coder/boundary

Network isolation tool for monitoring and restricting HTTP/HTTPS requests from processes.

boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.

Features

  • Process-level network isolation (Linux namespaces, macOS process groups)
  • HTTP/HTTPS interception with transparent proxy and TLS certificate injection
  • Wildcard pattern matching for URL patterns
  • Request logging and monitoring
  • Cross-platform support (Linux and macOS)
  • Default deny-all security model

Installation

curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash

For installation options, manual installation, and release details, see RELEASES.md.

Usage

# Allow only requests to github.com
boundary --allow "github.com" -- curl https://github.com

# Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
boundary \
  --allow "github.com/api/issues/*" \
  --allow "GET,HEAD github.com" \
  -- npm install

# Default deny-all: everything is blocked unless explicitly allowed
boundary -- curl https://example.com

Allow Rules

Format

--allow "pattern"                    # All HTTP methods allowed
--allow "METHOD[,METHOD] pattern"    # Specific methods only

Examples

boundary --allow "github.com" -- git pull
boundary --allow "*.github.com" -- npm install   # GitHub subdomains
boundary --allow "api.*" -- ./app                # Any API domain
boundary --allow "GET,HEAD api.github.com" -- curl https://api.github.com

Wildcards: * matches any characters. All traffic is denied unless explicitly allowed.
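
The rule format above, modelled in Go as an added example (not boundary's own code): it parses `--allow` specs and evaluates requests with default deny. It assumes patterns are anchored and that a pattern without `/` is compared with the host only; the names `Rule`, `ParseRule` and `Allowed` are hypothetical.

```go
package main

import (
	"regexp"
	"strings"
)

// Rule models one --allow spec; nil Methods means every method is allowed.
type Rule struct {
	Methods map[string]bool
	Pattern string
	re      *regexp.Regexp
}

// ParseRule accepts "pattern" or "METHOD[,METHOD] pattern"; '*' matches any run of characters.
func ParseRule(spec string) (Rule, bool) {
	f := strings.Fields(spec)
	if len(f) == 0 || len(f) > 2 {
		return Rule{}, false
	}
	r := Rule{Pattern: f[len(f)-1]}
	r.re = regexp.MustCompile("(?s)^" + strings.ReplaceAll(regexp.QuoteMeta(r.Pattern), `\*`, ".*") + "$")
	if len(f) == 2 {
		r.Methods = map[string]bool{}
		for _, m := range strings.Split(f[0], ",") {
			r.Methods[strings.ToUpper(m)] = true
		}
	}
	return r, true
}

// Allowed is default deny. Assumption: a pattern without "/" is matched against the host only.
func Allowed(rules []Rule, method, host, path string) bool {
	for _, r := range rules {
		target := host
		if strings.Contains(r.Pattern, "/") {
			target += path
		}
		if (r.Methods == nil || r.Methods[strings.ToUpper(method)]) && r.re.MatchString(target) {
			return true
		}
	}
	return false
}

func main() {
	r, _ := ParseRule("GET,HEAD github.com")
	println(Allowed([]Rule{r}, "POST", "github.com", "/"))
}
```

Under these assumptions `api.*` also admits a host such as `api.untrusted.example`, so a broad wildcard deserves the same review as `--allow "*"`.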

Logging

boundary --log-level info --allow "*" -- npm install          # Show all requests
boundary --log-level debug --allow "github.com" -- git pull   # Debug info

Log Levels: error, warn (default), info, debug

Unprivileged Mode

When you can't or don't want to run with sudo privileges, use --unprivileged:

# Run without network isolation (uses HTTP_PROXY/HTTPS_PROXY environment variables)
boundary --unprivileged --allow "github.com" -- npm install

# Useful in containers or restricted environments
boundary --unprivileged --allow "*.npmjs.org" --allow "registry.npmjs.org" -- npm install

Unprivileged Mode:

  • No network namespaces or firewall rules
  • Works without sudo privileges
  • Uses proxy environment variables instead
  • Applications must respect HTTP_PROXY/HTTPS_PROXY settings
  • Less secure but more compatible

Platform Support

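| Platform | Implementation                | Sudo Required |
|----------|-------------------------------|---------------|
| Linux    | Network namespaces + iptables | Yes           |
| macOS    | Process groups + PF rules     | Yes           |
| Windows  | Not supported                 | -             |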

Command-Line Options

boundary [flags] -- command [args...]

--allow <SPEC>             Allow rule (repeatable)
--log-level <LEVEL>        Set log level (error, warn, info, debug)
--unprivileged             Run without network isolation
-h, --help                 Print help

Development

make build           # Build for current platform
make build-all       # Build for all platforms
make test            # Run tests
make test-coverage   # Run tests with coverage
make clean           # Clean build artifacts
make fmt             # Format code
make lint            # Lint code

License

MIT License - see LICENSE file for details.
