mitmproxy/doc-src/features/passthrough.html

There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism:

- **Certificate pinning:** Some traffic is is protected using
  [certificate pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning) and mitmproxy's
  interception leads to errors. For example, Windows Update or the Apple App Store fail to work if mitmproxy is active.
- **Convenience:** You really don't care about some parts of the traffic and just want them to go away.

If you want to peek into (SSL-protected) non-HTTP connections, check out the [tcp proxy](@!urlTo("tcpproxy.html")!@) feature.
If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the
[response streaming](@!urlTo("responsestreaming.html")!@) feature.

## How it works


<table class="table">
    <tbody>
        <tr>
            <th width="20%">command-line</th> <td>--ignore regex</td>
        </tr>
        <tr>
            <th>mitmproxy shortcut</th> <td><b>I</b></td>
        </tr>
    </tbody>
</table>


mitmproxy allows you to specify a regex which is matched against a <code>host:port</code> string (e.g. "example.com:443")
to determine hosts that should be excluded. 

There are two important quirks to consider:

- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the hostname from the 
  Host header if the --host argument is passed to mitmproxy, we do not have access to this information before the SSL
  handshake.
- In regular mode, explicit HTTP requests are never ignored.[^explicithttp] The ignore pattern is applied on CONNECT
  requests, which initiate HTTPS or clear-text WebSocket connections.


### Tutorial

If you just want to ignore one specific domain, there's usually a bulletproof method to do so:

1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect 
messages. mitmproxy will filter on these.
2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \\.) 
and use this as your ignore pattern:

<pre class="terminal">
$ mitmdump -v
127.0.0.1:50588: clientconnect
127.0.0.1:50588: request
  -> CONNECT example.com:443 HTTP/1.1
127.0.0.1:50588: Set new server address: example.com:443
<span style="color: white">127.0.0.1:50588: serverconnect
  -> example.com:443</span>
^C
$ <span style="color: white">mitmproxy --ignore ^example\.com:443$</span>    
</pre>

Here are some other examples for ignore patterns:
<pre>
# Exempt traffic from the iOS App Store (usually just works):
--ignore apple.com:443  
# "Correct" version without false-positives:
--ignore ^(.+\.)?apple\.com:443$ 
    
# Ignore example.com on all ports, but no subdomains:
--ignore ^example.com:
    
# Transparent mode:
--ignore 17\.178\.96\.59:443
# IP address range:
--ignore 17\.178\.\d+\.\d+:443
</pre>

### See Also

- [TCP Proxy](@!urlTo("tcpproxy.html")!@)
- [Response Streaming](@!urlTo("responsestreaming.html")!@)

[^explicithttp]: This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a <code>GET http://example.com/</code> request may be followed by a <code>GET http://evil.com/</code> request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one.
add generic tcp proxying, fix #374 2014-10-18 16:29:35 +00:00			`There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism:`
document --ignore, fix #350 2014-09-08 11:41:25 +00:00
			`- Certificate pinning: Some traffic is is protected using`
			`[certificate pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning) and mitmproxy's`
			`interception leads to errors. For example, Windows Update or the Apple App Store fail to work if mitmproxy is active.`
			`- Convenience: You really don't care about some parts of the traffic and just want them to go away.`

add generic tcp proxying, fix #374 2014-10-18 16:29:35 +00:00			`If you want to peek into (SSL-protected) non-HTTP connections, check out the [tcp proxy](@!urlTo("tcpproxy.html")!@) feature.`
			`If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the`
document --ignore, fix #350 2014-09-08 11:41:25 +00:00			`[response streaming](@!urlTo("responsestreaming.html")!@) feature.`

			`## How it works`


			`<table class="table">`
			`<tbody>`
			`<tr>`
			`<th width="20%">command-line</th> <td>--ignore regex</td>`
			`</tr>`
			`<tr>`
			`<th>mitmproxy shortcut</th> <td><b>I</b></td>`
			`</tr>`
			`</tbody>`
			`</table>`


			`mitmproxy allows you to specify a regex which is matched against a <code>host:port</code> string (e.g. "example.com:443")`
			`to determine hosts that should be excluded.`

			`There are two important quirks to consider:`

			`- In transparent mode, the ignore pattern is matched against the IP. While we usually infer the hostname from the`
			`Host header if the --host argument is passed to mitmproxy, we do not have access to this information before the SSL`
			`handshake.`
			`- In regular mode, explicit HTTP requests are never ignored.[^explicithttp] The ignore pattern is applied on CONNECT`
			`requests, which initiate HTTPS or clear-text WebSocket connections.`


			`### Tutorial`

			`If you just want to ignore one specific domain, there's usually a bulletproof method to do so:`

			`1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect`
			`messages. mitmproxy will filter on these.`
			`2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \\.)`
			`and use this as your ignore pattern:`

			`<pre class="terminal">`
			`$ mitmdump -v`
			`127.0.0.1:50588: clientconnect`
			`127.0.0.1:50588: request`
			`-> CONNECT example.com:443 HTTP/1.1`
			`127.0.0.1:50588: Set new server address: example.com:443`
			`<span style="color: white">127.0.0.1:50588: serverconnect`
			`-> example.com:443</span>`
			`^C`
			`$ <span style="color: white">mitmproxy --ignore ^example\.com:443$</span>`
			`</pre>`

			`Here are some other examples for ignore patterns:`
			`<pre>`
			`# Exempt traffic from the iOS App Store (usually just works):`
			`--ignore apple.com:443`
			`# "Correct" version without false-positives:`
			`--ignore ^(.+\.)?apple\.com:443$`

			`# Ignore example.com on all ports, but no subdomains:`
			`--ignore ^example.com:`

			`# Transparent mode:`
			`--ignore 17\.178\.96\.59:443`
			`# IP address range:`
			`--ignore 17\.178\.\d+\.\d+:443`
			`</pre>`

add generic tcp proxying, fix #374 2014-10-18 16:29:35 +00:00			`### See Also`

			`- [TCP Proxy](@!urlTo("tcpproxy.html")!@)`
			`- [Response Streaming](@!urlTo("responsestreaming.html")!@)`

document --ignore, fix #350 2014-09-08 11:41:25 +00:00			`[^explicithttp]: This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a <code>GET http://example.com/</code> request may be followed by a <code>GET http://evil.com/</code> request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one.`