mirror of
https://github.com/mitmproxy/mitmproxy.git
synced 2024-11-24 13:49:40 +00:00
certificate docs: reorg, wording, tweaks
This commit is contained in:
parent
b098556e60
commit
a9f6d53562
@ -1,6 +1,7 @@
|
||||
<ul class="nav nav-list">
|
||||
$!nav(idxpath, this, state)!$
|
||||
$!nav("install.html", this, state)!$
|
||||
$!nav("certinstall.html", this, state)!$
|
||||
$!nav("howmitmproxy.html", this, state)!$
|
||||
$!nav("modes.html", this, state)!$
|
||||
|
||||
@ -28,15 +29,12 @@
|
||||
$!nav("upstreamcerts.html", this, state)!$
|
||||
|
||||
|
||||
<li class="nav-header">Installing Certificates</li>
|
||||
$!nav("certinstall/ssl.html", this, state)!$
|
||||
|
||||
<li class="nav-header">Transparent Proxying</li>
|
||||
$!nav("transparent.html", this, state)!$
|
||||
$!nav("transparent/linux.html", this, state)!$
|
||||
$!nav("transparent/osx.html", this, state)!$
|
||||
|
||||
<li class="nav-header">Scripting mitmproxy</li>
|
||||
<li class="nav-header">Scripting</li>
|
||||
$!nav("scripting/inlinescripts.html", this, state)!$
|
||||
$!nav("scripting/libmproxy.html", this, state)!$
|
||||
|
||||
|
Before Width: | Height: | Size: 60 KiB After Width: | Height: | Size: 60 KiB |
@ -11,22 +11,31 @@
|
||||
|
||||
## <a id="docIntro"></a>Introduction
|
||||
|
||||
SSL traffic poses a potential problem when using mitmproxy, as it is encrypted, it is opaque to inspection. In order to be able to decrypt the traffic, you must use a certificate that the client, whose traffic you are intercepting, trusts. This document outlines the different options you have for either using the certificate that mitmproxy generates or using your own.
|
||||
Mitmproxy can decrypt encrypted traffic on the fly, as long as the client
|
||||
trusts its built-in certificate authority. Usually this means that the
|
||||
mitmproxy CA certificates have to be installed on the client device.
|
||||
|
||||
## <a id="docQuick"></a>Quick Setup
|
||||
|
||||
By far the easiest way to install the mitmproxy certificates is to use the built-in web app. To do this, start mitmproxy and configure your target device with the correct proxy settings. Now start a browser on the device, and visit the domain **mitm.it**.
|
||||
You should see something like this:
|
||||
By far the easiest way to install the mitmproxy certificates is to use the
|
||||
built-in certificate installation app. To do this, just start mitmproxy and
|
||||
configure your target device with the correct proxy settings. Now start a
|
||||
browser on the device, and visit the magic domain **mitm.it**. You should see
|
||||
something like this:
|
||||
|
||||
<img src="@!urlTo("webapp.png")!@"></img>
|
||||
<img src="@!urlTo("certinstall-webapp.png")!@"></img>
|
||||
|
||||
Just click on the relevant icon, and then follow the setup instructions for the platform you're on.
|
||||
Click on the relevant icon, and follow the setup instructions for the platform
|
||||
you're on, and you are good to go.
|
||||
|
||||
Certificates are installed via several different methods depending on the client. There are too many to go into in this document, consult the documentation for the client that you would to have trust the mitmproxy root certificate, for specific installation instructions.
|
||||
|
||||
## <a id="docManual"></a>Installing the mitmproxy CA certificate manually
|
||||
|
||||
Most of the time you can easily install mitmproxy's CA certificate through the webapp, and just follow the prompts. In a couple of situations, such as Java or the iOS Simulator, there aren't any obvious ways to install the CA certificate.
|
||||
Sometimes using the quick install app is not an option - Java or the IOS
|
||||
similator spring to mind - or you just need to do it manually for some other
|
||||
reason. Below is a list of pointers to manual certificate installation
|
||||
documentation for some common platforms:
|
||||
|
||||
<table class="table">
|
||||
<tr>
|
||||
<td><a href="https://github.com/ADVTOOLS/ADVTrustStore#how-to-use-advtruststore"</a>iOS Simulator</td>
|
||||
@ -53,12 +62,21 @@ Most of the time you can easily install mitmproxy's CA certificate through the w
|
||||
|
||||
## <a id="docMore"></a>More on mitmproxy certificates
|
||||
|
||||
The first time __mitmproxy__ or __mitmdump__ is run, the mitmproxy Certificate Authority(CA) is created in the config directory (~/.mitmproxy by default). This CA is used for on-the-fly generation of dummy certificates for each of the SSL sites that your client visits. Since your browser won't trust the __mitmproxy__ CA out of the box , you will see an SSL certificate warning every time you visit a new SSL domain through __mitmproxy__. When you are testing a single site through a browser, just accepting the bogus SSL cert manually is not too much trouble, but there are a many circumstances where you will want to configure your testing system or browser to trust the __mitmproxy__ CA as a signing root authority.
|
||||
The first time __mitmproxy__ or __mitmdump__ is run, the mitmproxy Certificate
|
||||
Authority(CA) is created in the config directory (~/.mitmproxy by default).
|
||||
This CA is used for on-the-fly generation of dummy certificates for each of the
|
||||
SSL sites that your client visits. Since your browser won't trust the
|
||||
__mitmproxy__ CA out of the box , you will see an SSL certificate warning every
|
||||
time you visit a new SSL domain through __mitmproxy__. When you are testing a
|
||||
single site through a browser, just accepting the bogus SSL cert manually is
|
||||
not too much trouble, but there are a many circumstances where you will want to
|
||||
configure your testing system or browser to trust the __mitmproxy__ CA as a
|
||||
signing root authority.
|
||||
|
||||
|
||||
## <a id="docCertfiles"></a>CA and cert files
|
||||
|
||||
The files created by mitmproxy in the .mitmproxy directory are as follows:
|
||||
The files created by mitmproxy in the .mitmproxy directory are as follows:
|
||||
|
||||
<table class="table">
|
||||
<tr>
|
||||
@ -80,13 +98,17 @@ The files created by mitmproxy in the .mitmproxy directory are as follows:
|
||||
devices.</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
## <a id="docCustom"></a>Using a custom certificate
|
||||
|
||||
You can use your own certificate by passing the <kbd>--cert</kbd> option to mitmproxy. mitmproxy then uses the provided certificate for interception of the specified domains instead of generating a certificate signed by its own CA.
|
||||
You can use your own certificate by passing the <kbd>--cert</kbd> option to
|
||||
mitmproxy. mitmproxy then uses the provided certificate for interception of the
|
||||
specified domains instead of generating a certificate signed by its own CA.
|
||||
|
||||
The certificate file is expected to be in the PEM format. You can include intermediary certificates right below your leaf certificate, so that you PEM file roughly looks like this:
|
||||
The certificate file is expected to be in the PEM format. You can include
|
||||
intermediary certificates right below your leaf certificate, so that you PEM
|
||||
file roughly looks like this:
|
||||
|
||||
<pre>
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
@ -112,10 +134,18 @@ $ mitmproxy --cert=cert.pem
|
||||
|
||||
## <a id="docClient"></a>Using a client side certificate
|
||||
|
||||
You can use a client certificate by passing the <kbd>--client-certs DIRECTORY</kbd> option to mitmproxy. If you visit example.org, mitmproxy looks for a file named example.org.pem in the specified directory and uses this as the client cert. The certificate file needs to be in the PEM format and should contain both the unencrypted private key as well as the certificate.
|
||||
You can use a client certificate by passing the <kbd>--client-certs
|
||||
DIRECTORY</kbd> option to mitmproxy. If you visit example.org, mitmproxy looks
|
||||
for a file named example.org.pem in the specified directory and uses this as
|
||||
the client cert. The certificate file needs to be in the PEM format and should
|
||||
contain both the unencrypted private key and the certificate.
