Skip to main content

Proxy formats

cac supports multiple proxy formats. Pass them with the -p flag: 
cac env create work -p 1.2.3.4:1080:user:pass
cac env create work -p socks5://user:pass@1.2.3.4:1080
cac env create work -p http://1.2.3.4:8080
FormatExample
Compact with auth1.2.3.4:1080:user:pass
Compact without auth1.2.3.4:1080
Explicit SOCKS5socks5://user:pass@host:port
Explicit HTTPhttp://host:port
Explicit HTTPShttps://host:port

Protocol auto-detection

When you use the compact format (host:port:user:pass), cac automatically probes the proxy to detect the protocol:
  1. Try HTTP
  2. Try SOCKS5
  3. Try HTTPS
  4. Fall back to HTTP if all fail

TUN conflicts

If you run TUN-mode proxy software (Clash, Surge, sing-box, V2Ray), it captures all traffic — including cac’s proxy connections. This creates a double-proxy loop. cac handles this automatically: when it detects a TUN interface (tun* or utun*), it starts a local TCP relay on 127.0.0.1. Loopback traffic bypasses TUN, so the relay connects directly to your remote proxy. 
claude ──► wrapper ──► relay (127.0.0.1) ──► remote proxy ──► API
                        ↑ loopback bypasses TUN
No manual configuration needed.

Health check bypass

Claude Code pings api.anthropic.com/api/hello at startup. Through a proxy, Cloudflare returns 403 due to Node.js TLS fingerprint rejection (JA3/JA4). cac bypasses this with in-process Node.js interception: https.request and fetch calls to that URL are patched to return a fake HTTP 200 immediately — no local server, no port binding, no root needed. This is automatic and produces no network traffic.