feat(build): add var_http_proxy and var_http_no_proxy support

Expose HTTP proxy settings in advanced install and vars whitelist, apply them during early container setup and installs, and persist proxy env for updates.

Co-authored-by: Cursor <cursoragent@cursor.com>

ct/headers/plane

@@ -1,6 +0,0 @@
-    ____  __               
-   / __ \/ /___ _____  ___ 
-  / /_/ / / __ `/ __ \/ _ \
- / ____/ / /_/ / / / /  __/
-/_/   /_/\__,_/_/ /_/\___/ 
-                           

ct/plane.sh

@@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: onionrings29
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://plane.so | GitHub: https://github.com/makeplane/plane
-
-APP="Plane"
-var_tags="${var_tags:-project-management}"
-var_cpu="${var_cpu:-4}"
-var_ram="${var_ram:-6144}"
-var_disk="${var_disk:-8}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_arm64="${var_arm64:-no}"
-var_unprivileged="${var_unprivileged:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -d /opt/plane ]]; then
-    msg_error "No Plane Installation Found!"
-    exit 1
-  fi
-
-  if check_for_gh_release "plane" "makeplane/plane"; then
-    msg_info "Stopping Services"
-    systemctl stop plane-api plane-worker plane-beat plane-live plane-space
-    msg_ok "Stopped Services"
-
-    create_backup /opt/plane/.env \
-        /opt/plane/apps/admin/.env \
-        /opt/plane/apps/api/.env \
-        /opt/plane/apps/space/.env \
-       /opt/plane/apps/web/.env
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "plane" "makeplane/plane" "tarball"
-
-    restore_backup
-
-    msg_info "Rebuilding Frontend (Patience)"
-    cd /opt/plane
-    export NODE_OPTIONS="--max-old-space-size=4096"
-    export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-    $STD corepack enable pnpm
-    $STD pnpm install --frozen-lockfile
-    $STD pnpm turbo run build --filter=web --filter=admin --filter=space --filter=live
-    msg_ok "Rebuilt Frontend"
-
-    msg_info "Updating Python Dependencies"
-    cd /opt/plane/apps/api
-    export VIRTUAL_ENV=/opt/plane-venv
-    $STD uv pip install --upgrade -r requirements/production.txt
-    msg_ok "Updated Python Dependencies"
-
-    msg_info "Running Migrations"
-    cd /opt/plane/apps/api
-    set -a
-    source /opt/plane/apps/api/.env
-    set +a
-    $STD /opt/plane-venv/bin/python manage.py migrate
-    $STD /opt/plane-venv/bin/python manage.py collectstatic --noinput
-    $STD /opt/plane-venv/bin/python manage.py configure_instance
-    msg_ok "Ran Migrations"
-
-    msg_info "Starting Services"
-    systemctl start plane-api plane-worker plane-beat plane-live plane-space
-    msg_ok "Started Services"
-    msg_ok "Updated successfully!"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"

