Add MITM support to network proxy

2026-04-29 02:41:12 +03:00 · 2026-01-22 22:50:45 -08:00
parent 74ecd6e3b2
commit a4b65c5795
10 changed files with 770 additions and 18 deletions
--- a/codex-rs/network-proxy/src/config.rs
+++ b/codex-rs/network-proxy/src/config.rs
@@ -5,6 +5,7 @@ use serde::Deserialize;
 use serde::Serialize;
 use std::net::IpAddr;
 use std::net::SocketAddr;
+use std::path::PathBuf;
 use tracing::warn;
 use url::Url;

@@ -44,6 +45,8 @@ pub struct NetworkProxySettings {
    pub allow_unix_sockets: Vec<String>,
    #[serde(default)]
    pub allow_local_binding: bool,
+    #[serde(default)]
+    pub mitm: MitmConfig,
 }

 impl Default for NetworkProxySettings {
@@ -63,6 +66,7 @@ impl Default for NetworkProxySettings {
            denied_domains: Vec::new(),
            allow_unix_sockets: Vec::new(),
            allow_local_binding: false,
+            mitm: MitmConfig::default(),
        }
    }
 }
@@ -88,6 +92,32 @@ impl NetworkMode {
    }
 }

+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct MitmConfig {
+    #[serde(default)]
+    pub enabled: bool,
+    #[serde(default)]
+    pub inspect: bool,
+    #[serde(default = "default_mitm_max_body_bytes")]
+    pub max_body_bytes: usize,
+    #[serde(default = "default_ca_cert_path")]
+    pub ca_cert_path: PathBuf,
+    #[serde(default = "default_ca_key_path")]
+    pub ca_key_path: PathBuf,
+}
+
+impl Default for MitmConfig {
+    fn default() -> Self {
+        Self {
+            enabled: false,
+            inspect: false,
+            max_body_bytes: default_mitm_max_body_bytes(),
+            ca_cert_path: default_ca_cert_path(),
+            ca_key_path: default_ca_key_path(),
+        }
+    }
+}
+
 fn default_proxy_url() -> String {
    "http://127.0.0.1:3128".to_string()
 }
@@ -100,6 +130,18 @@ fn default_socks_url() -> String {
    "http://127.0.0.1:8081".to_string()
 }

+fn default_ca_cert_path() -> PathBuf {
+    PathBuf::from("network_proxy/mitm/ca.pem")
+}
+
+fn default_ca_key_path() -> PathBuf {
+    PathBuf::from("network_proxy/mitm/ca.key")
+}
+
+fn default_mitm_max_body_bytes() -> usize {
+    4096
+}
+
 /// Clamp non-loopback bind addresses to loopback unless explicitly allowed.
 fn clamp_non_loopback(addr: SocketAddr, allow_non_loopback: bool, name: &str) -> SocketAddr {
    if addr.ip().is_loopback() {