HTTP and CONNECT
Proxies HTTP traffic and HTTPS tunnels through direct, manual, PAC, or system proxy routes.
HTTP/HTTPS Proxy · NTLM · Kerberos
pxgo
Run a local proxy that lets browsers, package managers, CLIs, and build tools authenticate cleanly through enterprise upstream proxies.
Go 1.24+ • local default 127.0.0.1:3128 • Docker-ready runtime
Enterprise auth
Supports NTLM, Negotiate, Digest, Basic, Kerberos ticket refresh, and optional local client auth.
PAC and bypass rules
Loads local or remote PAC files and applies host, suffix, CIDR, range, and wildcard bypass rules.
Windows startup
Builds install and uninstall commands for Windows startup while keeping other platforms explicit.
Single Go binary
Runs as a compact CLI, Docker image, or locally built executable with no Python runtime required.
Race-tested core
Proxy state, Kerberos renewal, config parsing, PAC helpers, and bypass behavior have focused Go tests.
#pxgo Documentation
pxgo is a single-binary HTTP/HTTPS proxy for developer machines, build agents, and local services that need to authenticate through corporate upstream proxies.
By default pxgo listens on 127.0.0.1:3128 and can be configured with CLI
flags, environment variables, .env, or pxgo.ini.
#Try it
Build and run pxgo from this repository:
make build
./bin/pxgoPoint your browser, package manager, or CLI at the local proxy:
HTTP proxy: 127.0.0.1:3128
HTTPS proxy: 127.0.0.1:3128Add an upstream proxy or PAC file when your network needs one:
pxgo --proxy=proxy.company.com:8080
pxgo --pac=http://proxy.company.com/proxy.pac#Pick your path
#What pxgo handles
- Upstream authentication. Select
ANY,ANYSAFE,NEGOTIATE,NTLM,DIGEST,BASIC, or pass-through modes. - Kerberos workflows. Create and refresh per-process credential caches using host Kerberos tooling.
- PAC and bypass rules. Load PAC files and bypass upstream proxies for local hosts, domains, CIDR ranges, IP ranges, and wildcard IPv4 globs.
- Remote access controls. Keep the default loopback-only listener or opt in to gateway and host-only modes.