Pass the port as cli arg

proxy/Cargo.lock

@@ -54,6 +54,56 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "anstream"
+version = "0.6.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "anyhow"
 version = "1.0.100"
@@ -351,6 +401,46 @@ dependencies = [
  "libloading",
 ]
 
+[[package]]
+name = "clap"
+version = "4.5.53"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9e340e012a1bf4935f5282ed1436d1489548e8f72308207ea5df0e23d2d03f8"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.53"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d76b5d13eaa18c901fd2f7fca939fefe3a0727a953561fefdf3b2922b8569d00"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d"
+
 [[package]]
 name = "cmake"
 version = "0.1.54"
@@ -360,6 +450,12 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "colorchoice"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
+
 [[package]]
 name = "compression-codecs"
 version = "0.4.34"
@@ -1119,6 +1215,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
 [[package]]
 name = "itertools"
 version = "0.13.0"
@@ -1411,6 +1513,12 @@ dependencies = [
  "portable-atomic",
 ]
 
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
 [[package]]
 name = "openssl-macros"
 version = "0.1.1"
@@ -2335,6 +2443,7 @@ checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f"
 name = "safe-chain-proxy"
 version = "0.1.0"
 dependencies = [
+ "clap",
  "rama",
  "tokio",
 ]
@@ -2554,6 +2663,12 @@ version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
 
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -2976,6 +3091,12 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
 [[package]]
 name = "uuid"
 version = "1.19.0"

proxy/Cargo.toml

@@ -4,5 +4,6 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
+clap = { version = "4.5.53", features = ["derive"] }
 rama = { git = "https://github.com/plabayo/rama", features = ["http-full", "dns", "boring"] }
-tokio = { version = "1", features = ["full"] }
+tokio = { version = "1.48.0", features = ["full"] }

proxy/README.md

@@ -0,0 +1,156 @@
+# Safe-chain Proxy
+
+A security-focused HTTP/HTTPS proxy that works with the Safe-chain package scanner.
+
+## Quick Start
+
+### Running the Proxy
+
+Simply run the executable:
+
+```bash
+# macOS/Linux
+./safe-chain-proxy
+
+# Windows
+safe-chain-proxy.exe
+```
+
+The proxy will automatically find an available port and display it:
+
+```
+Safe-chain proxy running on 127.0.0.1:54321
+```
+
+### Specify a Port
+
+Use the `--port` or `-p` flag to use a specific port:
+
+```bash
+# Long form
+./safe-chain-proxy --port 3128
+
+# Short form
+./safe-chain-proxy -p 3128
+```
+
+### Get Help
+
+```bash
+./safe-chain-proxy --help
+```
+
+## Using the Proxy
+
+Configure your package manager or HTTP client to route traffic through the proxy.
+
+### npm / Node.js
+
+```bash
+npm config set proxy http://127.0.0.1:3128
+npm config set https-proxy http://127.0.0.1:3128
+
+# Now npm install will route through the proxy
+npm install
+```
+
+To revert:
+```bash
+npm config delete proxy
+npm config delete https-proxy
+```
+
+### Yarn
+
+```bash
+yarn config set httpProxy http://127.0.0.1:3128
+yarn config set httpsProxy http://127.0.0.1:3128
+```
+
+### pnpm
+
+```bash
+pnpm config set proxy http://127.0.0.1:3128
+pnpm config set https-proxy http://127.0.0.1:3128
+```
+
+### Bun
+
+```bash
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:3128
+bun install
+```
+
+### curl
+
+```bash
+curl -x http://127.0.0.1:3128 https://example.com
+```
+
+### Environment Variables (any tool)
+
+Set these environment variables to make any HTTP client use the proxy:
+
+```bash
+# macOS/Linux
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:3128
+
+# Windows (Command Prompt)
+set http_proxy=http://127.0.0.1:3128
+set https_proxy=http://127.0.0.1:3128
+
+# Windows (PowerShell)
+$env:http_proxy = "http://127.0.0.1:3128"
+$env:https_proxy = "http://127.0.0.1:3128"
+```
+
+## Troubleshooting
+
+### Port Already in Use
+
+If you get a "port already in use" error:
+1. Try running without `--port` to let the OS assign an available port
+2. Or choose a different port: `./safe-chain-proxy --port 8080`
+
+### Proxy Not Working
+
+1. Verify the proxy is running and note the port from the console output
+2. Check your client is configured with the correct port
+3. Ensure firewall settings allow connections to the proxy
+
+### Verbose Logging
+
+Enable debug logging to troubleshoot issues:
+
+```bash
+# macOS/Linux
+RUST_LOG=debug ./safe-chain-proxy
+
+# Windows (Command Prompt)
+set RUST_LOG=debug
+safe-chain-proxy.exe
+
+# Windows (PowerShell)
+$env:RUST_LOG = "debug"
+.\safe-chain-proxy.exe
+```
+
+## Stopping the Proxy
+
+Press `Ctrl+C` to stop the proxy. It will gracefully shut down, waiting up to 30 seconds for active connections to complete.
+
+## What Does It Do?
+
+The Safe-chain proxy intercepts HTTP/HTTPS traffic from package managers and other tools, allowing Safe-chain to:
+- Scan packages for malware before installation
+- Monitor registry requests
+- Block malicious packages
+- Provide visibility into dependency downloads
+
+## Security
+
+- The proxy only listens on `127.0.0.1` (localhost) - it cannot be accessed from other machines
+- All HTTPS traffic is tunneled securely using CONNECT
+- Body size limits prevent memory exhaustion attacks

proxy/src/main.rs

@@ -1,10 +1,7 @@
-use std::{convert::Infallible, time::Duration};
+use clap::Parser;
-
 use rama::{
-    Layer, Service,
     extensions::ExtensionsMut,
     http::{
-        Request, Response, StatusCode,
         client::EasyHttpWebClient,
         layer::{
             remove_header::{RemoveRequestHeaderLayer, RemoveResponseHeaderLayer},
@@ -14,6 +11,7 @@ use rama::{
         matcher::MethodMatcher,
         server::HttpServer,
         service::web::response::IntoResponse,
+        Request, Response, StatusCode,
     },
     layer::ConsumeErrLayer,
     net::{http::RequestContext, proxy::ProxyTarget, stream::layer::http::BodyLimitLayer},
@@ -23,14 +21,23 @@ use rama::{
     telemetry::tracing::{
         self,
         metadata::LevelFilter,
-        subscriber::{EnvFilter, fmt, layer::SubscriberExt, util::SubscriberInitExt},
+        subscriber::{fmt, layer::SubscriberExt, util::SubscriberInitExt, EnvFilter},
     },
+    Layer, Service,
 };
+use std::{convert::Infallible, time::Duration};
+
+#[derive(Parser, Debug)]
+struct Args {
+    #[arg(short, long, default_value_t = 0)]
+    port: u16,
+}
 
 #[tokio::main]
 async fn main() {
+    let args = Args::parse();
     setup_tracing();
-    run_server().await;
+    run_server(args.port).await;
 }
 
 fn setup_tracing() {
@@ -45,10 +52,10 @@ fn setup_tracing() {
     tracing::info!("Tracing is set up");
 }
 
-async fn run_server() {
+async fn run_server(port: u16) {
     let graceful = rama::graceful::Shutdown::default();
 
-    graceful.spawn_task_fn(server_task);
+    graceful.spawn_task_fn(move |guard| server_task(guard, port));
 
     graceful
         .shutdown_with_limit(Duration::from_secs(30))
@@ -56,11 +63,17 @@ async fn run_server() {
         .expect("graceful shutdown");
 }
 
-async fn server_task(guard: rama::graceful::ShutdownGuard) {
+async fn server_task(guard: rama::graceful::ShutdownGuard, port: u16) {
+    let tcp_address = format!("127.0.0.1:{}", port);
+
     let tcp_service = TcpListener::build()
-        .bind("127.0.0.1:3128")
+        .bind(tcp_address)
         .await
-        .expect("bind tcp proxy to 127.0.0.1:3128");
+        .expect("bind tcp proxy");
+
+    let local_address = tcp_service.local_addr().expect("tcp proxy assigned a port");
+    tracing::info!("Safe-chain proxy running on {local_address}");
+
     let exec = Executor::graceful(guard.clone());
 
     let http_service = HttpServer::auto(exec).service(