add_upstream_certs_to_client_chain
mitmproxy mitmdump mitmweb |
bool |
Add all certificates of the upstream server to the certificate chain that will be served to the proxy client, as extras.
Default: False
|
allow_hosts
mitmproxy mitmdump mitmweb |
sequence of str |
Opposite of --ignore-hosts.
Default: []
|
anticache
mitmproxy mitmdump mitmweb |
bool |
Strip out request headers that might cause the server to return 304-not-modified.
Default: False
|
anticomp
mitmproxy mitmdump mitmweb |
bool |
Try to convince servers to send us un-compressed data.
Default: False
|
block_global
mitmproxy mitmdump mitmweb |
bool |
Block connections from public IP addresses.
Default: True
|
block_list
mitmproxy mitmdump mitmweb |
sequence of str |
Block matching requests and return an empty response with the specified HTTP status. Option syntax is "/flow-filter/status-code", where flow-filter describes which requests this rule should be applied to and status-code is the HTTP status code to return for blocked requests. The separator ("/" in the example) can be any character. Setting a non-standard status code of 444 will close the connection without sending a response.
Default: []
|
block_private
mitmproxy mitmdump mitmweb |
bool |
Block connections from local (private) IP addresses. This option does not affect loopback addresses (connections from the local machine), which are always permitted.
Default: False
|
body_size_limit
mitmproxy mitmdump mitmweb |
optional str |
Byte size limit of HTTP request and response bodies. Understands k/m/g suffixes, i.e. 3m for 3 megabytes.
Default: None
|
cert_passphrase
mitmproxy mitmdump mitmweb |
optional str |
Passphrase for decrypting the private key provided in the --cert option. Note that passing cert_passphrase on the command line makes your passphrase visible in your system's process list. Specify it in config.yaml to avoid this.
Default: None
|
certs
mitmproxy mitmdump mitmweb |
sequence of str |
SSL certificates of the form "[domain=]path". The domain may include a wildcard, and is equal to "*" if not specified. The file at path is a certificate in PEM format. If a private key is included in the PEM, it is used, else the default key in the conf dir is used. The PEM file should contain the full certificate chain, with the leaf certificate as the first entry.
Default: []
|
ciphers_client
mitmproxy mitmdump mitmweb |
optional str |
Set supported ciphers for client <-> mitmproxy connections using OpenSSL syntax.
Default: None
|
ciphers_server
mitmproxy mitmdump mitmweb |
optional str |
Set supported ciphers for mitmproxy <-> server connections using OpenSSL syntax.
Default: None
|
client_certs
mitmproxy mitmdump mitmweb |
optional str |
Client certificate file or directory.
Default: None
|
client_replay
mitmproxy mitmdump mitmweb |
sequence of str |
Replay client requests from a saved file.
Default: []
|
client_replay_concurrency
mitmproxy mitmdump mitmweb |
int |
Concurrency limit on in-flight client replay requests. Currently the only valid values are 1 and -1 (no limit).
Default: 1
|
command_history
mitmproxy mitmdump mitmweb |
bool |
Persist command history between mitmproxy invocations.
Default: True
|
confdir
mitmproxy mitmdump mitmweb |
str |
Location of the default mitmproxy configuration files.
Default: ~/.mitmproxy
|
connect_addr
mitmproxy mitmdump mitmweb |
optional str |
Set the local IP address that mitmproxy should use when connecting to upstream servers.
Default: None
|
connection_strategy
mitmproxy mitmdump mitmweb |
str |
Determine when server connections should be established. When set to lazy, mitmproxy tries to defer establishing an upstream connection as long as possible. This makes it possible to use server replay while being offline. When set to eager, mitmproxy can detect protocols with server-side greetings, as well as accurately mirror TLS ALPN negotiation.
Default: eager
Choices: eager, lazy
|
console_default_contentview
mitmproxy |
str |
The default content view mode.
Default: auto
Choices: auto, dns, graphql, grpc, hex dump, hex stream, http/3 frames, image, javascript, json, mqtt, msgpack, multipart form, protobuf, query, raw, socket.io, url-encoded, viewcss, wbxml, xml/html
|
console_eventlog_verbosity
mitmproxy |
str |
EventLog verbosity.
Default: info
Choices: error, warn, info, alert, debug
|
console_flowlist_layout
mitmproxy |
str |
Set the flowlist layout
Default: default
Choices: default, list, table
|
console_focus_follow
mitmproxy mitmweb |
bool |
Focus follows new flows.
Default: False
|
console_layout
mitmproxy |
str |
Console layout.
Default: single
Choices: horizontal, single, vertical
|
console_mouse
mitmproxy |
bool |
Console mouse interaction.
Default: True
|
console_palette
mitmproxy |
str |
Color palette.
Default: solarized_dark
Choices: dark, light, lowdark, lowlight, solarized_dark, solarized_light
|
console_palette_transparent
mitmproxy |
bool |
Set transparent background for palette.
Default: True
|
console_strip_trailing_newlines
mitmproxy |
bool |
Strip trailing newlines from edited request/response bodies.
Default: False
|
content_view_lines_cutoff
mitmproxy mitmdump mitmweb |
int |
Flow content view lines limit. Limit is enabled by default to speedup flows browsing.
Default: 512
|
dns_name_servers
mitmproxy mitmdump mitmweb |
sequence of str |
Name servers to use for lookups. Default: operating system's name servers
Default: []
|
dns_use_hosts_file
mitmproxy mitmdump mitmweb |
bool |
Use the hosts file for DNS lookups in regular DNS mode/wireguard mode.
Default: True
|
dumper_default_contentview
mitmdump |
str |
The default content view mode.
Default: auto
Choices: auto, dns, graphql, grpc, hex dump, hex stream, http/3 frames, image, javascript, json, mqtt, msgpack, multipart form, protobuf, query, raw, socket.io, url-encoded, viewcss, wbxml, xml/html
|
dumper_filter
mitmdump |
optional str |
Limit which flows are dumped.
Default: None
|
export_preserve_original_ip
mitmproxy mitmdump mitmweb |
bool |
When exporting a request as an external command, make an effort to connect to the same IP as in the original request. This helps with reproducibility in cases where the behaviour depends on the particular host we are connecting to. Currently this only affects curl exports.
Default: False
|
flow_detail
mitmdump |
int |
The display detail level for flows in mitmdump: 0 (quiet) to 4 (very verbose). 0: no output 1: shortened request URL with response status code 2: full request URL with response status code and HTTP headers 3: 2 + truncated response content, content of WebSocket and TCP messages (content_view_lines_cutoff: 512) 4: 3 + nothing is truncated
Default: 1
|
hardump
mitmproxy mitmdump mitmweb |
str |
Save a HAR file with all flows on exit. You may select particular flows by setting save_stream_filter. For mitmdump, enabling this option will mean that flows are kept in memory.
Default:
|
http2
mitmproxy mitmdump mitmweb |
bool |
Enable/disable HTTP/2 support. HTTP/2 support is enabled by default.
Default: True
|
http2_ping_keepalive
mitmproxy mitmdump mitmweb |
int |
Send a PING frame if an HTTP/2 connection is idle for more than the specified number of seconds to prevent the remote site from closing it. Set to 0 to disable this feature.
Default: 58
|
http3
mitmproxy mitmdump mitmweb |
bool |
Enable/disable support for QUIC and HTTP/3. Enabled by default.
Default: True
|
ignore_hosts
mitmproxy mitmdump mitmweb |
sequence of str |
Ignore host and forward all traffic without processing it. In transparent mode, it is recommended to use an IP address (range), not the hostname. In regular mode, only SSL traffic is ignored and the hostname should be used. The supplied value is interpreted as a regular expression and matched on the ip or the hostname.
Default: []
|
intercept
mitmproxy mitmweb |
optional str |
Intercept filter expression.
Default: None
|
intercept_active
mitmproxy mitmweb |
bool |
Intercept toggle
Default: False
|
keepserving
mitmdump |
bool |
Continue serving after client playback, server playback or file read. This option is ignored by interactive tools, which always keep serving.
Default: False
|
key_size
mitmproxy mitmdump mitmweb |
int |
TLS key size for certificates and CA.
Default: 2048
|
listen_host
mitmproxy mitmdump mitmweb |
str |
Address to bind proxy server(s) to (may be overridden for individual modes, see `mode`).
Default:
|
listen_port
mitmproxy mitmdump mitmweb |
optional int |
Port to bind proxy server(s) to (may be overridden for individual modes, see `mode`). By default, the port is mode-specific. The default regular HTTP proxy spawns on port 8080.