|
||||
|
||||
|
||||
## <a id="docCA"></a>Using a custom certificate authority
|
||||
|
||||
By default, mitmproxy will (generate and) use <samp>~/.mitmproxy/mitmproxy-ca.pem</samp> as the default certificate authority to generate certificates for all domains for which no custom certificate is provided (see above). You can use your own certificate authority by passing the <kbd>--confdir</kbd> option to mitmproxy. mitmproxy will then look for <samp>mitmproxy-ca.pem</samp> in the specified directory. If no such file exists, it will be generated automatically.
|
||||
|
||||
By default, mitmproxy will use <samp>~/.mitmproxy/mitmproxy-ca.pem</samp> as
|
||||
the certificate authority to generate certificates for all domains for which no
|
||||
custom certificate is provided (see above). You can use your own certificate
|
||||
authority by passing the <kbd>--confdir</kbd> option to mitmproxy. Mitmproxy
|
||||
will then look for <samp>mitmproxy-ca.pem</samp> in the specified directory. If
|
||||
no such file exists, it will be generated automatically.
|
@ -1,6 +0,0 @@
|
||||
from countershape import Page
|
||||
|
||||
pages = [
|
||||
Page("ssl.html", "SSL Options"),
|
||||
Page("mitm.it-error.html", "Error: No proxy configured"),
|
||||
]
|
@ -1,5 +0,0 @@
|
||||
**Looks like you wanted to install the mitmproxy CA using the web app?**
|
||||
|
||||
Unfortunately, there's been no mitmproxy instance on the wire that could have intercepted your request.
|
||||
Please configure your client to use mitmproxy and try again.<br>
|
||||
The request to <a href="http://mitm.it/">http://mitm.it/</a> must go through your mitmproxy instance.
|
@ -84,7 +84,7 @@ attempts to MITM an SSL connection for analysis. Our answer to this conundrum
|
||||
is to become a trusted Certificate Authority ourselves. Mitmproxy includes a
|
||||
full CA implementation that generates interception certificates on the fly. To
|
||||
get the client to trust these certificates, we [register mitmproxy as a trusted
|
||||
CA with the device manually](@!urlTo("ssl.html")!@).
|
||||
CA with the device manually](@!urlTo("certinstall.html")!@).
|
||||
|
||||
## Complication 1: What's the remote hostname?
|
||||
|
||||
|
@ -60,6 +60,7 @@ ns.navbar = countershape.template.File(None, "_nav.html")
|
||||
pages = [
|
||||
Page("index.html", "Introduction"),
|
||||
Page("install.html", "Installation"),
|
||||
Page("certinstall.html", "About Certificates"),
|
||||
Page("howmitmproxy.html", "How mitmproxy works"),
|
||||
Page("modes.html", "Modes of Operation"),
|
||||
|
||||
@ -67,7 +68,6 @@ pages = [
|
||||
Page("mitmdump.html", "mitmdump"),
|
||||
Page("config.html", "configuration"),
|
||||
|
||||
Directory("certinstall"),
|
||||
Directory("scripting"),
|
||||
Directory("tutorials"),
|
||||
Page("transparent.html", "Overview"),
|
||||
|
@ -3,7 +3,7 @@ achieve transparent mode.
|
||||
|
||||
<ol class="tlist">
|
||||
|
||||
<li> <a href="@!urlTo('ssl.html')!@">Install the mitmproxy
|
||||
<li> <a href="@!urlTo('certinstall.html')!@">Install the mitmproxy
|
||||
certificates on the test device</a>. </li>
|
||||
|
||||
<li> Enable IP forwarding:
|
||||
@ -31,7 +31,7 @@ achieve transparent mode.
|
||||
|
||||
<pre class="terminal">iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
|
||||
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080</pre>
|
||||
|
||||
|
||||
</li>
|
||||
|
||||
<li> Fire up mitmproxy. You probably want a command like this:
|
||||
|
@ -7,7 +7,7 @@ OSX.
