.. _passthrough: Ignore Domains ============== There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism: - **Certificate pinning:** Some traffic is is protected using `Certificate Pinning`_ and mitmproxy's interception leads to errors. For example, the Twitter app, Windows Update or the Apple App Store fail to work if mitmproxy is active. - **Convenience:** You really don't care about some parts of the traffic and just want them to go away. If you want to peek into (SSL-protected) non-HTTP connections, check out the :ref:`tcpproxy` feature. If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the :ref:`responsestreaming` feature. How it works ------------ ================== ============================= command-line :option:`--ignore regex` mitmproxy shortcut :kbd:`o` then :kbd:`I` ================== ============================= mitmproxy allows you to specify a regex which is matched against a ``host:port`` string (e.g. "example.com:443") to determine hosts that should be excluded. There are two important quirks to consider: - **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the hostname from the Host header if the :option:`--host` argument is passed to mitmproxy, we do not have access to this information before the SSL handshake. - In regular mode, explicit HTTP requests are never ignored. [#explicithttp]_ The ignore pattern is applied on CONNECT requests, which initiate HTTPS or clear-text WebSocket connections. Tutorial -------- If you just want to ignore one specific domain, there's usually a bulletproof method to do so: 1. Run mitmproxy or mitmdump in verbose mode (:option:`-v`) and observe the ``host:port`` information in the serverconnect messages. mitmproxy will filter on these. 2. Take the ``host:port`` string, surround it with ^ and $, escape all dots (. becomes \\.) and use this as your ignore pattern: .. code-block:: none :emphasize-lines: 6,7,9 >>> mitmdump -v 127.0.0.1:50588: clientconnect 127.0.0.1:50588: request -> CONNECT example.com:443 HTTP/1.1 127.0.0.1:50588: Set new server address: example.com:443 127.0.0.1:50588: serverconnect -> example.com:443 ^C >>> mitmproxy --ignore ^example\.com:443$ Here are some other examples for ignore patterns: .. code-block:: none # Exempt traffic from the iOS App Store (the regex is lax, but usually just works): --ignore apple.com:443 # "Correct" version without false-positives: --ignore '^(.+\.)?apple\.com:443$' # Ignore example.com, but not its subdomains: --ignore '^example.com:' # Ignore everything but example.com and mitmproxy.org: --ignore '^(?!example\.com)(?!mitmproxy\.org)' # Transparent mode: --ignore 17\.178\.96\.59:443 # IP address range: --ignore 17\.178\.\d+\.\d+:443 .. seealso:: - :ref:`tcpproxy` - :ref:`responsestreaming` .. rubric:: Footnotes .. [#explicithttp] This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a ``GET http://example.com/`` request may be followed by a ``GET http://evil.com/`` request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one. .. _Certificate Pinning: https://security.stackexchange.com/questions/29988/what-is-certificate-pinning