# Intercepting HTTPS traffic between servers

Intercepting traffic between servers is a common need. For example, the last time I needed it was to verify that the Keycloak logout request sent by my application was correct.

[Mitmproxy](https://mitmproxy.org/) is ideal for such things. It's a small and handy reverse proxy that supports HTTPS and can **modify** requests and responses.

## Usage

`mitmproxy --mode reverse:https://some.url`

This starts the proxy UI on port 8080. Calls to `https://localhost:8080/` are then forwarded to `https://some.url`, so the application configuration must use the proxy URL instead of the direct URL.

To use a custom port:

`mitmproxy --mode reverse:https://some.url -p 4000`

Now `https://localhost:4000/` leads to `https://some.url`.

## UI

The root screen shows all intercepted requests:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697798117891/5c38ef9b-bc68-42f9-91f4-5180bd2d4af1.png)

You'll need to use the keyboard:

* Arrows (up/down) - select a request
* Enter - open request info
* q - back (from request info or any other screen; remember this one!)
* Shift+O - options (useful for changing options on a running instance instead of restarting with different parameters)

All other keys are shown in the bottom bar.

Example of GET request details (after pressing Enter on any request line):

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697798378549/4380f536-43f6-4da6-8228-68ec8247b6e1.png)

## Response modification

In my (Keycloak) case it was important to rewrite the original URL in the configuration response to the proxy URL.

You can do it with the [modify\_body](https://docs.mitmproxy.org/dev/overview-features/#modify-body) option:

`mitmproxy --mode reverse:https://some.url -p 4000 --modify-body "#https://keycloak-url#https://localhost:4000"`

Important: the first character of the `--modify-body` value declares the separator between its parts! In this example `#` is used as the separator. `https://keycloak-url` is replaced with `https://localhost:4000` in all responses (the first part is a regexp, but in simple cases plain strings work).

Note that you can always change this value through the options screen (`shift+O`): find the `modify_body` option and hit `enter` twice to get into edit mode. After editing, press `esc` to exit the editor and `q` twice to get back to the main screen.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697798996591/42dd6a9c-5510-46b7-a086-dbe3c2209ae4.png)
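As an added example (not from the original post and not mitmproxy's own code), the Python below models how a `--modify-body` value is split on its first character and applied as a regex, and shows why the upstream URL should be regex-escaped once it contains dots. The hostnames, the sample discovery document and the helper names are constructed for illustration; the optional leading filter part comes from mitmproxy's documented format and is not used in this post.

```python
import json
import re

def parse_modify_spec(spec: str):
    """Return (flow_filter, regex, replacement); spec[0] is the separator."""
    if len(spec) < 2:
        raise ValueError("empty spec")
    sep, rest = spec[0], spec[1:]
    parts = rest.split(sep, 2)
    if len(parts) == 2:           # "#regex#replacement"
        return None, parts[0], parts[1]
    if len(parts) == 3:           # "#filter#regex#replacement"
        return parts[0], parts[1], parts[2]
    raise ValueError(f"need 2 or 3 parts separated by {sep!r}")

def rewrite_body(spec: str, body: bytes) -> bytes:
    """Apply the regex replacement to one body (the flow filter is ignored here)."""
    _flt, pattern, replacement = parse_modify_spec(spec)
    return re.sub(pattern.encode(), replacement.encode(), body)

def escaped_spec(upstream: str, proxy: str, sep: str = "#") -> str:
    """Build a spec whose first part matches the upstream URL literally."""
    if sep in upstream or sep in proxy:
        raise ValueError("separator occurs in a URL, choose another")
    return f"{sep}{re.escape(upstream)}{sep}{proxy}"

# Constructed sample: a cut-down OIDC discovery document (hostnames are made up).
UPSTREAM = "https://keycloak.example.test"
PROXY = "https://localhost:4000"
BODY = json.dumps({
    "issuer": UPSTREAM + "/realms/demo",
    "end_session_endpoint": UPSTREAM + "/realms/demo/protocol/openid-connect/logout",
    "service_documentation": "https://keycloak-example.test/docs",  # different host
}).encode()

def still_upstream(body: bytes) -> list:
    """Keys whose value still points at the upstream host after rewriting."""
    return [k for k, v in json.loads(body).items() if v.startswith(UPSTREAM)]

if __name__ == "__main__":
    naive = rewrite_body(f"#{UPSTREAM}#{PROXY}", BODY)
    strict = rewrite_body(escaped_spec(UPSTREAM, PROXY), BODY)
    print(json.loads(naive)["service_documentation"])   # rewritten: '.' matched '-'
    print(json.loads(strict)["service_documentation"])  # left alone
    print(still_upstream(strict))                        # keys still pointing upstream
```

The string returned by `escaped_spec` can be passed as the `--modify-body` value, and `still_upstream` is a quick check that a rewritten configuration response no longer advertises the direct URL.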

## Proxying Keycloak

This probably won't be helpful for anyone else; it's mostly a note to myself. A proxied Keycloak will not produce valid tokens, because they are issued with the "wrong" host. To overcome this, Keycloak must be configured with the proxy URL as the frontend URL:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697799871722/23c2580a-4a85-40dd-95aa-3e69fcc4c4ea.png)

**WARNING**: After that, **your main Keycloak URL will stop working** (for the same reason)! So don't forget to clear this value once you are done with the proxy (to clear the value, access Keycloak through the proxy URL).

And if you mistakenly enter an http URL while your Keycloak is served over https, you'll have to allow mixed content in Chrome to access Keycloak:

1. Click the lock (caution) icon, then click Site settings.
2. Scroll to Insecure content, then use the drop-down list to change “Block (default)” to “Allow.”
3. Reload the VEC page.
