Skip to main content
This feature is currently in public preview and is not recommended for production use.
The Blaxel SDK supports two network features when creating sandboxes:
  • Proxy routing with secrets injection - the Blaxel proxy performs man-in-the-middle (MITM) interception on outbound HTTPS traffic and injects headers, body fields, and secrets server-side.
  • Domain filtering - the Blaxel proxy controls which external domains the sandbox can reach.
Proxy and network configuration can be updated after creation: you can rotate secrets, add or remove routing rules, and change the domain allowlist or denylist on a running sandbox.
You cannot enable the proxy on a sandbox that was created without it, or fully disable the proxy on a sandbox that was created with it. Enabling or disabling the proxy requires a new sandbox. If you remove all routing rules and domain filters from an existing proxy-enabled sandbox, the proxy remains active transparently — traffic continues to flow through it without any secret injection or domain blocking.

How it works

When a sandbox is created with a proxy config, Blaxel:
  1. Sets HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables inside the sandbox
  2. Installs a CA certificate and sets NODE_EXTRA_CA_CERTS and SSL_CERT_FILE so TLS clients trust the proxy
  3. Performs MITM on outbound HTTPS via CONNECT tunneling
  4. Matches each request against routing rules by destination domain
  5. Injects configured headers and body fields, resolving {{SECRET:name}} placeholders server-side
  6. Adds an X-Blaxel-Request-Id header to every proxied request for tracing
Most HTTP clients work transparently because they read the injected HTTP_PROXY, HTTPS_PROXY, and SSL_CERT_FILE environment variables — curl, pip, npm, git, Python requests, and Python httpx all work out of the box. Lower-level libraries that don’t follow these conventions (for example, calling urllib3 directly) need to be pointed at the proxy explicitly.
Localhost (127.0.0.1), private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 169.254.169.254, .local, and .internal are always bypassed automatically.

Configuration reference

All network settings are passed via the network key in the sandbox creation options:

SandboxNetwork

ProxyConfig

ProxyTarget

Region availability

Proxy availability is region-dependent. The Region type includes a proxyAvailable boolean field. Check region support before relying on proxy features:

Environment variables set inside the sandbox

When proxy is configured, the sandbox automatically has:

CLI tool compatibility

When proxy is enabled, common CLI tools and high-level clients work transparently inside the sandbox with no extra configuration: Python’s stdlib urllib.request is not recommended with the proxy. Prefer requests or httpx, or configure urllib3.ProxyManager directly if you need lower-level control:

Behavior details

  • Wildcard matching: *.example.com matches sub.example.com and a.b.example.com but not example.com itself
  • No cross-route leakage: Headers/secrets from one routing rule are never applied to requests matching a different rule
  • User headers preserved: The proxy adds injected headers alongside any headers the sandbox code sends — it does not overwrite user-sent headers
  • Body merge: Injected body fields are merged into JSON request bodies up to 1 MB. User-sent fields take precedence on key collisions. Requests over 1 MB, requests without a known Content-Length (e.g. chunked uploads), and streaming RPCs are forwarded unchanged — use header injection for credentials in those cases
  • Tracing: Every proxied request gets an X-Blaxel-Request-Id header for observability
  • Local traffic: Requests to localhost / 127.0.0.1 are never routed through the proxy

HTTP/2 and gRPC

The proxy supports HTTP/2 and gRPC. Clients that previously required HTTP/1.1 workarounds now work without any flags or downgrades:
  • gRPC SDKs in Go, Python (grpcio), and Node (@grpc/grpc-js)
  • curl --http2
  • Go net/http (HTTP/2 is the default)
All four gRPC RPC styles — unary, server-streaming, client-streaming, and bidirectional — flow through, and gRPC trailers (grpc-status, grpc-message) are preserved end-to-end. A few things to keep in mind:
  • Header injection works on every request, including streaming RPCs.
  • Body injection is skipped on streaming requests (gRPC streams, chunked uploads). Use header injection to attach credentials on streaming workloads — see the body injection limits in Behavior details.

Update proxy configuration

You can update proxy routing rules, secrets, domain filters, and bypass lists on a running sandbox using the SDK’s updateNetwork method. This fetches the current sandbox, merges the new network config, and applies the update in one call:
The update replaces the entire network configuration. Include all routing rules, domain filters, and secrets you want active after the update.
You cannot enable the proxy on a sandbox that was created without it, or fully disable the proxy on a sandbox that was created with it. Removing all routing rules and domain filters does not disable the proxy — traffic continues to flow through it transparently without any injection or blocking.

Full example: agent sandbox with proxy + firewall

Last modified on July 1, 2026