--- description: Use Capawesome Cloud Native Builds with a Git server behind a firewall. Configure allowlist rules and IP ranges for self-hosted GitLab or GitHub Enterprise. title: Access Git Behind a Firewall - Capawesome image: https://capawesome.io/docs/assets/images/social/cloud/native-builds/guides/firewall-access.png --- [ Skip to content](#access-git-behind-a-firewall) [ 🎉 Introducing **Capawesome Platform** — one platform for Live Updates, Native Builds, App Store Publishing, and Insider SDKs.](https://capawesome.io) * [ Formbricks ](/docs/plugins/formbricks/) * [ Geocoder ](/docs/plugins/geocoder/) * [ Google Sign-In ](/docs/plugins/google-sign-in/) * [ libSQL ](/docs/plugins/libsql/) * [ Live Update ](/docs/plugins/live-update/) * [ Managed Configurations ](/docs/plugins/managed-configurations/) * [ Media Session ](/docs/plugins/media-session/) * [ ML Kit ](/docs/plugins/mlkit/) * [ NFC ](/docs/plugins/nfc/) * [ OAuth ](/docs/plugins/oauth/) * [ Pedometer ](/docs/plugins/pedometer/) * [ Photo Editor ](/docs/plugins/photo-editor/) * [ PostHog ](/docs/plugins/posthog/) * [ Printer ](/docs/plugins/printer/) * [ Purchases ](/docs/plugins/purchases/) * [ RealtimeKit ](/docs/plugins/realtimekit/) * [ Screen Orientation ](/docs/plugins/screen-orientation/) * [ Screenshot ](/docs/plugins/screenshot/) * [ Secure Preferences ](/docs/plugins/secure-preferences/) * [ Speech Recognition ](/docs/plugins/speech-recognition/) * [ Speech Synthesis ](/docs/plugins/speech-synthesis/) * [ Share Target ](/docs/plugins/share-target/) * [ Square Mobile Payments ](/docs/plugins/square-mobile-payments/) * [ SQLite ](/docs/plugins/sqlite/) * [ Superwall ](/docs/plugins/superwall/) * [ Torch ](/docs/plugins/torch/) * [ Wifi ](/docs/plugins/wifi/) * [ Zip ](/docs/plugins/zip/) * [ Cloud ](/docs/cloud/) * [ Live Updates ](/docs/cloud/live-updates/) * Advanced * Integrations * [ Native Builds ](/docs/cloud/native-builds/) * [ Configuration ](/docs/cloud/native-builds/configuration/) * [ Environments ](/docs/cloud/native-builds/environments/) * Guides * [ Build without Git Connection ](#build-without-git-connection) * [ Comparison ](#comparison) * [ Build without Git Connection ](/docs/cloud/native-builds/guides/build-without-git/) * [ Configure Web Build Script ](/docs/cloud/native-builds/guides/web-build-script/) * [ Install Private npm Packages ](/docs/cloud/native-builds/guides/npm-private-registry/) * [ Overwrite Native Configurations ](/docs/cloud/native-builds/guides/native-configurations/) * [ Auto-Increment Build Numbers ](/docs/cloud/native-builds/guides/auto-incrementing-build-numbers/) * [ Override Java Version ](/docs/cloud/native-builds/guides/override-java-version/) * [ Custom iOS Provisioning Profiles ](/docs/cloud/native-builds/guides/custom-ios-provisioning-profiles/) * [ Install APK on Android Device ](/docs/cloud/native-builds/guides/install-apk-on-android-device/) * [ Install IPA on iOS Device ](/docs/cloud/native-builds/guides/install-ipa-on-ios-device/) * [ Sample Projects ](/docs/cloud/native-builds/sample-projects/) * [ Troubleshooting ](/docs/cloud/native-builds/troubleshooting/) * [ Automations ](/docs/cloud/automations/) * [ Assist ](/docs/cloud/assist/) * Account * Organizations * [ Organization and User Management ](/docs/cloud/organizations/memberships/) * [ Single Sign-On (SSO) ](/docs/cloud/organizations/sso/) * [ Teams ](/docs/cloud/organizations/teams/) * [ Two-Factor Authentication ](/docs/cloud/organizations/two-factor-authentication/) * [ Integrations ](/docs/cloud/integrations/) * [ License Keys ](/docs/cloud/license-keys/) * [ Webhooks ](/docs/cloud/webhooks/) * [ Pricing ](https://capawesome.io/pricing/) * [ FAQ ](/docs/cloud/faq/) * [ Support ](/docs/cloud/support/) * [ Contributing ](/docs/contributing/) * [ LLMs ](/docs/llms/) * [ Insiders ](/docs/insiders/) * [ License ](https://capawesome.io/legal/eula/) * [ Support ](/docs/insiders/support/) * [ FAQ ](/docs/insiders/faq/) * [ Blog ](/blog/) * Categories * [ Build without Git Connection ](#build-without-git-connection) * [ Comparison ](#comparison) # Access Git Behind a Firewall[¶](#access-git-behind-a-firewall "Permanent link") Capawesome Cloud [Native Builds](/docs/cloud/native-builds/) needs to clone your Git repository to run a build. If your Git server is behind a firewall, the build runner cannot reach it by default. This guide covers four approaches to solve this, each with different trade-offs for security, complexity, and maintenance. ## Reverse Tunnel (Recommended)[¶](#reverse-tunnel-recommended "Permanent link") A reverse tunnel lets you expose your internal Git server to the internet without opening inbound firewall ports. You run a small daemon inside your network that establishes an outbound-only connection to a tunnel provider. The provider assigns a public hostname (e.g., `git-tunnel.yourcompany.com`) that routes traffic through the tunnel to your internal Git server. This is the recommended approach for most teams because your firewall remains fully closed to inbound traffic while Native Builds can access your repository securely. There are several tunnel providers available, such as [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), [ngrok](https://ngrok.com/), or [Tailscale Funnel](https://tailscale.com/kb/1223/funnel). Refer to your chosen provider's documentation for setup instructions. Once the tunnel is running, use the public hostname as the server URL when connecting Capawesome Cloud to your Git repository. ## Repository Mirroring[¶](#repository-mirroring "Permanent link") You can set up a mirror of your internal Git repository on a public Git hosting service like [GitHub](https://github.com/) or [GitLab](https://gitlab.com/). Native Builds then clones from the mirror instead of your internal server, so no direct access to your network is needed. The most common approach is **push mirroring**, where your internal server pushes changes to the external mirror on a schedule. Some Git hosting services like GitLab offer [built-in mirroring](https://docs.gitlab.com/ee/user/project/repository/mirror/). For others, you can set up a cron job that runs `git push --mirror` to keep the mirror in sync. Sync Delay Mirrors are not real-time. There is always a delay between a push to your internal server and the mirror being updated. Make sure your mirroring schedule is frequent enough for your build workflow. ## IP Whitelisting[¶](#ip-whitelisting "Permanent link") You can whitelist the IP ranges of the infrastructure providers that Capawesome Cloud uses to run Native Builds. This allows the build runners to access your internal Git server directly through your firewall. ### Required IP Ranges[¶](#required-ip-ranges "Permanent link") You need to whitelist the IP ranges from the following providers: * [Cloudflare](https://www.cloudflare.com/ips/) * [Scaleway](https://www.scaleway.com/en/docs/account/reference-content/scaleway-network-information/) Security Considerations These IP ranges are shared across all customers of the respective providers. Whitelisting them allows any service hosted on those networks to reach your Git server, not just Capawesome Cloud. Make sure your Git server requires proper authentication (e.g., SSH keys or access tokens) in addition to the IP whitelist. ## Build without Git Connection[¶](#build-without-git-connection "Permanent link") Instead of making your Git server accessible to Capawesome Cloud, you can bypass the Git connection entirely by uploading your local source files directly using the CLI's `--path` option. This approach avoids any firewall or networking configuration, but trades off Git integration features such as commit metadata in the Cloud UI, Automations, and the ability to trigger builds from the Console. For details and usage instructions, see the [Build without Git Connection](/docs/cloud/native-builds/guides/build-without-git/) guide. ## Comparison[¶](#comparison "Permanent link") | Reverse Tunnel | Repository Mirroring | IP Whitelisting | Build without Git | | | ------------------------------- | ------------------------------- | ----------------------------------- | ---------------------------- | -------------------------- | | **Firewall changes** | None | None | Inbound rules required | None | | **Security** | High (outbound-only, encrypted) | High (no exposure) | Low (broad shared IP ranges) | High (no network exposure) | | **Real-time repository access** | Yes | No (sync delay) | Yes | N/A | | **Complexity** | Medium | Low to medium | Low | Low | | **Maintenance** | Low | Medium (sync schedule, credentials) | Medium (IP range updates) | Low | | **Git integration** | Full | Full | Full | None | May 7, 2026 Back to top