From aca3456fee699c88647619e938395a8bd2aa4371 Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Tue, 3 Aug 2021 16:31:57 +0200 Subject: [PATCH] docs: update ignore domains tutorial --- docs/src/content/howto-ignoredomains.md | 50 ++++++++++--------------- mitmproxy/proxy/server.py | 2 +- 2 files changed, 21 insertions(+), 31 deletions(-) diff --git a/docs/src/content/howto-ignoredomains.md b/docs/src/content/howto-ignoredomains.md index c953a2e32..bcdff4f07 100644 --- a/docs/src/content/howto-ignoredomains.md +++ b/docs/src/content/howto-ignoredomains.md @@ -44,7 +44,7 @@ There are two important quirks to consider: information before the SSL handshake. If the client uses SNI however, then we treat the SNI host as an ignore target. - **In regular and upstream proxy mode, explicit HTTP requests are never - ignored.**\[1\] The ignore pattern is applied on CONNECT requests, which + ignored.**[^1] The ignore pattern is applied on CONNECT requests, which initiate HTTPS or clear-text WebSocket connections. ## Tutorial 
@@ -52,21 +52,23 @@ There are two important quirks to consider: If you just want to ignore one specific domain, there's usually a bulletproof method to do so: -1. Run mitmproxy or mitmdump in verbose mode (`-v`) and observe the `host:port` - information in the serverconnect messages. mitmproxy will filter on these. +1. Run mitmproxy or mitmdump and observe the `host:port` + information following the `server connect` messages in the event log. + mitmproxy will filter on these. 2. Take the `host:port` string, surround it with ^ and $, escape all dots (. becomes \\.) and use this as your ignore pattern: ``` ->>> mitmdump -v -127.0.0.1:50588: clientconnect -127.0.0.1:50588: request - -> CONNECT example.com:443 HTTP/1.1 -127.0.0.1:50588: Set new server address: example.com:443 -127.0.0.1:50588: serverconnect - -> example.com:443 +>>> mitmdump +Proxy server listening at http://*:8080 +127.0.0.1:57089: client connect +127.0.0.1:57089: server connect example.com:443 (93.184.216.34:443) +127.0.0.1:57089: GET https://example.com/ HTTP/2.0 + << HTTP/2.0 200 OK 1.23k +127.0.0.1:57089: client disconnect +127.0.0.1:57089: server disconnect example.com:443 (93.184.216.34:443) ^C ->>> mitmproxy --ignore-hosts ^example\.com:443$ +>>> mitmproxy --ignore-hosts '^example\.com:443$' ``` Here are some other examples for ignore patterns: 
@@ -86,23 +88,11 @@ Here are some other examples for ignore patterns: --ignore-hosts 17\.178\.\d+\.\d+:443 ``` -This option can also be used to only allow some specific domains through negative lookahead expressions. However, ignore -patterns are always matched against the IP address of the target before being matched against its domain name. Thus, the -pattern must allow any IP addresses using an expression like `^(?![0-9\.]+:)` in order for this to work. -Here are examples of such patterns: +If you want to capture some specific domains only, you can use the `--allow-hosts` option, which makes mitmproxy +ignore all other traffic. -``` -# Ignore everything but example.com and mitmproxy.org (not subdomains): ---ignore-hosts '^(?![0-9\.]+:)(?!example\.com:)(?!mitmproxy\.org:)' - -# Ignore everything but example.com and its subdomains: ---ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.com:)' -``` - -**Footnotes** - -1. This stems from an limitation of explicit HTTP proxying: A single connection - can be re-used for multiple target domains - a `GET http://example.com/` - request may be followed by a `GET http://evil.com/` request on the same - connection. If we start to ignore the connection after the first request, we - would miss the relevant second one. +[^1]: This stems from an limitation of explicit HTTP proxying: A single connection + can be re-used for multiple target domains - a `GET http://example.com/` + request may be followed by a `GET http://evil.com/` request on the same + connection. If we start to ignore the connection after the first request, we + would miss the relevant second one. diff --git a/mitmproxy/proxy/server.py b/mitmproxy/proxy/server.py index 18a421e87..cb434f650 100644 --- a/mitmproxy/proxy/server.py +++ b/mitmproxy/proxy/server.py 
@@ -173,7 +173,7 @@ class ConnectionHandler(metaclass=abc.ABCMeta): assert command.connection.peername if command.connection.address[0] != command.connection.peername[0]: - addr = f"{command.connection.address[0]} ({human.format_address(command.connection.peername)})" + addr = f"{human.format_address(command.connection.address)} ({human.format_address(command.connection.peername)})" else: addr = human.format_address(command.connection.address) self.log(f"server connect {addr}")
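Review bot: Both branches of the `if`/`else` now start from `human.format_address(command.connection.address)`, so the duplication can be removed by assigning `addr = human.format_address(command.connection.address)` once and appending `f" ({human.format_address(command.connection.peername)})"` only when `address[0] != peername[0]`. That also breaks up the new f-string line, which is well over 100 characters. The tutorial updated in this same commit tells users to copy `host:port` from this `server connect` line into `--ignore-hosts`, so a wrong or drifting format here leads to patterns that silently fail to match. A comment such as `# host:port is what users copy into --ignore-hosts patterns (see howto-ignoredomains.md); keep this format stable` would record that coupling. The enclosing method starts and ends outside the hunk, so this covers only the visible lines.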