All docs

Codex

Codex uses WebSocket over TLS to connect to chatgpt.com with OAuth authentication. It cannot be proxied via a simple base URL override. Squeezr runs a TLS-terminating MITM proxy on port 8081 that intercepts and compresses WebSocket frames.

Setup

First, run squeezr setup if you haven't already. It generates the MITM CA certificate and imports it into the Windows Certificate Store (Windows) or creates a CA bundle (macOS/Linux/WSL) so Codex trusts the proxy's TLS.

squeezr setup   # one-time — generates and installs the MITM CA
squeezr start

Then, in the terminal where you run Codex, set HTTPS_PROXY:

# Windows (PowerShell) — set only in this terminal, not globally
$env:HTTPS_PROXY = "http://localhost:8081"
codex

# Linux / macOS / WSL
HTTPS_PROXY=http://localhost:8081 codex

Important: do not set HTTPS_PROXY globally

Setting HTTPS_PROXY globally (e.g. via setx on Windows or in your shell profile) will route all HTTPS traffic through the MITM proxy, breaking tools like npm, git, and Claude Code. Always set it only in the terminal session where you run Codex.

How the MITM proxy works

The MITM proxy on port 8081 operates as a TLS-terminating CONNECT proxy:

  • chatgpt.com traffic — TLS is terminated, WebSocket frames are inspected and compressed, then re-encrypted and forwarded to chatgpt.com.
  • All other HTTPS traffic — passed through as a transparent TCP tunnel. The proxy establishes a CONNECT tunnel without intercepting or reading the content. No certificate is needed.

This means only chatgpt.com traffic is intercepted. npm, git, and any other tool that happens to use HTTPS_PROXY will work normally.

CA certificate

To terminate TLS for chatgpt.com, Squeezr generates a local Certificate Authority (CA) and signs a certificate for chatgpt.com on the fly. squeezr setup installs this CA so your system trusts it:

  • Windows: imported into the Windows Certificate Store at user level (no admin required). Rust-based CLIs like Codex use the Windows trust store automatically.
  • macOS/Linux/WSL: CA bundle written to ~/.squeezr/mitm-ca/bundle.crt. The NODE_EXTRA_CA_CERTS env var is set to point at this bundle.

WebSocket compression

Codex exchanges JSON frames over the WebSocket connection. Squeezr intercepts each frame and applies the same three-layer compression pipeline used for HTTP requests:

  1. Deterministic preprocessing (ANSI, deduplication, whitespace)
  2. Tool-specific patterns (git, test, build output)
  3. Adaptive pressure based on context window usage

Compressed frames use the same subscription as your normal Codex session — no extra API cost.

Troubleshooting

TLS certificate errors

If Codex reports a certificate error, re-run squeezr setup to reinstall the CA certificate. On Windows, you may need to restart Codex after the CA is imported.

Proxy not intercepting

Verify HTTPS_PROXY is set in the current terminal and the proxy is running:

squeezr status
echo $HTTPS_PROXY    # should print http://localhost:8081