Rockxy is a native, open-source macOS proxy debugger for inspecting HTTP, HTTPS, WebSocket, and GraphQL traffic — locally, with no cloud account. Two new capabilities extend what you can do with it in real-world network environments:
- Upstream Proxy (External Proxy) — route all outbound traffic from Rockxy through a second proxy server, such as a corporate gateway, VPN proxy, staging network proxy, or a chained security tool.
- WebSocket Protobuf heuristic decoding — decode binary WebSocket frames using Protocol Buffers wire-format parsing, without needing a
.protoschema file.
This guide walks through both features end to end. It is written for mobile app developers, backend engineers, QA engineers, and API platform teams who need to debug traffic behind corporate proxies, VPNs, test networks, or chained proxy setups — and for anyone debugging realtime services that send binary WebSocket messages.
What you need before starting
- ✓Rockxy installed and running on macOS — download here
- ✓The host and port of your upstream proxy server (for Part 1)
- ✓An app or service that uses WebSocket with binary frames (for Part 2)
- ✓macOS Sequoia or later recommended; works on Sonoma
Upstream Proxy — Route Rockxy Through an External Proxy
What is an upstream proxy?
Rockxy acts as a local HTTP/HTTPS proxy on your Mac. It intercepts outbound requests from apps and devices, lets you inspect and modify them, then forwards them to their destinations. An upstream proxy — sometimes called an external proxy or chained proxy — is a second proxy server that sits between Rockxy and the internet.
When you enable upstream proxy, every outbound request that Rockxy would normally send directly is instead forwarded through the configured proxy server first. The full traffic path looks like this:
App / device
↓
Rockxy (captures, inspects, filters)
↓
Upstream Proxy (corporate gateway / VPN / security proxy)
↓
Internet / API serverRockxy retains full capture and inspection capabilities at its layer. The upstream proxy handles the outbound routing. The two roles are independent.
When should you use upstream proxy?
Use upstream proxy when your network requires it or when you are reproducing an environment that uses one:
| Scenario | Why upstream proxy helps |
|---|---|
| Corporate or enterprise network | Your IT policy requires all outbound traffic to pass through a specific proxy. Without upstream proxy, Rockxy bypasses it. |
| Staging or test network gateway | Your staging environment enforces a proxy route. Configure Rockxy to forward through it so your captures match production network behavior. |
| Chained debugging tools | Route Rockxy's output through a second proxy tool (security scanner, traffic logger, Burp Suite) for layered inspection. |
| Reproducing customer environments | A customer's environment sits behind an external proxy. Mirror that routing locally to reproduce bugs accurately. |
| VPN-adjacent proxy routing | Your VPN requires a proxy for outbound traffic. Rockxy captures the traffic while the VPN proxy handles egress. |
| Traffic egress auditing | Forward all Rockxy traffic through a monitoring proxy to audit what leaves your local network. |
Step-by-step: Enable External Proxy in Rockxy
Follow these steps exactly. Each step includes what to expect so you can confirm you are in the right place before moving forward.
Open Rockxy
Launch the app from your Applications folder or Dock. You should see the traffic capture window. Capture does not need to be active yet.
Open Proxy Settings
In the menu bar, go to Tools → Proxy Settings. This opens the proxy configuration panel where all outbound routing options live.
Click "Use External Proxy"
Toggle Use External Proxy on. If you have not yet entered a proxy server, Rockxy will open External Proxy Settings automatically — skip ahead to step 4. When the feature is active, a checkmark appears next to the menu item.
Open External Proxy Settings
Click External Proxy Settings…. A dialog opens with fields for protocol, host, port, and bypass rules.
Choose the proxy protocol
Select HTTP or HTTPS. This controls how Rockxy connects to the upstream proxy server — not the protocol of the app traffic being proxied. See the table below for guidance.
Enter the proxy server host and port
Type the hostname or IP address of your upstream proxy server and its port number. Examples: proxy.company.com port 8080, or 10.0.0.5 port 3128.
Add bypass rules (recommended)
Add hostnames that should go direct, skipping the upstream proxy. At minimum, keep localhost in the list (it is added by default). See the bypass rules section below for wildcard syntax.
Test the connection
Click Test Connection. Rockxy attempts to reach the upstream proxy and complete the required handshake. A green result means the proxy is reachable and configured correctly. A failure at this step is faster to debug than a silent capture failure.
Save the configuration
Click Save (or close the dialog). Return to Proxy Settings and confirm Use External Proxy shows a checkmark. Rockxy is now routing all outbound traffic through your upstream proxy.
