
+Acquire::http::Proxy "$proxy";
+Acquire::https::Proxy "$proxy";
+EOF
+    pct push "$CTID" "$tmpf" /etc/apt/apt.conf.d/95http-proxy >/dev/null 2>&1 || true
+  fi
+  rm -f "$tmpf"
+  msg_ok "Applied HTTP proxy in container"
+}
+
 # ------------------------------------------------------------------------------
 # build_container()
 #
@@ -3891,6 +4001,12 @@ build_container() {
   export SESSION_ID="$SESSION_ID"
   export CACHER="$APT_CACHER"
   export CACHER_IP="$APT_CACHER_IP"
+  if [[ -n "${HTTP_PROXY:-}" ]]; then
+    export HTTP_PROXY HTTPS_PROXY="$HTTP_PROXY" http_proxy="$HTTP_PROXY" https_proxy="$HTTP_PROXY"
+    export NO_PROXY="${HTTP_NO_PROXY:-}" no_proxy="${HTTP_NO_PROXY:-}"
+    export var_http_proxy="$HTTP_PROXY"
+    export var_http_no_proxy="${HTTP_NO_PROXY:-}"
+  fi
   export tz="$timezone"
   export APPLICATION="$APP"
   export app="$NSAPP"
@@ -4374,6 +4490,8 @@ EOF
 
   local install_exit_code=0
 
+  _apply_http_proxy_in_container
+
   # Continue with standard container setup
   if [ "$var_os" == "alpine" ]; then
     sleep 3
@@ -4381,10 +4499,13 @@ EOF
 https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
 https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
 EOF'
-    pct exec "$CTID" -- ash -c "apk add bash newt curl openssh nano mc ncurses jq" >>"$BUILD_LOG" 2>&1 || {
+    pct exec "$CTID" -- ash -c 'set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; apk add bash newt curl openssh nano mc ncurses jq' >>"$BUILD_LOG" 2>&1 || {
       msg_warn "apk install failed (dl-cdn.alpinelinux.org), trying alternate mirrors..."
       local alpine_exit=0
       pct exec "$CTID" -- ash -c '
+        set -a
+        [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh
+        set +a
         ALPINE_MIRRORS="mirror.init7.net ftp.halifax.rwth-aachen.de mirrors.edge.kernel.org alpine.mirror.wearetriple.com mirror.leaseweb.com uk.alpinelinux.org dl-2.alpinelinux.org dl-4.alpinelinux.org"
         for m in $(printf "%s\n" $ALPINE_MIRRORS | shuf); do
           if wget -q --spider --timeout=2 "http://$m/alpine/latest-stable/main/" 2>/dev/null; then
@@ -4443,13 +4564,16 @@ EOF
       pct exec "$CTID" -- bash -c "echo -e 'nameserver 8.8.8.8\nnameserver 1.1.1.1' >/etc/resolv.conf"
     fi
 
-    pct exec "$CTID" -- bash -c "apt-get update 2>&1 && apt-get install -y ${_base_pkgs} 2>&1" >>"$BUILD_LOG" 2>&1 || {
+    pct exec "$CTID" -- bash -c "set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; apt-get update 2>&1 && apt-get install -y ${_base_pkgs} 2>&1" >>"$BUILD_LOG" 2>&1 || {
       local failed_mirror
       failed_mirror=$(pct exec "$CTID" -- bash -c "grep -m1 -oP '(?<=URIs: https?://)[^/]+' /etc/apt/sources.list.d/debian.sources 2>/dev/null || grep -m1 -oP '(?<=deb https?://)[^/]+' /etc/apt/sources.list 2>/dev/null" 2>/dev/null || echo "unknown")
       msg_warn "apt-get update failed (${failed_mirror})."
       msg_custom "ℹ️" "${YW}" "Probing alternate mirrors (this can take 1-2 minutes on network issues)"
       local mirror_exit=0
       pct exec "$CTID" -- env APT_BASE="$_base_pkgs" bash -c '
+        set -a
+        [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh
+        set +a
         DISTRO=$(. /etc/os-release 2>/dev/null && echo "$ID" || echo "debian")
         echo "  Mirror fallback for distro: $DISTRO"
 

misc/core.func

@@ -970,6 +970,53 @@ is_verbose_mode() {
   [[ "$verbose" != "no" ]]
 }
 
+# ------------------------------------------------------------------------------
+# configure_http_proxy()
+#
+# - Applies var_http_proxy / var_http_no_proxy inside the container
+# - Persists proxy env for login shells, systemd, and package managers
+# - Skips APT proxy config when APT Cacher-NG is active
+# ------------------------------------------------------------------------------
+configure_http_proxy() {
+  local proxy="${HTTP_PROXY:-${http_proxy:-${var_http_proxy:-}}}"
+  local noproxy="${HTTP_NO_PROXY:-${no_proxy:-${var_http_no_proxy:-}}}"
+  [[ -z "$proxy" ]] && return 0
+  [[ -z "$noproxy" ]] && noproxy="localhost,127.0.0.1,.local"
+
+  msg_info "Configuring HTTP proxy"
+  cat >/etc/profile.d/90-http-proxy.sh <<EOF
+export http_proxy="$proxy"
+export https_proxy="$proxy"
+export HTTP_PROXY="$proxy"
+export HTTPS_PROXY="$proxy"
+export no_proxy="$noproxy"
+export NO_PROXY="$noproxy"
+EOF
+  chmod 644 /etc/profile.d/90-http-proxy.sh
+
+  if ! grep -q '^http_proxy=' /etc/environment 2>/dev/null; then
+    cat >>/etc/environment <<EOF
+http_proxy=$proxy
+https_proxy=$proxy
+HTTP_PROXY=$proxy
+HTTPS_PROXY=$proxy
+no_proxy=$noproxy
+NO_PROXY=$noproxy
+EOF
+  fi
+
+  if [[ "${CACHER:-}" != "yes" && -d /etc/apt/apt.conf.d ]]; then
+    cat >/etc/apt/apt.conf.d/95http-proxy <<EOF
+Acquire::http::Proxy "$proxy";
+Acquire::https::Proxy "$proxy";
+EOF
+  fi
+
+  export http_proxy="$proxy" https_proxy="$proxy" HTTP_PROXY="$proxy" HTTPS_PROXY="$proxy"
+  export no_proxy="$noproxy" NO_PROXY="$noproxy"
+  msg_ok "Configured HTTP proxy"
+}
+
 # ------------------------------------------------------------------------------
 # is_unattended()
 #

misc/install.func

@@ -388,7 +388,8 @@ apt_update_safe() {
 # ------------------------------------------------------------------------------
 update_os() {
   msg_info "Updating Container OS"
-  if [[ "$CACHER" == "yes" ]]; then
+  configure_http_proxy
+  if [[ "$CACHER" == "yes" && -z "${HTTP_PROXY:-${http_proxy:-}}" ]]; then
     echo 'Acquire::http::Proxy-Auto-Detect "/usr/local/bin/apt-proxy-detect.sh";' >/etc/apt/apt.conf.d/00aptproxy
     local _proxy_raw="${CACHER_IP}"
     local _proxy_host _proxy_port _proxy_url
@@ -509,7 +510,7 @@ EOF
     systemctl restart "$(basename "$(dirname "$GETTY_OVERRIDE")" | sed 's/\.d//')"
     msg_ok "Customized Container"
   fi
-  echo "bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/${app}.sh)\"" >/usr/bin/update
+  echo 'set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/'"${app}"'.sh)"' >/usr/bin/update
   chmod +x /usr/bin/update
 
   if [[ -n "${SSH_AUTHORIZED_KEY}" ]]; then