Skip to content
Hoody Documentation
Download Page (.md)

Network Configuration

Section titled “Network Configuration”

Change where your container’s traffic exits to the internet. Route through SOCKS5/HTTP/HTTPS proxies, or block all outbound traffic—with zero configuration inside the container.

API Endpoints Summary

Section titled “API Endpoints Summary”

Complete endpoint documentation:

Two Different “Proxies” on Hoody

Section titled “Two Different “Proxies” on Hoody”

⚠️ CRITICAL: Don’t confuse these two systems:

SystemDirectionPurpose
Hoody ProxyInternet → ContainerMakes services accessible via URLs
Network Configuration (this page)Container → InternetChanges exit IP address

Key distinction:

  • Hoody Proxy = How others ACCESS your containers (inbound)
  • Network Configuration = How your container ACCESSES the internet (outbound)

Both work together. Hoody Proxy handles inbound service requests. Network Configuration handles outbound connections.

Four Routing Types

Section titled “Four Routing Types”
Section titled “1. SOCKS5 Proxy (Recommended)”

Routes ALL TCP traffic through SOCKS5:

Terminal window
# Route all container traffic through SOCKS5 proxy
hoody network update --container $CONTAINER_ID \
  --type socks5 \
  --proxy "socks5://username:password@proxy.example.com:1080" \
  --dns-servers "1.1.1.1,1.0.0.1"

What happens:

  • All container TCP connections route through SOCKS5 proxy
  • Container appears to originate from proxy’s IP
  • Supports authentication (username:password)

Why SOCKS5 is best:

  • Natively forwards ANY TCP protocol without CONNECT tunneling
  • SSH, databases, Git, custom protocols all work
  • Many providers (including VPN services) offer SOCKS5 with credentials
  • Zero in-container configuration needed

2. HTTP Proxy

Section titled “2. HTTP Proxy”
Terminal window
# Route container traffic through HTTP proxy
hoody network update --container $CONTAINER_ID \
  --type http \
  --proxy "http://user:pass@corporate-proxy.com:8080"

Use for: Corporate proxy requirements, environments that mandate an HTTP forward proxy

Note: type: http configures the upstream as an HTTP proxy. Hoody still DNATs all container TCP egress through it (using the proxy’s CONNECT tunneling for non-HTTP destinations), so this isn’t limited to plain HTTP payloads. SOCKS5 remains the most broadly compatible upstream.

3. HTTPS Proxy

Section titled “3. HTTPS Proxy”
Terminal window
# Route container traffic through HTTPS proxy
hoody network update --container $CONTAINER_ID \
  --type https \
  --proxy "https://user:pass@secure-proxy.com:443"

Use for: Encrypted HTTP proxy connections

Note: type: https configures the upstream as an HTTPS proxy (CONNECT tunneling); all TCP egress is DNATed through it just as with the http type, so this isn’t restricted to HTTPS payloads.

4. Block (Complete Isolation)

Section titled “4. Block (Complete Isolation)”
Terminal window
# Block all outbound internet traffic
hoody network update --container $CONTAINER_ID --type block

Blocks all outbound internet. Container can still:

  • ✅ Be accessed via Hoody Proxy URLs (terminal, files, display)
  • ✅ Access localhost services and /ramdisk
  • ❌ Make ANY outbound connections

Perfect for running untrusted code or processing sensitive data.

Host-Level Routing Power

Section titled “Host-Level Routing Power”

Traditional approach: Configure proxy inside every application:

Terminal window
export HTTP_PROXY=http://proxy:8080
npm config set proxy http://proxy:8080
git config http.proxy http://proxy:8080
# Every single application needs configuration

Hoody approach: One API call, affects ALL applications:

Terminal window
# Configure SOCKS5 proxy for all container traffic
hoody network update --container $CONTAINER_ID \
  --type socks5 \
  --proxy "socks5://user:pass@proxy.example.com:1080"

Now all applications automatically route through SOCKS5: npm downloads, curl requests, Python/Node.js/Go apps, SSH connections, database connections—zero in-container configuration.

Benefits:

  • Universal routing (every TCP protocol)
  • Zero application configuration
  • Tamper-proof (container cannot bypass)
  • Easy VPN provider switching

Common Use Cases

Section titled “Common Use Cases”

Change Exit IP for Geo-Restricted APIs

Section titled “Change Exit IP for Geo-Restricted APIs”

Server in Germany, but API requires US IP:

Terminal window
# Route through US proxy for geo-restricted APIs
hoody network update --container $CONTAINER_ID \
  --type socks5 \
  --proxy "socks5://user:pass@us-proxy.example.com:1080"

Container requests appear to originate from the proxy’s location.

Route Through Corporate Proxy

Section titled “Route Through Corporate Proxy”
Terminal window
# Route through corporate HTTP proxy for compliance
hoody network update --container $CONTAINER_ID \
  --type http \
  --proxy "http://employee:pass@corporate-proxy.com:8080"

All HTTP traffic logged by corporate proxy for compliance.

Secure AI Code Sandbox

Section titled “Secure AI Code Sandbox”
Terminal window
# Block all outbound traffic for AI sandbox
hoody network update --container $CONTAINER_ID --type block

AI-generated code cannot:

  • Call external APIs
  • Download malicious packages
  • Exfiltrate data

Even if compromised, it’s isolated.

Multi-Region Testing

Section titled “Multi-Region Testing”

Spawn containers with different exit IPs to test from multiple regions simultaneously:

PATCH Configure US region proxy
/api/v1/containers/{container_id}/network
Click "Run" to execute the request
PATCH Configure EU region proxy
/api/v1/containers/{container_id}/network
Click "Run" to execute the request
PATCH Configure Asia region proxy
/api/v1/containers/{container_id}/network
Click "Run" to execute the request

Test your API from multiple regions simultaneously.

Network + Firewall + Permissions

Section titled “Network + Firewall + Permissions”

Three-layer defense for complete traffic control:

Step 1: Route through VPN:

PATCH Route all traffic through VPN
/api/v1/containers/{container_id}/network
Click "Run" to execute the request

Step 2: Only allow HTTPS through VPN (firewall):

POST Allow HTTPS traffic (port 443)
/api/v1/containers/{container_id}/firewall/egress
Click "Run" to execute the request
POST Block all other TCP traffic
/api/v1/containers/{container_id}/firewall/egress
Click "Run" to execute the request

Result: Traffic routes through VPN, but only HTTPS permitted by firewall.

Three-layer security:

LayerControlsPage
Network ConfigExit IP routing (outbound)This page
FirewallPacket filtering (ingress/egress)Firewall →
Proxy PermissionsHTTP service access (inbound)Permissions →

Layer all three for defense-in-depth.

Managing Network Configuration

Section titled “Managing Network Configuration”

Get Current Config

Section titled “Get Current Config”
Terminal window
# View current network configuration
hoody network get --container $CONTAINER_ID

Remove Config (Restore Default)

Section titled “Remove Config (Restore Default)”
Terminal window
# Remove network config, restore direct connection
hoody network delete --container $CONTAINER_ID

Start / Stop Network Proxy

Section titled “Start / Stop Network Proxy”
Terminal window
# Start network proxy/blocking
hoody network start --container $CONTAINER_ID


# Stop network proxy/blocking
hoody network stop --container $CONTAINER_ID

Verify Exit IP

Section titled “Verify Exit IP”

Test from inside container:

Terminal window
# Via hoody-terminal
curl ifconfig.me


# Should show VPN IP, not server IP

Best Practices

Section titled “Best Practices”

1. Use SOCKS5 for Universal Routing

Section titled “1. Use SOCKS5 for Universal Routing”

Hoody DNATs all container TCP egress regardless of proxy type, but a SOCKS5 upstream natively forwards ANY TCP protocol (SSH, databases, custom protocols) without relying on CONNECT tunneling. Use SOCKS5 unless your environment specifically requires an HTTP/HTTPS forward proxy.

2. Test Config Before Production

Section titled “2. Test Config Before Production”

Test in dev container first:

PATCH Test proxy configuration in dev container
/api/v1/containers/{container_id}/network
Click "Run" to execute the request

Verify exit IP with curl ifconfig.me from inside the container, test app connectivity, then apply to production.

