mirror of
https://github.com/openai/codex.git
synced 2026-04-24 14:45:27 +00:00
2.1 KiB
2.1 KiB
Codex Network Proxy Quickstart (Local)
This is a compact guide to build and validate the Codex network proxy locally.
Build
From the Codex repo:
cd /Users/viyatb/code/codex/codex-rs
cargo build -p codex-network-proxy
For MITM support:
cargo build -p codex-network-proxy --features mitm
Configure
Add this to ~/.codex/config.toml:
[features]
network_proxy = true
[network_proxy]
enabled = true
proxy_url = "http://127.0.0.1:3128"
admin_url = "http://127.0.0.1:8080"
mode = "limited" # or "full"
poll_interval_ms = 1000
[network_proxy.policy]
allowed_domains = ["example.com", "*.github.com"]
denied_domains = ["metadata.google.internal", "169.254.*"]
# macOS only: allow specific local IPC when proxy-restricted.
allow_local_binding = false
# Example: allow SSH agent socket for git/ssh.
allow_unix_sockets = ["$SSH_AUTH_SOCK"]
[network_proxy.mitm]
enabled = false
Run the proxy
cd /Users/viyatb/code/codex/codex-rs
cargo run -p codex-network-proxy -- proxy
With MITM:
cargo run -p codex-network-proxy --features mitm -- proxy
Test with curl
HTTP/HTTPS via proxy:
export HTTP_PROXY="http://127.0.0.1:3128"
export HTTPS_PROXY="http://127.0.0.1:3128"
curl -sS https://example.com
Limited mode + HTTPS requires MITM. If MITM is on, trust the generated CA:
security add-trusted-cert -d -r trustRoot \
-k ~/Library/Keychains/login.keychain-db \
~/.codex/network_proxy/mitm/ca.pem
Or pass the CA directly:
curl --cacert ~/.codex/network_proxy/mitm/ca.pem -sS https://example.com
Admin endpoints
Reload config after edits:
curl -fsS -X POST http://127.0.0.1:8080/reload
Switch modes:
curl -fsS -X POST http://127.0.0.1:8080/mode -d '{"mode":"full"}'
Codex integration sanity check
- Start the proxy.
- Launch Codex with
[features].network_proxy = trueandnetwork_proxy.enabled = trueset in config. - Run a network command (e.g.,
curl https://example.com). - Confirm you see the allow/deny prompt and that the proxy logs reflect the decision.