HTTP proxy vs HTTPS proxy — which one to choose
The protocol setting describes how Rockxy connects to the upstream proxy server. It does not limit what kind of app traffic Rockxy can forward. Both options support HTTP and HTTPS app traffic.
| Protocol | Use when | How it connects |
|---|---|---|
| HTTP | Standard development and staging proxies, most corporate HTTP gateways | Rockxy connects to the upstream proxy over plain HTTP. This is correct for most development environments. |
| HTTPS | Enterprise gateways and security proxies that enforce TLS on the proxy connection itself | Rockxy wraps the upstream proxy connection in TLS. The proxy endpoint must present a valid certificate. |
If you are unsure, start with HTTP. HTTPS proxy is only needed when the proxy server itself requires an encrypted inbound connection — not simply because your app traffic is HTTPS.
Diagnosing a failed test connection
Run the connection test before starting a capture session. If it fails, work through these checks in order:
1. Verify the host and port
A typo in the hostname or a wrong port number is the most common cause. Double-check both against the documentation or IT policy for your proxy server.
2. Check your network connection
If the proxy is behind a VPN, confirm the VPN is active. If it is on a corporate network, confirm your Mac is on that network (wired, Wi-Fi, or VPN).
3. Confirm CONNECT support
Rockxy uses the HTTP CONNECT method to tunnel HTTPS traffic through a proxy. Some proxy servers restrict or disable CONNECT. Ask your network team if this applies.
4. Check local firewall rules
macOS firewall or a third-party security tool on your Mac may be blocking outbound connections on the proxy port. Check System Settings → Network → Firewall, and any endpoint security software.
Bypass rules — controlling which hosts skip the upstream proxy
Bypass rules define a list of hostnames that Rockxy routes directly, bypassing the upstream proxy entirely. This prevents local development traffic and internal APIs from accidentally going through an external server.
Localhost bypass is on by default. Traffic to localhost and 127.0.0.1 always goes direct. Only remove this rule if you explicitly need localhost traffic forwarded through the upstream proxy.
Bypass rules support two wildcard characters:
| Pattern | Matches | Example |
|---|---|---|
| * | Any number of characters | *.internal.dev matches api.internal.dev and auth.internal.dev |
| ? | Exactly one character | ?pi.example.com matches api.example.com but not grpc.example.com |
A practical bypass list for a developer working on a local API against a staging network proxy:
# Always bypass local dev
localhost
127.0.0.1
# Bypass all subdomains of your local dev domain
*.local.dev
# Bypass specific internal API host
api.internal.test
# Bypass staging backend to test direct path comparison
staging-api.example.comWebSocket Protobuf Decoding — Read Binary Frames Without a Schema
What is WebSocket Protobuf decoding?
WebSocket is the transport layer used by most realtime app features — live data feeds, multiplayer game state, chat, collaboration tools, financial tickers. A large share of these systems encode their WebSocket payloads using Protocol Buffers (Protobuf), a binary serialization format from Google. Protobuf is compact and efficient on the wire, but completely unreadable to humans without decoding.
Without a decoder, a Protobuf WebSocket frame in a standard proxy debugger looks like this:
0a 07 63 72 65 61 74 65 64 10 2a 1a 0c 0a 08 75 73 65 72 5f 31 32 33 10 80 c0 c3 d5 06Rockxy's heuristic Protobuf decoder reads the wire format directly and presents a structured field tree — without requiring a .proto schema file. The same bytes above become:
field 1 (length-delimited) → "created"
field 2 (varint) → 42
field 3 (message)
field 1 (length-delimited) → "user_123"
field 2 (varint) → 1716537600Field names are stored in the .proto schema, not in the encoded binary, so heuristic mode shows field numbers and wire types instead. That is usually enough to verify field presence, check values, identify nested messages, and compare frames across requests and responses.
What heuristic decoding shows you
| Element | What it means |
|---|---|
| Field number | The integer tag assigned to each field. Maps to a name only if you have the schema. |
| Wire type | How the field is encoded: varint, 64-bit fixed, length-delimited, or 32-bit fixed. |
| Varint value | Decoded integer, including booleans, enums, and signed integers encoded as varints. |
| UTF-8 string | A length-delimited field decoded as a string when the bytes are valid UTF-8. |
| Nested message | A length-delimited field that itself contains valid Protobuf structure — expanded recursively. |
| Raw bytes | Fields that could not be decoded further — shown as hex for manual inspection. |
Step-by-step: Decode Protobuf WebSocket frames in Rockxy
Start capture
Click Start in Rockxy to begin intercepting traffic. If your app uses HTTPS WebSocket (wss://), make sure SSL proxying is enabled for the target host so the WebSocket frames are decrypted.
Trigger the WebSocket connection in your app
Open the app feature that uses WebSocket — a live feed, chat, realtime dashboard, or game session. The connection appears in Rockxy's traffic list as a WebSocket row, usually prefixed with ws:// or wss://.
Select the WebSocket connection
Click the WebSocket row in the traffic list. The detail panel opens and shows the individual frames exchanged on that connection — both client-to-server and server-to-client, with timestamps and byte sizes.
Open the frame inspector and switch to Protobuf view
Select a binary frame from the list. If the payload looks like Protobuf wire format, Rockxy activates the Protobuf tab in the frame inspector. Click it to see the decoded field tree. If the tab is not available, the payload is likely JSON, compressed, encrypted, or a non-Protobuf binary format.
Explore the field tree
The decoded tree shows each field number, its wire type, and its value. Expand nested messages by clicking the disclosure arrow. Compare field values across multiple frames — for example, check that a sequence number increments correctly or that a user ID matches what you expect.
Use raw or hex view for frames that do not decode
Not every binary frame is Protobuf. Compressed frames (gzip, deflate, zstd), encrypted payloads, and application-specific binary formats will not produce a useful Protobuf tree. Switch to the Raw or Hex tab to inspect the bytes directly.
End-to-end workflow: iOS or Android app behind an upstream proxy
This is the most common combined workflow — a mobile app that routes through a corporate or test network proxy, with binary WebSocket traffic you need to inspect.
- Configure the device proxy. On an iOS device or simulator, go to Wi-Fi settings → HTTP Proxy → Manual. Set the server to your Mac's LAN IP address and the port to Rockxy's active proxy port (shown in the Rockxy toolbar). On Android, do the same in Wi-Fi → Modify network → Advanced options → Proxy → Manual.
-
Install the Rockxy CA certificate on the device. Navigate to
rockxy.local/cert(or the equivalent URL shown in Rockxy) on the device browser. Download and install the certificate. On iOS, also go to Settings → General → About → Certificate Trust Settings and enable full trust. This allows Rockxy to inspectwss://frames. -
Enable External Proxy in Rockxy. Go to
Tools → Proxy Settings → Use External Proxy. Enter your corporate or staging upstream proxy host and port. -
Add bypass rules. Keep
localhostin the bypass list. Add any internal API hosts that should stay on a direct path. - Test the upstream proxy connection. Click Test Connection and confirm it passes before starting capture.
- Start capture and reproduce the app flow. Open the app on the device and navigate to the feature that triggers HTTP, HTTPS, and WebSocket traffic.
- Inspect HTTP and HTTPS traffic. Select rows in Rockxy to inspect request headers, response bodies, status codes, and timing.
- Inspect WebSocket frames and decode Protobuf. Select the WebSocket connection. For binary frames, open the Protobuf tab. Compare field values across frames to verify protocol behavior.
End-to-end workflow: Debugging a realtime WebSocket API
Use this when you are building or testing a realtime feature — a collaborative editor, a live dashboard, a financial data feed, a game server — and need to understand the binary message protocol.
- Start capture in Rockxy. Click Start. Filter by host if the capture is noisy.
- Trigger the WebSocket session. Open the app and navigate to the realtime feature. The WebSocket connection appears in the traffic list within seconds.
- Select the connection and review the frame list. Check frame direction (↑ client → server, ↓ server → client), frame size in bytes, and timestamps. Large or frequent frames are good candidates for closer inspection.
- Open a binary frame and switch to Protobuf view. If the payload is Protobuf wire format, the decoder activates automatically. The field tree appears in the inspector.
- Verify field structure and values. Cross-reference field numbers with what you know about the protocol. Check that numeric values are in the expected range, string fields are valid UTF-8, and nested messages expand to the expected depth.
- Compare frames across the session. Select multiple frames — for example, the initial connection message and a subsequent update message — and compare their field structure. Field numbers that appear in some frames but not others indicate optional fields.
- Use raw or hex for undecoded frames. Control frames, ping/pong frames, compressed frames, and non-Protobuf binary frames will not decode. Switch to Raw or Hex and inspect manually.
Troubleshooting
Use External Proxy does not stay checked after I enable it
Rockxy requires a valid host and port before enabling the feature. If either is missing, clicking Use External Proxy opens External Proxy Settings instead of activating. Enter a valid upstream proxy host and port, save, then enable the toggle again. The menu item shows a checkmark only when the configuration is complete.
The upstream proxy connection test fails
Work through these checks in order: confirm the host and port are correct; confirm your Mac can reach the proxy server (VPN connected, corporate Wi-Fi active); confirm the proxy server allows CONNECT tunneling for HTTPS traffic; check whether your Mac's local firewall or an endpoint security tool is blocking the outbound connection on the proxy port.
