author | Aldo Cortesi <aldo@corte.si> | 2018-02-22 20:48:17 +1300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-22 20:48:17 +1300 |
commit | 443409e32bcc28a7f0475d7af42efff03473b72f (patch) | |
tree | 9d749a57929a950f0e177a9bf4d6cd7d9a88c16b /docs/transparent.rst | |
parent | 1cacefa104626e4e0df5ffb2aa8b0c6f16b615b2 (diff) | |
parent | 982508d30f887b4fe8b2a855792ae1e33f378222 (diff) | |
Merge pull request #2890 from mitmproxy/newdocs
All new documentation
Diffstat (limited to 'docs/transparent.rst')
-rw-r--r-- | docs/transparent.rst | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/docs/transparent.rst b/docs/transparent.rst deleted file mode 100644 index 889079af..00000000 --- a/docs/transparent.rst +++ /dev/null 
@@ -1,53 +0,0 @@ -.. _transparent: - -==================== -Transparent Proxying -==================== - -When a transparent proxy is used, traffic is redirected into a proxy at the -network layer, without any client configuration being required. This makes -transparent proxying ideal for those situations where you can't change client -behaviour - proxy-oblivious Android applications being a common example. - -To set up transparent proxying, we need two new components. The first is a -redirection mechanism that transparently reroutes a TCP connection destined for -a server on the Internet to a listening proxy server. This usually takes the -form of a firewall on the same host as the proxy server - iptables_ on Linux -or pf_ on OSX. When the proxy receives a redirected connection, it sees a vanilla -HTTP request, without a host specification. This is where the second new component -comes in - a host module that allows us to query the redirector for the original -destination of the TCP connection. - -At the moment, mitmproxy supports transparent proxying on OSX Lion and above, -and all current flavors of Linux. - -Fully transparent mode -====================== - -By default mitmproxy will use its own local ip address for its server-side connections. -In case this isn't desired, the --spoof-source-address argument can be used to -use the client's ip address for server-side connections. The following config is -required for this mode to work:: - - CLIENT_NET=192.168.1.0/24 - TABLE_ID=100 - MARK=1 - - echo "$TABLE_ID mitmproxy" >> /etc/iproute2/rt_tables - iptables -t mangle -A PREROUTING -d $CLIENT_NET -j MARK --set-mark $MARK - iptables -t nat -A PREROUTING -p tcp -s $CLIENT_NET --match multiport --dports 80,443 -j REDIRECT --to-port 8080 - - ip rule add fwmark $MARK lookup $TABLE_ID - ip route add local $CLIENT_NET dev lo table $TABLE_ID - -This mode does require root privileges though. 
There's a wrapper in the examples directory -called 'mitmproxy_shim.c', which will enable you to use this mode with dropped priviliges. -It can be used as follows:: - - gcc examples/complex/full_transparency_shim.c -o mitmproxy_shim -lcap - sudo chown root:root mitmproxy_shim - sudo chmod u+s mitmproxy_shim - ./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address - -.. _iptables: http://www.netfilter.org/ -.. _pf: https://en.wikipedia.org/wiki/PF_\(firewall\) |
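Review bot: The "Fully transparent mode" section removed at the end of this hunk holds the complete --spoof-source-address setup (the rt_tables entry, the MARK rule in mangle PREROUTING, the REDIRECT to port 8080, and the ip rule / ip route pair). This view is limited to docs/transparent.rst, so it does not show where that content lands; confirm the new docs carry it over before the file is dropped. When porting the shim paragraph, fix two things: the text calls the wrapper 'mitmproxy_shim.c' while the gcc line compiles examples/complex/full_transparency_shim.c, and "priviliges" is misspelled. The shim steps also produce a setuid-root binary (chown root:root, chmod u+s) that takes the program to run as its first argument, with nothing said about who may execute it, so the replacement text should tell readers to limit execute permission on mitmproxy_shim to a dedicated group.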