mirror of
https://github.com/Grasscutters/mitmproxy.git
synced 2024-11-27 10:26:23 +00:00
d88c3a0e95
because wouldnt work with default bash settings as its part of history expansion in bash
85 lines
3.4 KiB
HTML
85 lines
3.4 KiB
HTML
There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism:
|
|
|
|
- **Certificate pinning:** Some traffic is is protected using
|
|
[certificate pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning) and mitmproxy's
|
|
interception leads to errors. For example, Windows Update or the Apple App Store fail to work if mitmproxy is active.
|
|
- **Convenience:** You really don't care about some parts of the traffic and just want them to go away.
|
|
|
|
If you want to peek into (SSL-protected) non-HTTP connections, check out the [tcp proxy](@!urlTo("tcpproxy.html")!@) feature.
|
|
If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the
|
|
[response streaming](@!urlTo("responsestreaming.html")!@) feature.
|
|
|
|
## How it works
|
|
|
|
|
|
<table class="table">
|
|
<tbody>
|
|
<tr>
|
|
<th width="20%">command-line</th> <td>--ignore regex</td>
|
|
</tr>
|
|
<tr>
|
|
<th>mitmproxy shortcut</th> <td><b>I</b></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
|
|
|
|
mitmproxy allows you to specify a regex which is matched against a <code>host:port</code> string (e.g. "example.com:443")
|
|
to determine hosts that should be excluded.
|
|
|
|
There are two important quirks to consider:
|
|
|
|
- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the hostname from the
|
|
Host header if the --host argument is passed to mitmproxy, we do not have access to this information before the SSL
|
|
handshake.
|
|
- In regular mode, explicit HTTP requests are never ignored.[^explicithttp] The ignore pattern is applied on CONNECT
|
|
requests, which initiate HTTPS or clear-text WebSocket connections.
|
|
|
|
|
|
### Tutorial
|
|
|
|
If you just want to ignore one specific domain, there's usually a bulletproof method to do so:
|
|
|
|
1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect
|
|
messages. mitmproxy will filter on these.
|
|
2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \\.)
|
|
and use this as your ignore pattern:
|
|
|
|
<pre class="terminal">
|
|
$ mitmdump -v
|
|
127.0.0.1:50588: clientconnect
|
|
127.0.0.1:50588: request
|
|
-> CONNECT example.com:443 HTTP/1.1
|
|
127.0.0.1:50588: Set new server address: example.com:443
|
|
<span style="color: white">127.0.0.1:50588: serverconnect
|
|
-> example.com:443</span>
|
|
^C
|
|
$ <span style="color: white">mitmproxy --ignore ^example\.com:443$</span>
|
|
</pre>
|
|
|
|
Here are some other examples for ignore patterns:
|
|
<pre>
|
|
# Exempt traffic from the iOS App Store (the regex is lax, but usually just works):
|
|
--ignore apple.com:443
|
|
# "Correct" version without false-positives:
|
|
--ignore "^(.+\.)?apple\.com:443$"
|
|
|
|
# Ignore example.com, but not its subdomains:
|
|
--ignore "^example.com:"
|
|
|
|
# Ignore everything but example.com and mitmproxy.org:
|
|
--ignore '^(?!example\.com)(?!mitmproxy\.org)'
|
|
|
|
# Transparent mode:
|
|
--ignore 17\.178\.96\.59:443
|
|
# IP address range:
|
|
--ignore 17\.178\.\d+\.\d+:443
|
|
</pre>
|
|
|
|
### See Also
|
|
|
|
- [TCP Proxy](@!urlTo("tcpproxy.html")!@)
|
|
- [Response Streaming](@!urlTo("responsestreaming.html")!@)
|
|
|
|
[^explicithttp]: This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a <code>GET http://example.com/</code> request may be followed by a <code>GET http://evil.com/</code> request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one.
|