# Options
The mitmproxy tools share a common YAML configuration file
located at ~/.mitmproxy/config.yaml
. This file controls options - typed
values that determine the behaviour of mitmproxy. The options mechanism is very
comprehensive - in fact, options control all of mitmproxy’s runtime behaviour.
Most command-line flags are simply aliases for underlying options, and
interactive settings changes made in mitmproxy and mitmweb just change
values in our runtime options store. This means that almost any facet of
mitmproxy’s behaviour can be controlled through options.
The canonical reference for options is the --options
flag, which is exposed by
each of the mitmproxy tools. Passing this flag will dump an annotated YAML
configuration to console, which includes all options and their default values.
The options mechanism is extensible - third-party addons can define options that are treated exactly like mitmproxy’s own. This means that addons can also be configured through the central configuration file, and their options will appear in the options editors in interactive tools.
# Tools
Both mitmproxy and mitmweb have built-in editors that let you view and manipulate the complete configuration state of mitmproxy. Values you change interactively have immediate effect in the running instance, and can be made persistent by saving the settings out to a YAML configuration file (please see the specific tool’s interactive help for details on how to do this).
For all tools, options can be set directly by name using the --set
command-line option. Please see the command-line help (--help
) for usage. Example:
mitmproxy --set anticomp=true
mitmweb --set ignore_hosts=example.com --set ignore_hosts=example.org
# Available Options
This list might not reflect what is actually available in your current mitmproxy
environment. For an up-to-date list please use the --options
flag for each of
the mitmproxy tools.
Name | Type | Description |
---|---|---|
#
add_upstream_certs_to_client_chain mitmproxy mitmdump mitmweb |
bool | Add all certificates of the upstream server to the certificate chain that will be served to the proxy client, as extras. Default: False |
#
allow_hosts mitmproxy mitmdump mitmweb |
sequence of str | Opposite of --ignore-hosts. Default: [] |
#
anticache mitmproxy mitmdump mitmweb |
bool | Strip out request headers that might cause the server to return 304-not-modified. Default: False |
#
anticomp mitmproxy mitmdump mitmweb |
bool | Try to convince servers to send us un-compressed data. Default: False |
#
block_global mitmproxy mitmdump mitmweb |
bool | Block connections from public IP addresses. Default: True |
#
block_list mitmproxy mitmdump mitmweb |
sequence of str | Block matching requests and return an empty response with the specified HTTP status. Option syntax is "/flow-filter/status-code", where flow-filter describes which requests this rule should be applied to and status-code is the HTTP status code to return for blocked requests. The separator ("/" in the example) can be any character. Setting a non-standard status code of 444 will close the connection without sending a response. Default: [] |
#
block_private mitmproxy mitmdump mitmweb |
bool | Block connections from local (private) IP addresses. This option does not affect loopback addresses (connections from the local machine), which are always permitted. Default: False |
#
body_size_limit mitmproxy mitmdump mitmweb |
optional str | Byte size limit of HTTP request and response bodies. Understands k/m/g suffixes, i.e. 3m for 3 megabytes. Default: None |
#
cert_passphrase mitmproxy mitmdump mitmweb |
optional str | Passphrase for decrypting the private key provided in the --cert option. Note that passing cert_passphrase on the command line makes your passphrase visible in your system's process list. Specify it in config.yaml to avoid this. Default: None |
#
certs mitmproxy mitmdump mitmweb |
sequence of str | SSL certificates of the form "[domain=]path". The domain may include a wildcard, and is equal to "*" if not specified. The file at path is a certificate in PEM format. If a private key is included in the PEM, it is used, else the default key in the conf dir is used. The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. Default: [] |
#
ciphers_client mitmproxy mitmdump mitmweb |
optional str | Set supported ciphers for client <-> mitmproxy connections using OpenSSL syntax. Default: None |
#
ciphers_server mitmproxy mitmdump mitmweb |
