def test_upstream_https(tctx): """ Test mitmproxy in HTTPS upstream mode with another mitmproxy instance upstream. In other words: mitmdump --mode upstream:https://localhost:8081 --ssl-insecure mitmdump -p 8081 curl -x localhost:8080 -k http://example.com """ tctx1 = Context(Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), copy.deepcopy(tctx.options)) tctx1.options.mode = "upstream:https://example.mitmproxy.org:8081" tctx2 = Context(Client(("client", 4321), ("127.0.0.1", 8080), 1605699329), copy.deepcopy(tctx.options)) assert tctx2.options.mode == "regular" del tctx proxy1 = Playbook(modes.HttpProxy(tctx1), hooks=False) proxy2 = Playbook(modes.HttpProxy(tctx2), hooks=False) upstream = Placeholder(Server) server = Placeholder(Server) clienthello = Placeholder(bytes) serverhello = Placeholder(bytes) request = Placeholder(bytes) tls_finished = Placeholder(bytes) response = Placeholder(bytes) assert ( proxy1 >> DataReceived( tctx1.client, b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n") << NextLayerHook(Placeholder(NextLayer)) >> reply_next_layer(lambda ctx: http.HttpLayer(ctx, HTTPMode.upstream)) << OpenConnection(upstream) >> reply(None) << TlsStartServerHook( Placeholder()) >> reply_tls_start_server(alpn=b"http/1.1") << SendData(upstream, clienthello)) assert upstream().address == ("example.mitmproxy.org", 8081) assert upstream().sni == "example.mitmproxy.org" assert (proxy2 >> DataReceived( tctx2.client, clienthello()) << NextLayerHook(Placeholder(NextLayer)) >> reply_next_layer(ClientTLSLayer) << TlsStartClientHook( Placeholder()) >> reply_tls_start_client(alpn=b"http/1.1") << SendData(tctx2.client, serverhello)) assert (proxy1 >> DataReceived(upstream, serverhello()) << SendData( upstream, request)) assert (proxy2 >> DataReceived(tctx2.client, request()) << SendData( tctx2.client, tls_finished) << NextLayerHook(Placeholder(NextLayer)) >> reply_next_layer(lambda ctx: http.HttpLayer(ctx, HTTPMode.regular)) << OpenConnection(server) >> reply(None) << SendData( server, b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n') >> DataReceived(server, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n") << SendData(tctx2.client, response)) assert server().address == ("example.com", 80) assert (proxy1 >> DataReceived( upstream, tls_finished() + response()) << SendData( tctx1.client, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"))
def test_no_h2_proxy(self, tdata): """Do not negotiate h2 on the client<->proxy connection in secure web proxy mode, https://github.com/mitmproxy/mitmproxy/issues/4689""" ta = tlsconfig.TlsConfig() with taddons.context(ta) as tctx: tctx.configure(ta, certs=[tdata.path("mitmproxy/net/data/verificationcerts/trusted-leaf.pem")]) ctx = context.Context(connection.Client(("client", 1234), ("127.0.0.1", 8080), 1605699329), tctx.options) # mock up something that looks like a secure web proxy. ctx.layers = [ modes.HttpProxy(ctx), 123 ] tls_start = tls.TlsData(ctx.client, context=ctx) ta.tls_start_client(tls_start) assert tls_start.ssl_conn.get_app_data()["client_alpn"] == b"http/1.1"