https.proxy/http.proxy whitelist urls

[pokevas]

I think it would not be bad to do in http.proxy / https.proxy a white list of domains/ips that can only be proxied.

[pokevas]

We can just filter the domains at the JS level (onLoad / onResponse), but ideally it would be at a higher level, so that even the connection will not proxied if the url is not in the whitelist.
I think it is not difficult task.
If HTTP request parse header, if HTTPS - parse SNI. After that check hostname, if dismatch whitelist - don't proxy, reset the request.

[buffermet]

I think we will also need a https.proxy.blacklist variable with default value * so users can choose to proxy (for example) one domain, or all but one domains.

[pokevas]

I think we will also need a https.proxy.blacklist variable with default value * so users can choose to proxy (for example) one domain, or all but one domains.

Yes, ideally, it would be functional to make it possible to proxy both one site and several from the list. Other sites block, for example

[evilsocket]

why not simply filtering it at the javascript level with a proxy plugin?

[pokevas]

filtering at the Go level will load the system less, as well as how to abort the connection/request at the JS module level?

[evilsocket]

abort the connection? you can't, neither at the go level or js ... once it reached the proxy, you can only forward it (via the proxy) without modifying it ... the overhead in doing that from a plugin is minimal, i'm not very inclined to implement new features that can be more easily (and elegantly) implemented at the module level ...

[pokevas]

then how can you reduce the load on bettercap? because a bunch of domains are proxied, but only a few are needed. Since we can only forward requests, how to remove unnecessary domains and reduce the load in this way?

[evilsocket]

actually i now think you do have a point ... and yeah, there's a place where i can put this in the code ... working on it! 👍

[pokevas]

Thanks you. Wait for this.
It would not hurt not only to filter unnecessary domains, but also thus reduce the load on the entire bettercap.

[evilsocket]

yes, i'm adding both a blacklist and whitelist new parameters

[evilsocket]

done! now, say you only want to intercept cnn.com, you can:

set http.proxy.blacklist *
set http.proxy.whitelist *cnn.com
http.proxy on

[pokevas]

Looked at the implementation. Did I understand correctly: because we cannot break the connection, but we can only redirect it, then in the current implementation of the white and black lists you did not block the domains, but simply decide whether to skip the request through js proxy module or not. I understood correctly?
Thanks.

[evilsocket]

Not just the js proxy module but the proxy all together, the request is only going to be "piped" from the proxy ... if you instead need a more selective approach, at the iptables level, you can use the any.proxy module to perform per-ip redirection to the http.proxy.