1

Is there an easy way to chain a couple of mitmproxies and a usual HTTP proxy in such a way that the first mitmproxy converts HTTPS traffic to HTTP, passes it to the usual HTTP proxy, which in turn passes it to the second mitmproxy, which converts it back to HTTPS and sends it to the server? I tried to use the `--mode upstream` option, but it doesn't convert HTTPS requests to HTTP.

I have scripts for the second part, like tls_passthrough.py, but I'm not sure how to do the first part.

Or maybe I'm doing something stupid and I can just somehow "chain" an HTTP proxy from a script in transparent mode, i.e. using something like a CGI interface?

What I want to do is some processing on HTTPS traffic which is not possible* to do directly in Python scripts.

*Of course it is possible to do anything, but rewriting an existing app in Python doesn't seem like an easy way...

sklott
  • Removing SSL/TLS from a connection is often called "sslstrip". If you search for that term in combination with mitmproxy you will find some sample scripts. You can try it and set your HTTP-only proxy as an upstream proxy https://stackoverflow.com/a/56570514/150978 – Robert Nov 02 '21 at 11:07
  • @Robert "sslstrip" is when the user communicates through HTTP with mitmproxy and mitmproxy communicates through HTTPS with the server. This I know how to do. But I need basically "inverse sslstrip", i.e. the user should communicate through HTTPS with mitmproxy and mitmproxy should forward plain HTTP to the next proxy in the chain. There is a similar mode in mitmproxy, "reverse proxy", but it seems I'm unable to configure it properly or it would not work in this setup.. – sklott Nov 03 '21 at 00:35
  • In my understanding the process is sslstrip (first part) -> HTTP proxy -> rewrite URL and change http to https (second part). You wrote that you have a script for the "second part", thus you are searching for a script for sslstrip. If you define the process differently you should make it clear in your question what is the "first part" and what is the "second part". – Robert Nov 03 '21 at 08:07

1 Answer

0

In your first proxy, you need to write a small addon that sets flow.request.scheme to "http" so that mitmproxy talks HTTP (not HTTPS) upstream. In the final mitmproxy instance, you want to undo this - ideally you keep track of which requests you downgraded by storing the original scheme in a temporary header.

Maximilian Hils
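
The two addons the answer describes, as an added example (not the answerer's or the mitmproxy project's code). The header name `X-Original-Scheme` and the `CHAIN_ROLE` environment variable are assumptions made for this example; `flow.request.scheme` and `flow.request.headers` are mitmproxy's own request attributes.

```python
"""Two mitmproxy addons for an HTTPS -> HTTP -> HTTPS proxy chain."""
import os

# Hypothetical marker header; any name the middle proxy passes through works.
MARKER = "X-Original-Scheme"


class DowngradeScheme:
    """First mitmproxy: talk plain HTTP to the upstream proxy."""

    def request(self, flow):
        req = flow.request
        # Never trust a marker the client sent itself: drop it first, so only
        # requests this proxy actually downgraded carry the header.
        req.headers.pop(MARKER, None)
        if req.scheme == "https":
            req.headers[MARKER] = "https"
            # The port is left untouched so the last hop restores losslessly.
            req.scheme = "http"


class RestoreScheme:
    """Last mitmproxy: undo the downgrade before contacting the server."""

    def request(self, flow):
        req = flow.request
        # Always strip the marker so it never reaches the origin server.
        original = req.headers.pop(MARKER, None)
        if original == "https":
            req.scheme = "https"


# CHAIN_ROLE is an assumed environment variable, not a mitmproxy option.
ROLE = os.environ.get("CHAIN_ROLE", "first")
addons = [DowngradeScheme() if ROLE == "first" else RestoreScheme()]
```

Load the file with `-s` in both mitmproxy instances, setting `CHAIN_ROLE=last` for the final one. Between the two instances the traffic is cleartext, so that segment should stay on a host or network you control.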