Go Proxy
Choosing Your GOPROXY for Go Modules | JFrog Artifactory
Note: This blog has been updated to reflect the sunsetting of JFrog GoCenter.
Starting with Go 1. 13, Go modules are the standard package manager in Golang, automatically enabled on installation along with a default GOPROXY.
But with that GOPROXY as well as your own Go module packages you need to keep secure from public view, what kind of configuration should you choose? How can you keep your public and private Golang resources from becoming a tangled knot?
Let’s take a look at what a GOPROXY is for, and some of the ways you can set one up for a system that is fast, reliable, and secure.
What Is a GOPROXY?
A GOPROXY controls the source of your Go module downloads and can help assure builds are deterministic and secure.
When developing in Golang before the GOPROXY era, module dependencies were downloaded directly from their source repositories in VCS systems such as GitHub, Bitbucket, Bazaar, Mercurial or SVN. Dependencies from a third party are typically downloaded from public source repos. Private dependencies must authenticate with the VCS system where they are stored to download the module source files.
While the above workflow was popularly used, it lacked the two fundamental requirements of a deterministic and secure build and development process: immutability & availability. Modules can be wiped out by the author or versions can be edited. While these scenarios are considered to be bad practice, they do occur frequently.
Using a GOPROXY
Setting a GOPROXY for your Golang development or CI environment redirects Go module download requests to a cache repository.
Using a GOPROXY for module dependencies helps enforce the immutability requirement. By returning the module from the GOPROXY’s cache, it always provides the same code for a requested version, even if the module has been improperly modified more recently in the VCS repo.
The GOPROXY’s cache also helps ensure the module is always available, even if the original in the VCS repo is destroyed.
There are different ways to use GOPROXY, depending on the source of go modules dependencies you expect to use.
Public GOPROXY
A public GOPROXY is a centralized repository available to Golang devs across the globe. It hosts open-source Go modules that have been made available from third parties in publicly accessible VCS project repositories. Most, like are provided to the Golang developer community for free.
To use a public GOPROXY, set the Golang environment variable to its URL:
$ export GOPROXY=
The above setting redirects all module download requests to the Go module repository maintained by the Golang team. Downloads from a public GOPROXY can be much faster than directly from the VCS, by downloading a module archive file.
In addition to fulfilling downloads, a public GOPROXY can also provide GoLang developers more detailed information about the modules it holds. The UI at enables you to search for modules and provides some basic statistics.
Private Go Modules
Typically, GoLang projects make use of both open-source and private module dependencies. Some users use the GOPRIVATE environment variable to specify a list of paths that must bypass GOPROXY and GOSUMDB and download private modules directly from those VCS repos. For example, you may want to use to retrieve all open-source modules but request private modules only from your company’s servers.
To use the this public GOPROXY along with private modules, set the Golang environment variables:
$ export GOPROXY=$ export GOPRIVATE=*
This use of GOPRIVATE also ensures that your use of these private modules isn’t “leaked” through requests to a public GOPROXY & checksum database server on an open network. Another alternate is to use GONOSUMDB variable that includes references to private go this configuration enables the Go client to resolve both public and private module dependencies, it doesn’t enforce immutability or availability requirements for private modules.
Private GOPROXY
A private GOPROXY is one you install to store both public and private Go modules on your own infrastructure.
Public modules are cached locally by proxying a public GOPROXY in a binary repository manager like JFrog Artifactory. Private modules are also cached in a repository from their VCS repos. In this way, immutability and availability can be guaranteed for both public and private Go modules.
In Artifactory, a combination of a remote repository for, a remote Go module repository that points to private GitHub repos (for private modules) and a local Go module repository can be combined into a single virtual repository, to access as a single unit.
To set your GOPROXY for a virtual repository in Artifactory named “go”:
$ export GOPROXY=”
$ export GONOSUMDB=”*, *”
Since the modules in your private VCS repos will not have entries in the public checksum database at, they must be excluded from this oversight check by the go client. Setting GONOSUMDB to your private VCS repos accomplishes this, and will prevent your go get commands for these private modules from failing due to checksum mismatch.
In this configuration, you are assured that none of your references to private modules are “leaked, ” while also enforcing immutability and availability of both public and private modules.
Cutting Through Knots
As you can see, using a private GOPROXY provides the most certainty, reliability, and security.
You can also speed resolution of module dependencies through network proximity of your private GOPROXY to your build tools. JFrog Artifactory can be installed where you most need it: on-prem or in the cloud, or as a SaaS subscription on all three major public cloud providers.
Those benefits aren’t just limited to Go development, either. Most technology companies use more than one language and multiple package managers. For example, if code is written in Golang, then npm might be used for UI, Docker might be used to distribute bits and Helm might be used to deploy applications on K8s.
With support for over 27 package types, Artifactory can encourage a deterministic, stable and secure software development process for all applications. You can get a free trial and discover how Artifactory can guide your lines and keep your software traveling freely.
Go module proxy – Golang
The Go team is providing the following services run by Google: a module mirror for accelerating
Go module downloads, an index for discovering new modules, and a global database for
authenticating module content.
Since Go 1. 13, the go command by default downloads and authenticates modules using the Go
module mirror and Go checksum database. See
for privacy information
about these services and the
go command documentation
for configuration details including how to disable the use of these servers or use different
ones. If you depend on non-public modules, see the
documentation for configuring your environment.
Services
– a module mirror
which implements the module proxy protocol.
For users downloading large numbers of modules (e. g. for bulk static analysis), the mirror
supports a non-standard header, Disable-Module-Fetch: true that instructs it to
return only cached content. This will avoid slow downloads, at the cost of possibly missing some
rarely-used modules.