install/plane-install.sh

@@ -1,386 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: onionrings29
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://plane.so
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  nginx \
-  build-essential \
-  libpq-dev \
-  libxml2-dev \
-  libxslt1-dev \
-  libxmlsec1-dev \
-  libxmlsec1-openssl \
-  pkg-config \
-  python3-dev \
-  python3-venv \
-  redis-server \
-  erlang-base \
-  erlang-{asn1,crypto,eldap,ftp,inets,mnesia,os-mon,parsetools} \
-  erlang-{public-key,runtime-tools,snmp,ssl,syntax-tools,tftp,tools,xmerl} \
-  rabbitmq-server
-msg_ok "Installed Dependencies"
-
-NODE_VERSION="24" setup_nodejs
-PG_VERSION="16" setup_postgresql
-PG_DB_NAME="plane" PG_DB_USER="plane" setup_postgresql_db
-
-msg_info "Configuring RabbitMQ"
-RABBITMQ_PASS=$(openssl rand -base64 24 | tr -dc 'a-zA-Z0-9' | head -c16)
-$STD rabbitmqctl add_vhost plane
-$STD rabbitmqctl add_user plane "${RABBITMQ_PASS}"
-$STD rabbitmqctl set_permissions -p plane plane ".*" ".*" ".*"
-msg_ok "Configured RabbitMQ"
-
-msg_info "Installing MinIO"
-curl -fsSL https://dl.min.io/server/minio/release/linux-amd64/minio -o /usr/local/bin/minio
-chmod +x /usr/local/bin/minio
-mkdir -p /opt/minio/data
-MINIO_ACCESS_KEY=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c16)
-MINIO_SECRET_KEY=$(openssl rand -base64 36 | tr -dc 'a-zA-Z0-9' | head -c32)
-cat <<EOF >/etc/default/minio
-MINIO_ROOT_USER="${MINIO_ACCESS_KEY}"
-MINIO_ROOT_PASSWORD="${MINIO_SECRET_KEY}"
-MINIO_VOLUMES="/opt/minio/data"
-EOF
-cat <<EOF >/etc/systemd/system/minio.service
-[Unit]
-Description=MinIO Object Storage
-After=network.target
-
-[Service]
-Type=simple
-EnvironmentFile=/etc/default/minio
-ExecStart=/usr/local/bin/minio server \$MINIO_VOLUMES --console-address ":9090"
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now minio
-msg_ok "Installed MinIO"
-
-fetch_and_deploy_gh_release "plane" "makeplane/plane" "tarball"
-
-msg_info "Building Frontend Apps (Patience)"
-cd /opt/plane
-FRONTEND_ENV="VITE_API_BASE_URL=http://${LOCAL_IP}
-VITE_WEB_BASE_URL=http://${LOCAL_IP}
-VITE_ADMIN_BASE_URL=http://${LOCAL_IP}
-VITE_ADMIN_BASE_PATH=/god-mode
-VITE_SPACE_BASE_URL=http://${LOCAL_IP}
-VITE_SPACE_BASE_PATH=/spaces
-VITE_LIVE_BASE_URL=http://${LOCAL_IP}
-VITE_LIVE_BASE_PATH=/live"
-# Each Vite app needs its own .env for the build
-for app in web admin space; do
-  echo "$FRONTEND_ENV" >/opt/plane/apps/${app}/.env
-done
-export NODE_OPTIONS="--max-old-space-size=4096"
-export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-$STD corepack enable pnpm
-$STD pnpm install --frozen-lockfile
-$STD pnpm turbo run build --filter=web --filter=admin --filter=space --filter=live
-msg_ok "Built Frontend Apps"
-
-msg_info "Setting up Python API"
-setup_uv
-$STD uv venv /opt/plane-venv
-export VIRTUAL_ENV=/opt/plane-venv
-$STD uv pip install -r /opt/plane/apps/api/requirements/production.txt
-msg_ok "Set up Python API"
-
-msg_info "Configuring Plane"
-SECRET_KEY=$(openssl rand -hex 32)
-MACHINE_SIG=$(echo -n "$(hostname)-$(date +%s)" | sha256sum | head -c64)
-LIVE_SECRET=$(openssl rand -hex 16)
-cat <<EOF >/opt/plane/apps/api/.env
-DEBUG=0
-CORS_ALLOWED_ORIGINS=http://${LOCAL_IP}
-
-POSTGRES_USER=plane
-POSTGRES_PASSWORD=${PG_DB_PASS}
-POSTGRES_HOST=localhost
-POSTGRES_DB=plane
-POSTGRES_PORT=5432
-DATABASE_URL=postgresql://plane:${PG_DB_PASS}@localhost:5432/plane
-
-REDIS_HOST=localhost
-REDIS_PORT=6379
-REDIS_URL=redis://localhost:6379/
-
-RABBITMQ_HOST=localhost
-RABBITMQ_PORT=5672
-RABBITMQ_USER=plane
-RABBITMQ_PASSWORD=${RABBITMQ_PASS}
-RABBITMQ_VHOST=plane
-AMQP_URL=amqp://plane:${RABBITMQ_PASS}@localhost:5672/plane
-
-AWS_REGION=us-east-1
-AWS_ACCESS_KEY_ID=${MINIO_ACCESS_KEY}
-AWS_SECRET_ACCESS_KEY=${MINIO_SECRET_KEY}
-AWS_S3_ENDPOINT_URL=http://localhost:9000
-AWS_S3_BUCKET_NAME=uploads
-FILE_SIZE_LIMIT=104857600
-
-USE_MINIO=1
-MINIO_ENDPOINT_SSL=0
-SECRET_KEY=${SECRET_KEY}
-MACHINE_SIGNATURE=${MACHINE_SIG}
-
-WEB_URL=http://${LOCAL_IP}
-ADMIN_BASE_URL=http://${LOCAL_IP}
-ADMIN_BASE_PATH=/god-mode
-SPACE_BASE_URL=http://${LOCAL_IP}
-SPACE_BASE_PATH=/spaces
-APP_BASE_URL=http://${LOCAL_IP}
-APP_BASE_PATH=
-LIVE_BASE_URL=http://${LOCAL_IP}
-LIVE_BASE_PATH=/live
-
-GUNICORN_WORKERS=2
-LIVE_SERVER_SECRET_KEY=${LIVE_SECRET}
-API_KEY_RATE_LIMIT=60/minute
-EOF
-cat <<EOF >/opt/plane/.env
-API_BASE_URL=http://localhost:8000
-LIVE_SERVER_SECRET_KEY=${LIVE_SECRET}
-REDIS_HOST=localhost
-REDIS_PORT=6379
-REDIS_URL=redis://localhost:6379/
-PORT=3100
-EOF
-msg_ok "Configured Plane"
-
-msg_info "Running Database Migrations"
-cd /opt/plane/apps/api
-set -a
-source /opt/plane/apps/api/.env
-set +a
-$STD /opt/plane-venv/bin/python manage.py migrate
-$STD /opt/plane-venv/bin/python manage.py collectstatic --noinput
-$STD /opt/plane-venv/bin/python manage.py configure_instance
-$STD /opt/plane-venv/bin/python manage.py register_instance "${MACHINE_SIG}"
-msg_ok "Ran Database Migrations"
-
-msg_info "Creating Services and MinIO Bucket"
-curl -fsSL https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mcli
-chmod +x /usr/local/bin/mcli
-$STD /usr/local/bin/mcli alias set plane http://localhost:9000 "${MINIO_ACCESS_KEY}" "${MINIO_SECRET_KEY}"
-$STD /usr/local/bin/mcli mb plane/uploads --ignore-existing
-$STD /usr/local/bin/mcli anonymous set download plane/uploads
-
-cat <<EOF >/etc/systemd/system/plane-api.service
-[Unit]
-Description=Plane API
-After=network.target postgresql.service redis-server.service rabbitmq-server.service minio.service
-
-[Service]
-Type=simple
-WorkingDirectory=/opt/plane/apps/api
-EnvironmentFile=/opt/plane/apps/api/.env
-ExecStart=/opt/plane-venv/bin/gunicorn -w 2 -k uvicorn.workers.UvicornWorker plane.asgi:application --bind 0.0.0.0:8000 --max-requests 1200 --max-requests-jitter 1000 --access-logfile -
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/plane-worker.service
-[Unit]
-Description=Plane Celery Worker
-After=plane-api.service
-Requires=plane-api.service
-
-[Service]
-Type=simple
-WorkingDirectory=/opt/plane/apps/api
-EnvironmentFile=/opt/plane/apps/api/.env
-ExecStart=/opt/plane-venv/bin/celery -A plane worker -l info
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/plane-beat.service
-[Unit]
-Description=Plane Celery Beat
-After=plane-api.service
-Requires=plane-api.service
-
-[Service]
-Type=simple
-WorkingDirectory=/opt/plane/apps/api
-EnvironmentFile=/opt/plane/apps/api/.env
-ExecStart=/opt/plane-venv/bin/celery -A plane beat -l info
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/plane-live.service
-[Unit]
-Description=Plane Live Server
-After=network.target
-
-[Service]
-Type=simple
-WorkingDirectory=/opt/plane
-EnvironmentFile=/opt/plane/.env
-ExecStart=/usr/bin/node apps/live/dist/start.mjs
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-cat <<EOF >/etc/systemd/system/plane-space.service
-[Unit]
-Description=Plane Space Server
-After=network.target
-
-[Service]
-Type=simple
-WorkingDirectory=/opt/plane/apps/space
-Environment=PORT=3002
-Environment=NODE_ENV=production
-ExecStart=/opt/plane/apps/space/node_modules/.bin/react-router-serve ./build/server/index.js
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl daemon-reload
-systemctl enable -q --now plane-api plane-worker plane-beat plane-live plane-space
-{
-  echo "RabbitMQ User: plane"
-  echo "RabbitMQ Password: ${RABBITMQ_PASS}"
-  echo "MinIO Access Key: ${MINIO_ACCESS_KEY}"
-  echo "MinIO Secret Key: ${MINIO_SECRET_KEY}"
-  echo "Secret Key: ${SECRET_KEY}"
-  echo "Config: /opt/plane/apps/api/.env"
-} >>~/plane.creds
-msg_ok "Created Services and MinIO Bucket"
-
-msg_info "Configuring Nginx"
-cat <<'EOF' >/etc/nginx/sites-available/plane.conf
-upstream plane-api {
-    server 127.0.0.1:8000;
-}
-
-upstream plane-live {
-    server 127.0.0.1:3100;
-}
-
-upstream plane-space {
-    server 127.0.0.1:3002;
-}
-
-upstream plane-minio {
-    server 127.0.0.1:9000;
-}
-
-server {
-    listen 80 default_server;
-    server_name _;
-    client_max_body_size 100M;
-
-    location /api/ {
-        proxy_pass http://plane-api;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-    location /auth/ {
-        proxy_pass http://plane-api;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-    location /static/ {
-        alias /opt/plane/apps/api/plane/static-assets/collected-static/;
-    }
-
-    location /live/ {
-        proxy_pass http://plane-live;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-    location = /uploads {
-        proxy_pass http://plane-minio;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-    location /uploads/ {
-        proxy_pass http://plane-minio;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-    location /spaces/ {
-        proxy_pass http://plane-space;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-    location /spaces {
-        return 301 /spaces/;
-    }
-
-    location /god-mode/ {
-        alias /opt/plane/apps/admin/build/client/;
-        try_files $uri $uri/ /god-mode/index.html;
-    }
-
-    location /god-mode {
-        return 301 /god-mode/;
-    }
-
-    location / {
-        root /opt/plane/apps/web/build/client;
-        try_files $uri $uri/ /index.html;
-    }
-}
-EOF
-ln -sf /etc/nginx/sites-available/plane.conf /etc/nginx/sites-enabled/plane.conf
-rm -f /etc/nginx/sites-enabled/default
-$STD systemctl reload nginx
-msg_ok "Configured Nginx"
-
-motd_ssh
-customize
-cleanup_lxc

