TLS passthrough upstream proxying #174
Comments
|
Request rules (including passthrough rules with proxy configuration) are applied only to traffic that's actually intercepted (because rules can match requests by their content, and make modifications to that content etc) and TLS passthrough skips interception entirely, so your rule is being ignored here. Right now, there's no possible way to proxy traffic that's passed through unintercepted. If you want to forward to an upstream proxy, you'll need to intercept the traffic and use a passthrough rule. Although it's not currently supported in Mockttp, it is technically possible to proxy unintercepted traffic like this in most cases, but not all. The issue is that with TLS passthrough, the only info we have on the real destination of the traffic is the server name indication (SNI) in the TLS handshake, which is just a hostname without a port (unlike when we intercept an actual request, which has a If this is something you're interested in, contributions are welcome, it would definitely be possible to add a |
|
The request should be a CONNECT one, because Mockttp is set as a --proxy-server argument for Chrome which creates a tunnel. I assume by "direct requests" you mean directly sending a GET/POST request to Mockttp? If so then that's not the case here. Unfortunatelly I am not familiar with the innerworkings of the library and could not contribute such an update as much as I want to. I am currently using a different library in the exact same setup which works fine (so should be achievable) but lacks functionality. However without the upstream proxy + TLS passthrough both working, switching to Mockttp is impossible. |
Exactly. That is generally the case for lots of other interception scenarios though unfortunately (e.g. VPN-powered interception on Android, or Frida-based traffic redirection) so it does need consideration for Mockttp itself.
Fair enough. Unfortunately though this isn't supported right now, and I'm unlikely to have time to work on that anytime soon, so you'll need to either dig into Mockttp's internals and contribute it yourself, pay somebody else to do so, or use a different library I'm afraid. The feature certainly makes sense though, and I'd be happy to review & merge a PR for this if anybody is interested in contributing. We can keep this open in case anybody else wants this feature and is interested in opening a PR in future. |
|
Got it. It will likely take me ages to implement it on my own, although I will give it a shot. Leaving the issue open. Thank you for your response and work on this amazing library! |
Greetings.
Some context:
In these circumstances one would expect that a request would not be modified by Mockttp, but it will still respect the upstream proxy configuration.
But it appears that when TLS passthrough is enabled then the requests are not being routed through an upstream proxy.
Is there a way I could configure Mockttp to behave in the expected way?
Regards
The text was updated successfully, but these errors were encountered: