Intercepting HTTPS traffic between servers
It is a common need to intercept traffic between servers. For example, last time I need this to verify keycloak logout request correctness (sent by my application).
Mitmproxy is ideal for such things. It's a small and handy reverse proxy, but with ability to modify requests and responses and supporting https.
Usage
mitmproxy --mode reverse:https://some.url
This would start proxy UI on port 8080. So https://localhost:8080/
calls would be redirected into https://some.url
(and so in application configuration proxy url must be used instead of direct url)
To use custom port:
mitmproxy --mode reverse:https://some.url -p 4000
Now https://localhost:4000/
would lead to https://some.url
UI
Root screen shows all intercepted requests:
You'll need to use keyboard:
Arrows (up/down) - select request
Enter - open request info
q - back (from request info or any other screen; remember!)
Shift+O - options (useful to modify options on started instance instead of changing parameters)
All other keys could be seen in the bottom bar.
GET request details example (after enter hit on any request line) :
Response modification
In my (keycloak) case it was important to rewrite original url in configuration response into proxy url.
You can do it with modify_body option:
mitmproxy --mode reverse:https://some.url -p 4000 --modify-body "#https://keycloak-url#https://localhost:4000"
Important moment: first symbol of --modify-body
value declares parts separator! In this example #
used as separation symbol. https://keycloak-url
would be replaced with https://localhost:4000
in all responses (first part is a regexp, but in simple cases, just strings would work).
Note that you can always modify this value through options (shift+O
): just find modify_body
option and hit enter
2 times to get into edit mode. After edition esc
to exit editor and 2 times q
to get back to the main screen
Proxying kecloak
It would not be helpful for anyone, but just to remember for me. Proxied keycloak would not produce valid tokens, becuase they would be issued with a "wrong" host. In order to overcome this, keycloak must be configured with proxy url as frontend:
WARNIG: After that your main keycloak url would stop working (for the same reason)! So don't forget to clear this value after using proxy (to clear value use proxy url to access keycloak).
And, if you, by mistake, put an http url and your keycloak is under https, then to access keycloak you'll have to allow mixed content in chrome:
Click the lock (caution) icon, then click Site settings.
Scroll to Insecure content, then use the drop-down list to change “Block (default)” to “Allow.”
Reload the VEC page.