
I want to set up the following infrastructure, however I have issues with MITMProxy.

Client --https--> MITMproxy --http--> squid --https--> Internet

So basically MITMproxy should get rid of the SSL-encryption, then I want to cache stuff and then use again an encrypted connection to the Internet.

However, I can't get MITMproxy to forward the plain http-traffic. According to How to chain mitmproxies with usual proxy in middle, I should set flow.request.scheme to "http" and flow.request.port to 80.

I use that addon, however, there seems to be an issue, because I get an "Exceeded maxRedirects. Probably stuck in a redirect loop" error when testing HTTPS sites with Postman.

MITMProxy logs:

192.X.X.X:54321: client connect
192.X.X.X:54321: server connect localhost:3128 (127.0.0.1:3128)
192.X.X.X:54321: server connect localhost:3128 (127.0.0.1:3128)
192.X.X.X:54321: client disconnect

Squid logs:

289 127.0.0.1 TCP_TUNNEL/200 5179 CONNECT xyz.com:443 - HIER_DIRECT/85.214.X.X -
105 127.0.0.1 TCP_TUNNEL/200 576 CONNECT xyz.com:80 - HIER_DIRECT/85.214.X.X -

Both example logs are repeated 10 times, until the maxRedirects error is thrown.

From my point of view MITMproxy tries to establish SSL connections to port 80. Does anyone have a clue how to change that? Any other ideas are appreciated as well.

PS: I am using MITMproxy's upstream mode, could this be a problem?

1 Answer


After some time, I figured out that the transparent mode was the issue. When using mitmproxy in normal mode, everything worked as expected with the following add-on:

class ForwardRequest:
    # mitmproxy add-on: rewrite every request to plain HTTP on port 80
    # before mitmproxy forwards it (here towards the squid cache)

    def request(self, flow):
        flow.request.scheme = 'http'
        flow.request.port = 80

addons = [
    ForwardRequest()
]

Still, I can't forward the unencrypted traffic to squid (as this requires mitmproxy in upstream mode, which again could be an issue).

EDIT: There still seems to be an issue. Check the following log from squid. Mitmproxy was used in upstream mode and said script to strip HTTPS was running.

[screenshot of the squid log]

The first row represents a request to HTTP://facebook.com. Here, no stripping is done and the request is transmitted successfully.

In the second and third row, a request to HTTPS://fac.... is performed. As can be seen, squid also sees a request to facebook:443, which should not be there according to my understanding...
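As an added example (not the answer's or the question's own add-on), here is a variant of the scheme-rewriting add-on that also watches responses: when a host answers the downgraded http:// request with a redirect back to https:// (the redirect loop from the question), that host is remembered and its later requests are left on HTTPS. The `make_flow` helper and its plain-dict headers are a constructed stand-in for mitmproxy's HTTPFlow so the logic runs without mitmproxy installed; the hooks themselves only use the `flow.request` / `flow.response` attributes that mitmproxy provides.

```python
from types import SimpleNamespace
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class ForwardRequest:
    """Downgrade HTTPS requests to HTTP, but stop for hosts that redirect back."""

    def __init__(self):
        # hosts that answered a downgraded request with a redirect to https://
        self.https_only = set()

    def request(self, flow):
        req = flow.request
        if req.scheme != "https" or req.host in self.https_only:
            return
        # marker header so the response hook knows this flow was downgraded
        req.headers["X-Original-Scheme"] = "https"
        req.scheme = "http"
        req.port = 80

    def response(self, flow):
        req, resp = flow.request, flow.response
        if resp is None or resp.status_code not in REDIRECT_CODES:
            return
        if req.headers.get("X-Original-Scheme") != "https":
            return
        target = urlsplit(resp.headers.get("Location", ""))
        # an absolute https:// Location for the same host means the site
        # insists on TLS; downgrading it again would only loop
        if target.scheme == "https" and (target.hostname or req.host) == req.host:
            self.https_only.add(req.host)


addons = [ForwardRequest()]


def make_flow(scheme, host, port, status=None, location=None):
    # constructed stand-in for mitmproxy's HTTPFlow (assumption, not mitmproxy's API)
    request = SimpleNamespace(scheme=scheme, host=host, port=port, headers={})
    response = None
    if status is not None:
        headers = {"Location": location} if location else {}
        response = SimpleNamespace(status_code=status, headers=headers)
    return SimpleNamespace(request=request, response=response)
```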
