I got started with migrating a Go project to use modules for dependency management. My company has an internal go proxy that hosts PRIVATE modules ONLY. So, I need a way to download the PRIVATE modules from the internal proxy, let say goproxy.company.com and the public modules like the golang.org/x/tools/cmd/goimports and github.com/sirupsen/logrus from a publicly available go proxy like proxy.golang.org. I was thought this would solve it.
GOPROXY='goproxy.company.com,proxy.golang.org,direct'
GPPRIVATE=*.company.com/*
But, it fails after trying out the first proxy and the second and never uses the direct option as a fallback. Is this a known issue or am I doing something wrong here?
Is there a better way to do this? Are the corporate internal proxies expected to host the publicly available go modules are well? Is this the general expectation?
I get that feeling after reading the docs. Here are the references.
As mentioned in the Proposal: Secure the Public Go Module Ecosystem
We expect that corporate environments may fetch all modules, public and private, through an internal proxy;
Also, in the go docs example for a corporate proxy
For example, if a company ran a module proxy serving private modules, users would configure go using:
GOPRIVATE=*.corp.example.com GOPROXY=proxy.example.com GONOPROXY=noneThis would tell the go command and other tools that modules beginning with a corp.example.com subdomain are private but that the company proxy should be used for downloading both public and private modules, because
GONOPROXYhas been set to a pattern that won't match any modules, overridingGOPRIVATE.