Default: None
|
map_local
mitmproxy mitmdump mitmweb |
sequence of str |
Map remote resources to a local file using a pattern of the form "[/flow-filter]/url-regex/file-or-directory-path", where the separator can be any character.
Default: []
|
map_remote
mitmproxy mitmdump mitmweb |
sequence of str |
Map remote resources to another remote URL using a pattern of the form "[/flow-filter]/url-regex/replacement", where the separator can be any character.
Default: []
|
mode
mitmproxy mitmdump mitmweb |
sequence of str |
The proxy server type(s) to spawn. Can be passed multiple times. Mitmproxy supports "regular" (HTTP), "transparent", "socks5", "reverse:SPEC", "upstream:SPEC", and "wireguard[:PATH]" proxy servers. For reverse and upstream proxy modes, SPEC is host specification in the form of "http[s]://host[:port]". For WireGuard mode, PATH may point to a file containing key material. If no such file exists, it will be created on startup. You may append `@listen_port` or `@listen_host:listen_port` to override `listen_host` or `listen_port` for a specific proxy mode. Features such as client playback will use the first mode to determine which upstream server to use.
Default: ['regular']
|
modify_body
mitmproxy mitmdump mitmweb |
sequence of str |
Replacement pattern of the form "[/flow-filter]/regex/[@]replacement", where the separator can be any character. The @ allows to provide a file path that is used to read the replacement string.
Default: []
|
onboarding
mitmproxy mitmdump mitmweb |
bool |
Toggle the mitmproxy onboarding app.
Default: True
|
onboarding_host
mitmproxy mitmdump mitmweb |
str |
Onboarding app domain. For transparent mode, use an IP when a DNS entry for the app domain is not present.
Default: mitm.it
|
protobuf_definitions
mitmproxy mitmdump mitmweb |
optional str |
Path to a .proto file that's used to resolve Protobuf field names when pretty-printing.
Default: None
|
proxy_debug
mitmproxy mitmdump mitmweb |
bool |
Enable debug logs in the proxy core.
Default: False
|
proxyauth
mitmproxy mitmdump mitmweb |
optional str |
Require proxy authentication. Format: "username:pass", "any" to accept any user/pass combination, "@path" to use an Apache htpasswd file, or "ldap[s]:url_server_ldap[:port]:dn_auth:password:dn_subtree[?search_filter_key=...]" for LDAP authentication.
Default: None
|
rawtcp
mitmproxy mitmdump mitmweb |
bool |
Enable/disable raw TCP connections. TCP connections are enabled by default.
Default: True
|
readfile_filter
mitmproxy mitmdump mitmweb |
optional str |
Read only matching flows.
Default: None
|
request_client_cert
mitmproxy mitmdump mitmweb |
bool |
Requests a client certificate (TLS message 'CertificateRequest') to establish a mutual TLS connection between client and mitmproxy (combined with 'client_certs' option for mitmproxy and upstream).
Default: False
|
rfile
mitmproxy mitmdump mitmweb |
optional str |
Read flows from file.
Default: None
|
save_stream_file
mitmproxy mitmdump mitmweb |
optional str |
Stream flows to file as they arrive. Prefix path with + to append. The full path can use python strftime() formating, missing directories are created as needed. A new file is opened every time the formatted string changes.
Default: None
|
save_stream_filter
mitmproxy mitmdump mitmweb |
optional str |
Filter which flows are written to file.
Default: None
|
scripts
mitmproxy mitmdump mitmweb |
sequence of str |
Execute a script.
Default: []
|
server
mitmproxy mitmdump mitmweb |
bool |
Start a proxy server. Enabled by default.
Default: True
|
server_replay
mitmproxy mitmdump mitmweb |
sequence of str |
Replay server responses from a saved file.
Default: []
|
server_replay_ignore_content
mitmproxy mitmdump mitmweb |
bool |
Ignore request content while searching for a saved flow to replay.
Default: False
|
server_replay_ignore_host
mitmproxy mitmdump mitmweb |
bool |
Ignore request destination host while searching for a saved flow to replay.
Default: False
|
server_replay_ignore_params
mitmproxy mitmdump mitmweb |
sequence of str |
Request parameters to be ignored while searching for a saved flow to replay.
Default: []
|
server_replay_ignore_payload_params
mitmproxy mitmdump mitmweb |
sequence of str |
Request payload parameters (application/x-www-form-urlencoded or multipart/form-data) to be ignored while searching for a saved flow to replay.
