All posts
ConceptsOctober 16, 20251 min read

Fixing Mercurial Push Failures Behind Zscaler Proxies

Engineers running global teams hit this wall often: Mercurial tries to move code, but Zscaler’s cloud-based web filter intercepts outbound traffic. This is not random. Zscaler acts as a proxy, scanning HTTP(S) requests, and Mercurial’s protocol is not friendly with some proxy settings. The handshake fails, authentication loops, or the connection drops outright. The core conflict lives in how Mercurial handles network I/O. By default, it opens direct connections to the remote repository. Zscaler

Free White Paper

Push-Based Authentication: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Engineers running global teams hit this wall often: Mercurial tries to move code, but Zscaler’s cloud-based web filter intercepts outbound traffic. This is not random. Zscaler acts as a proxy, scanning HTTP(S) requests, and Mercurial’s protocol is not friendly with some proxy settings. The handshake fails, authentication loops, or the connection drops outright.

The core conflict lives in how Mercurial handles network I/O. By default, it opens direct connections to the remote repository. Zscaler forces those connections through its secure proxy stack. SSL interception, custom certificates, and restricted ports create friction at every step. Common symptoms include hg clone stalling, hg pull timing out, and commits that push partial data before failing.

Solving this demands configuration, not guesswork. Check if Zscaler tunneling supports Mercurial’s native HTTP and HTTPS requests. Import Zscaler’s root certificate into Mercurial’s trusted store, or point Mercurial to an updated CA bundle. If you can, switch Mercurial to use HTTPS on standard ports (443) with fully qualified hostnames. When that’s impossible, consider SSH-based Mercurial over port 443, which can bypass protocol inspection.

Continue reading? Get the full guide.

Push-Based Authentication: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

For teams behind strict Zscaler policies, create a controlled exception rule. Limit it to your Mercurial server’s IP range. Audit logs to verify what the proxy does at each attempt. Remove deprecated ciphers and update your TLS libraries—Mercurial relies on Python’s SSL support, and older versions fail against Zscaler’s enforced standards.

Sometimes the fastest fix is not tweaking Mercurial itself, but aligning your development environment with the proxy. Containerized workflows can abstract the problem. Build your repository interactions inside a network segment that has preapproved access. Automate certificate injection and proxy configuration in dev setups so new developers ship code without fighting the stack.

Mercurial and Zscaler can work together if you cut through the handshake noise and align their expectations. Test, measure, and document the path for your team.

See this in action now—spin up a full Mercurial + Zscaler-compatible workflow at hoop.dev and go live in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts