codex-reset-proxy
A Python reverse proxy that detects when Codex stalls before sending response headers, fails fast after a configurable timeout, and retries the full request automatically, with HTTP, SOCKS5, MITM, and WebSocket bridge modes.
codex-reset-proxy is a small reverse proxy written in Python, built to handle a specific failure mode in Codex (OpenAI's coding model) requests. When the upstream server accepts a connection but then stalls without ever sending response headers, a normal client will simply wait. This proxy detects that condition, fails fast after a configurable timeout, and retries the request from the beginning.
The retry behavior is intentionally careful. Request bodies are buffered in memory so the proxy can replay the full request on a retry. Retries only happen before any response headers arrive: once the upstream starts sending a response, the proxy switches to simply forwarding bytes and does not interrupt. This avoids the risk of replaying a request that was already partially processed by the upstream.
The proxy runs in one of three protocol modes. The standard mode is a plain HTTP reverse proxy that forwards any path to the configured upstream base URL, optionally injecting an API key. A second mode runs as a SOCKS5 tunnel, which passes traffic through without intercepting it. A third mode is a SOCKS5 man-in-the-middle proxy for clients that hard-code the Codex endpoint URL and cannot be redirected; it generates a local certificate authority, decrypts the HTTPS traffic, applies the fast-fail retry logic, then re-encrypts before sending to the actual upstream.
For the Codex Responses protocol specifically, there is also a WebSocket bridge mode. In this mode, each incoming HTTP request is translated into an upstream WebSocket connection, the request body is wrapped in the correct message format, and the upstream WebSocket messages are streamed back to the HTTP client as server-sent events. An optional connection pool reuses idle WebSocket connections across requests with the same authentication credentials, keyed by a hash of the auth headers.
The project is designed to run via Docker Compose with environment variables for all configuration. A helper script is included for installing the generated CA certificate into other containers that need to trust the MITM proxy.
Where it fits
- Wrap Codex requests to automatically retry after a stall instead of hanging indefinitely waiting for response headers.
- Run a SOCKS5 MITM proxy for clients that hard-code the Codex endpoint URL and cannot be pointed at a different address.
- Bridge the Codex Responses WebSocket protocol to HTTP clients using server-sent events so they do not need a WebSocket library.
- Reuse idle WebSocket connections across multiple Codex requests with the same credentials using the built-in connection pool.