aboutsummaryrefslogtreecommitdiffstats
path: root/docs/transparent.rst
blob: 71b485952e3c6ba7558e3e863f5ac747995f155e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
.. _transparent:

====================
Transparent Proxying
====================

When a transparent proxy is used, traffic is redirected into a proxy at the
network layer, without any client configuration being required. This makes
transparent proxying ideal for those situations where you can't change client
behaviour - proxy-oblivious Android applications being a common example.

To set up transparent proxying, we need two new components. The first is a
redirection mechanism that transparently reroutes a TCP connection destined for
a server on the Internet to a listening proxy server. This usually takes the
form of a firewall on the same host as the proxy server - iptables_ on Linux
or pf_ on OSX. When the proxy receives a redirected connection, it sees a vanilla
HTTP request, without a host specification. This is where the second new component
comes in - a host module that allows us to query the redirector for the original
destination of the TCP connection.

At the moment, mitmproxy supports transparent proxying on OSX Lion and above,
and all current flavors of Linux.

Fully transparent mode
======================

By default mitmproxy will use its own local ip address for its server-side connections.
In case this isn't desired, the --spoof-source-address argument can be used to
use the client's ip address for server-side connections. The following config is
required for this mode to work:

    CLIENT_NET=192.168.1.0/24
    TABLE_ID=100
    MARK=1

    echo "$TABLE_ID     mitmproxy" >> /etc/iproute2/rt_tables
    iptables -t mangle -A PREROUTING -d $CLIENT_NET -j MARK --set-mark $MARK
    iptables -t nat -A PREROUTING -p tcp -s $CLIENT_NET --match multiport --dports 80,443 -j REDIRECT --to-port 8080

    ip rule add fwmark $MARK lookup $TABLE_ID
    ip route add local $CLIENT_NET dev lo table $TABLE_ID

This mode does require root privileges though. There's a wrapper in the examples directory
called 'mitmproxy_shim.c', which will enable you to use this mode with dropped priviliges.
It can be used as follows:

    gcc examples/mitmproxy_shim.c -o mitmproxy_shim -lcap
    sudo chown root:root mitmproxy_shim
    sudo chmod u+s mitmproxy_shim
    ./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address

.. _iptables: http://www.netfilter.org/
.. _pf: https://en.wikipedia.org/wiki/PF_\(firewall\)