|
||||
|
||||
<ol class="tlist">
|
||||
|
||||
<li> <a href="@!urlTo('ssl.html')!@">Install the mitmproxy
|
||||
<li> <a href="@!urlTo('certinstall.html')!@">Install the mitmproxy
|
||||
certificates on the test device</a>. </li>
|
||||
|
||||
<li> Enable IP forwarding:
|
||||
@ -76,6 +76,3 @@ want to intercept your OSX traffic, you should use an external host to run
|
||||
mitmproxy. None the less, pf is flexible to cater for a range of creative
|
||||
possibilities, like intercepting traffic emanating from VMs. See the
|
||||
**pf.conf** man page for more.
|
||||
|
||||
|
||||
|
||||
|
@ -2,10 +2,9 @@
|
||||
## The setup
|
||||
|
||||
In this tutorial, I'm going to show you how simple it is to creatively
|
||||
interfere with Apple Game Center traffic using mitmproxy. To set things up,
|
||||
you must install the [mitmproxy root certificate](@!urlTo("certinstall/ssl.html")!@). I then
|
||||
started mitmproxy on my desktop, and configured the iPhone to use it as a
|
||||
proxy.
|
||||
interfere with Apple Game Center traffic using mitmproxy. To set things up,
|
||||
install the [mitmproxy root certificate](@!urlTo("certinstall.html")!@). Then
|
||||
start mitmproxy on your desktop, and confige the iPhone to use it as a proxy.
|
||||
|
||||
|
||||
## Taking a look at the Game Center traffic
|
||||
@ -13,7 +12,7 @@ proxy.
|
||||
Lets take a first look at the Game Center traffic. The game I'll use in this
|
||||
tutorial is [Super Mega
|
||||
Worm](http://itunes.apple.com/us/app/super-mega-worm/id388541990?mt=8) - a
|
||||
great little retro-apocalyptic sidescroller for the iPhone:
|
||||
great little retro-apocalyptic sidescroller for the iPhone:
|
||||
|
||||
<center>
|
||||
<img src="@!urlTo('tutorials/supermega.png')!@"/>
|
||||
@ -90,7 +89,7 @@ now fire up. Lets bump the score up to something a bit more ambitious:
|
||||
</plist>
|
||||
<!--(end)-->
|
||||
|
||||
Save the file and exit your editor.
|
||||
Save the file and exit your editor.
|
||||
|
||||
The final step is to replay this modified request. Simply press __r__ for
|
||||
replay.
|
||||
@ -102,7 +101,7 @@ replay.
|
||||
</center>
|
||||
|
||||
And that's it - according to the records, I am the greatest Super Mega Worm
|
||||
player of all time.
|
||||
player of all time.
|
||||
|
||||
There's a curious addendum to this tale. When I first wrote this tutorial, all
|
||||
the top competitors' scores were the same: 2,147,483,647 (this is no longer the
|
||||
@ -118,4 +117,3 @@ phone, then 2^31-1 might well be the maximum score you could get. Then again,
|
||||
if the game itself stores its score in a signed 32-bit int, you could get the
|
||||
same score through perfect play, effectively beating the game. So, which is it
|
||||
in this case? I'll leave that for you to decide.
|
||||
|
||||
|
@ -1,27 +1,27 @@
|
||||
This walkthrough illustrates how to set up transparent proxying with mitmproxy. We use VirtualBox VMs with an Ubuntu proxy machine in this example, but the general principle can be applied to other setups.
|
||||
|
||||
1. **Configure VirtualBox Network Adapters for the proxy machine**
|
||||
The network setup is simple: `internet <--> proxy vm <--> (virtual) internal network`.
|
||||
For the proxy machine, *eth0* represents the outgoing network. *eth1* is connected to the internal network that will be proxified, using a static ip (192.168.3.1).
|
||||
1. **Configure VirtualBox Network Adapters for the proxy machine**
|
||||
The network setup is simple: `internet <--> proxy vm <--> (virtual) internal network`.
|
||||
For the proxy machine, *eth0* represents the outgoing network. *eth1* is connected to the internal network that will be proxified, using a static ip (192.168.3.1).
