Slim forward proxy with IP, auth, and destination filtering

🛡️ slimproxy — A lightweight forward proxy CLI built on proxy.py — deploy anywhere Python runs.

The problem: Your enterprise-managed desktop sits behind a corporate forward proxy that intercepts and inspects TLS traffic to certain endpoints (AI APIs, for example). You can't control the proxy settings or install software — the machine is locked down.

The workaround: Deploy slimproxy on a second machine on the same network — an unmanaged one you control (a Raspberry Pi, an old laptop, a cloud VM). That machine connects directly to the internet. Point your tools on the locked-down desktop at slimproxy, and traffic flows through the unmanaged machine, bypassing the corporate inspection entirely.

Locked-down desktop    →    slimproxy on unmanaged host    →    internet (direct)
     HTTPS_PROXY=http://unmanaged:3128                              no inspection

Why not Squid? Squid doesn't run on Windows without Cygwin, needs a config file, and is overkill for a raw TCP forwarder. slimproxy is pip install + one command on any OS.

Installation

Install globally via uv (recommended):

uv tool install slimproxy

Or via pip:

pip install slimproxy

Or run directly without installing:

uvx slimproxy

Or from source (clone + run):

git clone https://github.com/hugobatista/slimproxy.git
cd slimproxy
uv sync
uv run slimproxy run

Or via Docker:

docker build -t slimproxy .

Usage

run — Start the proxy server

slimproxy run \
  --port 3128 \
  --basic-auth myuser:password123 \
  --allow-ips "192.168.1.0/24,10.0.0.0/8" \
  --allow-dests "api.opencode.ai,api.github.com,models.dev"

All options are optional. With no flags, the proxy listens on 0.0.0.0:3128 and forwards everything without auth or filtering.

Use --wizard for an interactive guided setup that prompts for each option:

slimproxy run --wizard

Configure your client to use it:

# Linux / macOS
export HTTPS_PROXY=http://myuser:password123@host:3128
# Windows CMD
set HTTPS_PROXY=http://myuser:password123@host:3128
# Windows PowerShell
$env:HTTPS_PROXY="http://myuser:password123@host:3128"

check — Detect SSL inspection

slimproxy check api.opencode.ai api.github.com

Connects to each target over TLS and prints the certificate issuer. If the issuer is your company's own certificate authority rather than a public CA, SSL inspection is active.

Options

Flag             Default   Description
--hostname       0.0.0.0   Address to bind to
--port           3128      Listen port
--basic-auth     (none)    Enable Basic auth (user:password format)
--allow-ips      (none)    Comma-separated client CIDRs (e.g. 192.168.1.0/24). When omitted, all IPs are allowed.
--allow-dests    (none)    Comma-separated upstream hosts (e.g. api.opencode.ai). When omitted, all destinations are allowed.
--log-level      INFO      Log level
--timeout        10        Connection timeout in seconds
--wizard         (off)     Guided interactive setup: prompts for hostname, port, auth, IP/dest allowlists, log level, and timeout. On Windows, also handles firewall elevation. Requires an interactive terminal.
--firewall-rule  (off)     Add Windows Firewall inbound rule for the proxy port (Windows only, requires admin)

Security

All three filters are optional, independent, and disabled by default — when a filter is omitted, the corresponding access is unrestricted:

  • IP allowlist: Clients outside the specified CIDR ranges are rejected with 418
  • Basic auth: Password checked against --basic-auth value on every CONNECT request
  • Dest allowlist: Upstream hosts not in the list are rejected with 403

The proxy speaks vanilla HTTP CONNECT — no TLS interception, no decryption. The end-to-end TLS handshake happens between the client and the target server.

Note: When --basic-auth is used on a non-localhost interface, credentials are transmitted in cleartext HTTP and can be intercepted by anyone on the network.
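
The three filters and the cleartext note above, as an added Python example (not slimproxy's own code). The function names, the 407 status for failed auth, the order of the checks and the exact-match hostname comparison are assumptions; only 418 and 403 come from this page.

```python
import base64
import hmac
import ipaddress

# Constructed sample: the header a client sends for myuser:password123.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"myuser:password123").decode()

def parse_list(value):
    """Split a comma-separated flag value; None or '' means filter disabled."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def decode_basic(header):
    """Recover 'user:password' from a Proxy-Authorization value, else None.
    Base64 is an encoding, not encryption: anyone who sees the header can do this."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def decide(client_ip, target, proxy_auth, allow_ips=None, basic_auth=None, allow_dests=None):
    """Return the status for one CONNECT request (200 = tunnel opened).
    418 and 403 come from the README; 407, the check order and exact-match
    hostname comparison are assumptions of this example."""
    nets = [ipaddress.ip_network(c, strict=False) for c in parse_list(allow_ips)]
    if nets and not any(ipaddress.ip_address(client_ip) in n for n in nets):
        return 418
    if basic_auth is not None:
        supplied = decode_basic(proxy_auth)
        # Constant-time comparison avoids leaking how many characters matched.
        if supplied is None or not hmac.compare_digest(supplied.encode(), basic_auth.encode()):
            return 407
    dests = {d.lower() for d in parse_list(allow_dests)}
    host = target.rpartition(":")[0].strip("[]").rstrip(".").lower()
    if dests and host not in dests:
        return 403
    return 200

if __name__ == "__main__":
    flags = dict(allow_ips="192.168.1.0/24,10.0.0.0/8", basic_auth="myuser:password123",
                 allow_dests="api.opencode.ai,api.github.com,models.dev")
    print(decide("192.168.1.20", "api.github.com:443", SAMPLE_HEADER, **flags))
    print(decide("203.0.113.9", "example.org:443", None))  # no flags: open proxy
```

With every flag omitted the second call returns 200 for any client and any destination, which is the unrestricted default described above.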

Windows Firewall

On Windows, pass --firewall-rule to auto-add an inbound firewall rule for the proxy port:

slimproxy run --port 3128 --firewall-rule

If not running as Administrator, a UAC prompt will appear to elevate. The rule is removed when the proxy stops. On other platforms the flag is accepted but ignored.

Docker

# Build
docker build -t slimproxy .

# Run
docker run -it --rm \
  -p 3128:3128 \
  slimproxy run --basic-auth myuser:password123

Published via GHCR on tagged releases:

docker run -it --rm \
  -p 3128:3128 \
  ghcr.io/hugobatista/slimproxy:latest run --basic-auth myuser:password123

Download files

Source Distribution

slimproxy-0.1.0.tar.gz (20.2 kB)

Uploaded Source

Built Distribution

slimproxy-0.1.0-py3-none-any.whl (12.0 kB)

Uploaded Python 3

File details

Details for the file slimproxy-0.1.0.tar.gz.

File metadata

  • Download URL: slimproxy-0.1.0.tar.gz
  • Upload date:
  • Size: 20.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for slimproxy-0.1.0.tar.gz
Algorithm Hash digest
SHA256 743324919cec109ec84b70c7c75eb0a63f2b2cac39fddd952d9ee8a9bf8f2591
MD5 41fa2d5f2fe2d86112ca62e92a14dd02
BLAKE2b-256 5864973648cb76cf0916b9cc5bdab6f6752c295e81ecbb44afdbe0afd763df03

Provenance

The following attestation bundles were made for slimproxy-0.1.0.tar.gz:

Publisher: pypi.yml on hugobatista/slimproxy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file slimproxy-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: slimproxy-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 12.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for slimproxy-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 419cf5824a16034feb7468fee666667d0d7e58216cfb31d6dcf4dc25f6260b57
MD5 e2cfe77cebef3aee4d6bcf1b0adc2873
BLAKE2b-256 e835645f099ea7e754adede0d2fd95f2303fee4b66ef8d6deb9ef0f0697f547a

Provenance

The following attestation bundles were made for slimproxy-0.1.0-py3-none-any.whl:

Publisher: pypi.yml on hugobatista/slimproxy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
