From 8f88fcedd601c0033b4469b66626a83011879baf Mon Sep 17 00:00:00 2001 From: Aldo Cortesi Date: Wed, 22 Jan 2014 13:33:02 +1300 Subject: Move the doc tree out into its own repo. --- doc-src/transparent/index.py | 6 ---- doc-src/transparent/linux.html | 43 ---------------------- doc-src/transparent/osx.html | 81 ------------------------------------------ 3 files changed, 130 deletions(-) delete mode 100644 doc-src/transparent/index.py delete mode 100644 doc-src/transparent/linux.html delete mode 100644 doc-src/transparent/osx.html (limited to 'doc-src/transparent') diff --git a/doc-src/transparent/index.py b/doc-src/transparent/index.py deleted file mode 100644 index 091b3471..00000000 --- a/doc-src/transparent/index.py +++ /dev/null @@ -1,6 +0,0 @@ -from countershape import Page - -pages = [ - Page("osx.html", "OSX"), - Page("linux.html", "Linux"), -] diff --git a/doc-src/transparent/linux.html b/doc-src/transparent/linux.html deleted file mode 100644 index 96b7132a..00000000 --- a/doc-src/transparent/linux.html +++ /dev/null @@ -1,43 +0,0 @@ -On Linux, mitmproxy integrates with the iptables redirection mechanism to -achieve transparent mode. - -
    - -
  1. Install the mitmproxy - certificates on the test device.
  2. - -
  3. Enable IP forwarding: - -
    sysctl -w net.ipv4.ip_forward=1
    - - You may also want to consider enabling this permanently in - /etc/sysctl.conf. - -
  4. - -
  5. Create an iptables ruleset that redirects the desired traffic to the - mitmproxy port. Details will differ according to your setup, but the - ruleset should look something like this: - -
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    -iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
    - -
  6. - -
  7. Fire up mitmproxy. You probably want a command like this: - -
    mitmproxy -T --host
    - - The -T flag turns on transparent mode, and the --host - argument tells mitmproxy to use the value of the Host header for URL - display. - -
  8. - -
  9. Finally, configure your test device to use the host on which mitmproxy is - running as the default gateway.
  10. - -
- - -For a detailed walkthrough, have a look at the Transparently proxify virtual machines tutorial. diff --git a/doc-src/transparent/osx.html b/doc-src/transparent/osx.html deleted file mode 100644 index c1ae823d..00000000 --- a/doc-src/transparent/osx.html +++ /dev/null @@ -1,81 +0,0 @@ - - -OSX Lion integrated the [pf](http://www.openbsd.org/faq/pf/) packet filter from -the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX. -Note that this means we don't support transparent mode for earlier versions of -OSX. - -
    - -
  1. Install the mitmproxy - certificates on the test device.
  2. - -
  3. Enable IP forwarding: - -
    sudo sysctl -w net.inet.ip.forwarding=1
    -
  4. - -
  5. Place the following two lines in a file called, say, pf.conf: - -
    rdr on en2 inet proto tcp to any port 80 -> 127.0.0.1 port 8080
    -rdr on en2 inet proto tcp to any port 443 -> 127.0.0.1 port 8080
    -
    - - These rules tell pf to redirect all traffic destined for port 80 or 443 - to the local mitmproxy instance running on port 8080. You should - replace en2 with the interface on which your test device will - appear. - -
  6. - -
  7. Configure pf with the rules: - -
    sudo pfctl -f pf.conf
    - -
  8. - -
  9. And now enable it: - -
    sudo pfctl -e
    - -
  10. - -
  11. Configure sudoers to allow mitmproxy to access pfctl. Edit the file - /etc/sudoers on your system as root. Add the following line to the end - of the file: - -
    ALL ALL=NOPASSWD: /sbin/pfctl -s state
    - - Note that this allows any user on the system to run the command - "/sbin/pfctl -s state" as root without a password. This only allows - inspection of the state table, so should not be an undue security risk. If - you're special feel free to tighten the restriction up to the user running - mitmproxy.
  12. - -
  13. Fire up mitmproxy. You probably want a command like this: - -
    mitmproxy -T --host
    - - The -T flag turns on transparent mode, and the --host - argument tells mitmproxy to use the value of the Host header for URL - display. - -
  14. - -
  15. Finally, configure your test device to use the host on which mitmproxy is - running as the default gateway.
  16. - - -
- -Note that the **rdr** rules in the pf.conf given above only apply to inbound -traffic. This means that they will NOT redirect traffic coming from the box -running pf itself. We can't distinguish between an outbound connection from a -non-mitmproxy app, and an outbound connection from mitmproxy itself - if you -want to intercept your OSX traffic, you should use an external host to run -mitmproxy. None the less, pf is flexible to cater for a range of creative -possibilities, like intercepting traffic emanating from VMs. See the -**pf.conf** man page for more. - - - -- cgit v1.2.3
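Review bot: The commit message says the doc tree moves "into its own repo" but never names that repo. With doc-src/transparent/index.py gone, nothing in this tree records that the OSX and Linux transparent-mode pages existed or where they went. Add the destination repository (and ideally the commit that imports these files) to the commit message so the 130 deleted lines can be traced.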
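Review bot: In the linux.html text being relocated, the steps turn on `sysctl -w net.ipv4.ip_forward=1` and append two `PREROUTING ... -j REDIRECT --to-port 8080` rules, and even suggest making forwarding permanent in /etc/sysctl.conf, but no step says how to undo any of it. A test host left in this state keeps routing and redirecting traffic on eth0 after mitmproxy exits. When this page lands in the new repo, add a closing step that deletes the two nat rules (the same commands with `-D` in place of `-A`) and sets `net.ipv4.ip_forward` back to 0. Also confirm that the certificate-install and "Transparently proxify virtual machines" pages it links to move with it.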
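Review bot: In the osx.html text being relocated, the sudoers step tells readers to add `ALL ALL=NOPASSWD: /sbin/pfctl -s state`, which, as the page itself notes, lets every local user run that command as root without a password. The narrower form is offered only as an aside ("If you're special feel free to tighten the restriction"). In the new repo, make the default example name the account that runs mitmproxy instead of the first `ALL`, and recommend editing through visudo rather than opening /etc/sudoers directly, so that a syntax error does not lock out sudo.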