Grasscutters/mitmproxy
3
0
Fork 0
mirror of https://github.com/Grasscutters/mitmproxy.git synced 2024-11-22 15:37:45 +00:00
Code Issues Projects Releases Wiki Activity

docs: consistently use backticks for highlighting

Browse Source
This commit is contained in:
Maximilian Hils 2020-07-04 11:27:00 +02:00
parent c3d3b75517
commit c60c3dbb75
16 changed files with 177 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
docs/src/content/addons-commands.md
View File

@ -23,16 +23,16 @@ Let's begin with a simple example.
To see this example in action, start mitmproxy console with the addon loaded:
{{< highlight bash >}}
```bash
> mitmproxy -s ./examples/addons/commands-simple.py
{{< /highlight >}}
```
Now, make sure the event log is showing, and then execute the command at the
prompt (started by typing ":"):
{{< highlight none>}}
```
:myaddon.inc
{{< /highlight >}}
```
Notice that tab completion works - our addon command has complete parity with
builtin commands. There are a few things to note about this example:
@ -67,28 +67,28 @@ filters]({{< relref addons-options >}}) available. Let's try it out.
Start by loading the addon into mitmproxy and sending some traffic through so we
have flows to work with:
{{< highlight bash >}}
```bash
> mitmproxy -s ./examples/addons/commands-flows.py
{{< /highlight >}}
```
We can now invoke our toy command in various ways. Let's begin by running it
just on the currently focused flow:
{{< highlight none >}}
```
:myaddon.addheader @focus
{{< /highlight >}}
```
We can also invoke it on all flows:
{{< highlight none >}}
```
:myaddon.addheader @all
{{< /highlight >}}
```
Or only flows from **google.com**:
{{< highlight none >}}
```
:myaddon.addheader ~d google.com
{{< /highlight >}}
```
What's more, we can trivially bind these commands to keyboard shortcuts within
mitmproxy if we plan to use them frequently. Flow selectors combined with
@ -107,9 +107,9 @@ Our command calculates a histogram of the domains in the specified set of flows,
and writes it to a path which is specified as the second argument to the
command. Try invoking it like this:
{{< highlight none >}}
```
:myaddon.histogram @all /tmp/xxx
{{< /highlight >}}
```
Notice that mitmproxy provides tab completion both for the flow specification
and the path.

20
docs/src/content/addons-options.md
View File

@ -28,15 +28,15 @@ allows addons declare options and commands. In this case, the addon adds a
single `addheader` option with type `bool`. Let's try this out by running the
script in mitmproxy console:
{{< highlight bash >}}
```bash
> mitmproxy -s ./examples/addons/options-simple.py
{{< /highlight >}}
```
You can now use CURL to make a request through the proxy like this:
{{< highlight bash >}}
```bash
> env http_proxy=http://localhost:8080 curl -I http://google.com
{{< /highlight >}}
```
If you run this request immediately, you'll notice that no count header is
added. This is because our default value for the option was `false`. Press `O`
@ -45,22 +45,22 @@ mitmproxy knows this is a boolean, and lets you toggle the value between true
and false. Set the value to `true`, and you should see a result something like
this:
{{< highlight bash >}}
```bash
> env http_proxy=http://localhost:8080 curl -I http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Length: 219
count: 1
{{< /highlight >}}
```
When this addon is loaded, the `addheader` setting is available in the
persistent [YAML configuration file]({{< relref "concepts-options" >}}). You can
also over-ride the value directly from the command-line for any of the tools
using the `--set` flag:
{{< highlight bash >}}
```bash
mitmproxy -s ./examples/addons/options-simple.py --set addheader=true
{{< /highlight >}}
```
## Handling configuration updates
@ -85,11 +85,11 @@ called with our default value (`None`), and then later with an updated value if
the option is changed. If we try to load the script with an incorrect value, we
now see an error:
{{< highlight none >}}
```
> mitmdump -s ./examples/addons/options-configure.py --set addheader=1000
Loading script: ./examples/addons/options-configure.py
/Users/cortesi/mitmproxy/mitmproxy/venv/bin/mitmdump: addheader must be <= 100
{{< /highlight >}}
```
## Supported Types

