Add back Man in the Middle Support #79
Comments
What was the main reason for it being removed? Did it not work appropriately?
This would be tremendously useful to me. I have a library called Betamax that is for unit testing components that make HTTP connections. I'm in the process of porting it from running on Jetty to Netty. LittleProxy looks like it could save me an awful lot of effort as I wouldn't have to implement my own proxy just my own implementation of My existing Jetty-based implementation can do MITM on HTTPS connections (via self-signed cert so doesn't work with clients that validate the cert chain). I think this issue would be the only blocker to me achieving feature parity using LittleProxy.
@codersbrew The internals of LittleProxy have changed a fair amount and we decided to stabilize and release without MITM in the interest of time. Getting back at least the rudimentary MITM should in theory not be too hard, as the proxy server already has TLS support for proxy chaining purposes. @robfletcher Betamax looks really cool!
I've added back MITM and it's available on the mitm branch. I anticipate that it'll be included in the next release There's a new interface, I've structured
Thanks @oxtoacart. I may have a need for dynamically generated client certs, so if I get something working I'll push it back to the branch.
That's awesome. I'll try to give it a try over the next couple of days. I have Betamax running using LittleProxy for HTTP traffic already.
@robfletcher Glad to hear you've got it running already
@oxtoacart the callbacks in HttpFilters give me exactly what I need. I don't have everything perfect but it's a good enough proof-of-concept that if HTTPS works too I'll definitely port everything over to LittleProxy
@codersbrew I'm looking forward to your pull request :) Here's a project that does impersonation but with blocking sockets: http://crypto.stanford.edu/ssl-mitm/ That may give you some good ideas. For unit testing, I highly recommend extending
Hmm am I doing something wrong.. I started up a basic MITM proxy server and then proceeded to use Firefox or what have you to browse https websites and get the following error:
@codersbrew Sorry about that. It looked good in unit test land but not the real world. Problem was that it didn't trust the server. If you pull the latest from that branch, it should work for you now.
A few things I've found whilst trying to use this for Betamax:
Is this behavior what you'd expect? P.S. I don't mean to hijack this issue – happy to move this discussion elsewhere if it would be more appropriate.
@robfletcher thanks for taking a look and for the detailed feedback.
If I'm reading your test right there it looks like you're just testing if the request goes via
Each of these steps is happening multiple times as the chunked content goes through (which I'm handling). But the tunnelled response never goes through Maybe that's correct. If so I will need to come up with a way to reconcile the tunnelled request against the CONNECT response which may be tricky as it's not the same filter instance.
Ahh, I see the problem. There is no CONNECT response from the server. The CONNECT terminates at the proxy, which responds to the client with a 200. The HttpResponse that we see in responsePre and responsePost is in fact to the GET request. Unfortunately, the filters instance is still the one from the original CONNECT. I'll take a look.
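The behaviour described in the comment above, as an added example that is not LittleProxy's code or the fix made for this issue: a per-connection correlator in plain Java that answers CONNECT itself and pairs each tunnelled request with the response that follows it. The class `TunnelCorrelator`, its method names and the sample traffic are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;

// Added illustration; class and method names are hypothetical, not LittleProxy API.
public class TunnelCorrelator {
    private final Deque<String> pending = new ArrayDeque<>(); // tunnelled requests awaiting a response
    private final List<String> exchanges = new ArrayList<>();
    private String tunnelTarget; // host:port taken from CONNECT, null for plain HTTP

    // Called for every request line the proxy reads from the client.
    // Returns the status line the proxy itself sends, or null when the request is forwarded.
    public String onClientRequest(String requestLine) {
        String[] parts = requestLine.split(" ");
        if (parts.length < 2) throw new IllegalArgumentException("malformed request line: " + requestLine);
        if (parts[0].equals("CONNECT")) {
            tunnelTarget = parts[1]; // remember where the tunnel goes
            return "HTTP/1.1 200 Connection established"; // answered by the proxy, never by the origin
        }
        // Inside a tunnel the request line carries only a path, so rebuild the full URL.
        String url = tunnelTarget == null ? parts[1] : "https://" + tunnelTarget + parts[1];
        pending.addLast(parts[0] + " " + url);
        return null;
    }

    // Called for every response status line read from the origin server.
    public void onServerResponse(String statusLine) {
        String request = pending.pollFirst(); // HTTP/1.1 responses arrive in request order
        if (request == null) throw new IllegalStateException("response with no pending request: " + statusLine);
        exchanges.add(request + " -> " + statusLine);
    }

    public List<String> exchanges() { return exchanges; }

    public static void main(String[] args) {
        TunnelCorrelator c = new TunnelCorrelator();
        // Constructed sample traffic for one client connection.
        System.out.println("proxy replies: " + c.onClientRequest("CONNECT example.test:443 HTTP/1.1"));
        c.onClientRequest("GET /a HTTP/1.1");
        c.onServerResponse("HTTP/1.1 200 OK");
        c.onClientRequest("GET /b HTTP/1.1");
        c.onServerResponse("HTTP/1.1 404 Not Found");
        c.exchanges().forEach(System.out::println);
    }
}
```

Because the CONNECT never enters the pending queue, the first origin response is matched to `GET /a` rather than to the CONNECT.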
Yes, that makes sense. For my purposes I really need to be able to tie the request to the response. I want to just ignore the CONNECT and deal with the tunneled request. On Tue, Sep 24, 2013 at 5:19 PM, oxtoacart notifications@github.com
@robfletcher Okay, fixed under #93. Thanks for finding this!
@oxtoacart This is working really well for me now. Thanks for all your hard work getting this all working.
@robfletcher Really glad to hear that it's working for you now! Let us know when you've completed the switch to LittleProxy and we'll happily announce it. I need to get some sort of list of "projects that use LittleProxy" going.
Support for man in the middle (MITM) on https connections was lost as part of the 1.0 refactor. We should add this back in.
There are two levels to which we can take it: