From 9baaf9dfdb1ec4423459c44cd67b807c93bd87d5 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Mon, 29 Mar 2021 17:42:24 +0200 Subject: [PATCH] minor cleanups (#4530) --- CHANGELOG.md | 5 ++- docs/src/content/overview-features.md | 50 ++++----------------------- mitmproxy/addons/block.py | 9 +++-- mitmproxy/addons/blocklist.py | 2 +- mitmproxy/flowfilter.py | 5 ++- 5 files changed, 15 insertions(+), 56 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b75dada7f..02a1518a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,10 +26,9 @@ Mitmproxy has a completely new proxy core, fixing many longstanding issues: We wanted to bring these improvements out, so we have a few temporary regressions: -* HTTP trailers were added in mitmproxy 5.2, but have not made it into the new core yet. * Support for HTTP/2 Push Promises has been dropped. -* Message Injection for WebSocket and TCP connections is not implemented yet. -* SOCKS/5 Proxy Mode is not implemented yet. +* body_size_limit is currently unsupported. +* upstream_auth is currently unsupported. If you depend on these features, please raise your voice in [#4348](https://github.com/mitmproxy/mitmproxy/issues/4348)! diff --git a/docs/src/content/overview-features.md b/docs/src/content/overview-features.md index 2da4712ad..da42d4efa 100644 --- a/docs/src/content/overview-features.md +++ b/docs/src/content/overview-features.md @@ -24,7 +24,7 @@ menu: ## Anticache When the `anticache` option is set, it removes headers (`if-none-match` and -`if-modified-since`) that might elicit a `304 not modified` response from the +`if-modified-since`) that might elicit a `304 Not Modified` response from the server. This is useful when you want to make sure you capture an HTTP exchange in its totality. It's also often used during client-side replay, when you want to make sure the server responds with complete data. @@ -88,7 +88,7 @@ and transparently returned to the client. * **flow-filter** is an optional mitmproxy [filter expression]({{< relref "concepts-filters">}}) that additionally constrains which requests will be redirected. -### Examples +#### Examples Pattern | Description ------- | ----------- @@ -164,7 +164,7 @@ that defines which requests the `map_remote` option applies to. The _separator_ is arbitrary, and is defined by the first character. -### Examples +#### Examples Map all requests ending with `.jpg` to `https://placedog.net/640/480?random`. Note that this might fail if the original HTTP request destination uses HTTP2 but the replaced @@ -210,7 +210,7 @@ whether the hook triggers on the request, response or both using the filter pattern. If you need finer-grained control than this, it's simple to create a script using the replacement API on Flow components. -### Examples +#### Examples Replace `foo` with `bar` in bodies of requests: @@ -258,7 +258,7 @@ whether the hook triggers on the request, response or both using the filter pattern. If you need finer-grained control than this, it's simple to create a script using the replacement API on Flow components. -### Examples +#### Examples Set the `Host` header to `example.org` for all requests (existing `Host` headers are replaced): @@ -289,7 +289,7 @@ Remove existing `Host` headers from all requests: ## Proxy Authentication -Asks the user for authentication before they are permitted to use the proxy. +The `proxyauth` option asks the user for authentication before they are permitted to use the proxy. Authentication headers are stripped from the flows, so they are not passed to upstream servers. For now, only HTTP Basic Authentication is supported. @@ -329,18 +329,6 @@ updated in a similar way. You can turn off this behaviour by setting the `server_replay_refresh` option to `false`. -### Replaying a session recorded in Reverse-proxy Mode - -If you have captured the session in reverse proxy mode, in order to replay it -you still have to specify the server URL, otherwise you may get the error: 'HTTP -protocol error in client request: Invalid HTTP request form (expected authority -or absolute...)'. - -During replay, when the client's requests match previously recorded requests, -then the respective recorded responses are simply replayed by mitmproxy. -Otherwise, the unmatched requests is forwarded to the upstream server. If -forwarding is not desired, you can use the --kill (-k) switch to prevent that. - ## Sticky auth The `stickyauth` option is analogous to the sticky cookie option, in that HTTP @@ -386,29 +374,3 @@ streamed. Requests/Responses that should be tagged for streaming by setting their ``.stream`` attribute to ``True``: {{< example src="examples/addons/http-stream-simple.py" lang="py" >}} - -### Websockets - -The `stream_websockets` option enables an analogous behaviour for websockets. -When WebSocket streaming is enabled, portions of the code which may perform -changes to the WebSocket message payloads will not have any effect on the actual -payload sent to the server as the frames are immediately forwarded to the -server. In contrast to HTTP streaming, where the body is not stored, the message -payload will still be stored in the WebSocket flow. - -## Upstream Certificates - -When mitmproxy receives a connection destined for an SSL-protected service, it -freezes the connection before reading its request data, and makes a connection -to the upstream server to "sniff" the contents of its SSL certificate. The -information gained - the **Common Name** and **Subject Alternative Names** - is -then used to generate the interception certificate, which is sent to the client -so the connection can continue. - -This rather intricate little dance lets us seamlessly generate correct -certificates even if the client has specified only an IP address rather than the -hostname. It also means that we don't need to sniff additional data to generate -certs in transparent mode. - -Upstream cert sniffing is on by default, and can optionally be turned off with -the `upstream_cert` option. diff --git a/mitmproxy/addons/block.py b/mitmproxy/addons/block.py index c1aa83408..37ef39a88 100644 --- a/mitmproxy/addons/block.py +++ b/mitmproxy/addons/block.py @@ -7,16 +7,15 @@ class Block: loader.add_option( "block_global", bool, True, """ - Block connections from globally reachable networks, as defined in - the IANA special purpose registries. + Block connections from public IP addresses. """ ) loader.add_option( "block_private", bool, False, """ - Block connections from private networks, as defined in the IANA - special purpose registries. This option does not affect loopback - addresses. + Block connections from local (private) IP addresses. + This option does not affect loopback addresses (connections from the local machine), + which are always permitted. """ ) diff --git a/mitmproxy/addons/blocklist.py b/mitmproxy/addons/blocklist.py index 4d356b977..ceb6de91d 100644 --- a/mitmproxy/addons/blocklist.py +++ b/mitmproxy/addons/blocklist.py @@ -46,7 +46,7 @@ class BlockList: """ Block matching requests and return an empty response with the specified HTTP status. Option syntax is "/flow-filter/status-code", where flow-filter describes - which requests this rule should be applied to and status-code is the HTTP status code to return for + which requests this rule should be applied to and status-code is the HTTP status code to return for blocked requests. The separator ("/" in the example) can be any character. Setting a non-standard status code of 444 will close the connection without sending a response. """ diff --git a/mitmproxy/flowfilter.py b/mitmproxy/flowfilter.py index 384670ddf..5b67c0766 100644 --- a/mitmproxy/flowfilter.py +++ b/mitmproxy/flowfilter.py @@ -160,14 +160,13 @@ def _check_content_type(rex, message): class FAsset(_Action): code = "a" - help = "Match asset in response: CSS, Javascript, Flash, images." + help = "Match asset in response: CSS, JavaScript, images." ASSET_TYPES = [re.compile(x) for x in [ b"text/javascript", b"application/x-javascript", b"application/javascript", b"text/css", - b"image/.*", - b"application/x-shockwave-flash" + b"image/.*" ]] @only(http.HTTPFlow)