SSL Proxying

APXY can intercept HTTPS (TLS) traffic by acting as a man-in-the-middle proxy, generating leaf certificates on-the-fly signed by its root CA.

HTTPS interception modes

APXY supports three levels of HTTPS inspection:

| Mode | What’s captured | Privacy |
|------|-----------------|---------|
| Tunnel (default) | Nothing — encrypted passthrough | Highest |
| Metadata | Headers only, no bodies | Medium |
| Deep | Full request and response | Full inspection |

HTTPS MITM is opt-in for privacy: traffic is tunneled without inspection unless you explicitly enable it.

Web UI

Open SSL from the Modify group. The page provides:

  • A list of domains with SSL interception enabled
  • Add domain form to enable HTTPS interception for a new domain
  • Enable/disable toggles for each domain
  • Delete buttons to remove domains from the list

When you create a mock rule for an HTTPS URL in the Mock Rules page, APXY automatically enables SSL interception for that domain.

CLI

Enable SSL interception

# Enable deep inspection for a specific domain
apxy ssl enable --domain api.example.com

# Disable SSL interception
apxy ssl disable --domain api.example.com

# List domains with SSL interception
apxy ssl list

Startup flags

You can also configure SSL behavior at startup:

# Enable deep inspection for specific domains from startup
apxy start --ssl-domains "api.example.com,api.staging.com"

# Bypass cert-pinned apps (tunnel without MITM)
apxy start --bypass-domains "app.datadoghq.com,*.apple.com"

# Deep inspect ALL HTTPS traffic
apxy start --mitm-all

Automatic with mock rules

When you create a mock rule for an HTTPS URL, APXY automatically enables SSL interception for that domain.

Certificate management

# Generate root CA (first time)
apxy certs generate

# View CA info
apxy certs info

# Trust CA in macOS Keychain
sudo apxy certs trust

See Certificate Setup for platform-specific instructions.

Custom Certificate Authorities

Requires a Pro or Personal license. See License Activation for details.

APXY lets you add your own Certificate Authorities bound to specific domain patterns. When APXY intercepts HTTPS traffic for a matching domain, it uses your custom CA to sign the leaf certificate instead of the default APXY root CA.

CLI

# Add a custom CA for a domain pattern
apxy certs custom add --domain "*.example.com" --cert ./my-ca.pem --key ./my-ca-key.pem

# List all custom CAs
apxy certs custom list

# Show details for a specific custom CA
apxy certs custom info --domain "*.example.com"

# Remove a custom CA by domain pattern
apxy certs custom remove --domain "*.example.com"

# Trust a custom CA in the system keychain
sudo apxy certs custom trust --domain "*.example.com"

Web UI

  1. Open the SSL page from the Modify group
  2. Scroll to the Custom Certificate Authorities section
  3. Click Add CA
  4. Provide the domain pattern, CA certificate file, and private key file
  5. Click Save

Domain matching

Custom CAs are matched against the requested domain using these rules:

  • Wildcard patterns: *.example.com matches any subdomain of example.com
  • Exact match: api.example.com matches only that specific domain
  • Fallback — if no custom CA matches, APXY uses its default root CA
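
The matching rules above, modeled as an added Python example (not APXY's own code) for checking which CA would sign the leaf for a given host before you trust a custom CA. Assumptions not stated on the page: an exact pattern takes precedence over a wildcard, the longest wildcard wins, a wildcard does not match the bare parent domain, and the CA labels and host list are constructed.

```python
# Added example: a model of the documented matching rules, not APXY's code.
DEFAULT_CA = "apxy-root-ca"  # constructed label for the default root CA

# Constructed sample configuration: domain pattern -> custom CA label.
CUSTOM_CAS = {"*.example.com": "corp-ca", "api.example.com": "api-ca"}

# Constructed hosts, including edge cases worth checking by hand.
HOSTS = ["api.example.com", "cdn.example.com", "a.b.example.com",
         "example.com", "evilexample.com", "API.Example.com."]


def normalize(name):
    """Lowercase and drop a trailing dot so 'API.Example.com.' compares equal."""
    return name.strip().lower().rstrip(".")


def pattern_matches(pattern, host):
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        # Keep the leading dot of the suffix so the comparison lands on a
        # label boundary: 'evilexample.com' must not match '*.example.com'.
        suffix = pattern[1:]  # '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def select_ca(custom_cas, host):
    """Return the label of the CA that would sign the leaf for host."""
    exact = [p for p in custom_cas
             if not p.startswith("*.") and pattern_matches(p, host)]
    if exact:  # assumption: exact match beats any wildcard
        return custom_cas[exact[0]]
    wild = [p for p in custom_cas
            if p.startswith("*.") and pattern_matches(p, host)]
    if wild:  # assumption: the most specific (longest) wildcard wins
        return custom_cas[max(wild, key=len)]
    return DEFAULT_CA  # documented fallback: default root CA


def audit(custom_cas, hosts):
    """Map each host to the CA expected to sign its leaf certificate."""
    return {h: select_ca(custom_cas, h) for h in hosts}


if __name__ == "__main__":
    for host, ca in audit(CUSTOM_CAS, HOSTS).items():
        print(f"{host:20} -> {ca}")
```

Comparing this expected mapping with the issuer your client actually sees for each host shows whether a lookalike or parent domain is being signed by a CA you did not intend.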

Custom CAs persist across proxy restarts and are included when you export/import settings with apxy setup settings export and apxy setup settings import.

Proxy bypass

Exclude sensitive domains from proxying entirely using the --bypass-domains flag at startup:

apxy start --bypass-domains "sensitive-api.com,*.internal.corp"

Bypassed domains are tunneled without any MITM — traffic passes through encrypted. This is required for apps with certificate pinning.

You can also use filter rules to exclude domains from being recorded (traffic is still forwarded):

apxy traffic filter set --type block --target "sensitive-api.com"