From f47d89ff4e710f6d2df755fe526e91a5cf236cfa Mon Sep 17 00:00:00 2001
From: Aldo Cortesi
Date: Mon, 27 Jan 2014 14:16:23 +1300
Subject: Revert "Move the doc tree out into its own repo."

This reverts commit 8f88fcedd601c0033b4469b66626a83011879baf.
---
 doc-src/transparent/index.py | 6 ++++
 doc-src/transparent/linux.html | 43 ++++++++++++++++++++++
 doc-src/transparent/osx.html | 81 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 doc-src/transparent/index.py
 create mode 100644 doc-src/transparent/linux.html
 create mode 100644 doc-src/transparent/osx.html
(limited to 'doc-src/transparent')
diff --git a/doc-src/transparent/index.py b/doc-src/transparent/index.py
new file mode 100644
index 00000000..091b3471
--- /dev/null
+++ b/doc-src/transparent/index.py
@@ -0,0 +1,6 @@
+from countershape import Page
+
+pages = [
+ Page("osx.html", "OSX"),
+ Page("linux.html", "Linux"),
+]
diff --git a/doc-src/transparent/linux.html b/doc-src/transparent/linux.html
new file mode 100644
index 00000000..96b7132a
--- /dev/null
+++ b/doc-src/transparent/linux.html
@@ -0,0 +1,43 @@
+On Linux, mitmproxy integrates with the iptables redirection mechanism to
+achieve transparent mode.
+
+
    + +
  1. Install the mitmproxy + certificates on the test device.
  2. + +
  3. Enable IP forwarding: + +
    sysctl -w net.ipv4.ip_forward=1
    + + You may also want to consider enabling this permanently in + /etc/sysctl.conf. + +
  4. + +
  5. Create an iptables ruleset that redirects the desired traffic to the + mitmproxy port. Details will differ according to your setup, but the + ruleset should look something like this: + +
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    +iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
    + +
  6. + +
  7. Fire up mitmproxy. You probably want a command like this: + +
    mitmproxy -T --host
    + + The -T flag turns on transparent mode, and the --host + argument tells mitmproxy to use the value of the Host header for URL + display. + +
  8. + +
  9. Finally, configure your test device to use the host on which mitmproxy is + running as the default gateway.
  10. + +
+ + +For a detailed walkthrough, have a look at the Transparently proxify virtual machines tutorial. diff --git a/doc-src/transparent/osx.html b/doc-src/transparent/osx.html new file mode 100644 index 00000000..c1ae823d --- /dev/null +++ b/doc-src/transparent/osx.html @@ -0,0 +1,81 @@ + + +OSX Lion integrated the [pf](http://www.openbsd.org/faq/pf/) packet filter from +the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX. +Note that this means we don't support transparent mode for earlier versions of +OSX. + +
    + +
  1. Install the mitmproxy + certificates on the test device.
  2. + +
  3. Enable IP forwarding: + +
    sudo sysctl -w net.inet.ip.forwarding=1
    +
  4. + +
  5. Place the following two lines in a file called, say, pf.conf: + +
    rdr on en2 inet proto tcp to any port 80 -> 127.0.0.1 port 8080
    +rdr on en2 inet proto tcp to any port 443 -> 127.0.0.1 port 8080
    +
    + + These rules tell pf to redirect all traffic destined for port 80 or 443 + to the local mitmproxy instance running on port 8080. You should + replace en2 with the interface on which your test device will + appear. + +
  6. + +
  7. Configure pf with the rules: + +
    sudo pfctl -f pf.conf
    + +
  8. + +
  9. And now enable it: + +
    sudo pfctl -e
    + +
  10. + +
  11. Configure sudoers to allow mitmproxy to access pfctl. Edit the file + /etc/sudoers on your system as root. Add the following line to the end + of the file: + +
    ALL ALL=NOPASSWD: /sbin/pfctl -s state
    + + Note that this allows any user on the system to run the command + "/sbin/pfctl -s state" as root without a password. This only allows + inspection of the state table, so should not be an undue security risk. If + you're special feel free to tighten the restriction up to the user running + mitmproxy.
  12. + +
  13. Fire up mitmproxy. You probably want a command like this: + +
    mitmproxy -T --host
    + + The -T flag turns on transparent mode, and the --host + argument tells mitmproxy to use the value of the Host header for URL + display. + +
  14. + +
  15. Finally, configure your test device to use the host on which mitmproxy is + running as the default gateway.
  16. + + +
+ +Note that the **rdr** rules in the pf.conf given above only apply to inbound +traffic. This means that they will NOT redirect traffic coming from the box +running pf itself. We can't distinguish between an outbound connection from a +non-mitmproxy app, and an outbound connection from mitmproxy itself - if you +want to intercept your OSX traffic, you should use an external host to run +mitmproxy. None the less, pf is flexible to cater for a range of creative +possibilities, like intercepting traffic emanating from VMs. See the +**pf.conf** man page for more. + + + -- cgit v1.2.3