From f319e8074d0a4a2f24416ff946ce446246e951e6 Mon Sep 17 00:00:00 2001
From: Ammar Bandukwala
Date: Wed, 10 Sep 2025 12:52:46 -0500
Subject: [PATCH] Remove support for disabling TLS interception

---
 README.md       |  9 +-------
 src/jail/mod.rs |  5 -----
 src/main.rs     | 34 +++++++++++++---------------------
 3 files changed, 14 insertions(+), 34 deletions(-)

diff --git a/README.md b/README.md
index 01346994..509e9db8 100644
--- a/README.md
+++ b/README.md
@@ -200,16 +200,9 @@ How it works:
 
 Notes and limits:
 
-- Tools that ignore the above env vars will fail TLS verification when intercepted. For those, either add tool‑specific flags to point at `ca-cert.pem` or run with `--no-tls-intercept`.
+- Tools that ignore the above env vars will fail TLS verification when intercepted. For those, add tool‑specific flags to point at `ca-cert.pem`.
 - Long‑lived connections are supported: timeouts are applied only to protocol detection, CONNECT header reads, and TLS handshakes — not to proxied streams (e.g., gRPC/WebSocket).
 
-### Disable TLS Interception
-
-```bash
-# Only monitor/block HTTP traffic
-httpjail --no-tls-intercept --allow ".*" -- ./app
-```
-
 ## License
 
 This project is released into the public domain under the CC0 1.0 Universal license. See [LICENSE](LICENSE) for details.
diff --git a/src/jail/mod.rs b/src/jail/mod.rs
index 11f44a85..4360873c 100644
--- a/src/jail/mod.rs
+++ b/src/jail/mod.rs
@@ -52,10 +52,6 @@ pub struct JailConfig {
     /// Port for HTTPS proxy
     pub https_proxy_port: u16,
 
-    /// Whether to use TLS interception
-    #[allow(dead_code)]
-    pub tls_intercept: bool,
-
     /// Unique identifier for this jail instance
     pub jail_id: String,
 
@@ -79,7 +75,6 @@ impl JailConfig {
         Self {
             http_proxy_port: 8040,
             https_proxy_port: 8043,
-            tls_intercept: true,
             jail_id,
             enable_heartbeat: true,
             heartbeat_interval_secs: 1,
diff --git a/src/main.rs b/src/main.rs
index 831660b2..eb11402c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -36,10 +36,6 @@ struct Args {
     #[arg(long = "log-only")]
     log_only: bool,
 
-    /// Disable HTTPS interception
-    #[arg(long = "no-tls-intercept")]
-    no_tls_intercept: bool,
-
     /// Interactive approval mode
     #[arg(long = "interactive")]
     interactive: bool,
@@ -349,7 +345,6 @@ async fn main() -> Result<()> {
     let mut jail_config = JailConfig::new();
     jail_config.http_proxy_port = actual_http_port;
     jail_config.https_proxy_port = actual_https_port;
-    jail_config.tls_intercept = !args.no_tls_intercept;
 
     // Create and setup jail
     let mut jail = create_jail(jail_config.clone(), args.weak)?;
@@ -386,21 +381,19 @@ async fn main() -> Result<()> {
     // Set up CA certificate environment variables for common tools
     let mut extra_env = Vec::new();
 
-    if !args.no_tls_intercept {
-        match httpjail::tls::CertificateManager::get_ca_env_vars() {
-            Ok(ca_env_vars) => {
-                debug!(
-                    "Setting {} CA certificate environment variables",
-                    ca_env_vars.len()
-                );
-                extra_env = ca_env_vars;
-            }
-            Err(e) => {
-                warn!(
-                    "Failed to set up CA certificate environment variables: {}",
-                    e
-                );
-            }
+    match httpjail::tls::CertificateManager::get_ca_env_vars() {
+        Ok(ca_env_vars) => {
+            debug!(
+                "Setting {} CA certificate environment variables",
+                ca_env_vars.len()
+            );
+            extra_env = ca_env_vars;
+        }
+        Err(e) => {
+            warn!(
+                "Failed to set up CA certificate environment variables: {}",
+                e
+            );
+        }
     }
@@ -532,7 +525,6 @@ mod tests {
             config: Some(file.path().to_str().unwrap().to_string()),
             dry_run: false,
             log_only: false,
-            no_tls_intercept: false,
             interactive: false,
             weak: false,
             verbose: 0,
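Review bot: The `Err(e)` arm of the match on `get_ca_env_vars()` in the third main.rs hunk still only logs a warning and leaves `extra_env` empty, but with the `--no-tls-intercept` opt-out removed there is no longer a supported configuration in which running without the CA environment variables is intended; the jailed program will then, as the README states, fail TLS verification on every intercepted HTTPS request with only a log line explaining why. Consider either propagating the error so the jail refuses to start, or at least stating the consequence in the warning, e.g. `"Failed to set up CA certificate environment variables ({}); HTTPS requests from the jailed process will fail TLS verification", e`. As a point of style, `let mut extra_env = Vec::new();` followed by an assignment inside the `Ok` arm could become a single `let extra_env = match … { … };` expression, with the `Err` arm yielding `Vec::new()`, which drops the `mut`. `main` begins and ends outside this hunk.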