oproxy can inspect HTTPS traffic by acting as a local certificate authority and generating per-domain certificates during CONNECT handling.
On startup, oproxy initializes a root CA at mitm.root_ca_path.
Default built-in path:
mitm:
enabled: false
root_ca_path: ./certsThe checked-in configs/default.yaml sets mitm.enabled: true.
CA files:
root.crtroot.key
If both files exist, oproxy loads the existing key and reconstructs the CA certificate. If either is missing, it generates a new CA. On Unix systems, root.key is written with owner-only permissions.
Domain certificates are generated on demand and cached in memory, up to 1024 entries.
Download the CA:
curl http://127.0.0.1:8080/admin/ca -o oproxy-ca.crtUse it with curl:
curl --cacert oproxy-ca.crt -x http://127.0.0.1:8080 https://example.com- HTTPS inspection requires
mitm.enabled: trueorOPROXY_MITM_ENABLED=true. - The client must trust the oproxy CA.
- Certificate-pinned applications may reject the generated certificate.
- Deleting
root.keyorroot.crtchanges the CA and invalidates previously installed trust. - The CA endpoint returns
404only if CA initialization is unavailable; runtime initialization normally creates the CA even when MITM is disabled. - SOCKS5 captures sessions only when MITM is active and the target port is treated as TLS.
The CA private key can sign certificates trusted by any client that installed root.crt. Protect root.key, Docker CA volumes, backups, and exported files.
Remove the oproxy CA from trust stores when you no longer need it. Do not install the CA on devices you do not control.