How it works
When you enable TLS interception:- microsandbox loads the interception CA. By default this is a host-global development CA persisted under
~/.microsandbox/tls/ca.{crt,key}so repeated sandboxes can reuse the same trusted root. You can provide custom CA paths withintercept_ca_cert()andintercept_ca_key()when a sandbox or environment needs its own CA. - microsandbox updates the guest’s trust store to trust this CA.
- When the guest opens an HTTPS connection, the host-side proxy intercepts the handshake, generates a leaf certificate for the target domain on the fly, and signs it with the configured interception CA.
- The proxy opens its own TLS connection to the upstream server and bridges the two.
~/.microsandbox/tls/ca.crt and ~/.microsandbox/tls/ca.key if you want microsandbox to generate a fresh default CA. Use explicit CA paths when you do not want to share the default across sandboxes on the same machine.
Enabling interception
Bypass patterns
Some domains don’t play well with interception, typically ones whose clients pin a specific certificate or public key instead of trusting the system CA store. Software update channels (browser autoupdate, macOSsoftwareupdate, package-manager mirrors that ship a pinned signing CA) and vendor SDKs that bundle their own pinned CA are the usual suspects. Add them to the bypass list and their traffic flows through as-is, encrypted end-to-end between the guest and the upstream server.
Bypass patterns accept exact matches (api.example.com) and wildcards (*.gov, *.apple.com).
Upstream CA trust
By default, the TLS proxy verifies upstream server certificates using the host’s native root store. Add global upstream CAs when every intercepted host should trust the same private root. Add scoped upstream CAs when only specific host patterns should trust a private root. Disable upstream verification for ephemeral hosts where you cannot get a PEM. Disabling upstream verification is the proxy-side equivalent ofcurl -k: interception still happens, but microsandbox does not authenticate the proxy-to-upstream TLS certificate for matching hosts.
Limits
- Pinned clients bypass the trust store. Any client that pins the server’s certificate or public key (rather than trusting the system CA) will fail TLS interception and needs to be bypassed explicitly.
- Bypassed traffic is opaque. Policy checks that depend on inspecting request content (URL-based rules, secret injection with
require_tls_identity, and HTTPHost/:authority/ SNI alignment checks) don’t apply on bypassed domains. - Client certificates are not proxied. mTLS flows where the guest is the one presenting a client certificate aren’t supported through interception; add those hosts to the bypass list.
Trusting host CAs
Corporate TLS-inspecting proxies (Cloudflare Warp Zero Trust, Zscaler, Netskope, Palo Alto, …) terminate outbound HTTPS at the host and re-sign it with a gateway CA. The corporate rollout installs that CA in your macOS Keychain or Linux trust store, so HTTPS works silently on the host. Inside a sandbox it doesn’t: the guest’s stock Mozilla bundle has never seen the gateway CA, soapk update, pip install, curl, and any SDK fetch fail with server certificate not trusted.
By default the sandbox does not extend host trust into the guest, so the guest validates TLS strictly against its stock Mozilla bundle. Opt in when you need the guest to trust whatever the host trusts. At sandbox boot, microsandbox copies the host’s trusted root CAs into the guest and appends them to the system CA bundle.
Security: this extends the guest’s trust to whatever the host trusts. That’s the point for MITM-proxy environments, but it also means an attacker who can plant a CA on the host now has that trust inside every sandbox.It matches the existing threat model (a host-access attacker already owns the sandbox), but worth knowing before enabling on a host with an unfamiliar trust store.
Interaction with TLS interception
TLS interception also covers the corporate-proxy case, but only on the ports it’s configured for (default[443]), and only for non-bypassed domains. It doesn’t touch QUIC / HTTP/3 flows. Everything outside that scope (gRPC, Postgres / Redis / Mongo TLS, custom 8443, non-intercepted ports, bypassed domains) goes over raw TLS from the guest, where host-CA trust is what makes certificate validation succeed.
The two features compose. Turn on host-CA trust alongside TLS interception when you need both: interception provides richer inspection on the ports it covers, host-CA trust covers everything else. Leave it off to keep the guest’s TLS stack validating strictly against its stock Mozilla bundle.
See also
- DNS: the DNS interceptor is what makes per-host rules possible, and DoT interception reuses this TLS path
- Network defenses: how TLS interception interacts with SSRF defenses, and secret handling for credential injection