httpjail intercepts HTTPS traffic using a locally-generated Certificate Authority (CA) to inspect and filter encrypted requests.
- CA Generation: On first run, httpjail creates a unique CA keypair
- Certificate Storage: CA files are stored in your config directory:
- Linux:
~/.config/httpjail/ - macOS:
~/Library/Application Support/httpjail/ - Windows:
%APPDATA%\httpjail\(planned)
- Linux:
- Process Trust: The jailed process trusts the CA via environment variables
- Per-Host Certificates: Each HTTPS connection gets a certificate signed by the httpjail CA
- No System Changes: Your system trust store is never modified
httpjail sets these environment variables for the child process:
SSL_CERT_FILE/SSL_CERT_DIR- OpenSSL and most toolsCURL_CA_BUNDLE- curlREQUESTS_CA_BUNDLE- Python requestsNODE_EXTRA_CA_CERTS- Node.jsCARGO_HTTP_CAINFO- CargoGIT_SSL_CAINFO- Git
- Transparently redirects TCP port 443 to the proxy
- Extracts SNI from TLS ClientHello
- No application cooperation needed
- Uses
HTTP_PROXY/HTTPS_PROXYenvironment variables - HTTPS negotiated via CONNECT method
- Applications must respect proxy settings
| Platform | Environment Variables | System Trust Store |
|---|---|---|
| Linux | 🟢 Vast majority | N/A |
| macOS | 🟠 Some | 🟢 Vast majority |
Most CLI tools and libraries respect the CA environment variables that httpjail sets. On macOS, some tools (e.g. those built with Go) ignore these variables and require system trust. As Linux doesn't have a concept of a "system trust store" the environment variables are well supported.
On macOS, you can install the CA certificate to the keychain using httpjail trust --install.