Client Setup
This guide explains how to configure various package managers to work with Socket Firewall, an HTTP proxy that provides security scanning for package installations.
Socket Firewall uses a custom Certificate Authority (CA) to intercept HTTPS traffic. Before configuring package managers, you need to install and trust the CA certificate.
Note: If you're running Socket Firewall in service mode, you'll first need to generate the CA keypair and configure your service to use it. See Generating Keys for instructions on creating your CA keypair.
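Checks worth running on the CA file before it is added to a system trust store, as an added example that is not part of the Socket Firewall documentation. The function names, the 30-day validity threshold and the saved leaf certificate file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: sanity checks for a CA file before trusting it as a root.

# check_ca_file <ca.pem> [min_days]
# Returns 0 only if the file parses as X.509, is marked CA:TRUE,
# and remains valid for at least min_days (assumed default: 30).
check_ca_file() {
  ca_pem="$1"; min_days="${2:-30}"
  openssl x509 -in "$ca_pem" -noout 2>/dev/null \
    || { echo "not a readable certificate: $ca_pem" >&2; return 1; }
  openssl x509 -in "$ca_pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "basicConstraints is not CA:TRUE: $ca_pem" >&2; return 2; }
  openssl x509 -in "$ca_pem" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "expires within $min_days days: $ca_pem" >&2; return 3; }
}

# ca_fingerprint <ca.pem>
# Prints the SHA-256 fingerprint, to be compared with the value obtained
# out of band from whoever generated the CA keypair.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chain_matches_ca <leaf.pem> <ca.pem>
# Returns 0 if a saved server certificate verifies against the given CA file.
# -no-CApath keeps the system directory of roots out of the decision.
chain_matches_ca() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run the checks when a CA path is passed as the first argument.
if [ -n "${1:-}" ]; then
  check_ca_file "$1" && ca_fingerprint "$1"
fi
```

A non-zero return from `check_ca_file` identifies which check failed: 1 for an unreadable file, 2 for a certificate that is not a CA, 3 for one that is about to expire.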
# Copy the CA certificate to the system certificate directory
sudo cp /path/to/socketFirewallCa.crt /usr/local/share/ca-certificates/socketFirewallCa.crt
# Update the system certificate store
sudo update-ca-certificates

# Copy the CA certificate to the system certificate directory
sudo cp /path/to/socketFirewallCa.crt /etc/pki/ca-trust/source/anchors/socketFirewallCa.crt
# Update the system certificate store
sudo update-ca-trust

# Add the CA certificate to the system keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/socketFirewallCa.crt
# Verify the certificate was added
security find-certificate -c "Socket Proxy CA" /Library/Keychains/System.keychain

- Double-click the socketFirewallCa.crt file to open Keychain Access
- Select "System" keychain when prompted
- Enter your administrator password
- Find the certificate in Keychain Access and double-click it
- Expand "Trust" section and set "When using this certificate" to "Always Trust"
- Close the dialog and enter your password again to save changes
For more details, see Apple's documentation on certificate trust settings.
# Import the CA certificate to the Trusted Root Certification Authorities store
Import-Certificate -FilePath "C:\path\to\socketFirewallCa.crt" -CertStoreLocation Cert:\LocalMachine\Root
# Verify the certificate was imported
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Socket Proxy CA*"}

- Right-click the socketFirewallCa.crt file and select "Install Certificate"
- Choose "Local Machine" and click "Next"
- Select "Place all certificates in the following store"
- Click "Browse" and select "Trusted Root Certification Authorities"
- Click "Next" then "Finish"
- Click "Yes" when prompted about installing the certificate
For more details, see Microsoft's documentation on managing certificates.
If Java is installed, add the CA certificate to the Java keystore:
keytool -import -trustcacerts -cacerts -noprompt \
-storepass changeit \
-alias socket-proxy-ca \
-file /usr/local/share/ca-certificates/socketFirewallCa.crt

Run the following in the terminal to validate that the Socket Firewall CA has been installed as a trusted root certificate:
openssl s_client -connect your-firewall-host:443 -prexit

Near the top of the output, you should see something like the following:
Certificate chain
0 s:CN=your-firewall-host
i:CN=Socket Security CA, O=Socket Security
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Aug 24 02:02:23 2025 GMT; NotAfter: Aug 24 02:02:23 2026 GMT
If you're not sure of the output, check it against the output from this command; they should look the same:
openssl s_client -connect your-firewall-host:443 -prexit -CAfile ./path/to/socketFirewallCa.crt

Environment Variables:
npm config set proxy "https://your-firewall-host:https-port"
npm config set https-proxy "https://your-firewall-host:https-port"
export NODE_EXTRA_CA_CERTS="/path/to/socketFirewallCa.crt"

Alternative for Node.js > 23:
npm config set proxy "https://your-firewall-host:https-port"
npm config set https-proxy "https://your-firewall-host:https-port"
export NODE_OPTIONS="--use-system-ca"

Note: Firewall requires npm version 10 or higher. Previous versions of npm included an abstraction incompatible with how we intercept traffic.
Environment Variables:
export YARN_HTTP_PROXY="https://your-firewall-host:https-port"
export YARN_HTTPS_PROXY="https://your-firewall-host:https-port"
export NODE_EXTRA_CA_CERTS="/path/to/socketFirewallCa.crt"
export YARN_HTTPS_CA_FILE_PATH="/path/to/socketFirewallCa.crt"

Alternative for Node.js > 23:
export YARN_HTTP_PROXY="https://your-firewall-host:https-port"
export YARN_HTTPS_PROXY="https://your-firewall-host:https-port"
export NODE_OPTIONS="--use-system-ca"

Environment Variables:
export HTTP_PROXY="https://your-firewall-host:https-port"
export HTTPS_PROXY="https://your-firewall-host:https-port"
export NODE_EXTRA_CA_CERTS="/path/to/socketFirewallCa.crt"

Alternative for Node.js > 23:
export HTTP_PROXY="https://your-firewall-host:https-port"
export HTTPS_PROXY="https://your-firewall-host:https-port"
export NODE_OPTIONS="--use-system-ca"

Environment Variables:
export HTTP_PROXY="https://your-firewall-host:https-port"
export HTTPS_PROXY="https://your-firewall-host:https-port"
export PIP_CERT="/path/to/socketFirewallCa.crt"

Poetry is not currently supported by Socket Firewall.
Environment Variables:
export HTTP_PROXY="https://your-firewall-host:https-port"
export HTTPS_PROXY="https://your-firewall-host:https-port"
export PIP_CERT="/path/to/socketFirewallCa.crt"

Environment Variables:
export HTTP_PROXY="https://your-firewall-host:https-port"
export HTTPS_PROXY="https://your-firewall-host:https-port"

Configuration File: Create .cargo/config.toml in your project or home directory:
[http]
cainfo = "/path/to/socketFirewallCa.crt"
proxy = 'your-firewall-host:http-port'
proxy-cainfo = "/path/to/socketFirewallCa.crt"
multiplexing = false

Known Issue: Cargo currently has limited support for HTTPS proxies. Use the HTTP port of Socket Firewall instead.
Configuration File: Create ~/.gemrc:
---
http_proxy: https://your-firewall-host:http-port
https_proxy: https://your-firewall-host:http-port

Note: RubyGems may not fully support HTTPS proxies. Use the HTTP port of Socket Firewall.
Configuration File: Create ~/.gemrc:
---
http_proxy: https://your-firewall-host:http-port
https_proxy: https://your-firewall-host:http-port

Note: Bundler cannot establish proxy connections with HTTPS endpoints. Use the HTTP port of Socket Firewall.
Configuration File: Edit /usr/share/maven/conf/settings.xml (or ~/.m2/settings.xml):
<settings>
<proxies>
<proxy>
<id>http-proxy</id>
<active>true</active>
<protocol>http</protocol>
<host>your-firewall-host</host>
<port>http-port</port>
</proxy>
<proxy>
<id>https-proxy</id>
<active>true</active>
<protocol>https</protocol>
<host>your-firewall-host</host>
<port>http-port</port>
</proxy>
</proxies>
</settings>

Known Issue: Maven uses Apache HttpClient, which doesn't support HTTPS requests through HTTPS proxies. Use the HTTP port for both protocols.
Configuration File: Create ~/.gradle/gradle.properties:
systemProp.http.proxyHost=your-firewall-host
systemProp.http.proxyPort=http-port
systemProp.https.proxyHost=your-firewall-host
systemProp.https.proxyPort=http-port

Known Issue: Gradle uses Apache HttpClient, which doesn't support HTTPS requests through HTTPS proxies. Use the HTTP port for both protocols.
Environment Variables:
export HTTP_PROXY="https://your-firewall-host:https-port"
export HTTPS_PROXY="https://your-firewall-host:https-port"

Several package managers have limitations with HTTPS proxies:
- Cargo: Limited HTTPS proxy support (issue)
- Maven/Gradle: Apache HttpClient doesn't support HTTPS through HTTPS proxy (issue)
- RubyGems/Bundler: Limited HTTPS proxy support
For these tools, use the HTTP port of Socket Firewall instead of the HTTPS port.
Most package managers respect standard HTTP proxy environment variables:
- HTTP_PROXY/http_proxy
- HTTPS_PROXY/https_proxy
Some tools have their own specific environment variables (e.g., YARN_HTTP_PROXY, PIP_CERT).