Skip to content

Live Preview 401 on remote tunnel with corporate MITM proxy: cert mismatch when host is 127.0.0.1 #843

Description

@chirag127

Summary

When VS Code is on a corporate network with a TLS-intercepting (MITM) proxy, Live Preview's built-in server binds to 127.0.0.1. Accessing the preview via a remote tunnel (e.g. https://<id>-3000.aue.devtunnels.ms/) returns 401. The root cause is distinct from the host-header issue described in #462: here, the corp proxy intercepts the TLS handshake and presents a corporate CA-signed cert for 127.0.0.1, which the tunnel ingress rejects with a 401/SSL error.

Related: #462 (generic tunnel 401, host-header workaround)

Environment

  • OS: Windows 11 Enterprise 10.0.26200
  • VS Code: 1.122+
  • Live Preview extension: latest
  • Network: corp SSO + TLS-intercepting proxy (Zscaler / BlueCoat class)
  • Node: 24.x (used by extension host)
  • PowerShell: 7.6

Steps to Reproduce

  1. Connect VS Code to a corp network with an HTTPS-intercepting proxy.
  2. Open any HTML file → Live Preview: Start Server.
  3. Open Command Palette → Ports: Forward a Port → forward port 3000.
  4. Open the forwarded devtunnel URL (https://<id>-3000.aue.devtunnels.ms/) from a browser outside the corp network (or from a mobile device).
  5. Observe 401 Unauthorized response.

Expected Behavior

The preview loads normally via the forwarded tunnel URL (as it does on non-proxied networks).

Actual Behavior

401 response. Browser network trace shows the proxy presents its own TLS certificate for 127.0.0.1; the tunnel ingress sees a cert it didn't issue and rejects the connection.

Notes

  • The mitmproxy / ngrok workarounds in 401 when using remote tunnel #462 do work, but they require installing extra tools that are often blocked on corp machines.
  • The simplest corp-safe fix would be a livePreview.serverCertificatePolicy setting or an explicit opt-in to skip TLS for loopback-only addresses, or a proxyBypass config that tells VS Code's http.proxy to exclude 127.0.0.1 from interception.
  • "no_proxy": "127.0.0.1,localhost" in settings.jsonhttp.noProxy does NOT help because the interception happens at the OS/Zscaler driver level, below VS Code's Node http stack.

Workaround

Set "http.proxySupport": "off" in VS Code settings and ensure 127.0.0.1 is in the system NO_PROXY env var. Partial relief only — the tunnel ingress still validates the cert chain.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions