Enterprise Configuration
Socket Firewall Enterprise can be configured through environment variables or configuration files. Configuration applies to both CLI Wrapper Mode and Proxy Service Mode .
Configuration Files
By default, the proxy loads configuration from .sfw.config in your home directory and /run/secrets/dot-env-secrets (designed for use with Docker).
If the SFW_CONFIG_RELATIVE_PATHS environment variable is set, Socket Firewall will load configuration from multiple sources in order:
.sfw.config(current directory).sfw.config(parent directories).sfw.config(home directory)/run/secrets/dot-env-secrets
Configuration files use dotenv format:
SOCKET_API_KEY=sktsec_your_api_key_here_api
SFW_HOSTNAME=your.proxy.hostnameConfiguration Options
Variable | Valid Modes | Is Required | Details |
|---|---|---|---|
| ✅ Proxy Mode | Yes | Socket API token with required scopes: Get your API key from socket.dev. |
| ✅ Proxy Mode | No | Determines whether Firewall config will be loaded from paths relative to the current working directory. This is particularly useful if you're running in CLI wrapper mode and want to use different configurations for different local projects. |
| ✅ Proxy Mode | Yes (service mode) | The hostname which will be used to address the proxy server. |
| ✅ Proxy Mode | Yes (service mode) | Path to a PEM-encoded CA certificate file. See Generating Keys for instructions. |
| ✅ Proxy Mode | Yes (service mode) | Path to a PEM-encoded CA key file. See Generating Keys for instructions. |
| ✅ Proxy Mode | No | Port on which to listen for HTTP CONNECT requests. Defaults to |
| ✅ Proxy Mode | No | Port on which to listen for HTTPS CONNECT requests. Defaults to |
| ✅ Proxy Mode | No | ill ignore SSL errors when connecting to destination hosts. Must be set to the string |
| ✅ Proxy Mode | No | A comma-delimited set of custom registry entries. See Custom Registries documentation below for details. Example: |
| ✅ Proxy Mode | No | Action to take when encountering unknown hosts. Valid values: |
| ✅ Proxy Mode | No | Path to write a JSON report of blocked packages. |
| ✅ Proxy Mode | No | Enable debug logging. Must be set to the string |
| ✅ Proxy Mode | No | Disables telemetry reporting to Socket. Must be set to the string |
| ✅ Proxy Mode | No | Custom URL endpoint for telemetry data. Must be a valid URL. Defaults to |
Custom Registries
Socket Firewall can filter traffic for custom registries. Each entry must take the form kind:fqdn or kind:fqdn/url-prefix.
Valid Registry Kinds
npm- npm registrypypi- Python Package Indexmaven- Maven repositorygolang- Go modules proxygem- RubyGems registrycargo- Rust crates registrynuget- NuGet package registryblock- All traffic to the specified host will be blockedwrap- All traffic to the specified host will be blindly forwarded without inspecting requests
FQDN Matching
The FQDN value should match the exact hostname that your package manager is configured to use.
URL Prefix (Optional)
An optional URL prefix is allowed. Some private registry services support multiple types of package manager, determined by the first part of the path. For example, you might have an .npmrc file that looks something like this:
; The trailing slash is required
registry=https://packages.example.com/npm-mirror/
; Auth token scoped to the exact host + path prefix
always-auth=true
//packages.example.com/npm-mirror/:_authToken=${NPM_TOKEN}
; You've installed the Socket Firewall CA locally, so you can trust the proxied TLS connection
strict-ssl=trueIf this were your npm configuration, the corresponding custom registry config would look like this:
export SFW_CUSTOM_REGISTRIES='npm:packages.example.com/npm-mirror'When configured in this way, Socket Firewall will intercept traffic to packages.example.com in the same way it does for standard public registries.
Multiple Custom Registries
Multiple prefixed registry entries are allowed. For example, the following configuration is valid:
export SFW_CUSTOM_REGISTRIES='npm:packages.example.com/npm-mirror,pypi:packages.example.com/pypi-mirror'Updated about 19 hours ago