The proxy is a small Node service. The hosted instance at proxy.busymate.net is already running and streaming to your dashboard — you only need to run your own copy if you want a local instance.
The hosted proxy
Most of the time there's nothing to install. The team runs a shared instance at proxy.busymate.net that's already wired to your dashboard. To use it, you just point a client at it and trust its CA — skip straight there.
Run your own only if you want captures on localhost, an isolated environment, or to develop the proxy itself.
Run a local instance
cd web/proxy-server
npm install
npm run devThe proxy reads its Supabase credentials from the environment so it can stream captures to your dashboard. The service-role key is a secret — keep it out of any committed file:
export SUPABASE_URL=https://your-project.supabase.co
export SUPABASE_SERVICE_ROLE_KEY=<service-role-key>Without both of these the proxy exits at boot.
First run
On first boot the proxy creates ~/.busymate-proxy/ and writes a few things into it:
config.json— the boot config (ports, base domain, port-pool range). Edit it and restart to change defaults.ca.pem+ca.key— the certificate authority it generates for itself. This is the root you'll trust on your clients.port-map.json— the per-device port allocations (see Connect a client).identity.json— a stable UUID for this proxy install, so it shows up as one consistent device in your dashboard across restarts.
All of this state survives restarts. Everything else — captured entries, settings, breakpoint history — lives in Supabase, not on disk.
Default ports
| Port | Purpose |
|---|---|
8888 | HTTP proxy + management endpoints (/ca/bundle, /allocate, /proxy.pac, …) |
8443 | TLS proxy listener (SNI-attributed) |
9000–9999 | Per-device port pool — one dedicated port per device |
The same :8888 listener handles both plain HTTP forwards and CONNECT (HTTPS) tunnels.
Heads up: If you bind the proxy to a non-loopback address (a public IP) without configuring an authentication password, it refuses to start. That's an open-relay guard. On a laptop, leave the listen address unset (LAN-local is fine). On any public-IP host, either bind to
127.0.0.1and tunnel in over SSH, or set the cert-bundle password inconfig.json. The egress is further protected by a source-IP gate — see Proxy server architecture.
Registered to your dashboard
Once running, the proxy upserts its own device row and a periodic heartbeat, so it appears in Devices as online. Every captured exchange streams to your feed in real time over Supabase Realtime — there's no polling and no extra wiring.
Next
- Connect a client — point a browser, phone, or backend at the proxy.
- Trust the CA — so HTTPS can be decrypted on the client.