
SSL Proxying

APXY can intercept HTTPS (TLS) traffic by acting as a man-in-the-middle proxy, generating leaf certificates on-the-fly signed by its root CA.

HTTPS interception modes

APXY supports three levels of HTTPS inspection:

| Mode | What’s captured | Privacy |
| --- | --- | --- |
| Tunnel (default) | Nothing — encrypted passthrough | Highest |
| Metadata | Headers only, no bodies | Medium |
| Deep | Full request and response | Full inspection |

HTTPS MITM is opt-in, for privacy: traffic is tunneled without inspection unless you explicitly enable it.

Web UI

Open SSL from the Modify group. The page provides:

  • A list of domains with SSL interception enabled
  • Add domain form to enable HTTPS interception for a new domain
  • Enable/disable toggles for each domain
  • Delete buttons to remove domains from the list

When you create a mock rule for an HTTPS URL in the Mock Rules page, APXY automatically enables SSL interception for that domain.

CLI

apxy ssl …, apxy certs … (including custom CAs), and startup flags such as --ssl-domains, --bypass-domains, and --mitm-all are documented in CLI Reference → Setup and CLI Reference → Proxy.

Quick example (enable deep inspection for one domain):

apxy ssl enable --domain api.example.com

See Certificate Setup for platform-specific trust instructions.

Custom Certificate Authorities

Requires a Pro or Personal license. See License Activation for details.

APXY lets you add your own Certificate Authorities bound to specific domain patterns. When APXY intercepts HTTPS traffic for a matching domain, it uses your custom CA to sign the leaf certificate instead of the default APXY root CA.

Full apxy certs custom … syntax is in CLI Reference → Setup.

Web UI

  1. Open the SSL page from the Modify group
  2. Scroll to the Custom Certificate Authorities section
  3. Click Add CA
  4. Provide the domain pattern, CA certificate file, and private key file
  5. Click Save

Domain matching

Custom CAs are matched against the requested domain using these rules:

  • Wildcard patterns: *.example.com matches any subdomain of example.com
  • Exact match: api.example.com matches only that specific domain
  • Fallback: if no custom CA matches, APXY uses its default root CA
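
The matching rules above as a small resolver, added here as an illustration and not APXY's own code. Assumptions not stated on this page: exact patterns take precedence over wildcards, the longest wildcard wins, matching is case-insensitive, and "any subdomain" covers any depth; `select_ca`, `BINDINGS` and the CA labels are hypothetical names.

```python
from typing import Mapping

# Added illustration; not APXY source code. The label is a placeholder.
DEFAULT_CA = "apxy-default-root"

# Constructed sample bindings: domain pattern -> hypothetical CA label.
BINDINGS = {
    "*.example.com": "corp-ca",
    "*.staging.example.com": "staging-ca",
    "api.example.com": "api-ca",
}


def normalize(name: str) -> str:
    """Lowercase and drop surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def pattern_matches(pattern: str, host: str) -> bool:
    """Apply the page's two rules: wildcard subdomain match or exact match."""
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": keeps the label boundary
        # A subdomain needs at least one character before the suffix, so
        # neither "example.com" nor "badexample.com" matches "*.example.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def rank(pattern: str) -> tuple:
    """Assumed precedence: exact beats wildcard, then the longest pattern."""
    pattern = normalize(pattern)
    return (not pattern.startswith("*."), len(pattern))


def select_ca(host: str, bindings: Mapping[str, str] = BINDINGS) -> str:
    """Return the label of the CA that would sign the leaf for host."""
    matches = [p for p in bindings if pattern_matches(p, host)]
    if not matches:
        return DEFAULT_CA  # fallback rule from the page
    return bindings[max(matches, key=rank)]
```

Running candidate hostnames through a resolver like this before adding a wildcard binding shows which hosts a pattern would cover, including deeper subdomains that a certificate wildcard would not.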

Custom CAs persist across proxy restarts and are included when you export/import settings — see Settings Management.

Proxy bypass

Exclude sensitive domains from proxying entirely using --bypass-domains at startup (see Proxy). Bypassed domains are tunneled without any MITM — traffic passes through encrypted. This is required for apps with certificate pinning.

You can also use filter rules to exclude domains from being recorded (traffic is still forwarded):

apxy filter set --type block --target "sensitive-api.com"