Description
The Codex Local Access gateway in codex_local_access.rs uses a bare reqwest::Client::new() for upstream requests, which does not respect the proxy environment variables (HTTP_PROXY/HTTPS_PROXY) that Cockpit correctly syncs for managed processes.
This means users behind firewalls (e.g., China) who need a proxy to reach chatgpt.com cannot use the Codex platform feature — the gateway receives the local request but cannot forward it upstream through the proxy.
Evidence
Code location: src-tauri/src/modules/codex_local_access.rs lines 214-215
fn upstream_http_client() -> &'static Client {
UPSTREAM_HTTP_CLIENT.get_or_init(Client::new) // No proxy, no env var support
}Upstream URL: https://chatgpt.com/backend-api/codex (line 49) — this endpoint is behind Cloudflare protection and unreachable from restricted networks without a proxy.
What happens:
- Cockpit's global proxy settings are correctly synced via
sync_global_proxy_env() in config.rs (lines 960-979)
- The gateway receives local requests from Codex Desktop at
http://127.0.0.1:50237/v1/responses
- The gateway tries to proxy upstream to
https://chatgpt.com/backend-api/codex/v1/responses using Client::new()
- Since
Client::new() has no proxy configured, the request either times out or hits Cloudflare's HTML challenge page
- The gateway returns
502 Bad Gateway to Codex Desktop
Error from Codex Desktop log:
Structured turn failed: unexpected status 502 Bad Gateway: Unknown error
url: http://127.0.0.1:50237/v1/responses
Suggested Fix
The upstream HTTP client should be built with proxy support. Either:
-
Respect env vars: Use Client::builder() and let reqwest pick up HTTP_PROXY/HTTPS_PROXY from the environment (reqwest does this by default when built via Client::builder() — only Client::new() skips it)
-
Explicit proxy config: Pass the user's proxy settings from UserConfig into the client builder
Relevant Cargo.toml dependency: reqwest with default features enables proxy support; the issue is just that Client::new() bypasses it.
Environment
- OS: Windows 10 Pro
- Cockpit Tools: latest main
- Proxy: SOCKS5/HTTP SSH tunnel at
127.0.0.1:18888
- Network: behind GFW, cannot reach
chatgpt.com directly
Description
The Codex Local Access gateway in
codex_local_access.rsuses a barereqwest::Client::new()for upstream requests, which does not respect the proxy environment variables (HTTP_PROXY/HTTPS_PROXY) that Cockpit correctly syncs for managed processes.This means users behind firewalls (e.g., China) who need a proxy to reach
chatgpt.comcannot use the Codex platform feature — the gateway receives the local request but cannot forward it upstream through the proxy.Evidence
Code location:
src-tauri/src/modules/codex_local_access.rslines 214-215Upstream URL:
https://chatgpt.com/backend-api/codex(line 49) — this endpoint is behind Cloudflare protection and unreachable from restricted networks without a proxy.What happens:
sync_global_proxy_env()inconfig.rs(lines 960-979)http://127.0.0.1:50237/v1/responseshttps://chatgpt.com/backend-api/codex/v1/responsesusingClient::new()Client::new()has no proxy configured, the request either times out or hits Cloudflare's HTML challenge page502 Bad Gatewayto Codex DesktopError from Codex Desktop log:
Suggested Fix
The upstream HTTP client should be built with proxy support. Either:
Respect env vars: Use
Client::builder()and let reqwest pick upHTTP_PROXY/HTTPS_PROXYfrom the environment (reqwest does this by default when built viaClient::builder()— onlyClient::new()skips it)Explicit proxy config: Pass the user's proxy settings from
UserConfiginto the client builderRelevant
Cargo.tomldependency:reqwestwith default features enables proxy support; the issue is just thatClient::new()bypasses it.Environment
127.0.0.1:18888chatgpt.comdirectly