8
docs/src/content/addons-overview.md
View File

@ -34,9 +34,9 @@ command-line is to use [pydoc](https://docs.python.org/3/library/pydoc.html).
Here, for example, is a command that shows the API documentation for the
mitmproxy's HTTP flow classes:
{{< highlight bash >}}
```bash
pydoc mitmproxy.http
{{< /highlight >}}
```
You will be referring to the mitmproxy API documentation frequently, so keep
**pydoc** or an equivalent handy.
@ -54,9 +54,9 @@ Take it for a spin and make sure that it does what it's supposed to, by loading
it into your mitmproxy tool of choice. We'll use mitmpdump in these examples,
but the flag is identical for all tools:
{{< highlight bash >}}
```bash
> mitmdump -s ./anatomy.py
{{< /highlight >}}
```
Here are a few things to note about the code above:

10
docs/src/content/concepts-certificates.md
View File

@ -47,9 +47,9 @@ documentation for some common platforms. The mitmproxy CA cert is located in
- [Windows](https://web.archive.org/web/20160612045445/http://windows.microsoft.com/en-ca/windows/import-export-certificates-private-keys#1TC=windows-7)
- [Windows (automated)](https://technet.microsoft.com/en-us/library/cc732443.aspx)
{{< highlight bash >}}
```bash
certutil -addstore root mitmproxy-ca-cert.cer
{{< / highlight >}}
```
- [Mac OS X](https://support.apple.com/kb/PH20129)
- [Ubuntu/Debian]( https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate/94861#94861)
@ -117,7 +117,7 @@ file roughly looks like this:
For example, you can generate a certificate in this format using these
instructions:
```
```bash
openssl genrsa -out cert.key 2048
# (Specify the mitm domain as Common Name, e.g. \*.google.com)
openssl req -new -x509 -key cert.key -out cert.crt
@ -128,13 +128,13 @@ Now, you can run mitmproxy with the generated certificate:
**For all domain names**
```
```bash
mitmproxy --cert *=cert.pem
```
**For specific domain names**
```
```bash
mitmproxy --cert *.example.com=cert.pem
```

16
docs/src/content/concepts-commands.md
View File

@ -27,9 +27,9 @@ browser (by default accessible with the `C` key binding).
Many of mitmproxy's commands take flows as arguments. For instance, the
signature for the client replay commands looks like this:
{{< highlight none >}}
```
replay.client [flow]
{{< /highlight >}}
```
That means that it expects a sequence of one or more flows. This is where [flow
@ -40,23 +40,23 @@ invoking commands.
Fire up mitmproxy console, and intercept some traffic so we have flows to work
with. Now type the following command:
{{< highlight none >}}
```
:replay.client @focus
{{< /highlight >}}
```
Make sure you try using tab completion for the command name and the flow
specification. The `@focus` specifiers expands to the currently focused flow, so
you should see this flow replay. However, replay can take any number of flows.
Try the following command:
{{< highlight none >}}
```
:replay.client @all
{{< /highlight >}}
```
Now you should see all flows replay one by one. We have the full power of the
mitmproxy filter language at our disposal here, so we could also, for example,
just replay flows for a specific domain:
{{< highlight none >}}
```
:replay.client "~d google.com"
{{< /highlight >}}
```

16
docs/src/content/concepts-howmitmproxyworks.md
View File

@ -25,9 +25,9 @@ usually reliable. In the simplest possible interaction with mitmproxy, a
client connects directly to the proxy, and makes a request that looks
like this:
{{< highlight http >}}
```http
GET http://example.com/index.html HTTP/1.1
{{< / highlight >}}
```
This is a proxy GET request - an extended form of the vanilla HTTP GET
request that includes a schema and host specification, and it includes
@ -47,9 +47,9 @@ The process for an explicitly proxied HTTPS connection is quite
different. The client connects to the proxy and makes a request that
looks like this:
{{< highlight http >}}
```http
CONNECT example.com:443 HTTP/1.1
{{< / highlight >}}
```
A conventional proxy can neither view nor manipulate a TLS-encrypted
data stream, so a CONNECT request simply asks the proxy to open a pipe
@ -91,9 +91,9 @@ blush, it seems that the CONNECT request above gives us all we need - in this
example, both of these values are "example.com". But what if the client had
initiated the connection as follows:
{{< highlight http >}}
```http
CONNECT 10.1.1.1:443 HTTP/1.1
{{< / highlight >}}
```
Using the IP address is perfectly legitimate because it gives us enough
information to initiate the pipe, even though it doesn't reveal the
@ -182,9 +182,9 @@ server - [iptables](http://www.netfilter.org/) on Linux or
client has initiated the connection, it makes a vanilla HTTP request,
which might look something like this:
{{< highlight http >}}
```http
GET /index.html HTTP/1.1
{{< / highlight >}}
```
Note that this request differs from the explicit proxy variation, in
that it omits the scheme and hostname. How, then, do we know which

12
docs/src/content/howto-ignoredomains.md
View File

@ -60,7 +60,7 @@ method to do so:
becomes \\.) and use this as your ignore pattern:
{{< highlight none >}}
```
>>> mitmdump -v
127.0.0.1:50588: clientconnect
127.0.0.1:50588: request
@ -70,11 +70,11 @@ method to do so:
-> example.com:443
^C
>>> mitmproxy --ignore-hosts ^example\.com:443$
{{< /highlight >}}
```
Here are some other examples for ignore patterns:
{{< highlight none >}}
```
# Exempt traffic from the iOS App Store (the regex is lax, but usually just works):
--ignore-hosts apple.com:443
# "Correct" version without false-positives:
@ -87,17 +87,17 @@ Here are some other examples for ignore patterns:
--ignore-hosts 17\.178\.96\.59:443
# IP address range:
--ignore-hosts 17\.178\.\d+\.\d+:443
{{< / highlight >}}
```
This option can also be used to whitelist some domains through negative lookahead expressions. However, ignore patterns are always matched against the IP address of the target before being matched against its domain name. Thus, the pattern must allow any IP addresses using an expression like `^(?![0-9\.]+:)` in order for domains whitelisting to work. Here are examples of such patterns:
{{< highlight none >}}
```
# Ignore everything but example.com and mitmproxy.org (not subdomains):
--ignore-hosts '^(?![0-9\.]+:)(?!example\.com:)(?!mitmproxy\.org:)'
# Ignore everything but example.com and its subdomains:
--ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.com:)'
{{< / highlight >}}
```
**Footnotes**

32
docs/src/content/howto-install-system-trusted-ca-android.md
View File

@ -23,22 +23,22 @@ Please note, that apps can decide to ignore the system certificate store and mai
## 2. Rename certificate
Enter your certificate folder
{{< highlight bash >}}
```bash
cd ~/.mitmproxy/
{{< / highlight >}}
```
- CA Certificates in Android are stored by the name of their hash, with a '0' as extension
- Now generate the hash of your certificate
{{< highlight bash >}}
```bash
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1
{{< / highlight >}}
```
Lets assume, the output is `c8450d0d`
We can now copy `mitmproxy-ca-cert.cer` to `c8450d0d.0` and our system certificate is ready to use
{{< highlight bash >}}
```bash
cp mitmproxy-ca-cert.cer c8450d0d.0
{{< / highlight >}}
```
## 3. Insert certificate into system certificate store
@ -50,37 +50,37 @@ Note, that Android 9 (API LEVEL 28) was used to test the following steps and tha
- Keep in mind, that the **emulator will load a clean system image when starting without `-writable-system` option**.
- This means you always have to start the emulator with `-writable-system` option in order to use your certificate
{{< highlight bash >}}
```bash
emulator -avd <avd_name_here> -writable-system
{{< / highlight >}}
```
- Restart adb as root
{{< highlight bash >}}
```bash
adb root
{{< / highlight >}}
```
- Get write access to `/system` on the device
- In earlier versions (API LEVEL < 28) of Android you have to use `adb shell "mount -o rw,remount /system"`
{{< highlight bash >}}
```bash
adb shell "mount -o rw,remount /"
{{< / highlight >}}
```
- Push your certificate to the system certificate store and set file permissions
{{< highlight bash >}}
```bash
adb push c8450d0d.0 /system/etc/security/cacerts
adb shell "chmod 664 /system/etc/security/cacerts/c8450d0d.0"
{{< / highlight >}}
```
## 4. Reboot device and enjoy decrypted TLS traffic
- Reboot your device.
- You CA certificate should now be system trusted
{{< highlight bash >}}
```bash
adb reboot
{{< / highlight >}}
```
**Remember**: You **always** have to start the emulator using the `-writable-system` option in order to use your certificate

36
docs/src/content/howto-transparent-vms.md
View File

@ -16,9 +16,9 @@ Internal Network* setup can be applied to other setups.
First, we have to find out under which name Ubuntu has mapped our network interfaces. You can find this information with:
{{< highlight bash >}}
```bash
ip link
{{< / highlight >}}
```
Usually with Ubuntu and Virtualbox, **eth0** or **enp0s3** (Ubuntu 15.10 and newer) is connected to the internet and **eth1** or **enp0s8** (Ubuntu 15.10 and newer) is connected to the internal network that will be proxified and configured to use a static ip (192.168.3.1). If the names differ, use the ones you got from the *ip link* command.
@ -46,27 +46,27 @@ case, this needs to be disabled by changing `dns=dnsmasq` to `#dns=dnsmasq` in
**/etc/NetworkManager/NetworkManager.conf** and if on Ubuntu 16.04 or newer
running:
{{< highlight bash >}}
```bash
sudo systemctl restart NetworkManager
{{< / highlight >}}
```
If on Ubuntu 12.04 or 14.04 running:
{{< highlight bash >}}
```bash
sudo restart network-manager
{{< / highlight >}}
```
afterwards.
Now, dnsmasq can be be installed and configured:
{{< highlight bash >}}
```bash
sudo apt-get install dnsmasq
{{< / highlight >}}
```
Replace **/etc/dnsmasq.conf** with the following configuration:
{{< highlight none >}}
```
# Listen for DNS requests on the internal network
interface=eth1
bind-interfaces
@ -75,21 +75,21 @@ dhcp-range=192.168.3.10,192.168.3.100,96h
# Broadcast gateway and dns server information
dhcp-option=option:router,192.168.3.1
dhcp-option=option:dns-server,192.168.3.1
{{< / highlight >}}
```
Apply changes:
If on Ubuntu 16.04 or newer:
{{< highlight bash >}}
```bash
sudo systemctl restart dnsmasq
{{< / highlight >}}
```
If on Ubuntu 12.04 or 14.04:
{{< highlight bash >}}
```bash
sudo service dnsmasq restart
{{< / highlight >}}
```
Your **proxied machine** in the internal virtual network should now receive an
IP address via DHCP:
@ -101,19 +101,19 @@ IP address via DHCP:
To redirect traffic to mitmproxy, we need to enable IP forwarding and add two iptables
rules:
{{< highlight bash >}}
```bash
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080
{{< / highlight >}}
```
## 4. Run mitmproxy
Finally, we can run mitmproxy in transparent mode with
{{< highlight bash >}}
```bash
mitmproxy --mode transparent
{{< / highlight >}}
```
The proxied machine cannot to leak any data outside of HTTP or DNS requests. If
required, you can now [install the mitmproxy certificates on the proxied