misc/alpine-install.func

@@ -138,6 +138,7 @@ network_check() {
 # This function updates the Container OS by running apk upgrade with mirror fallback
 update_os() {
   msg_info "Updating Container OS"
+  configure_http_proxy
   if ! $STD apk -U upgrade; then
     msg_warn "apk update failed (dl-cdn.alpinelinux.org), trying alternate mirrors..."
     local alpine_mirrors="mirror.init7.net ftp.halifax.rwth-aachen.de mirrors.edge.kernel.org alpine.mirror.wearetriple.com mirror.leaseweb.com uk.alpinelinux.org dl-2.alpinelinux.org dl-4.alpinelinux.org"
@@ -243,7 +244,7 @@ EOF
     msg_ok "Customized Container"
   fi
 
-  echo "bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/${app}.sh)\"" >/usr/bin/update
+  echo 'set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/'"${app}"'.sh)"' >/usr/bin/update
   chmod +x /usr/bin/update
   post_progress_to_api
 }

misc/build.func

@@ -1018,6 +1018,9 @@ base_settings() {
     fi
   fi
 
+  HTTP_PROXY="${var_http_proxy:-}"
+  HTTP_NO_PROXY="${var_http_no_proxy:-}"
+
   MTU=${var_mtu:-""}
   _sd_val="${var_searchdomain:-""}"
   [[ -n "$_sd_val" ]] && SD="-searchdomain=$_sd_val" || SD=""
@@ -1071,7 +1074,7 @@ load_vars_file() {
 
   # Allowed var_* keys
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_http_no_proxy var_http_proxy var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1250,6 +1253,18 @@ load_vars_file() {
             continue
           fi
           ;;
+        var_http_proxy)
+          if [[ -n "$var_val" ]] && ! [[ "$var_val" =~ ^https?://[^[:space:]]+(:[0-9]+)?/?$ ]]; then
+            msg_warn "Invalid HTTP proxy URL '$var_val' in $file, ignoring"
+            continue
+          fi
+          ;;
+        var_http_no_proxy)
+          if [[ -n "$var_val" ]] && [[ ! "$var_val" =~ ^[a-zA-Z0-9.*_:/-]+(,[a-zA-Z0-9.*_:/-]+)*$ ]]; then
+            msg_warn "Invalid no_proxy value '$var_val' in $file, ignoring"
+            continue
+          fi
+          ;;
         var_container_storage | var_template_storage)
           # Validate that the storage exists and is active on the current node
           local _storage_status
@@ -1289,7 +1304,7 @@ default_var_settings() {
   # Allowed var_* keys (alphabetically sorted)
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_http_no_proxy var_http_proxy var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -1369,6 +1384,10 @@ var_ssh=no
 # var_apt_cacher_ip=http://proxy.local
 # var_apt_cacher_ip=https://proxy.local:443
 
