Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.
Product OS : Proxy
Product OS : Proxy builds on the work of hudsucker, taking it to the next level with a man-in-the-middle proxy server that can tunnel traffic through a VPN utilising Product OS : VPN.
What is Product OS?
Product OS is a collection of packages that provide different tools and features that can work together to build products more easily for the Rust ecosystem.
Feature Flags
Product OS : Proxy uses feature flags to minimize dependencies and binary size:
default: Enablesdecoder,rcgen_ca,rustls_client, andhttp2(recommended for most use cases)decoder: HTTP content encoding/decoding support (gzip, brotli, deflate, zstd)http2: HTTP/2 protocol supportrcgen_ca: Certificate authority using rcgen (recommended, pure Rust)rustls_client: TLS client using rustls (recommended, pure Rust)tor: Route traffic through Tor networkvpn: Route traffic through VPN connectionsvendored_openssl: Use vendored OpenSSL build (for static linking)
Using Features
Enable specific features in your Cargo.toml:
[]
= { = "0.0.19", = ["decoder", "http2", "tor"] }
Installation
[]
= "0.0.19"
Pin the version to match the crate Cargo.toml when using path or git dependencies.
Documentation
Full API documentation is available at docs.rs/product-os-proxy.
Usage
Overview
Product OS : Proxy is a high-performance, feature-rich MITM (man-in-the-middle) proxy server built on the Rust async ecosystem. It builds upon the work of hudsucker, taking it to the next level with powerful traffic interception, modification, and tunneling capabilities through VPN or Tor networks.
Features
- π MITM Proxying: Intercept and modify HTTP/HTTPS traffic with custom middleware
- π WebSocket Support: Handle WebSocket connections with custom message processing
- π TLS Certificate Authority: Automatic certificate generation for HTTPS interception
- π¦ Content Decoding: Support for gzip, brotli, deflate, and zstd compression (with
decoderfeature) - π VPN Tunneling: Route proxy traffic through VPN connections (with
vpnfeature) - π§
Tor Network: Route traffic through the Tor network (with
torfeature) - β‘ HTTP/2 Support: Full HTTP/2 protocol support (with
http2feature) - π§ Custom Middleware: Implement custom request/response handlers
- π High Performance: Built on Tokio async runtime with minimal overhead
- π‘οΈ Type Safety: Leverages Rust's type system for safe concurrent operations
Quick Start
Basic Proxy
use ;
async
Custom Middleware
Implement custom middleware to inspect and modify traffic:
use ;
use ;
use ;
use BodyBytes as Body;
use async_trait;
use Arc;
;
// Use the middleware
let middleware = new;
proxy.set_middleware;
Certificate Authority Setup
Managed CA (recommended)
"certificateAuthority":
Default storage: ~/.product-os/proxy/ (or $PRODUCT_OS_HOME/proxy/).
Generate and install trust via CLI:
Trust targets
| Target | Description |
|---|---|
system |
OS trust store (Keychain, Windows Root, Linux CA bundle) |
firefox |
Firefox NSS certificate databases |
chromium-profile |
Chrome/Chromium profile NSS databases |
macos-user |
macOS login keychain without sudo |
Active HTTPS probe
When activeHttpsProbe is true, the proxy waits until its listen port accepts connections, then performs a CONNECT + TLS request to example.com:443 through itself using only the managed CA as trust anchor. This validates end-to-end MITM signing after store trust checks pass.
The probe runs after the proxy starts (not during preflight store checks). Use pos-proxy cert guide β βRun active HTTPS self-testβ when the proxy is already running.
Interactive cert guide
pos-proxy cert guide launches a dialoguer menu (with --features cli):
- Auto-install and trust
- Manual steps
- Export CA to Desktop
- Re-check trust status
- Run active HTTPS self-test through proxy
- Skip
mkcert migration
Reuse an existing mkcert CA (already trusted via mkcert -install):
"certificateAuthority":
Programmatic API
use Proxy;
let ca = generate_certificate_authority; // in-memory CA
let managed = load_or_create_managed_certificate_authority?;
β οΈ Security Warning: Clients must be configured to trust the CA certificate, or certificate errors must be explicitly ignored. Never share your CA private key. Store it securely and use proper access controls.
Configuration boundary
NetworkProxy, NetworkProxyCertificateAuthority, and related MITM types are owned by product-os-proxy. Downstream crates (product-os-agents-browser, product-os-runner) depend on product-os-proxy for proxy configuration and CA material β they should not duplicate proxy config structs or path-resolution logic. Use load_certificate_authority and LoadedCa::to_managed_config() when you need a managed CA from loaded cert/key paths.
Architecture
The proxy operates as a MITM proxy with the following flow:
graph LR
Client --> Proxy
Proxy --> CA[Certificate Authority]
CA --> TLS[TLS Handshake]
TLS --> Middleware
Middleware --> Tunnel[VPN/Tor Optional]
Tunnel --> Server
Server --> Tunnel
Tunnel --> Middleware
Middleware --> Client
- Accept Connection: Client connects to proxy
- HTTPS CONNECT: Intercept CONNECT requests for HTTPS traffic
- Certificate Generation: Generate temporary certificates signed by CA
- TLS Termination: Establish TLS connections with clients
- Middleware Processing: Apply custom request/response transformations
- Tunneling (optional): Route through VPN/Tor
- Forward Request: Send request to destination server
- Response Processing: Apply middleware transformations
- Return Response: Send response back to client
Examples
See the examples/ directory for complete working examples:
basic_proxy.rs- Minimal proxy setupcustom_middleware.rs- Custom request/response handling
Run examples with:
Performance
Product OS : Proxy is designed for high performance:
- Async I/O: Built on Tokio for efficient async operations
- Zero-copy: Minimal data copying with
Bytesand streaming - Connection Pooling: Reuses connections to backend servers
- Certificate Caching: Caches generated certificates to reduce overhead
- Parallel Processing: Handles multiple connections concurrently
Security Considerations
When using MITM proxying, be aware of security implications:
- Certificate Trust: Clients must trust your CA certificate
- Private Key Security: Protect your CA private key
- Traffic Inspection: Only inspect traffic you have authorization to intercept
- Compliance: Ensure compliance with relevant regulations (GDPR, CCPA, etc.)
- Logging: Be mindful of sensitive data in logs
- Encryption: All traffic between client and proxy should be encrypted
Thread Safety
The Proxy struct is not Send or Sync by design, as it manages mutable state. However:
- Use it within a single async task
- The internal proxy implementation is thread-safe
- Handles multiple concurrent connections safely
- Middleware should implement
Clone + Send + Sync
Minimum Supported Rust Version
This crate requires Rust 1.75 or later.
Contributing
Contributions are not currently available but will be available on a public repository soon.
License
This project is licensed under the GNU GPLv3.