diff options
Diffstat (limited to 'doc-src/transparent/osx.html')
| -rw-r--r-- | doc-src/transparent/osx.html | 81 |
1 files changed, 0 insertions, 81 deletions
diff --git a/doc-src/transparent/osx.html b/doc-src/transparent/osx.html deleted file mode 100644 index c1ae823d..00000000 --- a/doc-src/transparent/osx.html +++ /dev/null @@ -1,81 +0,0 @@ - - -OSX Lion integrated the [pf](http://www.openbsd.org/faq/pf/) packet filter from -the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX. -Note that this means we don't support transparent mode for earlier versions of -OSX. - -<ol class="tlist"> - - <li> <a href="@!urlTo('ssl.html')!@">Install the mitmproxy - certificates on the test device</a>. </li> - - <li> Enable IP forwarding: - - <pre class="terminal">sudo sysctl -w net.inet.ip.forwarding=1</pre> - </li> - - <li> Place the following two lines in a file called, say, <b>pf.conf</b>: - -<pre class="terminal">rdr on en2 inet proto tcp to any port 80 -> 127.0.0.1 port 8080 -rdr on en2 inet proto tcp to any port 443 -> 127.0.0.1 port 8080 -</pre> - - These rules tell pf to redirect all traffic destined for port 80 or 443 - to the local mitmproxy instance running on port 8080. You should - replace <b>en2</b> with the interface on which your test device will - appear. - - </li> - - <li> Configure pf with the rules: - - <pre class="terminal">sudo pfctl -f pf.conf</pre> - - </li> - - <li> And now enable it: - - <pre class="terminal">sudo pfctl -e</pre> - - </li> - - <li> Configure sudoers to allow mitmproxy to access pfctl. Edit the file - <b>/etc/sudoers</b> on your system as root. Add the following line to the end - of the file: - - <pre>ALL ALL=NOPASSWD: /sbin/pfctl -s state</pre> - - Note that this allows any user on the system to run the command - "/sbin/pfctl -s state" as root without a password. This only allows - inspection of the state table, so should not be an undue security risk. If - you're special feel free to tighten the restriction up to the user running - mitmproxy.</li> - - <li> Fire up mitmproxy. You probably want a command like this: - - <pre class="terminal">mitmproxy -T --host</pre> - - The <b>-T</b> flag turns on transparent mode, and the <b>--host</b> - argument tells mitmproxy to use the value of the Host header for URL - display. - - </li> - - <li> Finally, configure your test device to use the host on which mitmproxy is - running as the default gateway.</li> - - -</ol> - -Note that the **rdr** rules in the pf.conf given above only apply to inbound -traffic. This means that they will NOT redirect traffic coming from the box -running pf itself. We can't distinguish between an outbound connection from a -non-mitmproxy app, and an outbound connection from mitmproxy itself - if you -want to intercept your OSX traffic, you should use an external host to run -mitmproxy. None the less, pf is flexible to cater for a range of creative -possibilities, like intercepting traffic emanating from VMs. See the -**pf.conf** man page for more. - - - |