Network isolation tool for monitoring and restricting HTTP/HTTPS requests from processes
jail creates an isolated network environment for target processes, intercepting all HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
- Process-level network isolation - Linux namespaces, macOS process groups
- HTTP/HTTPS interception - Transparent proxy with TLS certificate injection
- Wildcard pattern matching - Simple `*` wildcards for URL patterns
- Request logging - Monitor and log all HTTP/HTTPS requests
- Cross-platform - Native support for Linux and macOS
- Zero configuration - Works out of the box with sensible defaults
- Default deny-all - Secure by default, only allow what you explicitly permit

```bash
# Build the tool
go build -o jail .

# Allow only requests to github.com
./jail --allow "github.com" -- curl https://github.com

# Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
./jail \
  --allow "github.com/api/issues/*" \
  --allow "GET,HEAD github.com" \
  -- npm install

# Default deny-all: everything is blocked unless explicitly allowed
./jail -- curl https://example.com
```

jail uses simple wildcard patterns for URL matching.

```
--allow "pattern"
--allow "METHOD[,METHOD] pattern"
```

- If only a pattern is provided, all HTTP methods are allowed
- If methods are provided, only those HTTP methods are allowed (case-insensitive)
- Patterns use wildcards: `*` (matches any characters)

```bash
# Basic patterns
jail --allow "github.com" -- git pull

# Wildcard patterns
jail --allow "*.github.com" -- npm install   # GitHub subdomains
jail --allow "api.*" -- ./app                # Any API domain

# Method-specific rules
jail --allow "GET,HEAD api.github.com" -- curl https://api.github.com
```

Default Policy: All traffic is denied unless explicitly allowed.
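
An added example (not jail's own code) of parsing allow specs in the format above and evaluating requests under the default deny-all policy. The names `rule`, `parseAllow`, `wildcard` and `allowed`, and the choice to compare a pattern without `/` against the host only, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type rule struct {
	methods map[string]bool // nil means every HTTP method is allowed
	pattern string
}

// parseAllow parses an --allow spec: "pattern" or "METHOD[,METHOD] pattern".
func parseAllow(spec string) rule {
	methods, pattern, found := strings.Cut(strings.TrimSpace(spec), " ")
	if !found {
		return rule{pattern: methods} // bare pattern, no method list
	}
	r := rule{methods: map[string]bool{}, pattern: strings.TrimSpace(pattern)}
	for _, m := range strings.Split(methods, ",") {
		r.methods[strings.ToUpper(m)] = true // methods are case-insensitive
	}
	return r
}

// wildcard reports whether s matches p in full, with '*' matching any characters.
func wildcard(p, s string) bool {
	re := "(?s)^" + strings.ReplaceAll(regexp.QuoteMeta(p), `\*`, ".*") + "$"
	return regexp.MustCompile(re).MatchString(s)
}

// allowed is default deny-all: a request passes only if at least one rule matches.
func allowed(rules []rule, method, host, path string) bool {
	for _, r := range rules {
		target := host // assumption: a pattern without "/" is compared to the host only
		if strings.Contains(r.pattern, "/") {
			target = host + path
		}
		if (r.methods == nil || r.methods[strings.ToUpper(method)]) && wildcard(r.pattern, target) {
			return true
		}
	}
	return false
}

func main() {
	rules := []rule{parseAllow("github.com/api/issues/*"), parseAllow("GET,HEAD github.com")}
	fmt.Println(allowed(rules, "POST", "github.com", "/api/issues/1"), allowed(rules, "POST", "github.com", "/login"))
}
```

With full-string matching as assumed here, `*.github.com` covers subdomains but not the bare `github.com`, so an allow list that needs both has to name both.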

```bash
# Monitor all requests with info logging
jail --log-level info --allow "*" -- npm install

# Debug logging for troubleshooting
jail --log-level debug --allow "github.com" -- git pull

# Error-only logging
jail --log-level error --allow "*" -- ./app
```

Log Levels:
- `error`: Shows only errors
- `warn`: Shows blocked requests and errors (default)
- `info`: Shows all requests (allowed and blocked)
- `debug`: Shows detailed information including TLS operations

When a request is blocked, jail provides helpful guidance:

```
Request Blocked by Jail

Request: GET /
Host: google.com
Reason: No matching allow rules (default deny-all policy)

To allow this request, restart jail with:
  --allow "google.com"      # Allow all methods to this host
  --allow "GET google.com"  # Allow only GET requests to this host

For more help: https://github.com/coder/jail
```

| Platform | Implementation | Sudo Required |
|---|---|---|
| Linux | Network namespaces + iptables | Yes |
| macOS | Process groups + PF rules | Yes |
| Windows | Not supported | - |
Linux:
- Linux kernel 3.8+ (network namespace support)
- iptables
- Go 1.21+ (for building)
- sudo access
macOS:
- macOS 10.15+ (Catalina or later)
- pfctl (included)
- Go 1.21+ (for building)
- sudo access

```bash
git clone https://github.com/coder/jail
cd jail
go build -o jail .
```

jail automatically generates a Certificate Authority (CA) to intercept HTTPS traffic:
- CA stored in `~/.config/jail/` (or `$XDG_CONFIG_HOME/jail/`)
- CA certificate provided via `JAIL_CA_CERT` environment variable
- Certificates generated on-demand for intercepted domains
- CA expires after 1 year

```bash
jail --no-tls-intercept --allow "*" -- ./app
```

```
jail [flags] -- command [args...]

OPTIONS:
    --allow <SPEC>        Allow rule (repeatable)
                          Format: "pattern" or "METHOD[,METHOD] pattern"
    --log-level <LEVEL>   Set log level (error, warn, info, debug)
    --no-tls-intercept    Disable HTTPS interception
    -h, --help            Print help
```

```bash
# Build
go build -o jail .

# Test
go test ./...

# Cross-compile
GOOS=linux GOARCH=amd64 go build -o jail-linux .
GOOS=darwin GOARCH=amd64 go build -o jail-macos .
```

MIT License - see LICENSE file for details.