Load balancing multiple mitmproxy virtual machines

Hi all,

I’m working on a project that will involve a large number of users connecting to a proxy. I’m worried that a single instance of mitmproxy will struggle under the load and so I would like to investigate running a cluster of virtual machines, each with an instance of mitmproxy, load balanced with something like nginx or apache. Before I venture too far up the garden path, I was wondering if anyone has experience of this? And if so, any helpful tips, pointers or things to watch out for?

Thanks in advance,

Martyn.

Hi Martyn,

I have a similar requirement. Have you had any success getting this to work through a load balancer?

Thanks,
Sathish

Hi Sathish,

Yes, I was able to get load balancing to work using Nginx streams. There are a couple of things to watch out for:

You need to compile Nginx from source in order to support Streams, because the standard versions do not support them. I compile Nginx in Ubuntu 14.04 with:

```shell
sudo apt-get update
# PCRE is needed by nginx's rewrite/regex support
sudo apt-get -y install libpcre3 libpcre3-dev
# compile nginx from source in order to support streams
cd ~
wget http://nginx.org/download/nginx-1.10.2.tar.gz
tar zxf nginx-1.10.2.tar.gz
cd nginx-1.10.2
# --with-stream enables the TCP/UDP stream module used for the proxy gateway below
./configure --user=nginx --group=nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --with-http_ssl_module --with-threads --with-stream
make
sudo make install
```

Once you have Nginx installed, you’ll need a configuration file for your proxy gateway. The configuration file needs to be included inside /etc/nginx/nginx.conf but outside of the usual http{} section where you would normally include configurations. So add a line like this to the bottom of /etc/nginx/nginx.conf:

include /path/to/configurations/proxy-gateway;

Then create a new configuration file for your proxy gateway and store it at /path/to/configurations/proxy-gateway. Our configuration file is along the lines of:

stream {
    server {
        listen 8080;

        #TCP traffic will be proxied to the "proxy_backend" upstream group
        proxy_pass proxy_backend;

        proxy_buffer_size 16k;
    }

    upstream proxy_backend {
        # ip_hash does not work here; using round robin for now
        server proxy-1.example.com:8080;
        server proxy-2.example.com:8080;
        server proxy-3.example.com:8080;
    }
}

Hope that helps!

Best,

Martyn.

Hi! I’ve done the same configuration for the same situation. Though I’m facing a problem identifying each client on the proxy server. The nginx TCP proxy uses its own IP address while forwarding the traffic to the mitmproxy servers, which is an issue for me because I’m using the client IP address to identify clients on the mitmproxy server. Do you know how I can solve this issue?

Are you looking at this?

Linux fully transparent mode
By default mitmproxy will use its own local IP address for its server-side connections. In case this isn’t desired, the `--spoof-source-address` argument can be used to use the client’s IP address for server-side connections. The following config is required for this mode to work: […]

Docs

Hi!

What I need is a bit different! One instance of mitmproxy cannot handle a large number of clients, which is why I used Nginx as a reverse proxy and load balancer while running multiple instances of mitmproxy on different ports. Now the problem is that the Nginx reverse proxy forwards all traffic to mitmproxy using its own IP address, which is a problem as I’m differentiating clients at mitmproxy using the IP address, but it will have the same IP address for all the packets due to the Nginx reverse proxy!!!
Please help me if you know how to solve this issue. Thanks.

Sorry, I don’t know Nginx.

Hi!
Can I make mitmproxy support HAProxy’s PROXY protocol to get the source IP address?
The PROXY protocol sends the following string when connecting to mitmproxy. For example, the PROXY protocol applied to an HTTP request:
PROXY TCP4 192.168.0.1 192.168.0.11 56324 80\r\n
GET / HTTP/1.1\r\n
Host: 192.168.0.11\r\n
Here’s the link for reference: https://www.haproxy.com/blog/preserve-source-ip-address-despite-reverse-proxies/
Thanks!

Hi,

HAProxy’s PROXY protocol is not supported at the moment, but you should be able to store the original source address in an HTTP header and use that in your mitmproxy script.

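One way to implement the header-based approach from the reply above, as an added example that is not code from the thread or from the mitmproxy project: the load balancer is assumed to run in HTTP reverse-proxy mode and to set an `X-Forwarded-For` header (both the header name and the balancer address `10.0.0.5` are assumptions), and the addon only trusts that header when the TCP peer is the balancer itself, so a client connecting directly cannot pick its own identity by sending the header.

```python
"""mitmproxy addon (hypothetical): recover the real client address behind a load balancer.

Run with: mitmdump -s client_identity.py
"""
import ipaddress
from typing import Optional, Tuple

# Addresses of the load balancer(s) allowed to set the forwarding header (constructed values).
TRUSTED_PROXIES = {"10.0.0.5"}
# Header the balancer is assumed to add; nginx's http module would set this with
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
FORWARD_HEADER = "X-Forwarded-For"


def real_client_ip(peer_ip: str, header_value: Optional[str]) -> Tuple[str, bool]:
    """Return (client_ip, trusted).

    The right-most X-Forwarded-For entry is the one appended by the last hop, so it is
    the only entry the trusted balancer vouches for; anything further left is
    client-controlled.  Falls back to the TCP peer address (untrusted) if the peer is
    not a known balancer or the header is missing or malformed.
    """
    if peer_ip in TRUSTED_PROXIES and header_value:
        candidate = header_value.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate)), True
        except ValueError:
            pass  # malformed header: do not trust it
    return peer_ip, False


class ClientIdentity:
    """Stores the resolved client address in flow.metadata for other addons to use."""

    def request(self, flow) -> None:
        # client_conn.address is (host, port) in mitmproxy 3/4; newer releases expose
        # the same pair as client_conn.peername (assumption about the running version).
        peer_ip = flow.client_conn.address[0]
        header = flow.request.headers.get(FORWARD_HEADER)
        client_ip, trusted = real_client_ip(peer_ip, header)
        flow.metadata["client_ip"] = client_ip
        flow.metadata["client_ip_trusted"] = trusted
        # Strip the header before replaying upstream so it is not leaked to the origin.
        flow.request.headers.pop(FORWARD_HEADER, None)


addons = [ClientIdentity()]
```

Each mitmproxy instance behind the balancer then keys its per-client logic on `flow.metadata["client_ip"]` instead of the connection address.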

Hi! Thank you for the reply, I did that and it worked. :slight_smile:

As I see, you decided to solve the performance issue with the workaround.
Does anybody know how much throughput a single instance of mitmproxy can handle at a time? I would like to identify what thresholds should be applied in order to get it working smoothly.

We’re unfortunately really lacking reliable stats on performance at the moment. This is one of our potential GSoC tasks for this year (http://honeynet.org/gsoc2018/ideas#mitmproxy-core) - if someone wants to tackle it outside of that, we’d of course be more than grateful. :slight_smile:
