Hacker News new | comments | show | ask | jobs | submit login
Show HN: Mitmproxy 3.0 released, an open-source console-based proxy (mitmproxy.org)
242 points by mhils 9 months ago | hide | past | web | favorite | 39 comments

I used mitmproxy a few days ago, trying to compare my implementation of some API client. It feels lightweight, but getting started can be confusing. I used the command line, and I had difficulty finding the shortcuts.

Their homepage shows "brew install mitmproxy" front and center. Ok good. Installed. What's next? A 5-minute tutorial e.g. how to spy Tinder API can go a long way.

Thanks! This is something we're subconsciously aware of, but it's helpful to hear it as explicit feedback. :) The first steps towards that were indeed OS-specific install instructions on our new website. We currently have a user survey (there's no telemetry in mitmproxy) to see what we should focus on for a 5-minute tutorial.

> there's no telemetry in mitmproxy

Thank you kindly!

There are tutorials on the v2 docs, might still be relevant?


You can press '?' to see the help. I didn't have any trouble getting started, Most CLI apps have '?' bound to help section.

There are plenty of tutorials available on this topic online. Is there something specific you are missing?

My ~/bin/mitmproxy.sh:

  interface=$( ifconfig en0 | grep inet | grep -v inet6 | awk '{ print $2 }' )
  mitmproxy --no-mouse -b $interface
Edit: This causes the IP address to show up in the mitmproxy UI. I use mitm for iOS development, and having my IP visible is handy when setting up the phone to use a proxy.

Brilliant, thanks so much!

I'm using mitmproxy as super easy to setup SSL reverse proxy for local html5 development as many API nowadays require ssl to work.

That sounds really useful. Could you share the recipe for getting that running - is it just a one-line console command?

Looks like "mitmdump -p 443 -R http://localhost:80/" should do the trick

yes, that's it

And also install self signed mitmproxy certs to your device.

I'm happy to see this. I switched to MITM from Charles a couple months ago. The documentation for 3.0 is, in my opinion, much clearer.

I think MITM had the limitation that you could proxy only traffic from the different machine. Was/is it the case, or did I just get something wrong? Because if that's true Charles has an advantege there.

It's technically possible, but requires iptables or equivalents. For now, if you want to proxy the whole machine, Charles is your way to go!

Are there any other advantages over the documentation between MITM and Charles?

Yes: scriptability.

I haven't used mitm 3 yet, but had a fantastic experience with mitmproxy about a year and a half ago, incorporating mitmdump into a CLI tool for testing android apps. Discovered 'lnav' on that same project too, and came away feeling empowered and grateful for those 2 phenomenal tools.

Using mitmproxy as a reverse proxy from local development to our development servers. A few lines of code and we have authentication headers attached w/o having to manage them between projects.

Shameless plug: We are building a desktop proxy based on our streaming proxy module for node (node-proxify if you have time to check it out). Funny timing. We are doing a beta release next week (https://secapps.com/appbandit). You might hate the fact that this is yet another electron app but we are adding a tone of useful features which I am sure most people will find very useful in many different tasks. A cli version is also on its way.

This is super cool. I've used mitmproxy 2.0 in my project (http://world-of-bits.com) to create an offline approximation of the website. We were trying to create a digital environment for AI agents to learn to interact with the web. The proxy captures a good amount of HTTP traffic.

Another one that I worked with and quite liked is Anyproxy (https://github.com/alibaba/anyproxy)

Is there an easy way to set latency for chosen responses? I guess it's possible using mitmdump with custom Python script, but maybe there is such a feature built-in?

Not yet, although this would make a great fit for the new addon mechanism. :)

Why would you want to do this?

Neat! But certificate pinning (or rather, CA pinning) inside app binaries is getting more common, is there any way around that with mitmproxy?

Is there a way around that at all without modifying the binaries ?

You can also jump the right if statement during runtime, but yeah, you are still modifying the program's execution rather than something on the outside. That's the whole point of TLS: both parties know their connection is secure. So I'd say "no, there is no other way, other than by finding a vulnerability in TLS".

If the app uses the system TLS libraries for comparing certificates, you could just make the appropriate API always return "true". In-memory patching avoids affecting anything else.

I don't expect so, I guess I'm wondering if the mitmproxy community has any insight into what they'd do to the binaries.

Last time I did this, I had to reverse the binaries and remove the cert pinning code. There are a few examples of this around the place, but it can get fairly complex pretty quickly.

For iOS, there is this tool: https://github.com/nabla-c0d3/ssl-kill-switch2

There are some Frida scripts running around for this purpose. However I don't have any personal experience with them, so I have no idea how reliable they work.

Is there a way to use mitmproxy with secure websockets?

Oh, congrats to the team :) Hope you are doing well max!

Is there any way to use this on .net applications I tried putting this in between a business logic and web tier but I couldn't get it to work. The things were compressed but I couldn't figure out how to enable decompression.

Decompression is usually done automatically, we also try to render some binary application-layer protocols (e.g. protobufs). If you feel that wasn't the case, please lodge an issue on GitHub. :)

Perhaps his Content-Encoding header was bad?

If you're on Windows, try Fiddler for something a little more user friendly.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact