docs: networking

packages/web/astro.config.mjs

@@ -54,6 +54,7 @@ export default defineConfig({
         "",
         "config",
         "providers",
+        "network",
         "enterprise",
         "troubleshooting",
         "1-0",

packages/web/src/content/docs/network.mdx

@@ -0,0 +1,57 @@
+---
+title: Network
+description: Configure proxies and custom certificates.
+---
+
+OpenCode supports standard proxy environment variables and custom certificates for enterprise network environments.
+
+---
+
+## Proxy
+
+OpenCode respects standard proxy environment variables.
+
+```bash
+# HTTPS proxy (recommended)
+export HTTPS_PROXY=https://proxy.example.com:8080
+
+# HTTP proxy (if HTTPS not available)
+export HTTP_PROXY=http://proxy.example.com:8080
+
+# Bypass proxy for local server (required)
+export NO_PROXY=localhost,127.0.0.1
+```
+
+:::caution
+The TUI communicates with a local HTTP server. You must bypass the proxy for this connection to prevent routing loops.
+:::
+
+You can configure the server's port and hostname using [CLI flags](/docs/cli#run).
+
+---
+
+### Authenticate
+
+If your proxy requires basic authentication, include credentials in the URL.
+
+```bash
+export HTTPS_PROXY=http://username:password@proxy.example.com:8080
+```
+
+:::caution
+Avoid hardcoding passwords. Use environment variables or secure credential storage.
+:::
+
+For proxies requiring advanced authentication like NTLM or Kerberos, consider using an LLM Gateway that supports your authentication method.
+
+---
+
+## Custom certificates
+
+If your enterprise uses custom CAs for HTTPS connections, configure OpenCode to trust them.
+
+```bash
+export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pem
+```
+
+This works for both proxy connections and direct API access.