Localhost traffic is not going through the upstream proxy
This is intentional. Rockxy bypasses the upstream proxy for localhost and 127.0.0.1 by default, protecting local development traffic from inadvertently routing through an external server. Remove the localhost bypass rule in External Proxy Settings only if you intentionally need it forwarded.
A bypass rule is not matching the host I expect
Check spelling first. Then verify wildcard placement: *.example.com matches all subdomains of example.com but not example.com itself — add both if needed. Remember ? matches exactly one character, not a segment.
A WebSocket frame does not decode as Protobuf
Not all binary WebSocket frames are Protobuf. Common alternatives include gzip-compressed JSON (1f 8b magic bytes), MessagePack, CBOR, custom binary protocols, or encrypted payloads. Heuristic decoding requires valid Protobuf wire format — if the bytes do not follow that structure, the decoder will not produce a tree. Use the Raw or Hex tab to inspect the bytes manually and identify the actual encoding.
The Protobuf tree shows only field numbers, not names
Field names exist only in the .proto schema. The encoded binary contains only the field number and value — names are not transmitted on the wire. Heuristic decoding gives you the full structure, including field numbers, wire types, and values. To get human-readable names, you need the schema for that service.
Frequently asked questions
How do I route a macOS debugging proxy through another proxy?
In Rockxy, go to Tools → Proxy Settings → Use External Proxy, then open External Proxy Settings, enter your upstream proxy host and port, test the connection, and save. All traffic Rockxy captures is then forwarded through the configured external proxy before reaching the destination.
What is an upstream proxy in a macOS HTTP debugger?
An upstream proxy (or external proxy) is a secondary proxy server that sits between Rockxy and the internet. Rockxy captures and inspects traffic first, then routes outbound requests through the upstream proxy. This is standard in corporate, enterprise, and multi-tool debugging setups where network egress must pass through a controlled proxy server.
Does Rockxy support HTTPS proxy as an upstream proxy?
Yes. Select HTTPS as the upstream proxy protocol in External Proxy Settings. Use this when the upstream proxy server itself requires a TLS-encrypted inbound connection. The protocol selection controls how Rockxy connects to the proxy, not the protocol of your app traffic.
How do I bypass localhost from an upstream proxy in Rockxy?
Localhost is bypassed by default. Traffic to localhost and 127.0.0.1 goes direct, bypassing the upstream proxy. You can add additional bypass rules in External Proxy Settings using exact hostnames or wildcard patterns (*, ?).
How do I decode WebSocket Protobuf messages without a schema?
Select the WebSocket connection in Rockxy's traffic list, open a binary frame in the frame inspector, and choose the Protobuf tab. Rockxy reads the Protobuf wire format directly and displays a best-effort field tree — field numbers, wire types, varint values, UTF-8 strings, and nested messages — without needing a .proto file.
What is the difference between HTTP proxy and HTTPS proxy for upstream routing?
HTTP proxy means Rockxy connects to the upstream proxy server over plain HTTP. HTTPS proxy means Rockxy connects to the upstream proxy over TLS — used when the proxy server's own endpoint requires an encrypted connection. Both options can forward HTTP and HTTPS app traffic. Choose based on how the proxy server expects inbound connections, not based on the protocol of the traffic you are debugging.
How does Rockxy compare to Proxyman or Charles Proxy for upstream proxy and WebSocket debugging?
Rockxy is a native macOS proxy debugger with HTTP, HTTPS, WebSocket, and GraphQL support, open-source under AGPL-3.0, with no cloud account required. Developers who use tools like Proxyman or Charles Proxy may find Rockxy useful when they want a local-first workflow, source-visible codebase, or both upstream proxy and Protobuf WebSocket decoding in a single native macOS app.
Is Rockxy useful for iOS and Android API debugging?
Yes. Configure the iOS or Android device to use Rockxy as its HTTP proxy (device proxy settings → your Mac's LAN IP and Rockxy's port). Install and trust the Rockxy CA certificate on the device for HTTPS inspection. Rockxy captures and displays all HTTP, HTTPS, and WebSocket traffic from the device, including binary WebSocket frames with Protobuf decoding.
Is Rockxy free and open source?
Yes. Rockxy is free to download and open source under AGPL-3.0. The source code is publicly available on GitHub at github.com/RockxyApp/Rockxy. You can read, audit, build, and contribute to the codebase directly.
Try Rockxy — Free and Open Source
A native macOS proxy debugger for HTTP, HTTPS, WebSocket, and API traffic. Upstream proxy, Protobuf WebSocket decoding, SSL inspection, request breakpoints, and more — running entirely on your Mac. No cloud account. No subscription.
Open source · AGPL-3.0 · Native macOS · No account required · Source available to audit