aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--examples/ignore_websocket.py27
-rw-r--r--libmproxy/protocol/http.py6
2 files changed, 33 insertions, 0 deletions
diff --git a/examples/ignore_websocket.py b/examples/ignore_websocket.py
new file mode 100644
index 00000000..1ee81d38
--- /dev/null
+++ b/examples/ignore_websocket.py
@@ -0,0 +1,27 @@
+# This script makes mitmproxy switch to passthrough mode for all HTTP
+# responses with "Connection: Upgrade" header. This is useful to make
+# WebSockets work in untrusted environments.
+#
+# Note: Chrome (and possibly other browsers), when explicitly configured
+# to use a proxy (i.e. mitmproxy's regular mode), send a CONNECT request
+# to the proxy before they initiate the websocket connection.
+# To make WebSockets work in these cases, supply
+# `--ignore :80$` as an additional parameter.
+# (see http://mitmproxy.org/doc/features/passthrough.html)
+
+from libmproxy.protocol.http import HTTPRequest
+from libmproxy.protocol.tcp import TCPHandler
+from libmproxy.protocol import KILL
+from libmproxy.script import concurrent
+
+HTTPRequest._headers_to_strip_off.remove("Connection")
+HTTPRequest._headers_to_strip_off.remove("Upgrade")
+
+@concurrent
+def response(context, flow):
+ if flow.response.headers.get_first("Connection", None) == "Upgrade":
+ # We need to send the response manually now...
+ flow.client_conn.send(flow.response.assemble())
+ # ...and then delegate to tcp passthrough.
+ TCPHandler(flow.live.c, log=False).handle_messages()
+ flow.reply(KILL) \ No newline at end of file
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index 89af85b0..87af8e6d 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -1401,6 +1401,12 @@ class HTTPHandler(ProtocolHandler):
# In practice, nobody issues a CONNECT request to send unencrypted HTTP requests afterwards.
# If we don't delegate to TCP mode, we should always negotiate a SSL connection.
+ #
+ # FIXME:
+ # Turns out the previous statement isn't entirely true. Chrome on Windows CONNECTs to :80
+ # if an explicit proxy is configured and a websocket connection should be established.
+ # We don't support websocket at the moment, so it fails anyway, but we should come up with
+ # a better solution to this if we start to support WebSockets.
should_establish_ssl = (
address.port in self.c.config.ssl_ports
or
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-31 07:49:31 +0000