Intercepting HTTPS traffic between servers

It is a common need to intercept traffic between servers. For example, last time I need this to verify keycloak logout request correctness (sent by my application).

Mitmproxy is ideal for such things. It's a small and handy reverse proxy, but with ability to modify requests and responses and supporting https.

Usage

mitmproxy --mode reverse:https://some.url

This would start proxy UI on port 8080. So https://localhost:8080/ calls would be redirected into https://some.url (and so in application configuration proxy url must be used instead of direct url)

To use custom port:

mitmproxy --mode reverse:https://some.url -p 4000

Now https://localhost:4000/ would lead to https://some.url

UI

Root screen shows all intercepted requests:

You'll need to use keyboard:

  • Arrows (up/down) - select request

  • Enter - open request info

  • q - back (from request info or any other screen; remember!)

  • Shift+O - options (useful to modify options on started instance instead of changing parameters)

All other keys could be seen in the bottom bar.

GET request details example (after enter hit on any request line) :

Response modification

In my (keycloak) case it was important to rewrite original url in configuration response into proxy url.

You can do it with modify_body option:

mitmproxy --mode reverse:https://some.url -p 4000 --modify-body "#https://keycloak-url#https://localhost:4000"

Important moment: first symbol of --modify-body value declares parts separator! In this example # used as separation symbol. https://keycloak-url would be replaced with https://localhost:4000 in all responses (first part is a regexp, but in simple cases, just strings would work).

Note that you can always modify this value through options (shift+O): just find modify_body option and hit enter 2 times to get into edit mode. After edition esc to exit editor and 2 times q to get back to the main screen

Proxying kecloak

It would not be helpful for anyone, but just to remember for me. Proxied keycloak would not produce valid tokens, becuase they would be issued with a "wrong" host. In order to overcome this, keycloak must be configured with proxy url as frontend:

WARNIG: After that your main keycloak url would stop working (for the same reason)! So don't forget to clear this value after using proxy (to clear value use proxy url to access keycloak).

And, if you, by mistake, put an http url and your keycloak is under https, then to access keycloak you'll have to allow mixed content in chrome:

  1. Click the lock (caution) icon, then click Site settings.

  2. Scroll to Insecure content, then use the drop-down list to change “Block (default)” to “Allow.”

  3. Reload the VEC page.