From 796c22f7362cb3d896ab12544727164522621096 Mon Sep 17 00:00:00 2001 From: Mathieu Virbel Date: Thu, 26 Feb 2026 17:46:21 -0600 Subject: [PATCH] fix: don't inject SOCKS5 proxy env vars in macOS daemon mode In daemon mode, tun2socks provides transparent proxying at the IP level via pf + utun, so apps don't need proxy env vars. Setting HTTP_PROXY and HTTPS_PROXY to socks5h:// breaks apps like Bun/Node.js that read these vars but don't support the SOCKS5 protocol (UnsupportedProxyProtocol). --- internal/sandbox/macos.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/internal/sandbox/macos.go b/internal/sandbox/macos.go index 200a6d7..9593374 100644 --- a/internal/sandbox/macos.go +++ b/internal/sandbox/macos.go @@ -737,13 +737,18 @@ func WrapCommandMacOS(cfg *config.Config, command string, exposedPorts []int, da // Using -u # preserves the user's identity (home dir, SSH keys, etc.) // while -g _greywall sets the effective GID for pf matching. // + // Do NOT inject HTTP_PROXY/HTTPS_PROXY env vars in daemon mode: tun2socks + // provides transparent proxying at the IP level, so apps don't need proxy + // env vars. Setting them to socks5h:// breaks apps (like Bun/Node.js) that + // read HTTP_PROXY but don't support SOCKS5 protocol. + // // sudo resets the environment, so we use `env` after sudo to re-inject - // terminal vars (TERM, COLORTERM, etc.) needed for TUI apps and proxy vars. + // terminal vars (TERM, COLORTERM, etc.) needed for TUI apps. uid := fmt.Sprintf("#%d", os.Getuid()) - proxyEnvs := GenerateProxyEnvVars(cfg.Network.ProxyURL) + sandboxEnvs := GenerateProxyEnvVars("") termEnvs := getTerminalEnvVars() parts = append(parts, "sudo", "-u", uid, "-g", daemonSession.SandboxGroup, "env") - parts = append(parts, proxyEnvs...) + parts = append(parts, sandboxEnvs...) parts = append(parts, termEnvs...) parts = append(parts, "sandbox-exec", "-p", profile, shellPath, "-c", command) } else {