Edit on GitHub

#  Options

The mitmproxy tools share a common YAML configuration file located at ~/.mitmproxy/config.yaml. This file controls options - typed values that determine the behaviour of mitmproxy. The options mechanism is very comprehensive - in fact, options control all of mitmproxy’s runtime behaviour. Most command-line flags are simply aliases for underlying options, and interactive settings changes made in mitmproxy and mitmweb just change values in our runtime options store. This means that almost any facet of mitmproxy’s behaviour can be controlled through options.

The canonical reference for options is the --options flag, which is exposed by each of the mitmproxy tools. Passing this flag will dump an annotated YAML configuration to console, which includes all options and their default values.

The options mechanism is extensible - third-party addons can define options that are treated exactly like mitmproxy’s own. This means that addons can also be configured through the central configuration file, and their options will appear in the options editors in interactive tools.

#  Tools

Both mitmproxy and mitmweb have built-in editors that let you view and manipulate the complete configuration state of mitmproxy. Values you change interactively have immediate effect in the running instance, and can be made persistent by saving the settings out to a YAML configuration file (please see the specific tool’s interactive help for details on how to do this).

For all tools, options can be set directly by name using the --set command-line option. Please see the command-line help (--help) for usage. Example:

mitmproxy --set anticomp=true
mitmweb --set ignore_hosts=example.com --set ignore_hosts=example.org 

#  Available Options

This list might not reflect what is actually available in your current mitmproxy environment. For an up-to-date list please use the --options flag for each of the mitmproxy tools.

Name Type Description
#   add_upstream_certs_to_client_chain
mitmproxy mitmdump mitmweb
bool Add all certificates of the upstream server to the certificate chain that will be served to the proxy client, as extras.
Default: False
#   allow_hosts
mitmproxy mitmdump mitmweb
sequence of str Opposite of --ignore-hosts.
Default: []
#   anticache
mitmproxy mitmdump mitmweb
bool Strip out request headers that might cause the server to return 304-not-modified.
Default: False
#   anticomp
mitmproxy mitmdump mitmweb
bool Try to convince servers to send us un-compressed data.
Default: False
#   block_global
mitmproxy mitmdump mitmweb
bool Block connections from public IP addresses.
Default: True
#   block_list
mitmproxy mitmdump mitmweb
sequence of str Block matching requests and return an empty response with the specified HTTP status. Option syntax is "/flow-filter/status-code", where flow-filter describes which requests this rule should be applied to and status-code is the HTTP status code to return for blocked requests. The separator ("/" in the example) can be any character. Setting a non-standard status code of 444 will close the connection without sending a response.
Default: []
#   block_private
mitmproxy mitmdump mitmweb
bool Block connections from local (private) IP addresses. This option does not affect loopback addresses (connections from the local machine), which are always permitted.
Default: False
#   body_size_limit
mitmproxy mitmdump mitmweb
optional str Byte size limit of HTTP request and response bodies. Understands k/m/g suffixes, i.e. 3m for 3 megabytes.
Default: None
#   cert_passphrase
mitmproxy mitmdump mitmweb
optional str Passphrase for decrypting the private key provided in the --cert option. Note that passing cert_passphrase on the command line makes your passphrase visible in your system's process list. Specify it in config.yaml to avoid this.
Default: None
#   certs
mitmproxy mitmdump mitmweb
sequence of str SSL certificates of the form "[domain=]path". The domain may include a wildcard, and is equal to "*" if not specified. The file at path is a certificate in PEM format. If a private key is included in the PEM, it is used, else the default key in the conf dir is used. The PEM file should contain the full certificate chain, with the leaf certificate as the first entry.
Default: []
#   ciphers_client
mitmproxy mitmdump mitmweb
optional str Set supported ciphers for client <-> mitmproxy connections using OpenSSL syntax.
Default: None
#   ciphers_server
mitmproxy mitmdump mitmweb
optional str Set supported ciphers for mitmproxy <-> server connections using OpenSSL syntax.
Default: None
#   client_certs
mitmproxy mitmdump mitmweb
optional str Client certificate file or directory.
Default: None
#   client_replay
mitmproxy mitmdump mitmweb
sequence of str Replay client requests from a saved file.
Default: []
#   client_replay_concurrency
mitmproxy mitmdump mitmweb
int Concurrency limit on in-flight client replay requests. Currently the only valid values are 1 and -1 (no limit).
Default: 1
#   command_history
mitmproxy mitmdump mitmweb
bool Persist command history between mitmproxy invocations.
Default: True
#   confdir
mitmproxy mitmdump mitmweb
str Location of the default mitmproxy configuration files.
Default: ~/.mitmproxy
#   connect_addr
mitmproxy mitmdump mitmweb
optional str Set the local IP address that mitmproxy should use when connecting to upstream servers.
Default: None
#   connection_strategy
mitmproxy mitmdump mitmweb
str Determine when server connections should be established. When set to lazy, mitmproxy tries to defer establishing an upstream connection as long as possible. This makes it possible to use server replay while being offline. When set to eager, mitmproxy can detect protocols with server-side greetings, as well as accurately mirror TLS ALPN negotiation.
Default: eager
Choices: eager, lazy
#   console_default_contentview
mitmproxy
str The default content view mode.
Default: auto
Choices: auto, raw, raw hex stream, hex dump, graphql, json, xml/html, wbxml, javascript, css, url-encoded, multipart form, image, query, protocol buffer, msgpack, grpc/protocol buffer, mqtt, http/3 frames, dns-over-https
#   console_eventlog_verbosity
mitmproxy
str EventLog verbosity.
Default: info
Choices: error, warn, info, alert, debug
#   console_flowlist_layout
mitmproxy
str Set the flowlist layout
Default: default
Choices: default, list, table
#   console_focus_follow
mitmproxy mitmweb
bool Focus follows new flows.
Default: False
#   console_layout
mitmproxy
str Console layout.
Default: single
Choices: horizontal, single, vertical
#   console_layout_headers
mitmproxy
bool Show layout component headers
Default: True
#   console_mouse
mitmproxy
bool Console mouse interaction.
Default: True
#   console_palette
mitmproxy
str Color palette.
Default: solarized_dark
Choices: dark, light, lowdark, lowlight, solarized_dark, solarized_light
#   console_palette_transparent
mitmproxy
bool Set transparent background for palette.
Default: True
#   console_strip_trailing_newlines
mitmproxy
bool Strip trailing newlines from edited request/response bodies.
Default: False
#   content_view_lines_cutoff
mitmproxy mitmdump mitmweb
int Flow content view lines limit. Limit is enabled by default to speedup flows browsing.
Default: 512
#   dns_name_servers
mitmproxy mitmdump mitmweb
sequence of str Name servers to use for lookups. Default: operating system's name servers
Default: []
#   dns_use_hosts_file
mitmproxy mitmdump mitmweb
bool Use the hosts file for DNS lookups in regular DNS mode/wireguard mode.
Default: True
#   dumper_default_contentview
mitmdump
str The default content view mode.
Default: auto
Choices: auto, raw, raw hex stream, hex dump, graphql, json, xml/html, wbxml, javascript, css, url-encoded, multipart form, image, query, protocol buffer, msgpack, grpc/protocol buffer, mqtt, http/3 frames, dns-over-https
#   dumper_filter
mitmdump
optional str Limit which flows are dumped.
Default: None
#   export_preserve_original_ip
mitmproxy mitmdump mitmweb
bool When exporting a request as an external command, make an effort to connect to the same IP as in the original request. This helps with reproducibility in cases where the behaviour depends on the particular host we are connecting to. Currently this only affects curl exports.
Default: False
#   flow_detail
mitmdump
int The display detail level for flows in mitmdump: 0 (quiet) to 4 (very verbose). 0: no output 1: shortened request URL with response status code 2: full request URL with response status code and HTTP headers 3: 2 + truncated response content, content of WebSocket and TCP messages (content_view_lines_cutoff: 512) 4: 3 + nothing is truncated
Default: 1
#   hardump
mitmproxy mitmdump mitmweb
str Save a HAR file with all flows on exit. You may select particular flows by setting save_stream_filter. For mitmdump, enabling this option will mean that flows are kept in memory.
Default:
#   http2
mitmproxy mitmdump mitmweb
bool Enable/disable HTTP/2 support. HTTP/2 support is enabled by default.
Default: True
#   http2_ping_keepalive
mitmproxy mitmdump mitmweb
int Send a PING frame if an HTTP/2 connection is idle for more than the specified number of seconds to prevent the remote site from closing it. Set to 0 to disable this feature.
Default: 58
#   http3
mitmproxy mitmdump mitmweb
bool Enable/disable support for QUIC and HTTP/3. Enabled by default.
Default: True
#   http_connect_send_host_header
mitmproxy mitmdump mitmweb
bool Include host header with CONNECT requests. Enabled by default.
Default: True
#   ignore_hosts
mitmproxy mitmdump mitmweb
sequence of str Ignore host and forward all traffic without processing it. In transparent mode, it is recommended to use an IP address (range), not the hostname. In regular mode, only SSL traffic is ignored and the hostname should be used. The supplied value is interpreted as a regular expression and matched on the ip or the hostname.
Default: []
#   intercept
mitmproxy mitmweb
optional str Intercept filter expression.
Default: None
#   intercept_active
mitmproxy mitmweb
bool Intercept toggle
Default: False
#   keep_alt_svc_header
mitmproxy mitmdump mitmweb
bool Reverse Proxy: Keep Alt-Svc headers as-is, even if they do not point to mitmproxy. Enabling this option may cause clients to bypass the proxy.
Default: False
#   keep_host_header
mitmproxy mitmdump mitmweb
bool Reverse Proxy: Keep the original host header instead of rewriting it to the reverse proxy target.
Default: False
#   keepserving
mitmdump
bool Continue serving after client playback, server playback or file read. This option is ignored by interactive tools, which always keep serving.
Default: False
#   key_size
mitmproxy mitmdump mitmweb
int TLS key size for certificates and CA.
Default: 2048
#   listen_host
mitmproxy mitmdump mitmweb
str Address to bind proxy server(s) to (may be overridden for individual modes, see `mode`).
Default:
#   listen_port
mitmproxy mitmdump mitmweb
optional int Port to bind proxy server(s) to (may be overridden for individual modes, see `mode`). By default, the port is mode-specific. The default regular HTTP proxy spawns on port 8080.
Default: None
#   map_local
mitmproxy mitmdump mitmweb
sequence of str Map remote resources to a local file using a pattern of the form "[/flow-filter]/url-regex/file-or-directory-path", where the separator can be any character.
Default: []
#   map_remote
mitmproxy mitmdump mitmweb
sequence of str Map remote resources to another remote URL using a pattern of the form "[/flow-filter]/url-regex/replacement", where the separator can be any character.
Default: []
#   mode
mitmproxy mitmdump mitmweb
sequence of str The proxy server type(s) to spawn. Can be passed multiple times. Mitmproxy supports "regular" (HTTP), "transparent", "socks5", "reverse:SPEC", "upstream:SPEC", and "wireguard[:PATH]" proxy servers. For reverse and upstream proxy modes, SPEC is host specification in the form of "http[s]://host[:port]". For WireGuard mode, PATH may point to a file containing key material. If no such file exists, it will be created on startup. You may append `@listen_port` or `@listen_host:listen_port` to override `listen_host` or `listen_port` for a specific proxy mode. Features such as client playback will use the first mode to determine which upstream server to use.
Default: ['regular']
#   modify_body
mitmproxy mitmdump mitmweb
sequence of str Replacement pattern of the form "[/flow-filter]/regex/[@]replacement", where the separator can be any character. The @ allows to provide a file path that is used to read the replacement string.
Default: []
#   modify_headers
mitmproxy mitmdump mitmweb
sequence of str Header modify pattern of the form "[/flow-filter]/header-name/[@]header-value", where the separator can be any character. The @ allows to provide a file path that is used to read the header value string. An empty header-value removes existing header-name headers.
Default: []
#   normalize_outbound_headers
mitmproxy mitmdump mitmweb
bool Normalize outgoing HTTP/2 header names, but emit a warning when doing so. HTTP/2 does not allow uppercase header names. This option makes sure that HTTP/2 headers set in custom scripts are lowercased before they are sent.
Default: True
#   onboarding
mitmproxy mitmdump mitmweb
bool Toggle the mitmproxy onboarding app.
Default: True
#   onboarding_host
mitmproxy mitmdump mitmweb
str Onboarding app domain. For transparent mode, use an IP when a DNS entry for the app domain is not present.
Default: mitm.it
#   proxy_debug
mitmproxy mitmdump mitmweb
bool Enable debug logs in the proxy core.
Default: False
#   proxyauth
mitmproxy mitmdump mitmweb
optional str Require proxy authentication. Format: "username:pass", "any" to accept any user/pass combination, "@path" to use an Apache htpasswd file, or "ldap[s]:url_server_ldap[:port]:dn_auth:password:dn_subtree[?search_filter_key=...]" for LDAP authentication.
Default: None
#   rawtcp
mitmproxy mitmdump mitmweb
bool Enable/disable raw TCP connections. TCP connections are enabled by default.
Default: True
#   readfile_filter
mitmproxy mitmdump mitmweb
optional str Read only matching flows.
Default: None
#   request_client_cert
mitmproxy mitmdump mitmweb
bool Requests a client certificate (TLS message 'CertificateRequest') to establish a mutual TLS connection between client and mitmproxy (combined with 'client_certs' option for mitmproxy and upstream).
Default: False
#   rfile
mitmproxy mitmdump mitmweb
optional str Read flows from file.
Default: None
#   save_stream_file
mitmproxy mitmdump mitmweb
optional str Stream flows to file as they arrive. Prefix path with + to append. The full path can use python strftime() formating, missing directories are created as needed. A new file is opened every time the formatted string changes.
Default: None
#   save_stream_filter
mitmproxy mitmdump mitmweb
optional str Filter which flows are written to file.
Default: None
#   scripts
mitmproxy mitmdump mitmweb
sequence of str Execute a script.
Default: []
#   server
mitmproxy mitmdump mitmweb
bool Start a proxy server. Enabled by default.
Default: True
#   server_replay
mitmproxy mitmdump mitmweb
sequence of str Replay server responses from a saved file.
Default: []
#   server_replay_extra
mitmproxy mitmdump mitmweb
str Behaviour for extra requests during replay for which no replayable response was found. Setting a numeric string value will return an empty HTTP response with the respective status code.
Default: forward
Choices: forward, kill, 204, 400, 404, 500
#   server_replay_ignore_content
mitmproxy mitmdump mitmweb
bool Ignore request content while searching for a saved flow to replay.
Default: False
#   server_replay_ignore_host
mitmproxy mitmdump mitmweb
bool Ignore request destination host while searching for a saved flow to replay.
Default: False
#   server_replay_ignore_params
mitmproxy mitmdump mitmweb
sequence of str Request parameters to be ignored while searching for a saved flow to replay.
Default: []
#   server_replay_ignore_payload_params
mitmproxy mitmdump mitmweb
sequence of str Request payload parameters (application/x-www-form-urlencoded or multipart/form-data) to be ignored while searching for a saved flow to replay.
Default: []
#   server_replay_ignore_port
mitmproxy mitmdump mitmweb
bool Ignore request destination port while searching for a saved flow to replay.
Default: False
#   server_replay_kill_extra
mitmproxy mitmdump mitmweb
bool Kill extra requests during replay (for which no replayable response was found).[Deprecated, prefer to use server_replay_extra='kill']
Default: False
#   server_replay_nopop
mitmproxy mitmdump mitmweb
bool Deprecated alias for `server_replay_reuse`.
Default: False
#   server_replay_refresh
mitmproxy mitmdump mitmweb
bool Refresh server replay responses by adjusting date, expires and last-modified headers, as well as adjusting cookie expiration.
Default: True
