Lib.rs

Network programming
#monitoring #network-security #proxy #sandbox #network-monitoring #security

bin+lib httpjail

Monitor and restrict HTTP/HTTPS requests from processes

by ammario and 4 contributors

15 releases (5 breaking)

Uses new Rust 2024

0.6.1 Dec 27, 2025
0.6.0 Nov 11, 2025
0.5.1 Nov 9, 2025
0.4.2 Oct 3, 2025
0.1.7 Sep 13, 2025

#10 in #network-monitoring

CC0 license

340KB
7K SLoC

Rust 6K SLoC // 0.1% comments Shell 752 SLoC // 0.2% comments

httpjail

Documentation Crates.io CI

A cross-platform tool for monitoring and restricting HTTP/HTTPS requests from processes using network isolation and transparent proxy interception.

Install:

cargo install httpjail

Or download a pre-built binary from the releases page.

Features

[!WARNING] httpjail is experimental and offers no API or CLI compatibility guarantees.

  • 🔒 Process-level network isolation - Isolate processes in restricted network environments
  • 🌐 HTTP/HTTPS interception - Transparent proxy with TLS certificate injection
  • 🛡️ DNS exfiltration protection - Prevents data leakage through DNS queries
  • 🔧 Multiple evaluation approaches - JS expressions or custom programs
  • 🖥️ Cross-platform - Native support for Linux and macOS

Quick Start

By default, httpjail denies all network requests. Provide a JS rule or script to allow traffic.

# Allow only requests to github.com (JS)
httpjail --js "r.host === 'github.com'" -- your-app

# Load JS from a file (auto-reloads on file changes)
echo "/^api\\.example\\.com$/.test(r.host) && r.method === 'GET'" > rules.js
httpjail --js-file rules.js -- curl https://api.example.com/health
# File changes are detected and reloaded automatically on each request

# Log requests to a file
httpjail --request-log requests.log --js "true" -- npm install
# Log format: "<timestamp> <+/-> <METHOD> <URL>" (+ = allowed, - = blocked)

# Use shell script for request evaluation (process per request)
httpjail --sh "/path/to/script.sh" -- ./my-app
# Script receives env vars: HTTPJAIL_URL, HTTPJAIL_METHOD, HTTPJAIL_HOST, etc.
# Exit code 0 allows, non-zero blocks

# Use line processor for request evaluation (efficient persistent process)
httpjail --proc /path/to/filter.py -- ./my-app
# Program receives JSON on stdin (one per line) and outputs allow/deny decisions
# stdin  -> {"method": "GET", "url": "https://api.github.com", "host": "api.github.com", ...}
# stdout -> true

# Run as standalone proxy server (no command execution) and allow all
httpjail --server --js "true"
# Server defaults to ports 8080 (HTTP) and 8443 (HTTPS)
# Configure your application:
# HTTP_PROXY=http://localhost:8080 HTTPS_PROXY=http://localhost:8443

# Run Docker containers with network isolation (Linux only)
httpjail --js "r.host === 'api.github.com'" --docker-run -- --rm alpine:latest wget -qO- https://api.github.com

Documentation

Docs are stored in the docs/ directory and served at coder.github.io/httpjail.

Table of Contents:

License

This project is released into the public domain under the CC0 1.0 Universal license. See LICENSE for details.

Dependencies

~130MB
~2.5M SLoC