Locally proxied hosts

When you add a target in local proxy mode, netsleuth starts a HTTP server on your machine. It listens for incoming requests and forwards them to the target HTTP server. You are able to use the inspector GUI to see the requests and responses.

Generally, only software running on your machine (or LAN, if allowed) can make requests through the proxy server. Servers and devices on the public internet will be unable to reach your proxy server – the public gateway helps you make local services available to the public internet.

The target server (that receives the forwarded traffic) can be any HTTP(S) server reachable from your machine – whether a server running locally, behind a VPN, or on the public internet.

Using the forward proxy

netsleuth automatically runs a forward proxy on port 9000.

To use the forward proxy, you must configure client apps and devices to use the HTTP proxy. How to do this depends on the client – you'll need to see its documentation.

Proxy: http://localhost:9000

Other devices on your LAN can also use this proxy server. Instead of localhost, use your machine's IP address (eg 192.168.1.x). Ensure that your local firewall allows incoming connections. Note that there is no access control on this proxy; you should not expose it to the internet (eg via port forwarding).

⚠️ In order for clients to make successful HTTPS requests, you will need to install your netsleuth CA certificate as a trusted CA.

In the GUI, click the first target ":9000" to open the forward proxy inspector.

Adding a local reverse proxy target

There are two ways to add a new target:

netsleuth will listen for HTTP and HTTPS connections. It will automatically self-issue a TLS certificate for the host's name and/or IP using the built-in CA.

The following options are available in both the GUI and CLI. See the CLI docs for exact usage.



The target is the destination HTTP server. It can be any HTTP(S) server reachable from your machine (local or remote).

Target TLS

This controls how netsleuth validates the target's TLS certificate when connecting over https.


If you add a temporary target, netsleuth will not save it to your configuration file (.sleuthrc). This means the target will disappear the next time the netsleuth daemon restarts.

Require Basic auth from clients

Clients connecting to your proxy server will be required to provide this shared username and password over HTTP Basic auth before the request is forwarded to the target server.

Warning: this password is stored in plain text. Do not reuse credentials that you use for anything else.

⚠️ Privileged ports

On Unix systems (Linux and Mac OS), only programs running as root may bind to ports < 1024. (Windows has no such restriction; you can skip this section.)

netsleuth includes builtin support for authbind, which allows it to listen on privileged ports without actually running its daemon as root (which is unsafe).

If netsleuth is unable to listen on the default HTTP ports, you may need to ensure that authbind is correctly installed and configured. Full details here.

Note that netsleuth's default setup only allows it to listen on privileged ports 80 and 443, so if you want to add a proxy that listens on a port 1-79, 81-442, or 444-1023, you must manually grant that permission.