Use mitmproxy behind reverse proxy

[DUOLabs333]

Problem Description

I currently have mitmproxy running on port 2010. However, I want to also be able to access under a host name, like mitmproxy.test

Proposal

Access mitmproxy from https://$DOMAIN.$TLD

Alternatives

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context or screenshots about the proposal here.

[CypherpunkSamurai]

Hello Sir, I had a few questions regarding this issue if you don't mind.

• Are you asking if mitmproxy supports capturing traffic pointed to it from a device? or are you asking if the mitmproxy web interface is available from a reverse proxy
• Sir if it's the second case and you're trying to access the mitmproxy web interface, is it that mitmproxy should have a reverse proxy, or are we trying to configure a reverse proxy to use the mitmproxy web interface here?

[DUOLabs333]

So basically I want to be able to have nginx redirect requests for https://mitm.proxy to https://127.0.0.1:$PORT, where mitmproxy is, decrypting traffic

[CypherpunkSamurai]

So basically I want to be able to have Nginx redirect requests for https://mitm.proxy to https://127.0.0.1:$PORT, decrypting traffic

Ok Sir, So the first case. I did a quick lookup in the docs and found #reverse-proxy feature documentation. Does this meet your needs or is it that we are trying to use Nginx specifically?

[DUOLabs333]

Doesn't this mean that mitmproxy acts as a reverse proxy to some already existing site?

[CypherpunkSamurai]

Oh, Yes apparently. My bad.

I think I just understood what you're trying to achieve. You want all requests to mitm.proxy get logged as mitmproxy data, right?

You can achieve so using a simple hostfile addition / iptables rule so that mitm.proxy points to localhost. I don't think this would require a reverse proxy unless you're planning on deploying mitmproxy to a remote server (are we?)

[DUOLabs333]

No, the problem is, that mitmproxy is not running on port 80/443, but on 2222, so basically, I want to use mitmproxy in a virtual hosts, funneling data from port 80 to 2222 if the host name matches mitm.proxy.

[CypherpunkSamurai]

Ok. Please try if the below configuration works for you.

server {
    listen 80 ssl http2;

    server_name mitm.proxy;
    # un-comment if using port 443 / SSL
    # also place certificates in target location
    #ssl_certificate /etc/nginx/mitm/certchain.pem;
    #ssl_certificate_key /etc/nginx/mitm/mycert.private.pem;

    location / {
        # SSL use case
        #proxy_pass https://localhost:2222;
        proxy_pass http://localhost:2222;
    }
}

This configuration runs nginx on port 80 with SSL and HTTP2 support (optional). We then proxy all requests (all locations /), to http(s)://localhost:2222.

[DUOLabs333]

This is exactly what I have, and it doesn't work.

[DUOLabs333]

For example, using https://127.0.0.1.nip.io:2222, fails as well.

[DUOLabs333]

Ah, figured it out: mitmproxy does not allow you to access it from anything other than 127.0.0.1 and localhost. This is the same with mitmweb.

[CypherpunkSamurai]

Ah, figured it out: mitmproxy does not allow you to access it from anything other than 127.0.0.1 and localhost. This is the same with mitmweb.

Oh!, Great to hear that It's solved 😆. I think one of the reasons could be that SSL certs are made for 127.0.0.1 and not localhost.

You may now close the issue when you feel. Happy to help :)

[DUOLabs333]

Of course, this is a problem for me: I guess one way would be to basically move my virtual hosts to nginx away from sniproxy. Just one question, for map $var1 $var2, which var is depending on which var?

[CypherpunkSamurai]

map $var1 $var2

For nginx map documentaion explains this well, its basically map source destination_variable. You may also refer to this Digital Ocean guide or this BlueGrid guide.

Hope this helps 😄

[DUOLabs333]

Perfect, just one last question: if I specify proxy.*, going to proxy.test does not work. It's only when I specify proxy.test does it work.

[CypherpunkSamurai]

Perfect, just one last question: if I specify proxy.*, going to proxy.test does not work. It's only when I specify proxy.test does it work.

Do you intend to use proxy.* regex as a domain match?

[DUOLabs333]

No, just a wildcard, matching proxy.* to proxy.com, proxy.test, etc.

[CypherpunkSamurai]

Ok, this should normally work on nginx. I'd need to have a look. could you please send me your nginx config please?

