Table of Contents

The FluxzySetting class

The FluxzySetting is the main starting point to configure the proxy behaviour.

We recommend to use static methods CreateDefault to obtain an new instance. Public constructor is obsolete and is used only for System.Text.Json serialization which does not currently supports non public constructor.


Once the proxy is started, any modification to the used FluxzySetting instance will not be taken into account.

Specifying listen addresses and ports

The CreateDefault methods accepts addresses and ports as parameters. If not provided, the default port used by fluxzy is 44344 and the proxy listen to IPV4 loopback address (

var fluxzySetting = FluxzySetting
    .CreateDefault(IPAddress.Loopback, 44344);

Additionally, you can add more endpoints by calling

// Listen on 8080 on ::1 
    .AddBoundAddress(IPAddress.IPv6Loopback, 8080); 

// Listen on 8081 on any IPv4 address
    .AddBoundAddress("", 8081); 

You can use port 0 to let the OS choose a free port.

Fluxzy doesn't change any firewall rules, so you need to ensure that the port is not blocked by the firewall if necessary.

Changing the default CA certificate

By default, fluxzy provides a built-in certificates that is used to produce on the fly certificates for HTTPS interception. You can gather this certificate by calling the following code:

// Will return a System.Security.Cryptography.X509Certificates.X509Certificate2
var defaultCertificate = Certificate.UseDefault().GetX509Certificate();

You can also provide your own certificate by calling using Certificate.LoadFrom.. methods. Supported methods are: from p12 file and from the default store.

// Load from a PKCS12 file
var p12Certificate = Certificate.LoadFromPkcs12("pcks12File.p12", "password");

// Load from default user store 
var storeCertificate = Certificate.LoadFromUserStoreByThumbprint("certificateThumbprint"); 

Then you call SetCaCertificate to set the certificate to use.


The certificate must be a valid CA certificate and must contains the private key. You can use fluxzy CLI to generate a CA compatible certificate.

Save to disk

By default, fluxzy doesn't save the trafic to disk. To enable this feature, you need to specify the an archiving policy by calling SetArchivingPolicy method.

// Save the trafic to the directory

alternatively SetOutDirectory is a shortcut to SetArchivingPolicy(ArchivingPolicy.CreateFromDirectory("out_directory"))

Live capturing can only output to a directory, if you wish to package the result as fluxzy file or HAR file, you need to use the Packager class (see Save Http Traffic).

Add save filter

Save filter is a way to filter the traffic that is saved to disk.

// Save only requests that are made to
fluxzySetting.SetSaveFilter(new HostFilter("", StringSelectorOperation.EndsWith));

This method supports a Filter object but is only limited filters that triggers on RequestHeaderReceivedFromClient or earlier.

Add alteration rules

Alteration rules are key configuration when you want to transform the traffic that is traversing fluxzy. A rule is a combination of a filter and multiple actions.

You can add alteration rules by calling AddAlterationRules method.

// Add a rule that append a response header to any response
    new Rule(
        new AddResponseHeaderAction("X-Proxy", "Passed through fluxzy"),

You can add as many rules as you want, the order of evaluation is the order of AddAlterationRules calls.

Alteration rules can also be added in a fluent fashion by calling ConfigureRule method and chaining When and Do methods.

        .Do(new AddResponseHeaderAction("X-Proxy", "Passed through fluxzy"));

Finally, you can load rules from a rule file with the method AddAlterationRules(string).

Use Bouncy Castle as SSL provider

By default, fluxzy uses the default SSL provider of .NET to connect to the remote host. You can use Bouncy Castle as SSL provider by calling UseBouncyCastleSslEngine method. Bouncy Castle provides the necessary support to gather NSS key from the SSL session.


You can revert back to the default SSL provider by calling UseOsSslEngine method.


Limit the number of concurrent connections

This methods applies only HTTP/1.1 connections. H2 connetions are multiplexed and are not limited by this setting.


Skip SSL decryption

You can avoid decrypting certain hosts by calling AddTunneledHosts method.

fluxzySetting.AddTunneledHosts("", "");

Alternatively, for more complex filters you can use the SkipSslTunnelingAction action:

fluxzySetting.AddAlterationRules(new Rule(new SkipSslTunnelingAction(),
    new HostFilter(@"google\.(com)|(fr)$", StringSelectorOperation.Regex)));

Any filter applied must be trigger on OnAuthorityReceived .

As a result of this, calling the following will disable global SSL interception.

fluxzySetting.AddAlterationRules(new Rule(new SkipSslTunnelingAction(), AnyFilter.Default));