From c331ba91fca6e5d82ab09fba417d5ee0d37504bc Mon Sep 17 00:00:00 2001 From: Jihyun Yu Date: Fri, 18 Jan 2019 15:59:58 +0900 Subject: openbsd: divert-to requires exact listen address divert-to does not work with '0.0.0.0' or similar listen address, so we need to specify listen address that we provided to `pf`. --- docs/src/content/howto-transparent.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/src/content/howto-transparent.md') diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index ae36f579..9be1e2f8 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md @@ -124,7 +124,7 @@ doas pfctl -e You probably want a command like this: {{< highlight bash >}} -mitmproxy --mode transparent --showhost +mitmproxy --mode transparent --listen-host 127.0.0.1 --showhost {{< / highlight >}} The `--mode transparent` option turns on transparent mode, and the `--showhost` argument tells -- cgit v1.2.3 From a4f8457dd3d47f09b57fd0251bd65c38fabdec1e Mon Sep 17 00:00:00 2001 From: Lucio Paiva Date: Wed, 26 Jun 2019 18:39:23 +0100 Subject: Minor fix re. macOS steps --- docs/src/content/howto-transparent.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/src/content/howto-transparent.md') diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index 9be1e2f8..3915e4b7 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md @@ -229,7 +229,7 @@ for more. ### Work-around to redirect traffic originating from the machine itself -Follow the steps **1, 2** as above. In step **3** change the contents of the file **pf.conf** to +Follow steps **1, 2** as above, but in step **2** change the contents of the file **pf.conf** to {{< highlight none >}} #The ports to redirect to proxy 
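Review bot: the new `--listen-host 127.0.0.1` flag in the `@@ -124` hunk of c331ba91 is left unexplained by the sentence that follows it, which still documents only `--mode transparent` and `--showhost`; since the commit message says the address must be the one given to `pf`, add a clause such as "and `--listen-host` must match the address used in the `divert-to` rule in `pf.conf`" so readers who changed that address know to change this flag too.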
@@ -257,7 +257,7 @@ rdr pass proto tcp from any to any port $redir_ports -> $tproxy pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user $redir_users {{< / highlight >}} -Follow steps **4-6** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. Hence step **7** should look like: +Follow steps **3-5** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. Hence step **6** should look like: {{< highlight bash >}} sudo -u nobody mitmproxy --mode transparent --showhost -- cgit v1.2.3 From 586f8d2044e18f66b2a8ce531f94b659abfb8a1e Mon Sep 17 00:00:00 2001 From: king6cong Date: Tue, 30 Jul 2019 20:26:51 +0800 Subject: fix pf.conf on macOS --- docs/src/content/howto-transparent.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) (limited to 'docs/src/content/howto-transparent.md') diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index 3915e4b7..5f7c189a 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md @@ -50,7 +50,7 @@ a newly created `/etc/sysctl.d/mitmproxy.conf` (see [here](https://superuser.com sysctl -w net.ipv4.conf.all.send_redirects=0 {{< / highlight >}} -If your test device is on the same physical network, your machine shouldn't inform the device that +If your test device is on the same physical network, your machine shouldn't inform the device that there's a shorter route available by skipping the proxy. If you want to persist this across reboots, see above. 
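Review bot: in the `@@ -229` hunk of a4f8457d, "Follow steps **1, 2** as above, but in step **2** change the contents of the file **pf.conf**" tells the reader both to follow step 2 unchanged and to alter it; "Follow step **1** as above, but in step **2** change the contents of the file **pf.conf** to" says what is meant. The renumbering to steps **3-5** and **6** in the `@@ -257` hunk is consistent with that, but the headings it refers to are outside the diff, so the commit message should state which section's numbering it was aligned with.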
@@ -83,7 +83,7 @@ The `--mode transparent` option turns on transparent mode, and the `--showhost` ### 5. Finally, configure your test device. -Set the test device up to use the host on which mitmproxy is running as the default gateway and +Set the test device up to use the host on which mitmproxy is running as the default gateway and [install the mitmproxy certificate authority on the test device]({{< relref "concepts-certificates" >}}). @@ -132,7 +132,7 @@ mitmproxy to use the value of the Host header for URL display. ### 6. Finally, configure your test device. -Set the test device up to use the host on which mitmproxy is running as the default gateway and +Set the test device up to use the host on which mitmproxy is running as the default gateway and [install the mitmproxy certificate authority on the test device]({{< relref "concepts-certificates" >}}). @@ -213,7 +213,7 @@ mitmproxy to use the value of the Host header for URL display. ### 7. Finally, configure your test device. -Set the test device up to use the host on which mitmproxy is running as the default gateway and +Set the test device up to use the host on which mitmproxy is running as the default gateway and [install the mitmproxy certificate authority on the test device]({{< relref "concepts-certificates" >}}). {{% note %}} 
@@ -246,15 +246,9 @@ tproxy_user = "nobody" #This cannot involve the user which runs the #transparent proxy as that would cause an infinite loop. # -#Here we redirect for all users which don't run transparent proxy. -redir_users = "{ !=" $tproxy_user "}" - -#If you only wish to redirect traffic for particular users -#you may also do: -#redir_users = "{= john, = jane}" rdr pass proto tcp from any to any port $redir_ports -> $tproxy -pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user $redir_users +pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user { != $tproxy_user } {{< / highlight >}} Follow steps **3-5** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. Hence step **6** should look like: -- cgit v1.2.3 From ba848e2040a50bc63fd14d79939df53869d9dcdb Mon Sep 17 00:00:00 2001 From: Tom Saleeba Date: Thu, 1 Aug 2019 15:37:25 +0930 Subject: docs: add instructions for transparent proxy on Linux for traffic originating from the mitmproxy host itself --- docs/src/content/howto-transparent.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'docs/src/content/howto-transparent.md') diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index 3915e4b7..5b4b5dd8 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md 
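Review bot: the `@@ -246` hunk of 586f8d20 drops the `#redir_users = "{= john, = jane}"` comment along with the `redir_users` macro, so the page no longer shows how to redirect only selected users; keep that hint in the inline form, e.g. a comment showing `user { = john, = jane }` on the `pass out route-to` line. The commit message also does not say why the macro form failed to load in `pf`, which is what a future editor will need before deciding whether to reintroduce a macro. Separately, the `@@ -50`, `@@ -83`, `@@ -132` and `@@ -213` hunks show no visible difference between the removed and added lines (presumably trailing whitespace) and are unrelated to the pf.conf fix, so either mention them in the message or split them into their own commit.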
@@ -86,6 +86,29 @@ The `--mode transparent` option turns on transparent mode, and the `--showhost` Set the test device up to use the host on which mitmproxy is running as the default gateway and [install the mitmproxy certificate authority on the test device]({{< relref "concepts-certificates" >}}). +### Work-around to redirect traffic originating from the machine itself + +Follow steps **1, 2** as above, but *instead* of the commands in step **3**, run the following + +Create a user to run the mitmproxy +{{< highlight bash >}} +sudo useradd --create-home mitmproxyuser +sudo -u mitmproxyuser 'cd ~ && pip install --user mitmproxy' +{{< / highlight >}} + +Then, configure the iptables rules to redirect all traffic from our local machine to mitmproxy. **Note**, as soon as you run these, you won't be able to perform successful network calls *until* you start mitmproxy. If you run into issues, `iptables -t nat -F` is a heavy handed way to flush (clear) *all* the rules from the iptables `nat` table (which includes any other rules you had configured). +{{< highlight bash >}} +iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080 +iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080 +ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080 +ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080 +{{< / highlight >}} + +This will redirect the packets from all users other than `mitmproxyuser` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `mitmproxyuser`. Hence step **4** should look like: +{{< highlight bash >}} +sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --showhost --set block_global=false' +{{< / highlight >}} + ## OpenBSD -- cgit v1.2.3 
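Review bot: in the `@@ -86` hunk of ba848e20, `sudo -u mitmproxyuser 'cd ~ && pip install --user mitmproxy'` hands the whole quoted string to sudo as the program name, so it fails with "command not found" instead of installing anything; wrap it as `sudo -u mitmproxyuser bash -c 'cd ~ && pip install --user mitmproxy'`, matching the `bash -c` form already used for the mitmproxy invocation later in the hunk. Two smaller points: the four `iptables`/`ip6tables` lines omit the `sudo` that the other commands in the section carry, and `--set block_global=false` is added to the mitmproxy command without saying why this setup needs it; one sentence of explanation would stop readers from dropping the option.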
From f47608c85ec0dcba456a759d1b862c3db8bcaddb Mon Sep 17 00:00:00 2001 From: Tom Saleeba Date: Thu, 1 Aug 2019 22:04:58 +0930 Subject: docs: correct command to install mitmproxy --- docs/src/content/howto-transparent.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'docs/src/content/howto-transparent.md') diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index 5b4b5dd8..803f8f10 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md @@ -91,12 +91,14 @@ Set the test device up to use the host on which mitmproxy is running as the defa Follow steps **1, 2** as above, but *instead* of the commands in step **3**, run the following Create a user to run the mitmproxy + {{< highlight bash >}} sudo useradd --create-home mitmproxyuser -sudo -u mitmproxyuser 'cd ~ && pip install --user mitmproxy' +sudo -u mitmproxyuser bash -c 'cd ~ && pip install --user mitmproxy' {{< / highlight >}} Then, configure the iptables rules to redirect all traffic from our local machine to mitmproxy. **Note**, as soon as you run these, you won't be able to perform successful network calls *until* you start mitmproxy. If you run into issues, `iptables -t nat -F` is a heavy handed way to flush (clear) *all* the rules from the iptables `nat` table (which includes any other rules you had configured). + {{< highlight bash >}} iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080 iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080 -- cgit v1.2.3
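Review bot: `cd ~` in the corrected `sudo -u mitmproxyuser bash -c '…'` line of the `@@ -91` hunk of f47608c8 depends on sudo resetting `HOME` to mitmproxyuser's home directory; pass `-H` (`sudo -u mitmproxyuser -H bash -c '…'`) to make that explicit, since on a sudo configuration that preserves the caller's `HOME`, `pip install --user` would install under the invoking user's `~/.local` rather than the `$HOME/.local/bin` path the later mitmproxy command expects. The blank lines added before the two `{{< highlight bash >}}` blocks are fine but are not mentioned in the commit message.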