Diffstat (limited to 'docs/src')
-rw-r--r-- | docs/src/content/howto-transparent.md | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index 00db189e..ea1b1076 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md 
@@ -221,13 +221,47 @@ Note that the **rdr** rules in the pf.conf given above only apply to inbound traffic. **This means that they will NOT redirect traffic coming from the box running pf itself.** We can't distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection -from mitmproxy itself - if you want to intercept your OSX traffic, you -should use an external host to run mitmproxy. Nonetheless, pf is +from mitmproxy itself. If you want to intercept your own macOS traffic, see the work-around below or use an external host to run mitmproxy. In fact, PF is flexible to cater for a range of creative possibilities, like intercepting traffic emanating from VMs. See the **pf.conf** man page for more. {{% /note %}} +### Work-around to redirect traffic originating from the machine itself + +Follow the steps **1, 2** as above. In step **3** change the contents of the file **pf.conf** to + +{{< highlight none >}} +#The ports to redirect to proxy +redir_ports = "{http, https}" + +#The address the transparent proxy is listening on +tproxy = "127.0.0.1 port 8080" + +#The user the transparent proxy is running as +tproxy_user = "nobody" + +#The users whose connection must be redirected. +# +#This cannot involve the user which runs the +#transparent proxy as that would cause an infinite loop. +# +#Here we redirect for all users which don't run transparent proxy. +redir_users = "{ !=" $tproxy_user "}" + +#If you only wish to redirect traffic for particular users +#you may also do: +#redir_users = "{= john, = jane}" + +rdr pass proto tcp from any to any port $redir_ports -> $tproxy +pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user $redir_users +{{< / highlight >}} + +Follow steps **4-6** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. 
Hence step **7** should look like: + +{{< highlight bash >}} +sudo -u nobody mitmproxy --mode transparent --showhost +{{< / highlight >}} ## "Full" transparent mode on Linux |
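Review bot: The closing paragraph and the step 7 command hard-code `nobody`, while the pf.conf above takes the account from the `tproxy_user` macro. A reader who changes the macro but copies `sudo -u nobody mitmproxy --mode transparent --showhost` as written ends up with the infinite loop that the config comment warns about. Suggest wording both places in terms of "the user set in `tproxy_user`" and stating the loop consequence next to step 7, not only inside a pf.conf comment. Also worth documenting: `redir_users = "{ !=" $tproxy_user "}"` matches every other account on the machine, so the text should say plainly that http and https traffic from all other local users is intercepted, and could present the commented-out per-user form (`redir_users = "{= john, = jane}"`) as the narrower choice. Minor style point in the edited note: "PF is flexible to cater for" now sits beside lowercase "pf" earlier in the same note; "pf is flexible enough to cater for" would read better and stay consistent.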