2014-10-18 16:29:35 +00:00
There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism:
- **Certificate pinning:** Some traffic is protected using
[certificate pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning) and mitmproxy's
interception leads to errors. For example, Windows Update or the Apple App Store fail to work if mitmproxy is active.
- **Convenience:** You really don't care about some parts of the traffic and just want them to go away.
If you want to peek into (SSL-protected) non-HTTP connections, check out the [tcp proxy](@!urlTo("tcpproxy.html")!@) feature.
If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the
[response streaming](@!urlTo("responsestreaming.html")!@) feature.
## How it works
<table class="table">
<tbody>
<tr>
<th width="20%">command-line</th> <td>--ignore regex</td>
</tr>
<tr>
<th>mitmproxy shortcut</th> <td><b>I</b></td>
</tr>
</tbody>
</table>
mitmproxy allows you to specify a regex which is matched against a <code>host:port</code> string (e.g. "example.com:443")
to determine hosts that should be excluded.
There are two important quirks to consider:
- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the hostname from the
Host header if the --host argument is passed to mitmproxy, we do not have access to this information before the SSL
handshake.
- In regular mode, explicit HTTP requests are never ignored.[^explicithttp] The ignore pattern is applied on CONNECT
requests, which initiate HTTPS or clear-text WebSocket connections.
### Tutorial
If you just want to ignore one specific domain, there's usually a bulletproof method to do so:
1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect
messages. mitmproxy will filter on these.
2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \\.)
and use this as your ignore pattern:
<pre class="terminal">
$ mitmdump -v
127.0.0.1:50588: clientconnect
127.0.0.1:50588: request
-> CONNECT example.com:443 HTTP/1.1
127.0.0.1:50588: Set new server address: example.com:443
<span style="color: white">127.0.0.1:50588: serverconnect
-> example.com:443</span>
^C
$ <span style="color: white">mitmproxy --ignore ^example\.com:443$</span>
</pre>
Here are some other examples for ignore patterns:
<pre>
# Exempt traffic from the iOS App Store (the regex is lax, but usually just works):
--ignore apple.com:443
# "Correct" version without false-positives:
--ignore ^(.+\.)?apple\.com:443$
# Ignore example.com, but not its subdomains:
--ignore ^example.com:
# Ignore everything but example.com and mitmproxy.org:
--ignore ^(?!example\.com)(?!mitmproxy\.org)
# Transparent mode:
--ignore 17\.178\.96\.59:443
# IP address range:
--ignore 17\.178\.\d+\.\d+:443
</pre>
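To see what each of the patterns above actually exempts, here is an added Python example (not mitmproxy's own code) that applies them to a constructed list of host:port strings, including the bare IP addresses that transparent mode matches against. It assumes the regex is applied with `re.search` semantics, which is what the `^` and `$` anchors in the stricter examples imply.

```python
import re

# Constructed sample of the "host:port" strings mitmproxy matches against:
# hostnames in regular mode, bare IP addresses in transparent mode.
SAMPLE_CONNECTIONS = [
    "example.com:443",
    "www.example.com:443",
    "notexample.com:443",
    "apple.com:443",
    "itunes.apple.com:443",
    "pineapple.com:443",
    "mitmproxy.org:443",
    "17.178.96.59:443",
    "17.178.1.2:443",
]


def is_ignored(pattern: str, host_port: str) -> bool:
    """True if the --ignore pattern exempts this connection.

    Assumption: the regex is applied with search() semantics, so an
    unanchored pattern matches anywhere in the string; that is why the
    stricter examples wrap the pattern in ^ and $.
    """
    return re.search(pattern, host_port) is not None


def exempted(pattern: str, connections=SAMPLE_CONNECTIONS) -> list:
    """Return the connections from the sample that the pattern would exempt."""
    return [c for c in connections if is_ignored(pattern, c)]


if __name__ == "__main__":
    for pattern in (
        r"apple.com:443",                        # lax: also hits pineapple.com
        r"^(.+\.)?apple\.com:443$",              # strict: apple.com and its subdomains only
        r"^example.com:",                        # example.com but not its subdomains
        r"^(?!example\.com)(?!mitmproxy\.org)",  # everything else, subdomains included
        r"17\.178\.\d+\.\d+:443",                # transparent mode: an IP range
    ):
        print(f"{pattern!r:45} -> {exempted(pattern)}")
```

Note that the "everything but" pattern also exempts `www.example.com:443`, because the negative lookahead only protects strings that begin with the literal `example.com`.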
### See Also
- [TCP Proxy](@!urlTo("tcpproxy.html")!@)
- [Response Streaming](@!urlTo("responsestreaming.html")!@)
[^explicithttp]: This stems from a limitation of explicit HTTP proxying: a single connection can be re-used for multiple target domains - a <code>GET http://example.com/</code> request may be followed by a <code>GET http://evil.com/</code> request on the same connection. If we started to ignore the connection after the first request, we would miss the relevant second one.