optional str | Set supported ciphers for mitmproxy <-> server connections using OpenSSL syntax. Default: None |
#
client_certs mitmproxy mitmdump mitmweb |
optional str | Client certificate file or directory. Default: None |
#
client_replay mitmproxy mitmdump mitmweb |
sequence of str | Replay client requests from a saved file. Default: [] |
#
client_replay_concurrency mitmproxy mitmdump mitmweb |
int | Concurrency limit on in-flight client replay requests. Currently the only valid values are 1 and -1 (no limit). Default: 1 |
#
command_history mitmproxy mitmdump mitmweb |
bool | Persist command history between mitmproxy invocations. Default: True |
#
confdir mitmproxy mitmdump mitmweb |
str | Location of the default mitmproxy configuration files. Default: ~/.mitmproxy |
#
connect_addr mitmproxy mitmdump mitmweb |
optional str | Set the local IP address that mitmproxy should use when connecting to upstream servers. Default: None |
#
connection_strategy mitmproxy mitmdump mitmweb |
str | Determine when server connections should be established. When set to lazy, mitmproxy tries to defer establishing an upstream connection as long as possible. This makes it possible to use server replay while being offline. When set to eager, mitmproxy can detect protocols with server-side greetings, as well as accurately mirror TLS ALPN negotiation. Default: eager Choices: eager, lazy |
#
console_default_contentview mitmproxy |
str | The default content view mode. Default: auto Choices: auto, raw, raw hex stream, hex dump, graphql, json, xml/html, wbxml, javascript, css, url-encoded, multipart form, image, query, protocol buffer, msgpack, grpc/protocol buffer, mqtt, http/3 frames, dns-over-https |
#
console_eventlog_verbosity mitmproxy |
str | EventLog verbosity. Default: info Choices: error, warn, info, alert, debug |
#
console_flowlist_layout mitmproxy |
str | Set the flowlist layout Default: default Choices: default, list, table |
#
console_focus_follow mitmproxy mitmweb |
bool | Focus follows new flows. Default: False |
#
console_layout mitmproxy |
str | Console layout. Default: single Choices: horizontal, single, vertical |
#
console_layout_headers mitmproxy |
bool | Show layout component headers Default: True |
#
console_mouse mitmproxy |
bool | Console mouse interaction. Default: True |
#
console_palette mitmproxy |
str | Color palette. Default: solarized_dark Choices: dark, light, lowdark, lowlight, solarized_dark, solarized_light |
#
console_palette_transparent mitmproxy |
bool | Set transparent background for palette. Default: True |
#
console_strip_trailing_newlines mitmproxy |
bool | Strip trailing newlines from edited request/response bodies. Default: False |
#
content_view_lines_cutoff mitmproxy mitmdump mitmweb |
int | Flow content view lines limit. Limit is enabled by default to speedup flows browsing. Default: 512 |
#
dns_name_servers mitmproxy mitmdump mitmweb |
sequence of str | Name servers to use for lookups. Default: operating system's name servers Default: [] |
#
dns_use_hosts_file mitmproxy mitmdump mitmweb |
bool | Use the hosts file for DNS lookups in regular DNS mode/wireguard mode. Default: True |
#
dumper_default_contentview mitmdump |
str | The default content view mode. Default: auto Choices: auto, raw, raw hex stream, hex dump, graphql, json, xml/html, wbxml, javascript, css, url-encoded, multipart form, image, query, protocol buffer, msgpack, grpc/protocol buffer, mqtt, http/3 frames, dns-over-https |
#
dumper_filter mitmdump |
optional str | Limit which flows are dumped. Default: None |
#
export_preserve_original_ip mitmproxy mitmdump mitmweb |
bool | When exporting a request as an external command, make an effort to connect to the same IP as in the original request. This helps with reproducibility in cases where the behaviour depends on the particular host we are connecting to. Currently this only affects curl exports. Default: False |
#
flow_detail mitmdump |
int | The display detail level for flows in mitmdump: 0 (quiet) to 4 (very verbose). 0: no output 1: shortened request URL with response status code 2: full request URL with response status code and HTTP headers 3: 2 + truncated response content, content of WebSocket and TCP messages (content_view_lines_cutoff: 512) 4: 3 + nothing is truncated Default: 1 |
#
hardump mitmproxy mitmdump mitmweb |
str | Save a HAR file with all flows on exit. You may select particular flows by setting save_stream_filter. For mitmdump, enabling this option will mean that flows are kept in memory. Default: |