+# HTTP/HTTPS proxy (optional - for networks requiring a proxy)
+# var_http_proxy=http://proxy.local:8080
+# var_http_no_proxy=localhost,127.0.0.1,.local
+
 # Features/Tags/verbosity
 var_fuse=no
 var_tun=no
@@ -1468,7 +1487,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_http_no_proxy var_http_proxy var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1616,6 +1635,8 @@ _build_current_app_vars_tmp() {
   _ssh_auth="${SSH_AUTHORIZED_KEY:-}"
   _apt_cacher="${APT_CACHER:-}"
   _apt_cacher_ip="${APT_CACHER_IP:-}"
+  _http_proxy="${HTTP_PROXY:-${var_http_proxy:-}}"
+  _http_no_proxy="${HTTP_NO_PROXY:-${var_http_no_proxy:-}}"
   _fuse="${ENABLE_FUSE:-no}"
   _tun="${ENABLE_TUN:-no}"
   _gpu="${ENABLE_GPU:-no}"
@@ -1667,6 +1688,8 @@ _build_current_app_vars_tmp() {
 
     [ -n "$_apt_cacher" ] && echo "var_apt_cacher=$(_sanitize_value "$_apt_cacher")"
     [ -n "$_apt_cacher_ip" ] && echo "var_apt_cacher_ip=$(_sanitize_value "$_apt_cacher_ip")"
+    [ -n "$_http_proxy" ] && echo "var_http_proxy=$(_sanitize_value "$_http_proxy")"
+    [ -n "$_http_no_proxy" ] && echo "var_http_no_proxy=$(_sanitize_value "$_http_no_proxy")"
 
     [ -n "$_fuse" ] && echo "var_fuse=$(_sanitize_value "$_fuse")"
     [ -n "$_tun" ] && echo "var_tun=$(_sanitize_value "$_tun")"
@@ -1830,7 +1853,7 @@ advanced_settings() {
     TAGS="community-script${var_tags:+;${var_tags}}"
   fi
   local STEP=1
-  local MAX_STEP=29
+  local MAX_STEP=30
 
   # Store values for back navigation - inherit from var_* app defaults
   local _ct_type="${var_unprivileged:-1}"
@@ -1849,6 +1872,8 @@ advanced_settings() {
   local _ipv6_gate=""
   local _apt_cacher="${var_apt_cacher:-no}"
   local _apt_cacher_ip="${var_apt_cacher_ip:-}"
+  local _http_proxy="${var_http_proxy:-}"
+  local _http_no_proxy="${var_http_no_proxy:-}"
   local _mtu="${var_mtu:-}"
   local _sd="${var_searchdomain:-}"
   local _ns="${var_ns:-}"
@@ -2626,9 +2651,46 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 24: Container Timezone
+    # STEP 24: HTTP/HTTPS Proxy
     # ═══════════════════════════════════════════════════════════════════════════
     24)
+      local http_proxy_default_flag="--defaultno"
+      [[ -n "$_http_proxy" ]] && http_proxy_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "HTTP/HTTPS PROXY" \
+        --ok-button "Next" --cancel-button "Back" \
+        $http_proxy_default_flag \
+        --yesno "\nUse HTTP/HTTPS proxy?\n\nRequired when internet access must go through a proxy server.\n(e.g. corporate networks)\n\n(App default: ${var_http_proxy:-none})" 14 62; then
+        if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+          --title "HTTP PROXY URL" \
+          --inputbox "\nEnter HTTP proxy URL:\n(e.g. http://proxy.local:8080)" 12 62 "$_http_proxy" \
+          3>&1 1>&2 2>&3); then
+          _http_proxy="$result"
+          local _no_proxy_default="${_http_no_proxy:-localhost,127.0.0.1,.local}"
+          if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+            --title "NO_PROXY EXCEPTIONS" \
+            --inputbox "\nEnter NO_PROXY exceptions (comma-separated):\nLeave empty for defaults." 12 62 "$_no_proxy_default" \
+            3>&1 1>&2 2>&3); then
+            _http_no_proxy="$result"
+          fi
+        fi
+      else
+        if [ $? -eq 1 ]; then
+          _http_proxy=""
+          _http_no_proxy=""
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 25: Container Timezone
+    # ═══════════════════════════════════════════════════════════════════════════
+    25)
       local tz_hint="$_ct_timezone"
       [[ -z "$tz_hint" ]] && tz_hint="(empty - will use host timezone)"
 
@@ -2651,9 +2713,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 25: Container Protection
+    # STEP 26: Container Protection
     # ═══════════════════════════════════════════════════════════════════════════
-    25)
+    26)
       local protect_default_flag="--defaultno"
       [[ "$_protect_ct" == "yes" || "$_protect_ct" == "1" ]] && protect_default_flag=""
 
@@ -2675,9 +2737,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 26: Device Node Creation (mknod)
+    # STEP 27: Device Node Creation (mknod)
     # ═══════════════════════════════════════════════════════════════════════════
-    26)
+    27)
       local mknod_default_flag="--defaultno"
       [[ "$_enable_mknod" == "1" ]] && mknod_default_flag=""
 
@@ -2699,9 +2761,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 27: Mount Filesystems
+    # STEP 28: Mount Filesystems
     # ═══════════════════════════════════════════════════════════════════════════
-    27)
+    28)
       local mount_hint=""
       [[ -n "$_mount_fs" ]] && mount_hint="$_mount_fs" || mount_hint="(none)"
 
@@ -2722,9 +2784,9 @@ advanced_settings() {
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 28: Optional host-side post-install hook (path on the Proxmox HOST)
+    # STEP 29: Optional host-side post-install hook (path on the Proxmox HOST)
     # ═══════════════════════════════════════════════════════════════════════════
-    28)
+    29)
       local _hook_prompt="Optional: absolute path to a *.sh file ON THE PROXMOX HOST.
 
 It runs as root on the HOST (NOT in the LXC) after the container
@@ -2774,9 +2836,9 @@ Leave empty to skip."
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 29: Verbose Mode & Confirmation
+    # STEP 30: Verbose Mode & Confirmation
     # ═══════════════════════════════════════════════════════════════════════════
-    29)
+    30)
       local verbose_default_flag="--defaultno"
       [[ "$_verbose" == "yes" ]] && verbose_default_flag=""
 
@@ -2804,6 +2866,7 @@ Leave empty to skip."
       local tz_display="${_ct_timezone:-Host TZ}"
       local apt_display="${_apt_cacher:-no}"
       [[ "$_apt_cacher" == "yes" && -n "$_apt_cacher_ip" ]] && apt_display="$_apt_cacher_ip"
+      local http_proxy_display="${_http_proxy:-(none)}"
 
       local post_install_display="${_post_install:-(none)}"
       local post_install_warn=""
@@ -2833,6 +2896,7 @@ Features:
 Advanced:
   Timezone: $tz_display
   APT Cacher: $apt_display
+  HTTP Proxy: $http_proxy_display
   Verbose: $_verbose
   Post-Install Script: ${post_install_display}${post_install_warn}"
 
@@ -2876,6 +2940,8 @@ Advanced:
   CT_TIMEZONE="$_ct_timezone"
   APT_CACHER="$_apt_cacher"
   APT_CACHER_IP="$_apt_cacher_ip"
+  HTTP_PROXY="$_http_proxy"
+  HTTP_NO_PROXY="$_http_no_proxy"
   VERBOSE="$_verbose"
   var_post_install="$_post_install"
 
@@ -2891,6 +2957,8 @@ Advanced:
   var_timezone="$_ct_timezone"
   var_apt_cacher="$_apt_cacher"
   var_apt_cacher_ip="$_apt_cacher_ip"
+  var_http_proxy="$_http_proxy"
+  var_http_no_proxy="$_http_no_proxy"
 
   # Format optional values
   [[ -n "$_mtu" ]] && MTU=",mtu=$_mtu" || MTU=""
@@ -2928,6 +2996,7 @@ Advanced:
   [[ "${PROTECT_CT:-no}" == "yes" || "${PROTECT_CT:-no}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Protection: ${BGN}Enabled${CL}"
   [[ -n "${CT_TIMEZONE:-}" ]] && echo -e "${INFO}${BOLD}${DGN}Timezone: ${BGN}$CT_TIMEZONE${CL}"
   [[ "$APT_CACHER" == "yes" ]] && echo -e "${INFO}${BOLD}${DGN}APT Cacher: ${BGN}$APT_CACHER_IP${CL}"
+  [[ -n "${HTTP_PROXY:-}" ]] && echo -e "${INFO}${BOLD}${DGN}HTTP Proxy: ${BGN}$HTTP_PROXY${CL}"
   echo -e "${SEARCH}${BOLD}${DGN}Verbose Mode: ${BGN}$VERBOSE${CL}"
   echo -e "${CREATING}${BOLD}${RD}Creating an LXC of ${APP} using the above advanced settings${CL}"
 
@@ -3765,6 +3834,47 @@ start() {
 # SECTION 8: CONTAINER CREATION & DEPLOYMENT
 # ==============================================================================
 
+# ------------------------------------------------------------------------------
+# _apply_http_proxy_in_container()
+#
+# - Writes persistent proxy settings into the LXC before base package install
+# - Ensures apt/apk/curl work behind corporate proxies during early setup
+# ------------------------------------------------------------------------------
+_apply_http_proxy_in_container() {
+  local proxy="${HTTP_PROXY:-}"
+  local noproxy="${HTTP_NO_PROXY:-}"
+  [[ -z "$proxy" || -z "${CTID:-}" ]] && return 0
+  [[ -z "$noproxy" ]] && noproxy="localhost,127.0.0.1,.local"
+
+  msg_info "Applying HTTP proxy in container"
+  local tmpf
+  tmpf="$(mktemp)"
+  cat >"$tmpf" <<EOF
+export http_proxy="$proxy"
+export https_proxy="$proxy"
+export HTTP_PROXY="$proxy"
+export HTTPS_PROXY="$proxy"
+export no_proxy="$noproxy"
+export NO_PROXY="$noproxy"
+EOF
+  pct push "$CTID" "$tmpf" /etc/profile.d/90-http-proxy.sh >/dev/null 2>&1 || {
+    rm -f "$tmpf"
+    msg_warn "Failed to push HTTP proxy profile into container"
+    return 0
+  }
+  pct exec "$CTID" -- chmod 644 /etc/profile.d/90-http-proxy.sh >/dev/null 2>&1 || true
+
+  if [[ "$var_os" != "alpine" && "${APT_CACHER:-}" != "yes" ]]; then
+    cat >"$tmpf" <<EOF
+Acquire::http::Proxy "$proxy";
+Acquire::https::Proxy "$proxy";
+EOF
+    pct push "$CTID" "$tmpf" /etc/apt/apt.conf.d/95http-proxy >/dev/null 2>&1 || true
+  fi
+  rm -f "$tmpf"
+  msg_ok "Applied HTTP proxy in container"
+}
+
 # ------------------------------------------------------------------------------
 # build_container()
 #
@@ -3891,6 +4001,12 @@ build_container() {
   export SESSION_ID="$SESSION_ID"
   export CACHER="$APT_CACHER"
   export CACHER_IP="$APT_CACHER_IP"
+  if [[ -n "${HTTP_PROXY:-}" ]]; then
+    export HTTP_PROXY HTTPS_PROXY="$HTTP_PROXY" http_proxy="$HTTP_PROXY" https_proxy="$HTTP_PROXY"
+    export NO_PROXY="${HTTP_NO_PROXY:-}" no_proxy="${HTTP_NO_PROXY:-}"
+    export var_http_proxy="$HTTP_PROXY"
+    export var_http_no_proxy="${HTTP_NO_PROXY:-}"
+  fi
   export tz="$timezone"
   export APPLICATION="$APP"
   export app="$NSAPP"
@@ -4374,6 +4490,8 @@ EOF
 
   local install_exit_code=0
 
+  _apply_http_proxy_in_container
+
   # Continue with standard container setup
   if [ "$var_os" == "alpine" ]; then
     sleep 3
@@ -4381,10 +4499,13 @@ EOF
 https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
 https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
 EOF'
-    pct exec "$CTID" -- ash -c "apk add bash newt curl openssh nano mc ncurses jq" >>"$BUILD_LOG" 2>&1 || {
+    pct exec "$CTID" -- ash -c 'set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; apk add bash newt curl openssh nano mc ncurses jq' >>"$BUILD_LOG" 2>&1 || {
       msg_warn "apk install failed (dl-cdn.alpinelinux.org), trying alternate mirrors..."
       local alpine_exit=0
       pct exec "$CTID" -- ash -c '
+        set -a
+        [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh
+        set +a
         ALPINE_MIRRORS="mirror.init7.net ftp.halifax.rwth-aachen.de mirrors.edge.kernel.org alpine.mirror.wearetriple.com mirror.leaseweb.com uk.alpinelinux.org dl-2.alpinelinux.org dl-4.alpinelinux.org"
         for m in $(printf "%s\n" $ALPINE_MIRRORS | shuf); do
           if wget -q --spider --timeout=2 "http://$m/alpine/latest-stable/main/" 2>/dev/null; then
@@ -4443,13 +4564,16 @@ EOF
       pct exec "$CTID" -- bash -c "echo -e 'nameserver 8.8.8.8\nnameserver 1.1.1.1' >/etc/resolv.conf"
     fi
 
-    pct exec "$CTID" -- bash -c "apt-get update 2>&1 && apt-get install -y ${_base_pkgs} 2>&1" >>"$BUILD_LOG" 2>&1 || {
+    pct exec "$CTID" -- bash -c "set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; apt-get update 2>&1 && apt-get install -y ${_base_pkgs} 2>&1" >>"$BUILD_LOG" 2>&1 || {
       local failed_mirror
       failed_mirror=$(pct exec "$CTID" -- bash -c "grep -m1 -oP '(?<=URIs: https?://)[^/]+' /etc/apt/sources.list.d/debian.sources 2>/dev/null || grep -m1 -oP '(?<=deb https?://)[^/]+' /etc/apt/sources.list 2>/dev/null" 2>/dev/null || echo "unknown")
       msg_warn "apt-get update failed (${failed_mirror})."
       msg_custom "ℹ️" "${YW}" "Probing alternate mirrors (this can take 1-2 minutes on network issues)"
       local mirror_exit=0
       pct exec "$CTID" -- env APT_BASE="$_base_pkgs" bash -c '
+        set -a
+        [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh
+        set +a
         DISTRO=$(. /etc/os-release 2>/dev/null && echo "$ID" || echo "debian")
         echo "  Mirror fallback for distro: $DISTRO"
 

misc/core.func

@@ -970,6 +970,53 @@ is_verbose_mode() {
   [[ "$verbose" != "no" ]]
 }
 
+# ------------------------------------------------------------------------------
+# configure_http_proxy()
+#
+# - Applies var_http_proxy / var_http_no_proxy inside the container
+# - Persists proxy env for login shells, systemd, and package managers
+# - Skips APT proxy config when APT Cacher-NG is active
+# ------------------------------------------------------------------------------
+configure_http_proxy() {
+  local proxy="${HTTP_PROXY:-${http_proxy:-${var_http_proxy:-}}}"
+  local noproxy="${HTTP_NO_PROXY:-${no_proxy:-${var_http_no_proxy:-}}}"
+  [[ -z "$proxy" ]] && return 0
+  [[ -z "$noproxy" ]] && noproxy="localhost,127.0.0.1,.local"
+
+  msg_info "Configuring HTTP proxy"
+  cat >/etc/profile.d/90-http-proxy.sh <<EOF
+export http_proxy="$proxy"
+export https_proxy="$proxy"
+export HTTP_PROXY="$proxy"
+export HTTPS_PROXY="$proxy"
+export no_proxy="$noproxy"
+export NO_PROXY="$noproxy"
+EOF
+  chmod 644 /etc/profile.d/90-http-proxy.sh
+
+  if ! grep -q '^http_proxy=' /etc/environment 2>/dev/null; then
+    cat >>/etc/environment <<EOF
+http_proxy=$proxy
+https_proxy=$proxy
+HTTP_PROXY=$proxy
+HTTPS_PROXY=$proxy
+no_proxy=$noproxy
+NO_PROXY=$noproxy
+EOF
+  fi
+
+  if [[ "${CACHER:-}" != "yes" && -d /etc/apt/apt.conf.d ]]; then
+    cat >/etc/apt/apt.conf.d/95http-proxy <<EOF
+Acquire::http::Proxy "$proxy";
+Acquire::https::Proxy "$proxy";
+EOF
+  fi
+
+  export http_proxy="$proxy" https_proxy="$proxy" HTTP_PROXY="$proxy" HTTPS_PROXY="$proxy"
+  export no_proxy="$noproxy" NO_PROXY="$noproxy"
+  msg_ok "Configured HTTP proxy"
+}
+
 # ------------------------------------------------------------------------------
 # is_unattended()
 #

misc/install.func

@@ -388,7 +388,8 @@ apt_update_safe() {
 # ------------------------------------------------------------------------------
 update_os() {
   msg_info "Updating Container OS"
-  if [[ "$CACHER" == "yes" ]]; then
+  configure_http_proxy
+  if [[ "$CACHER" == "yes" && -z "${HTTP_PROXY:-${http_proxy:-}}" ]]; then
     echo 'Acquire::http::Proxy-Auto-Detect "/usr/local/bin/apt-proxy-detect.sh";' >/etc/apt/apt.conf.d/00aptproxy
     local _proxy_raw="${CACHER_IP}"
     local _proxy_host _proxy_port _proxy_url
@@ -509,7 +510,7 @@ EOF
     systemctl restart "$(basename "$(dirname "$GETTY_OVERRIDE")" | sed 's/\.d//')"
     msg_ok "Customized Container"
   fi
-  echo "bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/${app}.sh)\"" >/usr/bin/update
+  echo 'set -a; [ -f /etc/profile.d/90-http-proxy.sh ] && . /etc/profile.d/90-http-proxy.sh; set +a; bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/'"${app}"'.sh)"' >/usr/bin/update
   chmod +x /usr/bin/update
 
   if [[ -n "${SSH_AUTHORIZED_KEY}" ]]; then