[DUOLabs333]

worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        /dev/null;

daemon off;

events {
    worker_connections  1024;
}


http {

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    map $http_host $service_port {
        default localhost;

        whoogle.* 2001;
        
        adguard.* 2002;

        bitwarden.* 2003;
        
        thea.* 2004;

        files.* 2005;

        photopea.* 2006;

        desmos.* 2007;

        youtube.* 2008;

        bookmarks.* 2009;

        shell.* 2010;

        proxy.history.* 2011;

        history.* 2012;

        dashboard.* 2013;

        server.shadowsocks.* 2014;

        client.shadowsocks.* 2015;

        omgur.* 2016;

        nitter.* 2017;

        libreddit.* 2018;

        gitea.* 2019;
        }

    proxy_temp_path ./tmp;
    access_log /dev/null;
	ssl_certificate ./cert.pem;
	ssl_certificate_key ./key.pem;
	#proxy_set_header Host $host;
    client_body_temp_path ./tmp;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    server {
            listen       127.0.0.1:443 ssl;
    
            server_name  *.test;
    
            location / {
                proxy_pass http://127.0.0.1:$service_port;

            }
        }



        server {
                    listen       127.0.0.1:80;
                    
                    server_name  *.test;

                    return 302 https://$host$request_uri;
                }
}

[CypherpunkSamurai]

Ok. I can't seem to find anything wrong with the Nginx config on a quick look. According to the nginx domain matching documentation, Nginx supports wildcard domain matches.

I would suggest trying proxy. instead of proxy.* for the moment and see if it works.

[DUOLabs333]

That also did not work -- I just gave up and put .test for each of them. However, I put in https://proxy.history.test:443 into Firefox's proxy settings, and it failed.

[CypherpunkSamurai]

Ok. Do the other proxies except for that work?

[DUOLabs333]

If I use localhost:2011 it works fine, so it's probably something in the redirection. Using curl works fine for *.test, but fails for google.com. Looking through the logs, for some reason, nginx is trying to act on google.com.

[CypherpunkSamurai]

have you configured Nginx to use SSL and SSL certs properly? cause it might be trying to reach HTTPS.

[DUOLabs333]

Yes, removing the proxy causes https to work perfectly fine.

[DUOLabs333]

It seems that because mitmproxy is behind nginx, all requests are going through nginx. For some reason, nginx isn't just ignoring the requests though and let them go through.

[CypherpunkSamurai]

It seems that because mitmproxy is behind nginx, all requests are going through nginx. For some reason, nginx isn't just ignoring the requests though and let them go through.

Firstly make sure Nginx is running. To run any server on port 80 / 443 you need to run with admin permissions. Turn on Nginx logging to stdout.

[DUOLabs333]

I already have NGINX running, that's why I'm able to see in the error messages that the proxy requests are going through NGINX.

…

On Thu, Dec 9, 2021, 12:13 AM Cypherpunk Samurai ***@***.***> wrote: It seems that because mitmproxy is behind nginx, all requests are going through nginx. For some reason, nginx isn't just ignoring the requests though and let them go through. Firstly make sure Nginx is running. To run any server on port 80 / 443 you need to run with admin permissions. Turn on Nginx logging to stdout. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4963 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALXWUYF3ZQ4TPDKWEGTJOPLUQA3GBANCNFSM5I2YWFQA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[DUOLabs333]

I recently changed my nginx.conf to set the Host header to the server name, rather than localhost. Maybe the mitmproxy developers can rethink allowing mitmproxy to only be accessed on localhost?

[tobtesting]

I recently changed my nginx.conf to set the Host header to the server name, rather than localhost. Maybe the mitmproxy developers can rethink allowing mitmproxy to only be accessed on localhost?

Can you send an example of this 'Host' configuration inside the nginx.conf ? we encounter Error: tunneling socket could not be established, statusCode=400 when going via nginx( dns entry reverse proxy ) to mitm ( dump ) to requested backend.

When using it mitm :8443 there isnt any problem

[DUOLabs333]

Yeah, I realized that it's because nginx doesn't support forward proxing.

[tobtesting]

Yeah, I realized that it's because nginx doesn't support forward proxing.

So it didn't works at all m or can you clarify more ?

[DUOLabs333]

It doesn't work at all -- I just gave up on it.

[DUOLabs333]

I have come back to this issue, because trying with Caddy's forwardproxy plugin also fails, so it could be because of mitmproxy limitation of only working on localhost. Where is it so I can test removing it?

[DUOLabs333]

I got it to work by first compiling https://github.com/chobits/ngx_http_proxy_connect_module. Then, I added

server {
                    listen       127.0.0.1:80;
                    resolver 127.0.0.1;
                    server_name  *.test;
                    proxy_connect;
					proxy_connect_allow 80 443;
					if ($http_host ~ "(.*)\.test$"){
                    	return 302 https://$http_host$request_uri;
     				}
                    location / {
		
						proxy_set_header Host $host;
						proxy_pass http://$host;
		
					}


                }