📖 Set Up HTTPS Interception for a Container

Learn how to enable cella's transparent MITM proxy to observe all HTTPS traffic from a container.

How It Works

  1. cella starts a transparent proxy listener on the host
  2. An nftables PREROUTING REDIRECT rule diverts the container's outbound port-443 traffic to the proxy
  3. cella generates an ECDSA P-256 root CA and dynamically signs per-host certificates
  4. The root CA is automatically injected into the container's trust store
  5. NODE_EXTRA_CA_CERTS is set for Node.js applications

Step 1: Open the Audit Panel

In cella, press A to open the API Audit panel.

Step 2: Set Up the Proxy

With a container selected, press p. cella will:

You'll see a confirmation flash: ✅ Proxy set up for <container-name>

Step 3: Watch the Traffic

The Audit panel now shows intercepted requests in real time:

15:04:02 ✅🔓 my-container POST → api.openai.com /v1/chat/completions [200] (2.1s)
15:04:05 ✅🔓 my-container GET  → api.github.com /zen                [200] (146ms)

Each entry shows: timestamp, status, MITM indicator (🔓), container, method, domain, path, HTTP status, and latency.
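
To review captured traffic outside the panel, entries in this layout can be parsed into records and summarized per container and domain. This is an added example, not cella's own code: the regex is inferred from the two sample entries above, the field names are hypothetical, and the third and fourth sample lines are constructed.

```python
import re
from collections import defaultdict

# Layout inferred from the two sample entries on this page, not from cella's source.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<flags>\S+)\s+"                 # status icon, followed by the MITM marker if present
    r"(?P<container>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+→\s+"
    r"(?P<domain>\S+)\s+(?P<path>\S+)\s+"
    r"\[(?P<http_status>\d{3})\]\s+"
    r"\((?P<latency>[\d.]+)(?P<unit>ms|s)\)\s*$"
)
MITM_MARK = "\U0001F513"  # the open-padlock marker shown in the panel

def parse_line(line):
    """Return one audit entry as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    flags, unit = rec.pop("flags"), rec.pop("unit")
    rec["mitm"] = MITM_MARK in flags
    rec["http_status"] = int(rec["http_status"])
    # Normalize "2.1s" and "146ms" to milliseconds.
    rec["latency_ms"] = round(float(rec.pop("latency")) * (1000 if unit == "s" else 1), 3)
    return rec

def summarize(lines):
    """Per (container, domain): request count, non-2xx count, slowest call in ms."""
    out = defaultdict(lambda: {"requests": 0, "errors": 0, "max_latency_ms": 0.0})
    for rec in filter(None, map(parse_line, lines)):
        s = out[(rec["container"], rec["domain"])]
        s["requests"] += 1
        s["errors"] += not 200 <= rec["http_status"] < 300
        s["max_latency_ms"] = max(s["max_latency_ms"], rec["latency_ms"])
    return dict(out)

# First two lines are the entries shown above; the last two are constructed.
SAMPLE = [
    "15:04:02 ✅🔓 my-container POST → api.openai.com /v1/chat/completions [200] (2.1s)",
    "15:04:05 ✅🔓 my-container GET  → api.github.com /zen                [200] (146ms)",
    "15:04:09 ✅🔓 my-container GET  → api.github.com /rate_limit         [403] (88ms)",
    "-- panel redraw --",  # unparseable noise, skipped by summarize()
]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```
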

Step 4: Domain Approval

When a new domain is first seen, an approval overlay appears:

Step 5: Undo

Press u in the Audit panel to remove the proxy setup for the selected container. This tears down the nftables rule and removes the CA cert.

⚠️ Warning: MITM interception decrypts all TLS traffic. Only use this in controlled environments for debugging and auditing purposes.