ProxyPass does not support plain HTTP connections to the cloud. Every connection — from clients to the cloud, and from the cloud through the tunnel to nodes — is encrypted with TLS. This is not configurable. There is no flag to disable it. There is no legacy compatibility mode.
The Reason Is Simple
Your API key and node ID travel in every request. Over plain HTTP, those credentials would be visible to anyone on the network path — ISPs, WiFi operators, corporate proxies, anyone running a packet sniffer. A leaked API key means unauthorized access to your tunnel and every device behind it.
Some tunneling services offer HTTP as a convenience for development or for endpoints that do not support TLS. ProxyPass does not, because the risk is not worth the convenience.
Scenario: The Coffee Shop WiFi
A developer on your team is working from a coffee shop. They need to check on a remote device through ProxyPass. If ProxyPass allowed plain HTTP, their API key would travel unencrypted over the coffee shop's WiFi. Anyone on the same network — with freely available tools — could capture that key and use it to access your entire tunnel infrastructure.
With HTTPS-only, the developer's request is encrypted before it leaves their laptop. The coffee shop's WiFi sees encrypted bytes. The API key is protected regardless of the network environment. No configuration required. No VPN needed. It just works securely.
What About HTTP Devices?
If you need to reach a device that speaks plain HTTP — and many IoT devices do — the REST Bridge handles it safely. Your request travels encrypted to the ProxyPass cloud, encrypted through the tunnel to the node, and only the last hop inside the customer's own LAN is plain HTTP. The credentials never leave the encrypted path.
Double Encryption in CONNECT Mode
For CONNECT mode, the encryption story is even stronger. Your client establishes its own TLS session directly with the target, inside the already-encrypted tunnel. ProxyPass sees only opaque bytes — double-encrypted traffic where even the tunnel operator cannot read the content.
Security by Default
HTTPS-only is a deliberate constraint that eliminates an entire class of credential-exposure vulnerabilities. It means ProxyPass works correctly by default, without relying on users to remember to check a TLS checkbox or configure certificates. You connect, and it is encrypted. Always.