TLS Interception
httpjail intercepts HTTPS traffic using a locally-generated Certificate Authority (CA) to inspect and filter encrypted requests.
How It Works
- CA Generation: On first run, httpjail creates a unique CA keypair
- Certificate Storage: CA files are stored in your config directory:
  - Linux: ~/.config/httpjail/
  - macOS: ~/Library/Application Support/httpjail/
  - Windows: %APPDATA%\httpjail\ (planned)
- Process Trust: The jailed process trusts the CA via environment variables
- Per-Host Certificates: Each HTTPS connection gets a certificate signed by the httpjail CA
- No System Changes: Your system trust store is never modified
Certificate Trust
httpjail sets these environment variables for the child process:
- SSL_CERT_FILE / SSL_CERT_DIR - OpenSSL and most tools
- CURL_CA_BUNDLE - curl
- REQUESTS_CA_BUNDLE - Python requests
- NODE_EXTRA_CA_CERTS - Node.js
- CARGO_HTTP_CAINFO - Cargo
- GIT_SSL_CAINFO - Git
Platform Differences
Linux (Strong Mode)
- Transparently redirects TCP port 443 to the proxy
- Extracts SNI from TLS ClientHello
- No application cooperation needed
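The SNI extraction step listed above, sketched in Rust as an added example (not httpjail's own code). `Reader`, `extract_sni` and `sample_client_hello` are hypothetical names, and the sample ClientHello is constructed.

```rust
// Added example, not httpjail source. Handles a ClientHello that fits in one TLS record.
struct Reader<'a>(&'a [u8]);
impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Option<&'a [u8]> {
        if self.0.len() < n { return None; } // truncated or lying length field
        let (head, tail) = self.0.split_at(n);
        self.0 = tail;
        Some(head)
    }
    fn u8(&mut self) -> Option<usize> { Some(self.take(1)?[0] as usize) }
    fn u16(&mut self) -> Option<usize> { Some((self.u8()? << 8) | self.u8()?) }
    fn vec8(&mut self) -> Option<Reader<'a>> { let n = self.u8()?; self.take(n).map(Reader) }
    fn vec16(&mut self) -> Option<Reader<'a>> { let n = self.u16()?; self.take(n).map(Reader) }
}

pub fn extract_sni(bytes: &[u8]) -> Option<String> {
    let mut rec = Reader(bytes);
    if rec.u8()? != 0x16 { return None; }      // record type: handshake
    rec.take(2)?;                              // legacy record version
    let mut hs = rec.vec16()?;                 // record payload
    if hs.u8()? != 0x01 { return None; }       // handshake type: ClientHello
    let len = (hs.u8()? << 16) | hs.u16()?;    // 24-bit body length
    let mut ch = Reader(hs.take(len)?);
    ch.take(2 + 32)?;                          // client_version + random
    ch.vec8()?;                                // session_id
    ch.vec16()?;                               // cipher_suites
    ch.vec8()?;                                // compression_methods
    let mut exts = ch.vec16()?;
    while !exts.0.is_empty() {
        let (ext_type, mut body) = (exts.u16()?, exts.vec16()?);
        if ext_type != 0 { continue; }         // 0 = server_name
        let mut names = body.vec16()?;         // ServerNameList
        let (name_type, name) = (names.u8()?, names.vec16()?);
        if name_type != 0 { return None; }     // 0 = host_name, the only defined type
        return String::from_utf8(name.0.to_vec()).ok();
    }
    None
}

// Constructed sample input: a minimal ClientHello whose only extension is SNI.
pub fn sample_client_hello(host: &str) -> Vec<u8> {
    assert!(host.len() < 200);                 // single-byte lengths below
    let n = host.len() as u8;
    let mut out = vec![0x16, 3, 1, 0, n + 56]; // record header and length
    out.extend([1, 0, 0, n + 52, 3, 3]);       // ClientHello, body length, client_version
    out.extend([0u8; 32]);                     // random
    out.extend([0u8, 0, 2, 0x13, 0x01, 1, 0]); // empty session_id, one suite, null compression
    out.extend([0, n + 9, 0, 0, 0, n + 5, 0, n + 3, 0, 0, n]); // ext list, SNI ext, host_name
    out.extend(host.as_bytes());
    out
}
```

The SNI value is supplied by the client before any authentication, so a filter that keys on it should treat it as untrusted input.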
macOS (Weak Mode)
- Uses HTTP_PROXY / HTTPS_PROXY environment variables
- HTTPS negotiated via CONNECT method
- Applications must respect proxy settings
Application Support
Platform | Environment Variables | System Trust Store |
---|---|---|
Linux | 🟢 Vast majority | N/A |
macOS | 🟠 Some | 🟢 Vast majority |
Most CLI tools and libraries respect the CA environment variables that httpjail sets. On macOS, some tools (e.g. those built with Go) ignore these variables and require system trust. As Linux doesn't have a concept of a "system trust store", the environment variables are well supported.
On macOS, you can install the CA certificate to the keychain using httpjail trust --install.