#
http2 mitmproxy mitmdump mitmweb |
bool | Enable/disable HTTP/2 support. HTTP/2 support is enabled by default. Default: True |
#
http2_ping_keepalive mitmproxy mitmdump mitmweb |
int | Send a PING frame if an HTTP/2 connection is idle for more than the specified number of seconds to prevent the remote site from closing it. Set to 0 to disable this feature. Default: 58 |
#
http3 mitmproxy mitmdump mitmweb |
bool | Enable/disable support for QUIC and HTTP/3. Enabled by default. Default: True |
#
http_connect_send_host_header mitmproxy mitmdump mitmweb |
bool | Include host header with CONNECT requests. Enabled by default. Default: True |
#
ignore_hosts mitmproxy mitmdump mitmweb |
sequence of str | Ignore host and forward all traffic without processing it. In transparent mode, it is recommended to use an IP address (range), not the hostname. In regular mode, only SSL traffic is ignored and the hostname should be used. The supplied value is interpreted as a regular expression and matched on the ip or the hostname. Default: [] |
#
intercept mitmproxy mitmweb |
optional str | Intercept filter expression. Default: None |
#
intercept_active mitmproxy mitmweb |
bool | Intercept toggle Default: False |
#
keep_alt_svc_header mitmproxy mitmdump mitmweb |
bool | Reverse Proxy: Keep Alt-Svc headers as-is, even if they do not point to mitmproxy. Enabling this option may cause clients to bypass the proxy. Default: False |
#
keep_host_header mitmproxy mitmdump mitmweb |
bool | Reverse Proxy: Keep the original host header instead of rewriting it to the reverse proxy target. Default: False |
#
keepserving mitmdump |
bool | Continue serving after client playback, server playback or file read. This option is ignored by interactive tools, which always keep serving. Default: False |
#
key_size mitmproxy mitmdump mitmweb |
int | TLS key size for certificates and CA. Default: 2048 |
#
listen_host mitmproxy mitmdump mitmweb |
str | Address to bind proxy server(s) to (may be overridden for individual modes, see `mode`). Default: |
#
listen_port mitmproxy mitmdump mitmweb |
optional int | Port to bind proxy server(s) to (may be overridden for individual modes, see `mode`). By default, the port is mode-specific. The default regular HTTP proxy spawns on port 8080. Default: None |
#
map_local mitmproxy mitmdump mitmweb |
sequence of str | Map remote resources to a local file using a pattern of the form "[/flow-filter]/url-regex/file-or-directory-path", where the separator can be any character. Default: [] |
#
map_remote mitmproxy mitmdump mitmweb |
sequence of str | Map remote resources to another remote URL using a pattern of the form "[/flow-filter]/url-regex/replacement", where the separator can be any character. Default: [] |
#
mode mitmproxy mitmdump mitmweb |
sequence of str | The proxy server type(s) to spawn. Can be passed multiple times. Mitmproxy supports "regular" (HTTP), "transparent", "socks5", "reverse:SPEC", "upstream:SPEC", and "wireguard[:PATH]" proxy servers. For reverse and upstream proxy modes, SPEC is host specification in the form of "http[s]://host[:port]". For WireGuard mode, PATH may point to a file containing key material. If no such file exists, it will be created on startup. You may append `@listen_port` or `@listen_host:listen_port` to override `listen_host` or `listen_port` for a specific proxy mode. Features such as client playback will use the first mode to determine which upstream server to use. Default: ['regular'] |
#
modify_body mitmproxy mitmdump mitmweb |
sequence of str | Replacement pattern of the form "[/flow-filter]/regex/[@]replacement", where the separator can be any character. The @ allows to provide a file path that is used to read the replacement string. Default: [] |
#
modify_headers mitmproxy mitmdump mitmweb |
sequence of str | Header modify pattern of the form "[/flow-filter]/header-name/[@]header-value", where the separator can be any character. The @ allows to provide a file path that is used to read the header value string. An empty header-value removes existing header-name headers. Default: [] |
#
normalize_outbound_headers mitmproxy mitmdump mitmweb |
bool | Normalize outgoing HTTP/2 header names, but emit a warning when doing so. HTTP/2 does not allow uppercase header names. This option makes sure that HTTP/2 headers set in custom scripts are lowercased before they are sent. Default: True |
#
onboarding mitmproxy mitmdump mitmweb |
bool | Toggle the mitmproxy onboarding app. Default: True |
#
onboarding_host mitmproxy mitmdump mitmweb |
str | Onboarding app domain. For transparent mode, use an IP when a DNS entry for the app domain is not present. Default: mitm.it |
#
proxy_debug mitmproxy mitmdump mitmweb |
bool | Enable debug logs in the proxy core. Default: False |
#
proxyauth mitmproxy mitmdump mitmweb |
optional str | Require proxy authentication. Format: "username:pass", "any" to accept any user/pass combination, "@path" to use an Apache htpasswd file, or "ldap[s]:url_server_ldap[:port]:dn_auth:password:dn_subtree[?search_filter_key=...]" for LDAP authentication. Default: None |
#
rawtcp mitmproxy mitmdump mitmweb |
bool | Enable/disable raw TCP connections. TCP connections are enabled by default. Default: True |
#
readfile_filter mitmproxy mitmdump mitmweb |
optional str | Read only matching flows. Default: None |
#
request_client_cert mitmproxy mitmdump mitmweb |
bool | Requests a client certificate (TLS message 'CertificateRequest') to establish a mutual TLS connection between client and mitmproxy (combined with 'client_certs' option for mitmproxy and upstream). Default: False |
#
rfile mitmproxy mitmdump mitmweb |
optional str | Read flows from file. Default: None |
#
save_stream_file mitmproxy mitmdump mitmweb |
optional str | Stream flows to file as they arrive. Prefix path with + to append. The full path can use python strftime() formating, missing directories are created as needed. A new file is opened every time the formatted string changes. Default: None |
#
save_stream_filter mitmproxy mitmdump mitmweb |
optional str | Filter which flows are written to file. Default: None |
#
scripts mitmproxy mitmdump mitmweb |
sequence of str | Execute a script. Default: [] |
#
server mitmproxy mitmdump mitmweb |
bool | Start a proxy server. Enabled by default. Default: True |
#
server_replay mitmproxy mitmdump mitmweb |
sequence of str | Replay server responses from a saved file. Default: [] |
#
server_replay_extra mitmproxy mitmdump mitmweb |
str | Behaviour for extra requests during replay for which no replayable response was found. Setting a numeric string value will return an empty HTTP response with the respective status code. Default: forward Choices: forward, kill, 204, 400, 404, 500 |
#
server_replay_ignore_content mitmproxy mitmdump mitmweb |
bool | Ignore request content while searching for a saved flow to replay. Default: False |
#
server_replay_ignore_host mitmproxy mitmdump mitmweb |
bool | Ignore request destination host while searching for a saved flow to replay. Default: False |
#
server_replay_ignore_params mitmproxy mitmdump mitmweb |
sequence of str | Request parameters to be ignored while searching for a saved flow to replay. Default: [] |
#
server_replay_ignore_payload_params mitmproxy mitmdump mitmweb |
sequence of str | Request payload parameters (application/x-www-form-urlencoded or multipart/form-data) to be ignored while searching for a saved flow to replay. Default: [] |
#
server_replay_ignore_port mitmproxy mitmdump mitmweb |
bool | Ignore request destination port while searching for a saved flow to replay. Default: False |
#
server_replay_kill_extra mitmproxy mitmdump mitmweb |
bool | Kill extra requests during replay (for which no replayable response was found).[Deprecated, prefer to use server_replay_extra='kill'] Default: False |
#
server_replay_nopop mitmproxy mitmdump mitmweb |
bool | Deprecated alias for `server_replay_reuse`. Default: False |
#
server_replay_refresh mitmproxy mitmdump mitmweb |
bool | Refresh server replay responses by adjusting date, expires and last-modified headers, as well as adjusting cookie expiration. Default: True |
#
server_replay_reuse mitmproxy mitmdump mitmweb |
bool | Don't remove flows from server replay state after use. This makes it possible to replay same response multiple times. Default: False |
#
server_replay_use_headers mitmproxy mitmdump mitmweb |
sequence of str | Request headers that need to match while searching for a saved flow to replay. Default: [] |
#
show_ignored_hosts mitmproxy mitmdump mitmweb |
bool | Record ignored flows in the UI even if we do not perform TLS interception. This option will keep ignored flows' contents in memory, which can greatly increase memory usage. A future release will fix this issue, record ignored flows by default, and remove this option. Default: False |