88
docs/src/content/howto-transparent.md
View File

@ -34,10 +34,10 @@ achieve transparent mode.
### 1. Enable IP forwarding.
{{< highlight bash >}}
```bash
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
{{< / highlight >}}
```
This makes sure that your machine forwards packets instead of rejecting them.
@ -46,9 +46,9 @@ a newly created `/etc/sysctl.d/mitmproxy.conf` (see [here](https://superuser.com
### 2. Disable ICMP redirects.
{{< highlight bash >}}
```bash
sysctl -w net.ipv4.conf.all.send_redirects=0
{{< / highlight >}}
```
If your test device is on the same physical network, your machine shouldn't inform the device that
there's a shorter route available by skipping the proxy.
@ -60,12 +60,12 @@ If you want to persist this across reboots, see above.
Details will differ according to your setup, but the ruleset should look
something like this:
{{< highlight bash >}}
```bash
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
{{< / highlight >}}
```
If you want to persist this across reboots, you can use the `iptables-persistent` package (see
[here](http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html)).
@ -74,9 +74,9 @@ If you want to persist this across reboots, you can use the `iptables-persistent
You probably want a command like this:
{{< highlight bash >}}
```bash
mitmproxy --mode transparent --showhost
{{< / highlight >}}
```
The `--mode transparent` option turns on transparent mode, and the `--showhost` argument tells
mitmproxy to use the value of the Host header for URL display.
@ -92,24 +92,24 @@ Follow steps **1, 2** as above, but *instead* of the commands in step **3**, run
Create a user to run the mitmproxy
{{< highlight bash >}}
```bash
sudo useradd --create-home mitmproxyuser
sudo -u mitmproxyuser bash -c 'cd ~ && pip install --user mitmproxy'
{{< / highlight >}}
```
Then, configure the iptables rules to redirect all traffic from our local machine to mitmproxy. **Note**, as soon as you run these, you won't be able to perform successful network calls *until* you start mitmproxy. If you run into issues, `iptables -t nat -F` is a heavy handed way to flush (clear) *all* the rules from the iptables `nat` table (which includes any other rules you had configured).
{{< highlight bash >}}
```bash
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
{{< / highlight >}}
```
This will redirect the packets from all users other than `mitmproxyuser` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `mitmproxyuser`. Hence step **4** should look like:
{{< highlight bash >}}
```bash
sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --showhost --set block_global=false'
{{< / highlight >}}
```
@ -117,16 +117,16 @@ sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --s
### 1. Enable IP forwarding.
{{< highlight bash >}}
```bash
sudo sysctl -w net.inet.ip.forwarding=1
{{< / highlight >}}
```
### 2. Place the following two lines in **/etc/pf.conf**.
{{< highlight none >}}
```
mitm_if = "re2"
pass in quick proto tcp from $mitm_if to port { 80, 443 } divert-to 127.0.0.1 port 8080
{{< / highlight >}}
```
These rules tell pf to divert all traffic from `$mitm_if` destined for port 80
or 443 to the local mitmproxy instance running on port 8080. You should replace
@ -134,23 +134,23 @@ or 443 to the local mitmproxy instance running on port 8080. You should replace
### 3. Configure pf with the rules.
{{< highlight bash >}}
```bash
doas pfctl -f /etc/pf.conf
{{< / highlight >}}
```
### 4. And now enable it.
{{< highlight bash >}}
```bash
doas pfctl -e
{{< / highlight >}}
```
### 5. Fire up mitmproxy.
You probably want a command like this:
{{< highlight bash >}}
```bash
mitmproxy --mode transparent --listen-host 127.0.0.1 --showhost
{{< / highlight >}}
```
The `--mode transparent` option turns on transparent mode, and the `--showhost` argument tells
mitmproxy to use the value of the Host header for URL display.
@ -184,16 +184,16 @@ for earlier versions of OSX.
### 1. Enable IP forwarding.
{{< highlight bash >}}
```bash
sudo sysctl -w net.inet.ip.forwarding=1
{{< / highlight >}}
```
### 2. Place the following line in a file called, say, **pf.conf**.
{{< highlight none >}}
```
rdr pass on en0 inet proto tcp to any port {80, 443} -> 127.0.0.1 port 8080
{{< / highlight >}}
```
This rule tells pf to redirect all traffic destined for port 80 or 443
to the local mitmproxy instance running on port 8080. You should replace
@ -201,24 +201,24 @@ to the local mitmproxy instance running on port 8080. You should replace
### 3. Configure pf with the rules.
{{< highlight bash >}}
```bash
sudo pfctl -f pf.conf
{{< / highlight >}}
```
### 4. And now enable it.
{{< highlight bash >}}
```bash
sudo pfctl -e
{{< / highlight >}}
```
### 5. Configure sudoers to allow mitmproxy to access pfctl.
Edit the file **/etc/sudoers** on your system as root. Add the following line to
the end of the file:
{{< highlight none >}}
```
ALL ALL=NOPASSWD: /sbin/pfctl -s state
{{< / highlight >}}
```
Note that this allows any user on the system to run the command `/sbin/pfctl -s
state` as root without a password. This only allows inspection of the state
@ -229,9 +229,9 @@ tighten the restriction up to the user running mitmproxy.
You probably want a command like this:
{{< highlight bash >}}
```bash
mitmproxy --mode transparent --showhost
{{< / highlight >}}
```
The `--mode transparent` flag turns on transparent mode, and the `--showhost` argument tells
mitmproxy to use the value of the Host header for URL display.
@ -256,7 +256,7 @@ for more.
Follow steps **1, 2** as above, but in step **2** change the contents of the file **pf.conf** to
{{< highlight none >}}
```
#The ports to redirect to proxy
redir_ports = "{http, https}"
@ -274,13 +274,13 @@ tproxy_user = "nobody"
rdr pass proto tcp from any to any port $redir_ports -> $tproxy
pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user { != $tproxy_user }
{{< / highlight >}}
```
Follow steps **3-5** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. Hence step **6** should look like:
{{< highlight bash >}}
```bash
sudo -u nobody mitmproxy --mode transparent --showhost
{{< / highlight >}}
```
## "Full" transparent mode on Linux
@ -289,7 +289,7 @@ connections. In case this isn't desired, the --spoof-source-address argument can
be used to use the client's IP address for server-side connections. The
following config is required for this mode to work:
{{< highlight bash >}}
```bash
CLIENT_NET=192.168.1.0/24
TABLE_ID=100
MARK=1
@ -303,15 +303,15 @@ iptables -t nat \
ip rule add fwmark $MARK lookup $TABLE_ID
ip route add local $CLIENT_NET dev lo table $TABLE_ID
{{< / highlight >}}
```
This mode does require root privileges though. There's a wrapper in the examples
directory called 'mitmproxy_shim.c', which will enable you to use this mode with
dropped privileges. It can be used as follows:
{{< highlight bash >}}
```bash
gcc examples/complex/full_transparency_shim.c -o mitmproxy_shim -lcap
sudo chown root:root mitmproxy_shim
sudo chmod u+s mitmproxy_shim
./mitmproxy_shim $(which mitmproxy) --mode transparent --set spoof-source-address
{{< / highlight >}}
```

