Terminate SSL and forward to a different server?


#1

Can someone tell me if the following scenario is possible using mitmproxy?

I have a LAN with a few devices on it and a dnsmasq running on the gateway to provide DHCP and DNS services. This dnsmasq is configured with a large domains list to perform ad blocking (by returning NXDOMAIN or an invalid IP address).

I want to take things a step further and instead of blocking the traffic, I want to redirect it to a small web server running on the same gateway, which will log the requests and return dummy data, like 1x1 px gif/png for images, empty html/js, etc. For this, I’ll configure dnsmasq to return a specific IP address for all blocked domains (e.g. 1.2.3.4) and use iptables to redirect the traffic received from the LAN to 1.2.3.4, to my web server.

The problem will be the HTTPS traffic, as my web server isn’t capable of spoofing SSL certificates for the requested hosts.

So, would it be possible to redirect traffic to mitmproxy, spoof the certificate from the real host and then forward the connection to my web server (via HTTP) instead?


#2

From what I understand, mitmproxy already spoofs the certificates for the real host using a self-signed certificate.

As long as your client has the mitmproxy cert in the trust chain, it should just work.


#3

Yes, it spoofs the certificates for the real host, but it also forwards the connection to that host. I need it forwarded to a different server (other than the client requested).

For example, the regular usage scenario is:

  1. client makes a request to https://example.com
  2. mitmproxy intercepts the request and fetches certificate from example.com
  3. mitmproxy creates a fake cert for “example.com” and gives it to the client
  4. mitmproxy connects to https://example.com and sends requests on behalf of the client

For my use case, I need step 4 to be:

  4. mitmproxy connects to a local server (e.g. localhost:10000) and sends requests on behalf of the client

#4

On the front page of mitmproxy’s site:

```python
from mitmproxy import http

def request(flow: http.HTTPFlow):
    # redirect to different host
    if flow.request.pretty_host == "example.com":
        flow.request.host = "mitmproxy.org"
```

#5

Uh, can’t believe I missed that. :frowning: I’ll give it a try.
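
An added example (not from the thread or from the mitmproxy project) that extends the snippet in #4 to the use case in #3: requests for blocked hosts are sent over plain HTTP to the local logging server while the originally requested host name is kept for its logs. The blocked domains, the sink address `127.0.0.1:10000` and the `X-Sinkhole-Scheme` header are assumptions made for illustration.

```python
"""Sinkhole addon sketch; load it with `mitmdump -s <this file>`."""
from typing import TYPE_CHECKING

if TYPE_CHECKING:  # only needed for type hints; mitmproxy passes the real flow at runtime
    from mitmproxy import http

# Assumed values: the local logging web server from #3 and constructed sample domains.
SINK_HOST = "127.0.0.1"
SINK_PORT = 10000
BLOCKED = {"ads.example.com", "tracker.example.net"}


def is_blocked(host: str) -> bool:
    """Match a blocked domain or any subdomain of it, ignoring case and a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED)


def request(flow: "http.HTTPFlow") -> None:
    # pretty_host prefers the Host header, so it still names the site the client
    # asked for even though DNS resolved it to the placeholder address.
    original_host = flow.request.pretty_host
    if not is_blocked(original_host):
        return  # leave non-blocked traffic untouched

    original_scheme = flow.request.scheme

    # Step 4 from #3: connect to the local server instead of the requested one,
    # over plain HTTP because the sink does not speak TLS.
    flow.request.scheme = "http"
    flow.request.host = SINK_HOST
    flow.request.port = SINK_PORT

    # Changing .host can also rewrite the Host header, so set it back explicitly;
    # the sink then logs which blocked domain was requested.
    flow.request.host_header = original_host
    # Hypothetical header so the sink can tell HTTPS requests from HTTP ones.
    flow.request.headers["X-Sinkhole-Scheme"] = original_scheme
```

Since DNS returns a placeholder address for blocked names, mitmproxy cannot fetch the real upstream certificate for them; its `upstream_cert` and `connection_strategy` options control whether and when it tries to contact the upstream server.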