The Atlas WebSocket proxy (atlas-proxy) is a WebSocket-to-TCP bridge required for browser deployments. It forwards raw bytes between browser WebSocket connections and TEE TCP endpoints.
Key characteristics
- Byte-level forwarding - No TLS termination
- No access to encrypted traffic - All attestation verification happens in the browser
- Required for browser deployments - Browsers cannot make raw TCP connections
- Allowlist enforcement - Prevents SSRF attacks by restricting target endpoints
Quick start
# Set required allowlist and start proxy
export ATLS_PROXY_ALLOWLIST="vllm.example.com:443,tee2.example.com:8443"
export ATLS_PROXY_LISTEN="127.0.0.1:9000"
cargo run -p atlas-proxy
Environment variables
| Variable | Description | Default | Required |
|---|
ATLS_PROXY_LISTEN | Address and port to listen on | 127.0.0.1:9000 | No |
ATLS_PROXY_TARGET | Default target endpoint | 127.0.0.1:8443 | No |
ATLS_PROXY_ALLOWLIST | Comma-separated list of allowed targets | None | Yes |
The ATLS_PROXY_ALLOWLIST environment variable is required. The proxy rejects all connections by default to prevent SSRF attacks.
Configuration examples
Development (local testing)
# Allow connections to local TEE and production endpoint
export ATLS_PROXY_ALLOWLIST="localhost:8443,vllm.concrete-security.com:443"
export ATLS_PROXY_LISTEN="127.0.0.1:9000"
cargo run -p atlas-proxy
Production (public proxy)
# Listen on all interfaces, restrict to production TEEs
export ATLS_PROXY_ALLOWLIST="tee1.example.com:443,tee2.example.com:443"
export ATLS_PROXY_LISTEN="0.0.0.0:9000"
# In production, consider:
# - Running behind reverse proxy (nginx, caddy) for TLS termination
# - Using systemd/docker for process management
# - Implementing rate limiting and monitoring
cargo run --release -p atlas-proxy
Multiple endpoints
# Allow multiple TEE endpoints on different ports
export ATLS_PROXY_ALLOWLIST="tee1.example.com:443,tee1.example.com:8443,tee2.example.com:443"
export ATLS_PROXY_LISTEN="0.0.0.0:9000"
cargo run -p atlas-proxy
Client configuration
Browser clients specify the target via query parameters:
import { createAtlsFetch } from "@concrete-security/atlas-wasm"
// Target specified in proxyUrl query string
const fetch = createAtlsFetch({
proxyUrl: "ws://127.0.0.1:9000?target=vllm.example.com:443",
targetHost: "vllm.example.com"
})
// Uses ATLS_PROXY_TARGET default if not specified in URL
const fetch = createAtlsFetch({
proxyUrl: "ws://127.0.0.1:9000",
targetHost: "vllm.example.com" // Must be in allowlist
})
Architecture
┌─────────────────────────────────────────────────────┐
│ Browser │
│ ┌──────────────────────────────────────────────┐ │
│ │ WASM (atlas_wasm) │ │
│ │ - TLS 1.3 client │ │
│ │ - Attestation verification │ │
│ │ - HTTP/1.1 protocol handling │ │
│ └──────────────────────────────────────────────┘ │
└─────────────────┬───────────────────────────────────┘
│ WebSocket (encrypted TLS data)
│
┌─────────────────▼───────────────────────────────────┐
│ Proxy (atlas-proxy) │
│ - WebSocket server │
│ - Allowlist enforcement │
│ - Byte forwarding only (no decrypt) │
└─────────────────┬───────────────────────────────────┘
│ TCP (encrypted TLS data)
│
┌─────────────────▼───────────────────────────────────┐
│ TEE Endpoint │
│ - TLS 1.3 server │
│ - Quote generation │
│ - Application (vLLM, etc.) │
└─────────────────────────────────────────────────────┘
- Proxy never sees plaintext (TLS is end-to-end from browser to TEE)
- Proxy only enforces allowlist and forwards bytes
- All security-critical operations happen in browser WASM or TEE
See also