Skip to main content

Migrating from Sauce Connect Proxy 4

This topic describes how to migrate to the new Sauce Connect Proxy version 5 from a previous install of Sauce Connect Proxy version 4.

Installing and Upgrading Sauce Connect 5

You can now install or upgrade Sauce Connect version 5 with a package manager system such as Homebrew, Debian or RPM, and upgrading to the latest release is now much easier. If you prefer, there is still the option to download binary files as before. See Sauce Connect 5 Install for more details.

Major Differences

  • sc run is now used to start a tunnel, as there are now other subcommands that can be used.
  • --tunnel-name is now required.
  • --region is now required.
  • SSL Certificate Bumping is now OFF by default, and is called TLS Resigning.
  • Domain matching for deny/direct/tunnel domains now uses the standard regex format.

Unsupported Features

  • Selenium Relay has been removed.
  • PID file has been removed.
  • Readyfile has been removed.
  • Log rotation has been removed.
  • Proxy autodetection is not supported.

Quick Start using sc legacy

The sc legacy command is used to translate SC4 configuration to SC5.

For a quick sanity check, you can start Sauce Connect with the legacy command:

$ sc5 legacy -c orig.yaml
2024/01/31 21:57:42.194037 [control] [INFO] Sauce Connect Proxy version=5.0.0
2024/01/31 21:57:42.194381 [control] [INFO] please wait for 'you may start your tests' to start your tests
2024/01/31 21:57:42.194387 [control] [INFO] provisioning Sauce Connect region=us-west name=v4-tunnel
2024/01/31 21:57:49.183799 [control] [INFO] Sauce Connect running id=b45cb99acace494eb7f5ea0de5384b78
2024/01/31 21:57:49.183896 [tunnel] [INFO] waiting for Sauce Connect server to be reachable
2024/01/31 21:57:49.394606 [tunnel] [INFO] connecting to
2024/01/31 21:57:50.027660 [tunnel] [INFO] connecting to
2024/01/31 21:57:50.027703 [tunnel] [INFO] established connection to Sauce Connect server active=1/2
2024/01/31 21:57:50.396688 [control] [INFO] Sauce Connect is up, you may start your tests
2024/01/31 21:57:50.500205 [tunnel] [INFO] established connection to Sauce Connect server active=2/2

However, the legacy option will be removed in later versions of Sauce Connect, so we recommend using the legacy command to translate the config file to the new version. You can then use the new config file with the sc run command:

$ cat orig.yaml
api-key: xxxx
region: us-west
tunnel-name: v4-tunnel
user: saucebot
$ sc5 legacy -c orig.yaml --output-config-file new.yaml
$ cat new.yaml
access-key: xxxx
region: us-west
tunnel-name: v4-tunnel
username: saucebot
$ sc run -c new.yaml
2024/01/31 21:57:42.194037 [control] [INFO] Sauce Connect Proxy version=5.0.0

Note that there are some options that are removed in SC5, and will be dropped from the new config file.

If there are any options that require manual intervention, the command will fail with an error message.

NOTE: The legacy command will use the config file, environment variables, and CLI flags to generate the SC5 configuration file. If you're using environment variables and CLI flags to dynamically generate Sauce Connect configuration, you should review the configuration file that is generated. Options that should be in environment variables or CLI flags should be extracted from the config file.

CLI Changes in Sauce Connect 5

The following flags have changed or been removed with Sauce Connect 5. In addition, to start a tunnel, you'll need to use sc run (previously just sc in version 4). Refer to the Sauce Connect CLI for more details.

Changed Flags

Version 4.xVersion 5.x
--shared-tunnel--shared (accepts values: all)
--verbose--log-level, --log-http
--fast-fail-regexps (URL regex)--deny-domains (list of domain regexps)
--no-ssl-bump-domains (list of domain globs)--tls-passthrough-domains (list of domain regexps)
--tunnel-domains (list of domain globs)--tunnel-domains (list of domain regexps)
--direct-domains (list of domain globs)--direct-domains (list of domain regexps)
--pac-auth, --proxy-userpwd--auth
--proxy-localhost (flag, send localhost through proxy)--proxy-localhost (configure localhost access: allow, direct, deny)
--proxy-tunnel (proxy saucelabs tunnel connection)--proxy-sauce (proxy any connection)
--status-address (status info only)--api-address (several endpoints, including metrics)

Removed Flags

Version 4.xVersion 5.x
--readyfilesee Readiness Checks

New Behavior in Sauce Connect 5


Any credentials (proxy, sites under test) to be used have been consolidated into the --auth flag which is in the <username[:password]@host:port> format.

For example, if you have a parent proxy with authorization, but also have a SUT with authorization, you would use:

--proxy --auth foo:bar@ --auth test:testpass@

Domain Regexes

The following options now use standard regexes to control SC5 behavior:

  • deny-domains
  • direct-domains
  • tls-passthrough-domains
  • tls-resign-domains
  • tunnel-domains

For example, to deny access to any domain, you would use:

--deny-domains '^.*\.google\.com$'

You can also prefix the option with a - character to remove it from the list, so to deny access to any domain, but allow, you could use:

--deny-domains '^.*\.google\.com$'  --deny-domains '-^mail\.google\.com$'

Regex 101 is an excellent site to troubleshoot regexes.

NOTE: Pay attention to shell wildcard rules if you're using CLI flags for these settings. The options should be wrapped with quotation marks to avoid issues. Using config files is recommended to avoid shell wildcard expansion issues.

NOTE: . is a wildcard, so if you're matching domains separated by periods, they should be escaped with backslashes.

NOTE: To ensure you're not matching any extra domains, use the ^ and $ characters to mark the start and end of the domain to be matched.

Alternatives to Deprecated Features

Readiness Checks

SC5 has been designed to integrate with Kubernetes and other container management systems. The readyfile and status-address options have been replaced by the api-address option. See Readiness Checks for more details.

PID Files

Tracking process state through a PID file is error-prone and no longer recommended, and the PID file option has been removed. If you need to track process health, we recommend running it as a system service (ie SystemD) or as a Docker container.

Log Rotation

SC5 leaves log management to third party tools such as journald. It can log to stdout or a single file.

Proxy Updates

Sauce Connect 5 no longer uses the HTTP(S)_PROXY and NO_PROXY environment variables.

To send REST API (ie, starting or stopping a tunnel) traffic through the proxy, use the --proxy-sauce option.

To send tunnel (site under test) traffic through a proxy, use the --proxy option.

Most proxy combinations can be controlled with these two options. However, if you were using the NO_PROXY option to exclude various sites under test from using a parent proxy, you will likely need to use a PAC file instead. The endpoints listed in the NO_PROXY option would use a 'DIRECT' mode in the PAC, and the default would be the proxy.

For example, if you wanted to skip the proxy, and everything else to go through the proxy, you would use the following PAC file:

function FindProxyForURL(url, host) {
if (dnsDomainIs(host, ""))
return "DIRECT";

return "PROXY localhost:3128";

Transition Timeline

Sauce Connect version 5 was released January 16, 2024 and Sauce Connect version 4 is now in maintenance mode until its scheduled End of Life on December 31, 2024. During this period, other than security patches and bug fixes, all new features for Sauce Connect will be released on version 5 only.