From 31ee4607c892f85c5d139e54acbc3ca4f9fb6bcb Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Mon, 7 Sep 2015 10:30:40 +0200 Subject: remove old docs --- doc-src/features/passthrough.html | 84 --------------------------------------- 1 file changed, 84 deletions(-) delete mode 100644 doc-src/features/passthrough.html (limited to 'doc-src/features/passthrough.html') diff --git a/doc-src/features/passthrough.html b/doc-src/features/passthrough.html deleted file mode 100644 index 101a337a..00000000 --- a/doc-src/features/passthrough.html +++ /dev/null @@ -1,84 +0,0 @@ -There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism: - -- **Certificate pinning:** Some traffic is is protected using - [certificate pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning) and mitmproxy's - interception leads to errors. For example, Windows Update or the Apple App Store fail to work if mitmproxy is active. -- **Convenience:** You really don't care about some parts of the traffic and just want them to go away. - -If you want to peek into (SSL-protected) non-HTTP connections, check out the [tcp proxy](@!urlTo("tcpproxy.html")!@) feature. -If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the -[response streaming](@!urlTo("responsestreaming.html")!@) feature. - -## How it works - - - - - - - - - - - -
command-line --ignore regex
mitmproxy shortcut o then I
- - -mitmproxy allows you to specify a regex which is matched against a host:port string (e.g. "example.com:443") -to determine hosts that should be excluded. - -There are two important quirks to consider: - -- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the hostname from the - Host header if the --host argument is passed to mitmproxy, we do not have access to this information before the SSL - handshake. -- In regular mode, explicit HTTP requests are never ignored.[^explicithttp] The ignore pattern is applied on CONNECT - requests, which initiate HTTPS or clear-text WebSocket connections. - - -### Tutorial - -If you just want to ignore one specific domain, there's usually a bulletproof method to do so: - -1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect -messages. mitmproxy will filter on these. -2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \\.) -and use this as your ignore pattern: - -
-$ mitmdump -v
-127.0.0.1:50588: clientconnect
-127.0.0.1:50588: request
-  -> CONNECT example.com:443 HTTP/1.1
-127.0.0.1:50588: Set new server address: example.com:443
-127.0.0.1:50588: serverconnect
-  -> example.com:443
-^C
-$ mitmproxy --ignore ^example\.com:443$
-
- -Here are some other examples for ignore patterns: -
-# Exempt traffic from the iOS App Store (the regex is lax, but usually just works):
---ignore apple.com:443
-# "Correct" version without false-positives:
---ignore '^(.+\.)?apple\.com:443$'
-
-# Ignore example.com, but not its subdomains:
---ignore '^example.com:'
-
-# Ignore everything but example.com and mitmproxy.org:
---ignore '^(?!example\.com)(?!mitmproxy\.org)'
-
-# Transparent mode:
---ignore 17\.178\.96\.59:443
-# IP address range:
---ignore 17\.178\.\d+\.\d+:443
-
- -### See Also - -- [TCP Proxy](@!urlTo("tcpproxy.html")!@) -- [Response Streaming](@!urlTo("responsestreaming.html")!@) - -[^explicithttp]: This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a GET http://example.com/ request may be followed by a GET http://evil.com/ request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one. -- cgit v1.2.3