Revert "Move the doc tree out into its own repo."

This reverts commit 8f88fcedd601c0033b4469b66626a83011879baf.

1 files changed, 81 insertions, 0 deletions

diff --git a/doc-src/transparent/osx.html b/doc-src/transparent/osx.html
new file mode 100644
index 00000000..c1ae823d
--- /dev/null
+++ b/doc-src/transparent/osx.html
@@ -0,0 +1,81 @@
+
+
+OSX Lion integrated the [pf](http://www.openbsd.org/faq/pf/) packet filter from
+the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX.
+Note that this means we don't support transparent mode for earlier versions of
+OSX.
+
+<ol class="tlist">
+
+    <li> <a href="@!urlTo('ssl.html')!@">Install the mitmproxy
+    certificates on the test device</a>. </li>
+
+    <li> Enable IP forwarding:
+
+    <pre class="terminal">sudo sysctl -w net.inet.ip.forwarding=1</pre>
+    </li>
+
+    <li>  Place the following two lines in a file called, say, <b>pf.conf</b>:
+
+<pre class="terminal">rdr on en2 inet proto tcp to any port 80 -&gt; 127.0.0.1 port 8080
+rdr on en2 inet proto tcp to any port 443 -&gt; 127.0.0.1 port 8080
+</pre>
+
+        These rules tell pf to redirect all traffic destined for port 80 or 443
+        to the local mitmproxy instance running on port 8080. You should
+        replace <b>en2</b> with the interface on which your test device will
+        appear.
+
+    </li>
+
+    <li> Configure pf with the rules:
+
+        <pre class="terminal">sudo pfctl -f pf.conf</pre>
+
+    </li>
+
+    <li> And now enable it:
+
+        <pre class="terminal">sudo pfctl -e</pre>
+
+    </li>
+
+    <li> Configure sudoers to allow mitmproxy to access pfctl. Edit the file
+    <b>/etc/sudoers</b> on your system as root. Add the following line to the end
+    of the file:
+
+    <pre>ALL ALL=NOPASSWD: /sbin/pfctl -s state</pre>
+
+    Note that this allows any user on the system to run the command
+    "/sbin/pfctl -s state" as root without a password. This only allows
+    inspection of the state table, so should not be an undue security risk. If
+    you're special feel free to tighten the restriction up to the user running
+    mitmproxy.</li>
+
+    <li> Fire up mitmproxy. You probably want a command like this:
+
+        <pre class="terminal">mitmproxy -T --host</pre>
+
+        The <b>-T</b> flag turns on transparent mode, and the <b>--host</b>
+        argument tells mitmproxy to use the value of the Host header for URL
+        display.
+
+    </li>
+
+    <li> Finally, configure your test device to use the host on which mitmproxy is
+    running as the default gateway.</li>
+
+
+</ol>
+
+Note that the **rdr** rules in the pf.conf given above only apply to inbound
+traffic. This means that they will NOT redirect traffic coming from the box
+running pf itself. We can't distinguish between an outbound connection from a
+non-mitmproxy app, and an outbound connection from mitmproxy itself - if you
+want to intercept your OSX traffic, you should use an external host to run
+mitmproxy. None the less, pf is flexible to cater for a range of creative
+possibilities, like intercepting traffic emanating from VMs.  See the
+**pf.conf** man page for more.
+
+
+