3. Document Your Routing

Section titled “3. Document Your Routing”
Terminal window
# ✅ Good comment
{"comment": "UK VPN for BBC API - geo-restricted content"}


# ❌ Vague comment
{"comment": "vpn"}

4. Combine with Firewall for Defense-in-Depth

Section titled “4. Combine with Firewall for Defense-in-Depth”

Route through VPN + restrict allowed destinations = complete traffic control.

Useful Questions

Section titled “Useful Questions”

Does Network Configuration affect container service URLs?

Section titled “Does Network Configuration affect container service URLs?”

No. Hoody Proxy service URLs (terminal, files, display) remain accessible. Network Config only affects outbound connections FROM the container.

What happens if SOCKS5 proxy goes down?

Section titled “What happens if SOCKS5 proxy goes down?”

Container cannot make outbound connections. Update config with different proxy or DELETE /network to revert to direct connection.

Can I use multiple proxies simultaneously?

Section titled “Can I use multiple proxies simultaneously?”

One proxy per container via Network Configuration. For multi-hop, configure first SOCKS5 via Network Config, then run second SOCKS5 client inside container. Or spawn multiple containers, each with different proxy.

Does this work with WireGuard or OpenVPN?

Section titled “Does this work with WireGuard or OpenVPN?”

Not yet—currently supports SOCKS5/HTTP/HTTPS proxy routing only. WireGuard routing is planned for a future update. Many VPN providers offer SOCKS5 endpoints as an alternative.

Do changes require container restart?

Section titled “Do changes require container restart?”

No. Changes apply immediately to new connections. Existing connections may continue using old route.

Can containers communicate with each other in block mode?

Section titled “Can containers communicate with each other in block mode?”

Yes—via Hoody Proxy service URLs (HTTP-based). Block mode prevents outbound INTERNET connections, not container-to-container communication.

Troubleshooting

Section titled “Troubleshooting”

Cannot Access Internet After Configuring VPN

Section titled “Cannot Access Internet After Configuring VPN”

Solutions:

  1. Verify network service running: GET /containers/{id}/network → check "status": "running"
  2. Test proxy from host: curl --proxy socks5://user:pass@vpn.com:1080 https://ifconfig.me
  3. Check proxy URL format: socks5://username:password@host:port
  4. Remove config and test direct: DELETE /containers/{id}/network

DNS Resolution Fails

Section titled “DNS Resolution Fails”

Solutions:

  1. Configure custom DNS:
PATCH Configure SOCKS5 with custom DNS servers
/api/v1/containers/{container_id}/network
Click "Run" to execute the request
  1. Ensure firewall allows DNS:
POST Allow DNS traffic (UDP port 53)
/api/v1/containers/{container_id}/firewall/egress
Click "Run" to execute the request

Proxy Authentication Fails

Section titled “Proxy Authentication Fails”

Check:

  1. Credentials correct
  2. Special characters URL-encoded (@ = %40, : = %3A)
  3. VPN subscription active
  4. Test from host: curl --proxy socks5://user:pass@vpn.com:1080 https://ifconfig.me

Exit IP Not Changing

Section titled “Exit IP Not Changing”

Verify:

  1. Network service running: GET /network → check remote_status.is_running is true (or status is running)
  2. Test from container: curl ifconfig.me (should show proxy IP, not server IP)
  3. Check DNS leaks: curl -4 ifconfig.me (force IPv4)

What’s Next

Section titled “What’s Next”

Complete networking setup:

Understanding gained:

  • ✅ Network Configuration controls OUTBOUND traffic (exit IP)
  • ✅ Hoody Proxy controls INBOUND traffic (service URLs)
  • ✅ SOCKS5 routes ANY TCP protocol (most versatile)
  • ✅ Host-level routing = zero in-container configuration
  • ✅ Block mode = complete internet isolation

Change your exit IP with one API call.
SOCKS5 with credentials = maximum flexibility.

Network routing that just works—configured at host level, invisible to applications.