README
¶
mitmproxy-go
An easy-use and flexible Man-In-The-Middle (MITM) proxy library for Go that enables transparent interception and inspection of HTTP, HTTPS, HTTP/2, and WebSocket traffic.
Features
-
Multiple Protocol Support
- HTTP/1.1 and HTTP/2 (including h2c - HTTP/2 over cleartext)
- HTTPS with transparent TLS interception
- WebSocket and secure WebSocket (WSS)
-
Dual Proxy Modes
- HTTP/HTTPS proxy mode
- SOCKS5 proxy mode
-
Flexible Configuration
- Upstream proxy support
- Custom CA certificates
- Configurable TLS verification
- HTTP/2 can be disabled if needed
Installation
go get github.com/josexy/mitmproxy-go
Quick Start
Basic HTTP Proxy
package main
import (
"context"
"fmt"
"log"
"net/http"
"github.com/josexy/mitmproxy-go"
)
func main() {
// Create MITM proxy handler
handler, err := mitmproxy.NewMitmProxyHandler(
mitmproxy.WithCACertPath("certs/ca.crt"),
mitmproxy.WithCAKeyPath("certs/ca.key"),
)
if err != nil {
log.Fatal(err)
}
// Start HTTP proxy server
fmt.Println("Starting proxy on :8080")
http.ListenAndServe(":8080", handler)
}
With HTTP Interceptor
httpInterceptor := func(ctx context.Context, req *http.Request, invoker mitmproxy.HTTPDelegatedInvoker) (*http.Response, error) {
// Log request details
fmt.Printf("→ %s %s\n", req.Method, req.URL)
fmt.Printf(" Host: %s\n", req.Host)
fmt.Printf(" Proto: %s\n", req.Proto)
// Forward the request
resp, err := invoker.Invoke(req)
if err != nil {
return nil, err
}
// Log response details
fmt.Printf("← %s\n", resp.Status)
return resp, nil
}
handler, err := mitmproxy.NewMitmProxyHandler(
mitmproxy.WithCACertPath("certs/ca.crt"),
mitmproxy.WithCAKeyPath("certs/ca.key"),
mitmproxy.WithHTTPInterceptor(httpInterceptor),
)
With WebSocket Interceptor
websocketInterceptor := func(ctx context.Context, req *http.Request, rsp *http.Response, fw mitmproxy.WebsocketFramesWatcher) {
// Log WebSocket messages
log.Printf("WS url: %s", req.URL.String())
for frame := range fw.GetFrame() {
dir := frame.Direction()
msgType := frame.MessageType()
dataBuf := frame.DataBuffer()
log.Printf("---> %s %d %s", dir, msgType, dataBuf.String())
if err := frame.Invoke(); err != nil {
log.Printf("frame invoke error: %v", err)
}
frame.Release()
}
}
handler, err := mitmproxy.NewMitmProxyHandler(
mitmproxy.WithCACertPath("certs/ca.crt"),
mitmproxy.WithCAKeyPath("certs/ca.key"),
mitmproxy.WithWebsocketInterceptor(websocketInterceptor),
)
SOCKS5 Proxy Mode
func main() {
handler, err := mitmproxy.NewMitmProxyHandler(
mitmproxy.WithCACertPath("certs/ca.crt"),
mitmproxy.WithCAKeyPath("certs/ca.key"),
)
if err != nil {
log.Fatal(err)
}
// Listen on TCP port
ln, err := net.Listen("tcp", ":1080")
if err != nil {
log.Fatal(err)
}
defer ln.Close()
fmt.Println("SOCKS5 proxy listening on :1080")
for {
conn, err := ln.Accept()
if err != nil {
continue
}
go func(c net.Conn) {
defer c.Close()
handler.ServeSOCKS5(context.Background(), c)
}(conn)
}
}
Configuration Options
Basic Options
// Specify CA certificate and key for TLS interception
mitmproxy.WithCACertPath("path/to/ca.crt")
mitmproxy.WithCAKeyPath("path/to/ca.key")
// Use an upstream proxy
mitmproxy.WithProxy("http://127.0.0.1:8080")
// Disable upstream proxy
mitmproxy.WithDisableProxy()
// Add custom root CA certificates
mitmproxy.WithRootCAs("path/to/root-ca1.crt", "path/to/root-ca2.crt")
// Configure certificate cache pool
mitmproxy.WithCertCachePool(2048, 30, 15)
// Custom dialer with timeout
mitmproxy.WithDialer(&net.Dialer{
Timeout: 30 * time.Second,
})
// Maximum channel size of WebSocket frames
mitmproxy.WithMaxWebsocketFramesPerForward(4096)
Interceptor Options
// Set HTTP interceptor
mitmproxy.WithHTTPInterceptor(httpInterceptor)
// Set WebSocket interceptor
mitmproxy.WithWebsocketInterceptor(websocketInterceptor)
// Chain multiple HTTP interceptors (executed in order)
mitmproxy.WithChainHTTPInterceptor(interceptor1, interceptor2, interceptor3)
// Set error handler
mitmproxy.WithErrorHandler(func(ec mitmproxy.ErrorContext) {
log.Printf("Error: %v", ec.Error)
})
Security Options
// Skip SSL verification when connecting to servers (not recommended for production)
mitmproxy.WithSkipVerifySSLFromServer()
// mTLS client-authentication
mitmproxy.WithClientCert("example.com", mitmproxy.ClientCert{CertPath: "certs/client.crt", KeyPath: "certs/client.key" })
Protocol Options
// Disable HTTP/2 support (use HTTP/1.1 only)
mitmproxy.WithDisableHTTP2()
Domain Filtering
// Only intercept specific hosts (supports wildcards)
mitmproxy.WithIncludeHosts("api.example.com", "*.example.org", "example.net")
// Exclude specific hosts from interception (supports wildcards)
mitmproxy.WithExcludeHosts("*.cdn.com", "static.example.com")
Metadata Access
Interceptors can access metadata from the context:
httpInterceptor := func(ctx context.Context, req *http.Request, invoker mitmproxy.HTTPDelegatedInvoker) (*http.Response, error) {
// Extract metadata from context
mdCtx, _ := metadata.FromContext(ctx)
md := mdCtx.MD()
// Timing information
fmt.Printf("Connection established at: %v\n", md.ConnectionEstablishedTs)
fmt.Printf("SSL handshake duration: %v\n",
md.SSLHandshakeCompletedTs.Sub(md.ConnectionEstablishedTs))
// Connection details
fmt.Printf("Source: %s\n", md.SourceAddr)
fmt.Printf("Destination: %s\n", md.DestinationAddr)
// TLS information (if HTTPS)
if md.TLSState != nil {
fmt.Printf("ALPN: %s\n", md.TLSState.SelectedALPN)
fmt.Printf("TLS Version: %s\n", tls.VersionName(md.TLSState.SelectedTLSVersion))
fmt.Printf("Cipher Suite: %s\n", tls.CipherSuiteName(md.TLSState.SelectedCipherSuite))
}
// Server certificate (if HTTPS)
if md.ServerCertificate != nil {
fmt.Printf("Certificate Subject: %v\n", md.ServerCertificate.Subject)
fmt.Printf("Certificate Issuer: %v\n", md.ServerCertificate.Issuer)
fmt.Printf("DNS Names: %v\n", md.ServerCertificate.DNSNames)
fmt.Printf("SHA256 Fingerprint: %s\n", md.ServerCertificate.Sha256FingerprintHex())
}
return invoker.Invoke(req)
}
Examples
A complete working example is available in examples/dumper/main.go. Run it with:
# HTTP proxy mode
go run examples/dumper/main.go -cacert certs/ca.crt -cakey certs/ca.key -mode http -port 10086
# SOCKS5 proxy mode
go run examples/dumper/main.go -cacert certs/ca.crt -cakey certs/ca.key -mode socks5 -port 10086
Generating CA Certificates
For TLS interception to work, you need a CA certificate. Generate one with OpenSSL:
chmod +x ./tools/gen_cert.sh
OUTDIR=certs ./tools/gen_cert.sh
License
This project is available under the terms specified in the repository.
Contributing
Contributions are welcome! Please feel free to submit issues or pull requests.
Documentation
¶
Index ¶
- Constants
- Variables
- func AppendToRequestContext(ctx context.Context, reqCtx ReqContext) context.Context
- func NewProxyDialer(proxyURL *url.URL, dialer *net.Dialer) *proxyDialer
- func ParseHostPort(req *http.Request) (string, error)
- type ClientCert
- type ErrorContext
- type ErrorHandler
- type HTTPDelegatedInvoker
- type HTTPDelegatedInvokerFunc
- type HTTPInterceptor
- type MitmProxyHandler
- type Option
- func WithCACertPath(caCertPath string) Option
- func WithCAKeyPath(caKeyPath string) Option
- func WithCertCachePool(capacity, intervalSecond, expireSecond int) Option
- func WithChainHTTPInterceptor(interceptors ...HTTPInterceptor) Option
- func WithClientCert(hostname string, clientCert ClientCert) Option
- func WithDialer(dialer *net.Dialer) Option
- func WithDisableHTTP2() Option
- func WithDisableProxy() Option
- func WithErrorHandler(handler ErrorHandler) Option
- func WithExcludeHosts(hosts ...string) Option
- func WithHTTPInterceptor(interceptor HTTPInterceptor) Option
- func WithIncludeHosts(hosts ...string) Option
- func WithMaxWebsocketFramesPerForward(maxFrames int) Option
- func WithProxy(proxy string) Option
- func WithRootCAs(rootCAPaths ...string) Option
- func WithSkipVerifySSLFromServer() Option
- func WithStreamBaseContext(baseCtx context.Context) Option
- func WithWebsocketInterceptor(interceptor WebsocketInterceptor) Option
- type OptionFunc
- type ReqContext
- type UnifiedTransport
- type WSDirection
- type WebsocketDelegatedInvoker
- type WebsocketDelegatedInvokerFunc
- type WebsocketFramesWatcher
- type WebsocketInterceptor
- type WsFrame
Constants ¶
const ( HttpHeaderContentType = "Content-Type" HttpHeaderConnection = "Connection" HttpHeaderKeepAlive = "Keep-Alive" HttpHeaderProxyAuthenticate = "Proxy-Authenticate" HttpHeaderProxyAuthorization = "Proxy-Authorization" HttpHeaderProxyConnection = "Proxy-Connection" HttpHeaderProxyAgent = "Proxy-Agent" HttpHeaderTe = "Te" HttpHeaderTrailers = "Trailers" HttpHeaderTransferEncoding = "Transfer-Encoding" HttpHeaderUpgrade = "Upgrade" HttpHeaderSecWebsocketKey = "Sec-Websocket-Key" HttpHeaderSecWebsocketVersion = "Sec-Websocket-Version" HttpHeaderSecWebsocketExtensions = "Sec-Websocket-Extensions" HttpHeaderAcceptEncoding = "Accept-Encoding" HttpHeaderContentEncoding = "Content-Encoding" HttpHeaderContentLength = "Content-Length" HttpHeaderHttp2Settings = "HTTP2-Settings" )
Variables ¶
var ( HttpResponseConnectionEstablished = []byte("HTTP/1.1 200 Connection Established\r\n\r\n") H2CUpgradeResponseSwitchingProtocols = []byte("HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n") )
Functions ¶
func AppendToRequestContext ¶
func AppendToRequestContext(ctx context.Context, reqCtx ReqContext) context.Context
Types ¶
type ClientCert ¶
type ErrorContext ¶
type ErrorHandler ¶
type ErrorHandler func(ErrorContext)
type HTTPDelegatedInvoker ¶
type HTTPInterceptor ¶
type MitmProxyHandler ¶
type MitmProxyHandler interface {
CACertPath() string
// low-level api, Serve will take over net.Conn and call the Close function.
Serve(context.Context, net.Conn) error
// high-level application api
// ServeSOCKS5 will take over net.Conn and call the Close function
ServeSOCKS5(context.Context, net.Conn) error
ServeHTTP(http.ResponseWriter, *http.Request)
Cleanup()
}
func NewMitmProxyHandler ¶
func NewMitmProxyHandler(opt ...Option) (MitmProxyHandler, error)
type Option ¶
type Option interface {
// contains filtered or unexported methods
}
func WithCACertPath ¶
WithCACertPath specifies the path to the CA certificate file. This certificate is used to sign dynamically generated certificates for TLS interception.
Required for TLS interception to work properly.
Example:
handler, err := NewMitmProxyHandler(
WithCACertPath("certs/ca.crt"),
WithCAKeyPath("certs/ca.key"),
)
func WithCAKeyPath ¶
WithCAKeyPath specifies the path to the CA private key file. This private key is used together with the CA certificate to sign dynamically generated certificates for intercepted HTTPS connections.
Required for TLS interception to work properly. The key file must match the CA certificate specified with WithCACertPath.
Example:
handler, err := NewMitmProxyHandler(
WithCACertPath("certs/ca.crt"),
WithCAKeyPath("certs/ca.key"),
)
func WithCertCachePool ¶
WithCertCachePool configures the certificate cache pool parameters. The cache stores dynamically generated certificates to avoid regenerating them for frequently accessed domains, which improves performance.
Parameters:
- capacity: Maximum number of certificates to cache (e.g., 2048). capacity must be a multiple of 256
- interval: How often to run cache cleanup in milliseconds (e.g., 60 for 1 minute)
- expireSecond: How long certificates stay in cache in milliseconds (e.g., 15 for 15 seconds)
If not specified, default values are used.
Example:
handler, err := NewMitmProxyHandler(
WithCertCachePool(
2048, // Cache up to 2048 certificates
30, // Background Check for expired entries every 30 seconds
15, // Expire cached certificates after 15 seconds
),
)
func WithChainHTTPInterceptor ¶
func WithChainHTTPInterceptor(interceptors ...HTTPInterceptor) Option
WithChainHTTPInterceptor chains multiple HTTP interceptors together. Interceptors are executed in the order they are provided, forming a middleware chain. Each interceptor can modify the request, call the next interceptor in the chain, and modify the response. And The final interceptor will forwards the request to the server.
Example:
loggingInterceptor := func(ctx context.Context, req *http.Request, invoker HTTPDelegatedInvoker) (*http.Response, error) {
log.Printf("→ %s %s", req.Method, req.URL)
resp, err := invoker.Invoke(req)
if resp != nil {
log.Printf("← %d", resp.StatusCode)
}
return resp, err
}
modifyInterceptor := func(ctx context.Context, req *http.Request, invoker HTTPDelegatedInvoker) (*http.Response, error) {
req.Header.Set("X-Custom-Header", "value")
return invoker.Invoke(req)
}
handler, err := NewMitmProxyHandler(
WithChainHTTPInterceptor(loggingInterceptor, modifyInterceptor),
)
func WithClientCert ¶
func WithClientCert(hostname string, clientCert ClientCert) Option
WithClientCert configures a client certificate for a specific hostname. This certificate will be used for mTLS connections to the specified hostname. See https://docs.mitmproxy.org/stable/concepts/certificates/#mutual-tls-mtls-and-client-certificates
Example:
handler, err := NewMitmProxyHandler(
WithClientCert("example.com", ClientCert{
CertPath: "certs/client.crt",
KeyPath: "certs/client.key",
}),
WithClientCert("api.example.com", ClientCert{
CertPath: "certs/api.crt",
KeyPath: "certs/api.key",
}),
)
func WithDialer ¶
WithDialer sets a custom dialer for establishing outbound connections. This allows fine-grained control over connection behavior such as timeouts, keep-alive settings, and local address binding.
If not specified, a default dialer with a 10-second timeout is used.
Example:
handler, err := NewMitmProxyHandler(
WithDialer(&net.Dialer{
Timeout: 30 * time.Second,
}),
)
func WithDisableHTTP2 ¶
func WithDisableHTTP2() Option
WithDisableHTTP2 disables HTTP/2 support in the proxy. When enabled, all connections will use HTTP/1.1 even if both client and server support HTTP/2. This also disables h2c (HTTP/2 over cleartext) support.
This can be useful for debugging or when working with applications that have issues with HTTP/2 implementations.
Example:
handler, err := NewMitmProxyHandler(
WithDisableHTTP2(),
)
func WithDisableProxy ¶
func WithDisableProxy() Option
WithDisableProxy disables the use of any upstream proxy server. All connections will be made directly to the destination server. This option takes precedence over WithProxy if both are specified.
Example:
handler, err := NewMitmProxyHandler(
WithDisableProxy(),
)
func WithErrorHandler ¶
func WithErrorHandler(handler ErrorHandler) Option
WithErrorHandler sets a custom error handler for the proxy. The error handler is called when errors occur during proxy operations.
The ErrorHandler receives an ErrorContext containing:
- RemoteAddr: The client's remote address
- Hostport: The target host:port being accessed
- Error: The error that occurred
If not specified, errors are silently ignored (no default handler).
Example:
handler, err := NewMitmProxyHandler(
WithErrorHandler(func(ec ErrorContext) {
log.Printf("[%s -> %s] Error: %v", ec.RemoteAddr, ec.Hostport, ec.Error)
}),
)
func WithExcludeHosts ¶
WithExcludeHosts specifies a blacklist of hosts that should NOT be intercepted. Traffic to these hosts will pass through without interception (passthrough mode).
Supports wildcard patterns:
- "cdn.example.com" - exact match
- "*.cdn.com" - matches any subdomain of cdn.com
- "static.*.example.com" - matches static.prod.example.com, static.dev.example.com, etc.
This is useful for excluding CDN domains, static content servers, or domains that don't need inspection to improve performance.
If both WithIncludeHosts and WithExcludeHosts are used:
- WithExcludeHosts takes precedence
- A host matching the exclude list will never be intercepted
- A host not in the include list will be passed through
Example:
handler, err := NewMitmProxyHandler(
WithExcludeHosts(
"*.cdn.com",
"static.example.com",
"*.cloudfront.net",
),
)
func WithHTTPInterceptor ¶
func WithHTTPInterceptor(interceptor HTTPInterceptor) Option
WithHTTPInterceptor sets a custom HTTP interceptor for the proxy. The interceptor allows you to inspect and modify HTTP requests and responses as they pass through the proxy.
The HTTPInterceptor is called for each HTTP request with:
- context.Context: Request context containing metadata (TLS state, timing, etc.)
- *http.Request: The HTTP request to be sent to the server
- HTTPDelegatedInvoker: Delegate to invoke the actual request (call to continue the chain)
The interceptor can:
- Inspect/modify the request before forwarding
- Call the invoker to forward the request to the server
- Inspect/modify the response before returning to the client
- Short-circuit the request and return a custom response
Example:
handler, err := NewMitmProxyHandler(
WithHTTPInterceptor(func(ctx context.Context, req *http.Request, invoker HTTPDelegatedInvoker) (*http.Response, error) {
log.Printf("Request: %s %s", req.Method, req.URL)
// Forward request to server
resp, err := invoker.Invoke(req)
if err != nil {
return nil, err
}
log.Printf("Response: %d", resp.StatusCode)
return resp, nil
}),
)
func WithIncludeHosts ¶
WithIncludeHosts specifies a whitelist of hosts that should be intercepted. Only traffic to these hosts will be intercepted; all other traffic will pass through without interception (passthrough mode).
Supports wildcard patterns:
- "example.com" - exact match
- "*.example.com" - matches any subdomain of example.com
- "api.*.example.com" - matches api.staging.example.com, api.prod.example.com, etc.
If this option is not used, all hosts are intercepted by default (unless excluded with WithExcludeHosts).
Example:
handler, err := NewMitmProxyHandler(
WithIncludeHosts(
"api.example.com",
"*.internal.example.com",
"test.example.org",
),
)
func WithMaxWebsocketFramesPerForward ¶
WithMaxWebsocketFramesPerForward specifies the maximum channel size of frames that can be buffered per single websocket forward.
If not specified, default value(2048) is used.
Example:
handler, err := NewMitmProxyHandler(
WithMaxWebsocketFramesPerForward(2048),
)
func WithProxy ¶
WithProxy configures an upstream proxy server for outbound connections.
The proxy parameter should be a URL in one of these formats:
- HTTP proxy: "http://proxy.example.com:8080"
- HTTPS proxy: "https://proxy.example.com:8080"
- SOCKS5 proxy: "socks5://proxy.example.com:1080"
Example:
handler, err := NewMitmProxyHandler(
WithProxy("http://127.0.0.1:8080"),
)
func WithRootCAs ¶
WithRootCAs adds additional trusted root CA certificates for verifying server certificates. This is useful when connecting to servers that use certificates signed by custom or internal CAs.
The system's default root CA pool is used as the base, and these certificates are added to it. Multiple certificate file paths can be provided.
Example:
handler, err := NewMitmProxyHandler(
WithRootCAs("certs/internal-ca.crt", "certs/partner-ca.crt"),
)
func WithSkipVerifySSLFromServer ¶
func WithSkipVerifySSLFromServer() Option
WithSkipVerifySSLFromServer disables SSL certificate verification when the proxy connects to upstream servers. This allows connecting to servers with self-signed certificates or invalid certificate chains.
WARNING: This option should only be used for testing or development purposes.
Example:
handler, err := NewMitmProxyHandler(
WithSkipVerifySSLFromServer(),
)
func WithStreamBaseContext ¶
WithStreamBaseContext configures h2 connection stream base context.
Example:
handler, err := NewMitmProxyHandler(
WithStreamBaseContext(context.Background()),
)
func WithWebsocketInterceptor ¶
func WithWebsocketInterceptor(interceptor WebsocketInterceptor) Option
WithWebsocketInterceptor sets a custom WebSocket interceptor for the proxy. The interceptor allows you to inspect and modify WebSocket messages in both directions (client-to-server and server-to-client) as they pass through the proxy.
The WebsocketInterceptor is called for each WebSocket message with:
- context.Context: Request context containing metadata
- metadata.WSDirection: Message direction
- int: WebSocket message type
- *buf.Buffer: Message data buffer (can be read and modified)
- *http.Request: The original HTTP upgrade request
- WebsocketDelegatedInvoker: Delegate to invoke message forwarding (call to continue)
The interceptor can:
- Inspect/modify message data before forwarding
- Call the invoker to forward the message
- Drop messages by not calling the invoker
- Inject custom messages by calling the invoker multiple times
Example:
handler, err := NewMitmProxyHandler(
WithWebsocketInterceptor(func(ctx context.Context, dir metadata.WSDirection, msgType int, data *buf.Buffer, req *http.Request, invoker WebsocketDelegatedInvoker) error {
log.Printf("[%s] WebSocket message: type=%d, size=%d", dir, msgType, data.Len())
// Forward message
return invoker.Invoke(msgType, data)
}),
)
type OptionFunc ¶
type OptionFunc func(*options)
type ReqContext ¶
func FromRequestContext ¶
func FromRequestContext(ctx context.Context) (ReqContext, bool)
type UnifiedTransport ¶
type UnifiedTransport struct {
// contains filtered or unexported fields
}
func NewTransport ¶
type WSDirection ¶
type WSDirection byte
WSDirection indicates the direction of a WebSocket message
const ( // Send indicates a message sent from client to server Send WSDirection = iota // Receive indicates a message received from server to client Receive )
func (WSDirection) String ¶
func (d WSDirection) String() string
type WebsocketFramesWatcher ¶
type WebsocketFramesWatcher interface {
Receive() <-chan WsFrame
}
type WebsocketInterceptor ¶
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
examples
|
|
|
chain-interceptors
command
|
|
|
dumper
command
|
|
|
helloworld
command
|
|
|
modify-content
command
|
|
|
internal
|
|