– an auditable checksum
database which will be used by the go command to authenticate modules.
Learn more in the go command documentation.
– an index which
serves a feed of new module versions that become available by The feed
can be viewed at The feed is served as new line delimited JSON, providing the module path (as Path), the module
version (as Version), and the time it was first cached by (as Timestamp). The
list is sorted in chronological order. There are two optional parameters:
‘since’: the oldest allowable timestamp (RFC3339 format) for module versions in the returned list. Default
is the beginning of time, e. g.
‘limit’: the maximum length of the returned list. Default = 2000, Max = 2000, e. g.
If you use the index to download many modules from the module mirror, you will want to set
the Disable-Module-Fetch header, described above.
Status: Launched
These services are ready for production use. Please
file issues
if you spot them, with the title prefix “”: (or, or).
Environment setup
These services can only access publicly available source code. If you depend on private
modules, set GOPRIVATE to a glob pattern that covers them. See
Module configuration for non-public modules
in the go command documentation for more details.
To opt-out of this module mirror, you can turn it off by setting GOPROXY=direct
See the go command documentation
for other configuration details.
FAQ
I committed a new change (or released a new version) to a repository, why isn’t it showing up
when I run go get -u or go list -m –versions?
In order to improve our services’ caching and serving latencies, new versions may not show up
right away. If you want new code to be immediately available in the mirror, then first make sure
there is a semantically versioned tag for this revision in the underlying source repository.
Then explicitly request that version via go get module@version. The new version
should be available within one minute. Note that if someone requested the version before the tag
was pushed, it may take up to 30 minutes for the mirror’s cache to expire and fresh data about
the version to become available. If the version is still not available after 30 minutes, please
file an issue.
I removed a bad release from my repository but it still appears in the mirror, what should I do?
Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people
that depend on your package, so this bad release may still be available in the mirror even if it
is not available at the origin. The same situation applies if you delete your entire repository.
We suggest creating a new version and encouraging people to use that one instead.
I’m running the go command in an environment that can’t use the mirror.
The go command documentation
describes the configuration details including how to disable the use of these servers or use
different ones.
If I don’t set GOPRIVATE and request a private module from these services,
what leaks?
The proxy and checksum database protocols only send module paths and versions to the remote
server. If you request a private module, the mirror will try to download it just as any Go
user would and fail in the same way. Information about failed requests isn’t published
anywhere. The only trace of the request will be in internal logs, which
are governed by the privacy policy.
Why did a previously available module become unavailable in the mirror?
does not save all modules forever.
There are a number of reasons for this, but one reason is if
is not able to detect a suitable
license. In this case, only a temporarily cached copy of the module will be made available, and
may become unavailable if it is removed from the original source and becomes outdated.
The checksums will still remain in the checksum database regardless of whether or not they
have become unavailable in the mirror.
goproxy/goproxy: A minimalist Go module proxy handler.
A minimalist Go module proxy handler.
Goproxy has fully implemented the
GOPROXY protocol. Our goal is to
find the most dead simple way to provide a minimalist handler that can act as a
full-featured Go module proxy for those who want to build their own proxies.
Yeah, there is no Makefile, no configuration files, no crazy file
organization, no lengthy documentation, no annoying stuff, just a
roxy that
implements the. Handler.
Features
Extremely easy to use
Two structs: roxy and goproxy. DirCacher
One interface:
Built-in GOPROXY support
Defaulted to (just like what Go is doing right now)
Built-in GONOPROXY support
Built-in GOSUMDB support
Built-in GONOSUMDB support
Built-in GOPRIVATE support
Supports serving under other Go module proxies by setting GOPROXY
Supports proxying checksum databases
Installation
Open your terminal and execute
$ go get
done.
The only requirement is the Go, at least v1. 13.
Quick Start
Create a file named
package main
import (
“net/”
“”)
func main() {
stenAndServe(“localhost:8080”, &roxy{})}
and run it
then try it by setting GOPROXY to localhost:8080 by following the
instructions below. In addition, we also recommend that you set GO111MODULE to
on instead of auto when you are working with Go modules.
Go 1. 13 and above (RECOMMENDED)
$ go env -w GOPROXY=localhost:8080, direct
macOS or Linux
$ export GOPROXY=localhost:8080
or
$ echo “export GOPROXY=localhost:8080” >> ~/. profile && source ~/. profile
Windows
Open your PowerShell and execute
C:\> $env:GOPROXY = “localhost:8080”
1. Open the Start Search, type in “env”
2. Choose the “Edit the system environment variables”
3. Click the “Environment Variables…” button
4. Under the “User variables for
5. Click the “New… ” button
6. Choose the “Variable name” input bar, type in “GOPROXY”
7. Choose the “Variable value” input bar, type in “localhost:8080”
8. Click the “OK” button
Community
If you want to discuss Goproxy, or ask questions about it, simply post questions
or ideas here.
Contributing
If you want to help build Goproxy, simply follow
this to send pull
requests here.
License
This project is licensed under the MIT License.
License can be found here.
Frequently Asked Questions about go proxy
What is go proxy?
What Is a GOPROXY? A GOPROXY controls the source of your Go module downloads and can help assure builds are deterministic and secure. … Private dependencies must authenticate with the VCS system where they are stored to download the module source files.May 7, 2020
How do you remove Goproxy?
Removing a package If you would like a package removed, please send an email to [email protected] , with the import path or module path that you want to remove.Feb 8, 2020
How do I set the variable on my gopro?
1. Right click This PC -> Properties -> Advanced system settings -> Environment Variables 2. Click “New” in Environment Variables 3. Input Variable Name: “GOPROXY” 4.