Documentation
¶
Overview ¶
Package proxy implements an intercepting HTTP/HTTPS forward proxy that captures every flow. Plain HTTP is forwarded directly; HTTPS is intercepted via CONNECT + a locally-minted leaf certificate (TLS MITM).
Index ¶
- type Events
- type ScopeChecker
- type Server
- func (s *Server) AutoBypassOnPinFailure() bool
- func (s *Server) Serve(ln net.Listener) error
- func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (s *Server) SetAutoBypassOnPinFailure(v bool)
- func (s *Server) SetCaptureScopeOnly(v bool)
- func (s *Server) SetInvisibleProxy(v bool)
- func (s *Server) SetSuppressBrowserTelemetry(v bool)
- func (s *Server) SetTLSBypassHosts(hosts []string)
- func (s *Server) SetUpstreamProxy(raw string) error
- func (s *Server) TLSBypassHosts() []string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Events ¶
type Events interface {
FlowCaptured(*store.Flow) // a new flow (request seen / sent upstream)
FlowUpdated(*store.Flow) // an existing flow filled in (response, error, …)
}
Events is an optional sink notified when a flow is captured (used by the control plane to push live updates to the UI).
type ScopeChecker ¶
ScopeChecker reports whether a flow is in the engagement's target scope. When set, only in-scope requests are held by the intercept gate.
type Server ¶
type Server struct {
Scope ScopeChecker // nil → everything in scope
// OnBypassAdded is fired (outside locks) after autoBypass appends a host, with
// the full updated list, so the control plane can persist it and refresh the UI.
OnBypassAdded func([]string)
// SelfPorts are this tool's own loopback ports (control plane + proxy). Set
// by cmd; traffic to them is forwarded but never recorded, so proxying
// localhost doesn't fill history with — or feedback-loop on — our own UI.
SelfPorts []int
// contains filtered or unexported fields
}
Server is the intercepting forward-proxy HTTP handler.
func New ¶
func New(st *store.Store, cap *capture.Capturer, ca *tlsca.CA, eng *intercept.Engine, events Events) *Server
New builds a proxy Server. ca, eng, and events may each be nil.
func (*Server) AutoBypassOnPinFailure ¶ added in v0.27.0
AutoBypassOnPinFailure reports whether auto-bypass is enabled.
func (*Server) ServeHTTP ¶
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP dispatches: CONNECT → TLS MITM; absolute-URI → HTTP forward proxy.
func (*Server) SetAutoBypassOnPinFailure ¶ added in v0.27.0
SetAutoBypassOnPinFailure toggles auto-adding a host to the bypass list when its MITM handshake fails (the SSL-pinning signal).
func (*Server) SetCaptureScopeOnly ¶ added in v0.5.0
SetCaptureScopeOnly switches between persisting all traffic (false) and only in-scope traffic (true) — a space optimization for long engagements. With no scope rules defined everything is in scope, so this becomes a no-op until the operator sets a target scope.
func (*Server) SetInvisibleProxy ¶ added in v0.23.0
SetInvisibleProxy toggles transparent/invisible proxy mode (Burp's "Support invisible proxying"). When enabled, origin-form requests from clients that aren't proxy-configured (traffic redirected via iptables/pf/DNS/port forwarding) are forwarded to the host named in their Host header, instead of being rejected as malformed proxy requests. Absolute-URI and CONNECT requests keep working unchanged.
func (*Server) SetSuppressBrowserTelemetry ¶ added in v0.7.0
SetSuppressBrowserTelemetry controls whether known Chrome and Firefox background telemetry, update, and crash-reporting hosts are silently forwarded without being captured or held by the intercept gate. Enabled by default; users may turn it off to inspect browser background traffic.
func (*Server) SetTLSBypassHosts ¶ added in v0.27.0
SetTLSBypassHosts replaces the set of host patterns that are tunneled raw (no MITM). Patterns are exact or "*.wildcard" (see hostpattern). Entries are trimmed, lower-cased, de-duplicated; blanks are dropped.
func (*Server) SetUpstreamProxy ¶
SetUpstreamProxy routes outbound traffic through a chained proxy (e.g. a corporate proxy). An empty string means connect directly.
func (*Server) TLSBypassHosts ¶ added in v0.27.0
TLSBypassHosts returns the current bypass patterns (a copy).