Proxy
Maven routes outbound HTTP through Go's http.DefaultClient by default, which automatically reads HTTPS_PROXY / HTTP_PROXY / NO_PROXY. Per-component overrides exist for channels and speech providers when the global proxy can't reach everything.
How it works
Every outbound call — LLM APIs, channel APIs, voice providers — uses http.DefaultClient unless a per-component proxy is set. The default transport reads:
| Variable | Purpose |
|---|---|
| HTTPS_PROXY | Proxy URL for HTTPS traffic (e.g. http://127.0.0.1:10255). |
| HTTP_PROXY | Proxy URL for HTTP. |
| NO_PROXY | Comma-separated hosts to bypass. |
| SSL_CERT_FILE | CA bundle for TLS trust (required for MITM proxies). |
Go's http.DefaultTransport calls http.ProxyFromEnvironment automatically. No Maven-specific code is involved for the env case.
Quick start
Supported schemes: http://, https://, socks5://. Authentication is in the URL: http://user:pass@host:port.
Regions without direct API access
If Telegram, Anthropic, or other APIs are unreachable from your network, set a proxy before starting Maven:
This applies to channels, LLM, and tools through one path.
TLS and custom CAs
Some proxies (e.g. OneCLI) terminate TLS to inject credentials. The client must trust the proxy's CA:
```bash
export SSL_CERT_FILE=/path/to/proxy-ca.pem
export HTTPS_PROXY=http://x:aoc_YOUR_TOKEN@127.0.0.1:10255
./maven gateway
```
Alternatively, install the CA into your OS trust store and omit SSL_CERT_FILE.
systemd
```ini
# /etc/systemd/system/maven.service.d/proxy.conf
[Service]
Environment=HTTPS_PROXY=http://x:aoc_YOUR_TOKEN@127.0.0.1:10255
Environment=SSL_CERT_FILE=/home/user/.onecli/gateway/ca.pem
```
Docker
```yaml
services:
  maven:
    environment:
      HTTPS_PROXY: http://x:aoc_YOUR_TOKEN@onecli:10255
      SSL_CERT_FILE: /home/user/.onecli/gateway/ca.pem
```
Per-component overrides
When a single upstream can't serve all targets (e.g. Telegram blocked but Anthropic not), set proxy on the specific component. A non-empty proxy field takes precedence over HTTPS_PROXY for that component only.
```json
{
  "channels": {
    "telegram": { "proxy": "socks5://127.0.0.1:1080" },
    "feishu": { "proxy": "http://127.0.0.1:7890" },
    "wecom": { "proxy": "http://127.0.0.1:7890" }
  },
  "speech": {
    "deepgram": { "proxy": "http://127.0.0.1:7890" },
    "openai": { "proxy": "http://127.0.0.1:7890" },
    "elevenlabs": { "proxy": "http://127.0.0.1:7890" },
    "cartesia": { "proxy": "http://127.0.0.1:7890" }
  }
}
```
The proxy parser lives in internal/kernel/httpc/httpc.go and accepts http, https, socks5, socks5h.
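The precedence rule above, as an added Go sketch (not Maven's code from internal/kernel/httpc/httpc.go): an empty override falls back to the environment, a non-empty one replaces it, and error messages never echo proxy credentials. The names `proxyFor` and `clientFor` are hypothetical, and the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Schemes the page lists for the proxy parser.
var allowedSchemes = map[string]bool{"http": true, "https": true, "socks5": true, "socks5h": true}

// proxyFor (hypothetical name) returns the proxy selector for one component.
// Empty override: environment (HTTPS_PROXY / HTTP_PROXY / NO_PROXY).
// Non-empty override: that proxy only; the environment is not consulted.
func proxyFor(override string) (func(*http.Request) (*url.URL, error), error) {
	if override == "" {
		return http.ProxyFromEnvironment, nil
	}
	u, err := url.Parse(override)
	if err != nil {
		// url.Parse errors echo the raw input, which may carry user:pass.
		return nil, errors.New("proxy: URL does not parse")
	}
	if !allowedSchemes[u.Scheme] || u.Host == "" {
		// Redacted() masks the password before the URL reaches a log line.
		return nil, fmt.Errorf("proxy: unsupported or incomplete URL %q", u.Redacted())
	}
	return http.ProxyURL(u), nil
}

// clientFor builds a client whose transport uses the component's selector.
func clientFor(override string) (*http.Client, error) {
	proxy, err := proxyFor(override)
	if err != nil {
		return nil, err
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.Proxy = proxy
	return &http.Client{Transport: tr}, nil
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	for _, p := range []string{"", "socks5://127.0.0.1:1080", "ftp://user:secret@proxy.example:21"} {
		_, err := clientFor(p)
		fmt.Printf("%q -> err=%v\n", p, err)
	}
}
```

In this sketch a fixed override also ignores NO_PROXY, because `http.ProxyURL` returns the same proxy for every request.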
Troubleshooting
| Symptom | Check |
|---|---|
| connection refused | Proxy actually running? curl -x $HTTPS_PROXY https://api.anthropic.com. |
| x509: certificate signed by unknown authority | Set SSL_CERT_FILE to the proxy's CA bundle, or trust it OS-wide. |
| Some targets work, others don't | The proxy may allowlist domains. Try a per-component proxy for the failing target. |
| Bot connects but LLM fails (or vice versa) | If using only HTTPS_PROXY, all egress shares one transport — make sure the proxy allows the upstream. With per-component proxies, the env proxy does not apply to that component. |