#   server_replay_reuse
mitmproxy mitmdump mitmweb
bool Don't remove flows from server replay state after use. This makes it possible to replay same response multiple times.
Default: False
#   server_replay_use_headers
mitmproxy mitmdump mitmweb
sequence of str Request headers that need to match while searching for a saved flow to replay.
Default: []
#   show_ignored_hosts
mitmproxy mitmdump mitmweb
bool Record ignored flows in the UI even if we do not perform TLS interception. This option will keep ignored flows' contents in memory, which can greatly increase memory usage. A future release will fix this issue, record ignored flows by default, and remove this option.
Default: False
#   showhost
mitmproxy mitmdump mitmweb
bool Use the Host header to construct URLs for display.
Default: False
#   ssl_insecure
mitmproxy mitmdump mitmweb
bool Do not verify upstream server SSL/TLS certificates.
Default: False
#   ssl_verify_upstream_trusted_ca
mitmproxy mitmdump mitmweb
optional str Path to a PEM formatted trusted CA certificate.
Default: None
#   ssl_verify_upstream_trusted_confdir
mitmproxy mitmdump mitmweb
optional str Path to a directory of trusted CA certificates for upstream server verification prepared using the c_rehash tool.
Default: None
#   stickyauth
mitmproxy mitmdump mitmweb
optional str Set sticky auth filter. Matched against requests.
Default: None
#   stickycookie
mitmproxy mitmdump mitmweb
optional str Set sticky cookie filter. Matched against requests.
Default: None
#   stream_large_bodies
mitmproxy mitmdump mitmweb
optional str Stream data to the client if response body exceeds the given threshold. If streamed, the body will not be stored in any way, and such responses cannot be modified. Understands k/m/g suffixes, i.e. 3m for 3 megabytes.
Default: None
#   strip_ech
mitmproxy mitmdump mitmweb
bool Strip Encrypted ClientHello (ECH) data from DNS HTTPS records so that mitmproxy can generate matching certificates.
Default: True
#   tcp_hosts
mitmproxy mitmdump mitmweb
sequence of str Generic TCP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode.
Default: []
#   termlog_verbosity
mitmdump mitmweb
str Log verbosity.
Default: info
Choices: error, warn, info, alert, debug
#   tls_ecdh_curve_client
mitmproxy mitmdump mitmweb
optional str Use a specific elliptic curve for ECDHE key exchange on client connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`).
Default: None
#   tls_ecdh_curve_server
mitmproxy mitmdump mitmweb
optional str Use a specific elliptic curve for ECDHE key exchange on server connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`).
Default: None
#   tls_version_client_max
mitmproxy mitmdump mitmweb
str Set the maximum TLS version for client connections.
Default: UNBOUNDED
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
#   tls_version_client_min
mitmproxy mitmdump mitmweb
str Set the minimum TLS version for client connections.
Default: TLS1_2
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
#   tls_version_server_max
mitmproxy mitmdump mitmweb
str Set the maximum TLS version for server connections.
Default: UNBOUNDED
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
#   tls_version_server_min
mitmproxy mitmdump mitmweb
str Set the minimum TLS version for server connections.
Default: TLS1_2
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
#   udp_hosts
mitmproxy mitmdump mitmweb
sequence of str Generic UDP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode.
Default: []
#   upstream_auth
mitmproxy mitmdump mitmweb
optional str Add HTTP Basic authentication to upstream proxy and reverse proxy requests. Format: username:password.
Default: None
#   upstream_cert
mitmproxy mitmdump mitmweb
bool Connect to upstream server to look up certificate details.
Default: True
#   validate_inbound_headers
mitmproxy mitmdump mitmweb
bool Make sure that incoming HTTP requests are not malformed. Disabling this option makes mitmproxy vulnerable to HTTP smuggling attacks.
Default: True
#   view_filter
mitmproxy mitmweb
optional str Limit the view to matching flows.
Default: None
#   view_order
mitmproxy mitmweb
str Flow sort order.
Default: time
Choices: time, method, url, size
#   view_order_reversed
mitmproxy mitmweb
bool Reverse the sorting order.
Default: False
#   web_columns
mitmweb
sequence of str Columns to show in the flow list. Can be one of the following: icon, index, method, version, path, quickactions, size, status, time, timestamp, tls, comment
Default: ['tls', 'icon', 'path', 'method', 'status', 'size', 'time']
#   web_debug
mitmweb
bool Enable mitmweb debugging.
Default: False
#   web_host
mitmweb
str Web UI host.
Default: 127.0.0.1
#   web_open_browser
mitmweb
bool Start a browser.
Default: True
#   web_port
mitmweb
int Web UI port.
Default: 8081
#   web_static_viewer
mitmweb
optional str The path to output a static viewer.
Default:
#   websocket
mitmproxy mitmdump mitmweb
bool Enable/disable WebSocket support. WebSocket support is enabled by default.
Default: True