4
docs/src/content/howto-wireshark-tls.md
View File

@ -13,9 +13,9 @@ Wireshark can use these log files to decrypt packets. See the [Wireshark wiki](h
Key logging is enabled by setting the environment variable `SSLKEYLOGFILE` so
that it points to a writable text file:
{{< highlight bash >}}
```bash
SSLKEYLOGFILE="$PWD/.mitmproxy/sslkeylogfile.txt" mitmproxy
{{< / highlight >}}
```
You can also `export` this environment variable to make it persistent for all applications started from your current shell session.
You can specify the key file path in Wireshark via `Edit -> Preferences ->

32
docs/src/content/overview-features.md
View File

@ -92,12 +92,12 @@ Re-route all GET requests from `example.org` to `mitmproxy.org` (using `|` as th
The `modify_body` option lets you specify an arbitrary number of patterns that
define replacements within bodies of flows. `modify_body` patterns look like this:
{{< highlight none >}}
```
/flow-filter/regex/replacement
/flow-filter/regex/@file-path
/regex/replacement
/regex/@file-path
{{< / highlight >}}
```
* **flow-filter** is an optional mitmproxy [filter expression]({{< relref "concepts-filters">}})
that defines which flows a replacement applies to.
@ -121,15 +121,15 @@ to create a script using the replacement API on Flow components.
Replace `foo` with `bar` in bodies of requests:
{{< highlight none >}}
```
/~q/foo/bar
{{< / highlight >}}
```
Replace `foo` with the data read from `~/xss-exploit`:
{{< highlight bash >}}
```bash
mitmdump --modify-body :~q:foo:@~/xss-exploit
{{< / highlight >}}
```
## Modify Headers
@ -138,12 +138,12 @@ The `modify_headers` option lets you specify a set of headers to be modified.
New headers can be added, and existing headers can be overwritten or removed.
`modify_headers` patterns look like this:
{{< highlight none >}}
```
/flow-filter/name/value
/flow-filter/name/@file-path
/name/value
/name/@file-path
{{< / highlight >}}
```
* **flow-filter** is an optional mitmproxy [filter expression]({{< relref "concepts-filters">}})
that defines which flows to modify headers on.
@ -171,29 +171,29 @@ to create a script using the replacement API on Flow components.
Set the `Host` header to `example.org` for all requests (existing `Host`
headers are replaced):
{{< highlight none >}}
```
/~q/Host/example.org
{{< / highlight >}}
```
Set the `Host` header to `example.org` for all requests that do not have an
existing `Host` header:
{{< highlight none >}}
```
/~q & !~h Host:/Host/example.org
{{< / highlight >}}
```
Set the `User-Agent` header to the data read from `~/useragent.txt` for all requests
(existing `User-Agent` headers are replaced):
{{< highlight none >}}
```
/~q/Host/@~/useragent.txt
{{< / highlight >}}
```
Remove existing `Host` headers from all requests:
{{< highlight none >}}
```
/~q/Host/
{{< / highlight >}}
```
## Proxy Authentication

4
docs/src/content/overview-installation.md
View File

@ -15,9 +15,9 @@ Please follow the steps for your operating system.
The recommended way to install mitmproxy on macOS is to use
[Homebrew](https://brew.sh/):
{{< highlight bash >}}
```bash
brew install mitmproxy
{{< / highlight >}}
```
Alternatively, you can download standalone binaries on [mitmproxy.org](https://mitmproxy.org/).

24
docs/src/content/tools-mitmdump.md
View File

@ -16,17 +16,17 @@ documentation.
### Example: Saving traffic
{{< highlight bash >}}
```bash
mitmdump -w outfile
{{< / highlight >}}
```
Start up mitmdump in proxy mode, and write all traffic to **outfile**.
### Filtering saved traffic
{{< highlight bash >}}
```bash
mitmdump -nr infile -w outfile "~m post"
{{< / highlight >}}
```
Start mitmdump without binding to the proxy port (`-n`), read all flows
from infile, apply the specified filter expression (only match POSTs),
@ -34,36 +34,36 @@ and write to outfile.
### Client replay
{{< highlight bash >}}
```bash
mitmdump -nC outfile
{{< / highlight >}}
```
Start mitmdump without binding to the proxy port (`-n`), then replay all
requests from outfile (`-C filename`). Flags combine in the obvious way,
so you can replay requests from one file, and write the resulting flows
to another:
{{< highlight bash >}}
```bash
mitmdump -nC srcfile -w dstfile
{{< / highlight >}}
```
See the [client-side replay]({{< relref "overview-features#client-side-replay"
>}}) section for more information.
### Running a script
{{< highlight bash >}}
```bash
mitmdump -s examples/simple/add_header.py
{{< / highlight >}}
```
This runs the **add_header.py** example script, which simply adds a new
header to all responses.
### Scripted data transformation
{{< highlight bash >}}
```bash
mitmdump -ns examples/simple/add_header.py -r srcfile -w dstfile
{{< / highlight >}}
```
This command loads flows from **srcfile**, transforms it according to
the specified script, then writes it back to **dstfile**.

12
docs/src/content/tute-clientreplay.md
View File

@ -25,9 +25,9 @@ how.
## 1. Run mitmdump to record our HTTP conversation to a file.
{{< highlight bash >}}
```bash
mitmdump -w wireless-login
{{< / highlight >}}
```
## 2. Point your browser at the mitmdump instance.
@ -41,9 +41,9 @@ your browser with mitmproxy's SSL certificate authority]({{< relref
And that's it\! You now have a serialised version of the login process
in the file wireless-login, and you can replay it at any time like this:
{{< highlight bash >}}
```bash
mitmdump -C wireless-login
{{< / highlight >}}
```
## Embellishments
@ -58,9 +58,9 @@ These add only a few moments to the time it takes to replay, but they're not
really needed and I somehow feel compelled to trim them anyway. So, we fire up
the mitmproxy console tool on our serialised conversation, like so:
{{< highlight bash >}}
```bash
mitmproxy -r wireless-login
{{< / highlight >}}
```
We can now go through and manually delete (using the <span
data-role="kbd">d</span> keyboard shortcut) everything we want to trim. When

12
docs/src/content/tute-highscores.md
View File

@ -33,13 +33,13 @@ of leaderboards and so forth. Then, right at the end, there's a POST to
this tantalising
URL:
{{< highlight none >}}
```
https://service.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScore
{{< / highlight >}}
```
The contents of the submission are particularly interesting:
{{< highlight xml >}}
```xml
<plist version="1.0">
<dict>
<key>scores</key>
@ -57,7 +57,7 @@ The contents of the submission are particularly interesting:
</array>
</dict>
</plist>
{{< / highlight >}}
```
This is a [property list](https://en.wikipedia.org/wiki/Property_list),
containing an identifier for the game, a score (55, in this case), and a
@ -75,7 +75,7 @@ for raw body. Your preferred editor (taken from the EDITOR environment
variable) will now fire up. Lets bump the score up to something a bit
more ambitious:
{{< highlight xml >}}
```xml
<plist version="1.0">
<dict>
<key>scores</key>
@ -93,7 +93,7 @@ more ambitious:
</array>
</dict>
</plist>
{{< / highlight >}}
```
Save the file and exit your editor.