diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/certinstall.rst | 5 | ||||
| -rw-r--r-- | docs/howmitmproxy.rst | 8 | ||||
| -rw-r--r-- | docs/install.rst | 6 | ||||
| -rw-r--r-- | docs/scripting/overview.rst | 24 |
4 files changed, 18 insertions, 25 deletions
diff --git a/docs/certinstall.rst b/docs/certinstall.rst index 1bd6df99..2594c439 100644 --- a/docs/certinstall.rst +++ b/docs/certinstall.rst @@ -24,6 +24,9 @@ something like this: Click on the relevant icon, follow the setup instructions for the platform you're on and you are good to go. +For iOS version 10.3 or up, you need to make sure ``mitmproxy`` is enabled in +``Certificate Trust Settings``, you can check it by going to +``Settings > General > About > Certificate Trust Settings``. Installing the mitmproxy CA certificate manually ------------------------------------------------ @@ -132,7 +135,7 @@ mitmproxy-ca-cert.cer Same file as .pem, but with an extension expected by some Using a custom certificate -------------------------- -You can use your own certificate by passing the ``--cert [domain=]path_to_certificate`` option to +You can use your own (leaf) certificate by passing the ``--cert [domain=]path_to_certificate`` option to mitmproxy. Mitmproxy then uses the provided certificate for interception of the specified domain instead of generating a certificate signed by its own CA. diff --git a/docs/howmitmproxy.rst b/docs/howmitmproxy.rst index 133863e3..4f3c804e 100644 --- a/docs/howmitmproxy.rst +++ b/docs/howmitmproxy.rst @@ -43,7 +43,7 @@ client connects to the proxy and makes a request that looks like this: CONNECT example.com:443 HTTP/1.1 -A conventional proxy can neither view nor manipulate an TLS-encrypted data +A conventional proxy can neither view nor manipulate a TLS-encrypted data stream, so a CONNECT request simply asks the proxy to open a pipe between the client and server. The proxy here is just a facilitator - it blindly forwards data in both directions without knowing anything about the contents. The @@ -63,7 +63,7 @@ exactly this attack, by allowing a trusted third-party to cryptographically sign a server's certificates to verify that they are legit. If this signature doesn't match or is from a non-trusted party, a secure client will simply drop the connection and refuse to proceed. Despite the many shortcomings of the CA system -as it exists today, this is usually fatal to attempts to MITM an TLS connection +as it exists today, this is usually fatal to attempts to MITM a TLS connection for analysis. Our answer to this conundrum is to become a trusted Certificate Authority ourselves. Mitmproxy includes a full CA implementation that generates interception certificates on the fly. To get the client to trust these @@ -143,7 +143,7 @@ Lets put all of this together into the complete explicitly proxied HTTPS flow. 2. Mitmproxy responds with a ``200 Connection Established``, as if it has set up the CONNECT pipe. 3. The client believes it's talking to the remote server, and initiates the TLS connection. It uses SNI to indicate the hostname it is connecting to. -4. Mitmproxy connects to the server, and establishes an TLS connection using the SNI hostname +4. Mitmproxy connects to the server, and establishes a TLS connection using the SNI hostname indicated by the client. 5. The server responds with the matching certificate, which contains the CN and SAN values needed to generate the interception certificate. @@ -217,7 +217,7 @@ explicit HTTPS connections to establish the CN and SANs, and cope with SNI. destination was. 3. The client believes it's talking to the remote server, and initiates the TLS connection. It uses SNI to indicate the hostname it is connecting to. -4. Mitmproxy connects to the server, and establishes an TLS connection using the SNI hostname +4. Mitmproxy connects to the server, and establishes a TLS connection using the SNI hostname indicated by the client. 5. The server responds with the matching certificate, which contains the CN and SAN values needed to generate the interception certificate. diff --git a/docs/install.rst b/docs/install.rst index b37d9c91..7753dc44 100644 --- a/docs/install.rst +++ b/docs/install.rst @@ -123,12 +123,12 @@ You can check you Python version by running ``python3 --version``. sudo zypper install python3-pip python3-devel libffi-devel openssl-devel gcc-c++ sudo pip3 install mitmproxy - + .. _install-source-windows: -🐱💻 Installation from Source on Windows -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Installation from Source on Windows +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. note:: Mitmproxy's console interface is not supported on Windows, but you can use diff --git a/docs/scripting/overview.rst b/docs/scripting/overview.rst index 6ec0caaa..5ceb5da3 100644 --- a/docs/scripting/overview.rst +++ b/docs/scripting/overview.rst @@ -29,6 +29,12 @@ will be added to all responses passing through the proxy: >>> mitmdump -s add_header.py +Examples +-------- + +A collection of addons that demonstrate popular features can be found at :src:`examples/simple`. + + Using classes ------------- @@ -54,24 +60,8 @@ and is replaced by the class instance. Handling arguments ------------------ -Scripts can handle their own command-line arguments, just like any other Python -program. Let's build on the example above to do something slightly more -sophisticated - replace one value with another in all responses. Mitmproxy's -`HTTPRequest <api.html#mitmproxy.models.http.HTTPRequest>`_ and `HTTPResponse -<api.html#mitmproxy.models.http.HTTPResponse>`_ objects have a handy `replace -<api.html#mitmproxy.models.http.HTTPResponse.replace>`_ method that takes care -of all the details for us. - -.. literalinclude:: ../../examples/simple/script_arguments.py - :caption: :src:`examples/simple/script_arguments.py` - :language: python - -We can now call this script on the command-line like this: - ->>> mitmdump -dd -s "./script_arguments.py html faketml" -Whenever a handler is called, mitpmroxy rewrites the script environment so that -it sees its own arguments as if it was invoked from the command-line. +FIXME Logging and the context |