Diffstat (limited to 'docs/src/content')
-rw-r--r-- | docs/src/content/addons-overview.md | 2
-rw-r--r-- | docs/src/content/concepts-certificates.md | 12
-rw-r--r-- | docs/src/content/howto-transparent.md | 38
3 files changed, 43 insertions, 9 deletions
diff --git a/docs/src/content/addons-overview.md b/docs/src/content/addons-overview.md index fea5feb2..bfde7f27 100644 --- a/docs/src/content/addons-overview.md +++ b/docs/src/content/addons-overview.md @@ -64,7 +64,7 @@ Here are a few things to note about the code above: finds into the addons mechanism. - Addons are just objects - in this case our addon is an instance of `Counter`. - The `request` method is an example of an **event**. Addons simply implement a - method for each event they wan to handle. Each event has a signature + method for each event they want to handle. Each event has a signature consisting of arguments that are passed to the method. For `request`, this is an instance of `mitmproxy.http.HTTPFlow`. - Finally, the `ctx` module is a holdall module that exposes a set of standard diff --git a/docs/src/content/concepts-certificates.md b/docs/src/content/concepts-certificates.md index e6586576..1dcb2f97 100644 --- a/docs/src/content/concepts-certificates.md +++ b/docs/src/content/concepts-certificates.md @@ -32,7 +32,7 @@ reason. Below is a list of pointers to manual certificate installation documentation for some common platforms. The mitmproxy CA cert is located in `~/.mitmproxy` after it has been generated at the first start of mitmproxy. -- [IOS](http://jasdev.me/intercepting-ios-traffic) +- [IOS](http://jasdev.me/intercepting-ios-traffic) On iOS 10.3 and onwards, you also need to enable full trust for the mitmproxy root certificate: 1. Go to Settings > General > About > Certificate Trust Settings. 
@@ -42,12 +42,12 @@ documentation for some common platforms. The mitmproxy CA cert is located in - [Java](https://docs.oracle.com/cd/E19906-01/820-4916/geygn/index.html) - [Android/Android Simulator](http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets) - [Windows](https://web.archive.org/web/20160612045445/http://windows.microsoft.com/en-ca/windows/import-export-certificates-private-keys#1TC=windows-7) -- [Windows (automated)](https://technet.microsoft.com/en-us/library/cc732443.aspx) +- [Windows (automated)](https://technet.microsoft.com/en-us/library/cc732443.aspx) {{< highlight bash >}} certutil.exe -importpfx Root mitmproxy-ca-cert.p12 {{< / highlight >}} - + - [Mac OS X](https://support.apple.com/kb/PH20129) - [Ubuntu/Debian]( https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate/94861#94861) - [Mozilla Firefox](https://wiki.mozilla.org/MozillaRootCertificate#Mozilla_Firefox) @@ -143,14 +143,14 @@ mitmproxy --cert *.example.com=cert.pem By default, mitmproxy will use `~/.mitmproxy/mitmproxy-ca.pem` as the certificate authority to generate certificates for all domains for which no custom certificate is provided (see above). You can use your own -certificate authority by passing the `--cadir DIRECTORY` option to +certificate authority by passing the `--set confdir=DIRECTORY` option to mitmproxy. Mitmproxy will then look for `mitmproxy-ca.pem` in the specified directory. If no such file exists, it will be generated automatically. ## Using a client side certificate -You can use a client certificate by passing the `--client-certs DIRECTORY|FILE` +You can use a client certificate by passing the `--set client_certs=DIRECTORY|FILE` option to mitmproxy. Using a directory allows certs to be selected based on hostname, while using a filename allows a single specific certificate to be used for all SSL connections. Certificate files must be in the PEM format and should 
@@ -158,7 +158,7 @@ contain both the unencrypted private key and the certificate. ### Multiple client certificates -You can specify a directory to `--client-certs`, in which case the matching +You can specify a directory to `--set client_certs=DIRECTORY`, in which case the matching certificate is looked up by filename. So, if you visit example.org, mitmproxy looks for a file named `example.org.pem` in the specified directory and uses this as the client cert. diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index ee5b9f57..07a21ec9 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md 
@@ -221,13 +221,47 @@ Note that the **rdr** rules in the pf.conf given above only apply to inbound traffic. **This means that they will NOT redirect traffic coming from the box running pf itself.** We can't distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection -from mitmproxy itself - if you want to intercept your OSX traffic, you -should use an external host to run mitmproxy. Nonetheless, pf is +from mitmproxy itself. If you want to intercept your own macOS traffic, see the work-around below or use an external host to run mitmproxy. In fact, PF is flexible to cater for a range of creative possibilities, like intercepting traffic emanating from VMs. See the **pf.conf** man page for more. {{% /note %}} +### Work-around to redirect traffic originating from the machine itself + +Follow the steps **1, 2** as above. In step **3** change the contents of the file **pf.conf** to + +{{< highlight none >}} +#The ports to redirect to proxy +redir_ports = "{http, https}" + +#The address the transparent proxy is listening on +tproxy = "127.0.0.1 port 8080" + +#The user the transparent proxy is running as +tproxy_user = "nobody" + +#The users whose connection must be redirected. +# +#This cannot involve the user which runs the +#transparent proxy as that would cause an infinite loop. +# +#Here we redirect for all users which don't run transparent proxy. +redir_users = "{ !=" $tproxy_user "}" + +#If you only wish to redirect traffic for particular users +#you may also do: +#redir_users = "{= john, = jane}" + +rdr pass proto tcp from any to any port $redir_ports -> $tproxy +pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user $redir_users +{{< / highlight >}} + +Follow steps **4-6** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. 
Hence step **7** should look like: + +{{< highlight bash >}} +sudo -u nobody mitmproxy --mode transparent --showhost +{{< / highlight >}} ## "Full" transparent mode on Linux |
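Review bot: in concepts-certificates.md, hunk `@@ -32,7 +32,7 @@`, the link text `[IOS]` should be `[iOS]` to match "On iOS 10.3 and onwards" on the very next line. The removed and added versions of that line differ only in whitespace, so fixing the casing here would give the change a visible purpose.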
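Review bot: in concepts-certificates.md, hunk `@@ -42,12 +42,12 @@`, both changes (the `[Windows (automated)]` line and the blank line after the `certutil.exe` highlight block) differ only in whitespace and cannot be checked in review. If this is an editor stripping or adding trailing spaces, drop these two changes from the commit or say in the commit message that they are whitespace cleanup; if the spacing matters for how the list item and its highlight block render, a short comment in the source would keep it from being undone.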
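Review bot: in concepts-certificates.md, hunk `@@ -143,14 +143,14 @@`, replacing `--cadir DIRECTORY` with `--set confdir=DIRECTORY` leaves the surrounding sentence describing the option purely as a way to "use your own certificate authority". The option name suggests it relocates the whole configuration directory, not only the CA, so a sentence stating what else is read from that directory would help. The new `--set client_certs=DIRECTORY|FILE` line is also noticeably longer than the wrapped lines around it and should be re-wrapped.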
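Review bot: in concepts-certificates.md, hunk `@@ -158,7 +158,7 @@`, "You can specify a directory to `--set client_certs=DIRECTORY`" no longer reads correctly, because the placeholder already stands for the directory. Suggest "You can set `client_certs` to a directory, in which case the matching certificate is looked up by filename", re-wrapped to the width of the neighbouring lines.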
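Review bot: in howto-transparent.md, hunk `@@ -221,13 +221,47 @@`, the new rule `rdr pass proto tcp from any to any port $redir_ports -> $tproxy` names no interface, so it is not limited to the loopback traffic that the `route-to (lo0 127.0.0.1)` rule produces, and the `pass` modifier lets matching packets skip the remaining filter rules. Consider scoping it as `rdr pass on lo0 ...`, or add a sentence explaining why matching on every interface is intended. The text should also state that, with `redir_users = "{ !=" $tproxy_user "}"`, any other process running as `nobody` is exempt from redirection along with mitmproxy. Minor: "In fact, PF is flexible to cater" reads oddly after the rewording and uses "PF" where the same note says "pf", and the rewritten line is not re-wrapped like its neighbours.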