#
showhost mitmproxy mitmdump mitmweb |
bool | Use the Host header to construct URLs for display. Default: False |
#
ssl_insecure mitmproxy mitmdump mitmweb |
bool | Do not verify upstream server SSL/TLS certificates. Default: False |
#
ssl_verify_upstream_trusted_ca mitmproxy mitmdump mitmweb |
optional str | Path to a PEM formatted trusted CA certificate. Default: None |
#
ssl_verify_upstream_trusted_confdir mitmproxy mitmdump mitmweb |
optional str | Path to a directory of trusted CA certificates for upstream server verification prepared using the c_rehash tool. Default: None |
#
stickyauth mitmproxy mitmdump mitmweb |
optional str | Set sticky auth filter. Matched against requests. Default: None |
#
stickycookie mitmproxy mitmdump mitmweb |
optional str | Set sticky cookie filter. Matched against requests. Default: None |
#
stream_large_bodies mitmproxy mitmdump mitmweb |
optional str | Stream data to the client if response body exceeds the given threshold. If streamed, the body will not be stored in any way, and such responses cannot be modified. Understands k/m/g suffixes, i.e. 3m for 3 megabytes. Default: None |
#
strip_ech mitmproxy mitmdump mitmweb |
bool | Strip Encrypted ClientHello (ECH) data from DNS HTTPS records so that mitmproxy can generate matching certificates. Default: True |
#
tcp_hosts mitmproxy mitmdump mitmweb |
sequence of str | Generic TCP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode. Default: [] |
#
termlog_verbosity mitmdump mitmweb |
str | Log verbosity. Default: info Choices: error, warn, info, alert, debug |
#
tls_ecdh_curve_client mitmproxy mitmdump mitmweb |
optional str | Use a specific elliptic curve for ECDHE key exchange on client connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`). Default: None |
#
tls_ecdh_curve_server mitmproxy mitmdump mitmweb |
optional str | Use a specific elliptic curve for ECDHE key exchange on server connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`). Default: None |
#
tls_version_client_max mitmproxy mitmdump mitmweb |
str | Set the maximum TLS version for client connections. Default: UNBOUNDED Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3 |
#
tls_version_client_min mitmproxy mitmdump mitmweb |
str | Set the minimum TLS version for client connections. Default: TLS1_2 Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3 |
#
tls_version_server_max mitmproxy mitmdump mitmweb |
str | Set the maximum TLS version for server connections. Default: UNBOUNDED Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3 |
#
tls_version_server_min mitmproxy mitmdump mitmweb |
str | Set the minimum TLS version for server connections. Default: TLS1_2 Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3 |
#
udp_hosts mitmproxy mitmdump mitmweb |
sequence of str | Generic UDP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode. Default: [] |
#
upstream_auth mitmproxy mitmdump mitmweb |
optional str | Add HTTP Basic authentication to upstream proxy and reverse proxy requests. Format: username:password. Default: None |
#
upstream_cert mitmproxy mitmdump mitmweb |
bool | Connect to upstream server to look up certificate details. Default: True |
#
validate_inbound_headers mitmproxy mitmdump mitmweb |
bool | Make sure that incoming HTTP requests are not malformed. Disabling this option makes mitmproxy vulnerable to HTTP smuggling attacks. Default: True |
#
view_filter mitmproxy mitmweb |
optional str | Limit the view to matching flows. Default: None |
#
view_order mitmproxy mitmweb |
str | Flow sort order. Default: time Choices: time, method, url, size |
#
view_order_reversed mitmproxy mitmweb |
bool | Reverse the sorting order. Default: False |
#
web_columns mitmweb |
sequence of str | Columns to show in the flow list. Can be one of the following: icon, index, method, version, path, quickactions, size, status, time, timestamp, tls, comment Default: ['tls', 'icon', 'path', 'method', 'status', 'size', 'time'] |
#
web_debug mitmweb |
bool | Enable mitmweb debugging. Default: False |
#
web_host mitmweb |
str | Web UI host. Default: 127.0.0.1 |
#
web_open_browser mitmweb |
bool | Start a browser. Default: True |
#
web_port mitmweb |
int | Web UI port. Default: 8081 |
#
web_static_viewer mitmweb |
optional str | The path to output a static viewer. Default: |
#
websocket mitmproxy mitmdump mitmweb |
bool | Enable/disable WebSocket support. WebSocket support is enabled by default. Default: True |