|
||||
<hr>VirtualBox configuration:
|
||||
<img src="@!urlTo('tutorials/transparent-dhcp/step1_vbox_eth0.png')!@"/><br><br>
|
||||
<img src="@!urlTo('tutorials/transparent-dhcp/step1_vbox_eth1.png')!@"/>
|
||||
<img src="@!urlTo('tutorials/transparent-dhcp/step1_vbox_eth1.png')!@"/>
|
||||
<br>Proxy VM:
|
||||
<img src="@!urlTo('tutorials/transparent-dhcp/step1_proxy.png')!@"/>
|
||||
<img src="@!urlTo('tutorials/transparent-dhcp/step1_proxy.png')!@"/>
|
||||
<hr>
|
||||
2. **Configure DHCP and DNS**
|
||||
We use dnsmasq to provide DHCP and DNS in our internal network.
|
||||
Dnsmasq is a lightweight server designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale
|
||||
network.
|
||||
2. **Configure DHCP and DNS**
|
||||
We use dnsmasq to provide DHCP and DNS in our internal network.
|
||||
Dnsmasq is a lightweight server designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale
|
||||
network.
|
||||
|
||||
- Before we get to that, we need to fix some Ubuntu quirks:
|
||||
**Ubuntu >12.04** runs an internal dnsmasq instance (listening on loopback only) by default
|
||||
- Before we get to that, we need to fix some Ubuntu quirks:
|
||||
**Ubuntu >12.04** runs an internal dnsmasq instance (listening on loopback only) by default
|
||||
<a href="https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/">[1]</a>. For our use case, this needs to be
|
||||
disabled by changing <br>`dns=dnsmasq` to `#dns=dnsmasq` in */etc/NetworkManager/NetworkManager.conf*
|
||||
disabled by changing <br>`dns=dnsmasq` to `#dns=dnsmasq` in */etc/NetworkManager/NetworkManager.conf*
|
||||
and running `sudo restart network-manager` afterwards.
|
||||
- Now, dnsmasq can be be installed and configured:
|
||||
`sudo apt-get install dnsmasq`
|
||||
Replace */etc/dnsmasq.conf* with the following configuration:
|
||||
- Now, dnsmasq can be be installed and configured:
|
||||
`sudo apt-get install dnsmasq`
|
||||
Replace */etc/dnsmasq.conf* with the following configuration:
|
||||
<pre>\# Listen for DNS requests on the internal network
|
||||
interface=eth1
|
||||
\# Act as a DHCP server, assign IP addresses to clients
|
||||
@ -30,15 +30,15 @@ This walkthrough illustrates how to set up transparent proxying with mitmproxy.
|
||||
dhcp-option=option:router,192.168.3.1
|
||||
dhcp-option=option:dns-server,192.168.3.1
|
||||
</pre>
|
||||
Apply changes:
|
||||
Apply changes:
|
||||
`sudo service dnsmasq restart`
|
||||
<hr>
|
||||
Your proxied machine's network settings should now look similar to this:
|
||||
<img src="@!urlTo('tutorials/transparent-dhcp/step2_proxied_vm.png')!@"/>
|
||||
<hr>
|
||||
|
||||
3. **Set up traffic redirection to mitmproxy**
|
||||
To redirect traffic to mitmproxy, we need to add two iptables rules:
|
||||
3. **Set up traffic redirection to mitmproxy**
|
||||
To redirect traffic to mitmproxy, we need to add two iptables rules:
|
||||
<pre class="terminal">
|
||||
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
|
||||
-j REDIRECT --to-port 8080
|
||||
@ -46,9 +46,8 @@ This walkthrough illustrates how to set up transparent proxying with mitmproxy.
|
||||
-j REDIRECT --to-port 8080
|
||||
</pre>
|
||||
|
||||
4. If required, <a href="@!urlTo('ssl.html')!@">install the mitmproxy
|
||||
4. If required, <a href="@!urlTo('certinstall.html')!@">install the mitmproxy
|
||||
certificates on the test device</a>.
|
||||
|
||||
5. Finally, we can run <code>mitmproxy -T</code>.
|
||||
5. Finally, we can run <code>mitmproxy -T</code>.
|
||||
The proxied machine cannot to leak any data outside of HTTP or DNS requests.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user