aboutsummaryrefslogtreecommitdiffstats
path: root/doc-src/transparent/osx.html
blob: 77eea63b4af82452f0fc33602a96efb0969b68e9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
OSX Lion integrated the [pf](http://www.openbsd.org/faq/pf/) packet filter from
the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX.
Note that this means we don't support transparent mode for earlier versions of
OSX.

<ol class="tlist">

    <li> <a href="@!urlTo("ssl.html")!@">Install the mitmproxy
    certificates on the test device</a>. </li>

    <li> Enable IP forwarding:

    <pre class="terminal">sudo sysctl -w net.inet.ip.forwarding=1</pre>
    </li>

    <li>  Place the following two lines in a file called, say, <b>pf.conf</b>:

<pre class="terminal">rdr on en2 inet proto tcp to any port 80 -&gt; 127.0.0.1 port 8080
rdr on en2 inet proto tcp to any port 443 -&gt; 127.0.0.1 port 8080
</pre>

        These rules tell pf to redirect all traffic destined for port 80 or 443
        to the local mitmproxy instance running on port 8080. You should
        replace <b>en2</b> with the interface on which your test device will
        appear.

    </li>

    <li> Configure pf with the rules:

        <pre class="terminal">sudo pfctl -f pf.conf</pre>

    </li>

    <li> And now enable it:

        <pre class="terminal">sudo pfctl -e</pre>

    </li>

    <li> Configure sudoers to allow mitmproxy to access pfctl. Edit the file
    <b>/etc/sudoers</b> on your system as root. Add the following line to the end
    of the file:

    <pre>ALL ALL=NOPASSWD: /sbin/pfctl -s state</pre>

    Note that this allows any user on the system to run the command
    "/sbin/pfctl -s state" as root without a password. This only allows
    inspection of the state table, so should not be an undue security risk. If
    you're special feel free to tighten the restriction up to the user running
    mitmproxy.</li>

    <li> Fire up mitmproxy. You probably want a command like this:

        <pre class="terminal">mitmproxy -T --host</pre>

        The <b>-T</b> flag turns on transparent mode, and the <b>--host</b>
        argument tells mitmproxy to use the value of the Host header for URL
        display.

    </li>

    <li> Finally, configure your test device to use the host on which mitmproxy is
    running as the default gateway.</li>


</ol>