Default: []
|
server_replay_ignore_port
mitmproxy mitmdump mitmweb |
bool |
Ignore request destination port while searching for a saved flow to replay.
Default: False
|
server_replay_nopop
mitmproxy mitmdump mitmweb |
bool |
Deprecated alias for `server_replay_reuse`.
Default: False
|
server_replay_refresh
mitmproxy mitmdump mitmweb |
bool |
Refresh server replay responses by adjusting date, expires and last-modified headers, as well as adjusting cookie expiration.
Default: True
|
server_replay_reuse
mitmproxy mitmdump mitmweb |
bool |
Don't remove flows from server replay state after use. This makes it possible to replay same response multiple times.
Default: False
|
show_ignored_hosts
mitmproxy mitmdump mitmweb |
bool |
Record ignored flows in the UI even if we do not perform TLS interception. This option will keep ignored flows' contents in memory, which can greatly increase memory usage. A future release will fix this issue, record ignored flows by default, and remove this option.
Default: False
|
showhost
mitmproxy mitmdump mitmweb |
bool |
Use the Host header to construct URLs for display. This option is disabled by default because malicious apps may send misleading host headers to evade your analysis. If this is not a concern, enable this options for better flow display.
Default: False
|
ssl_insecure
mitmproxy mitmdump mitmweb |
bool |
Do not verify upstream server SSL/TLS certificates. If this option is enabled, certificate validation is skipped and mitmproxy itself will be vulnerable to TLS interception.
Default: False
|
ssl_verify_upstream_trusted_ca
mitmproxy mitmdump mitmweb |
optional str |
Path to a PEM formatted trusted CA certificate.
Default: None
|
ssl_verify_upstream_trusted_confdir
mitmproxy mitmdump mitmweb |
optional str |
Path to a directory of trusted CA certificates for upstream server verification prepared using the c_rehash tool.
Default: None
|
stickyauth
mitmproxy mitmdump mitmweb |
optional str |
Set sticky auth filter. Matched against requests.
Default: None
|
stickycookie
mitmproxy mitmdump mitmweb |
optional str |
Set sticky cookie filter. Matched against requests.
Default: None
|
store_streamed_bodies
mitmproxy mitmdump mitmweb |
bool |
Store HTTP request and response bodies when streamed (see `stream_large_bodies`). This increases memory consumption, but makes it possible to inspect streamed bodies.
Default: False
|
stream_large_bodies
mitmproxy mitmdump mitmweb |
optional str |
Stream data to the client if request or response body exceeds the given threshold. If streamed, the body will not be stored in any way, and such responses cannot be modified. Understands k/m/g suffixes, i.e. 3m for 3 megabytes. To store streamed bodies, see `store_streamed_bodies`.
Default: None
|
strip_ech
mitmproxy mitmdump mitmweb |
bool |
Strip Encrypted ClientHello (ECH) data from DNS HTTPS records so that mitmproxy can generate matching certificates.
Default: True
|
tcp_hosts
mitmproxy mitmdump mitmweb |
sequence of str |
Generic TCP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode.
Default: []
|
termlog_verbosity
mitmdump mitmweb |
str |
Log verbosity.
Default: info
Choices: error, warn, info, alert, debug
|
tls_ecdh_curve_client
mitmproxy mitmdump mitmweb |
optional str |
Use a specific elliptic curve for ECDHE key exchange on client connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`).
Default: None
|
tls_ecdh_curve_server
mitmproxy mitmdump mitmweb |
optional str |
Use a specific elliptic curve for ECDHE key exchange on server connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`).
Default: None
|
tls_version_client_max
mitmproxy mitmdump mitmweb |
str |
Set the maximum TLS version for client connections.
Default: UNBOUNDED
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
|
tls_version_client_min
mitmproxy mitmdump mitmweb |
str |
Set the minimum TLS version for client connections. UNBOUNDED, SSL3, TLS1 and TLS1_1 are insecure.
Default: TLS1_2
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
|
tls_version_server_max
mitmproxy mitmdump mitmweb |
str |
Set the maximum TLS version for server connections.
Default: UNBOUNDED
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
|
tls_version_server_min
mitmproxy mitmdump mitmweb |
str |
Set the minimum TLS version for server connections. UNBOUNDED, SSL3, TLS1 and TLS1_1 are insecure.
Default: TLS1_2
Choices: UNBOUNDED, SSL3, TLS1, TLS1_1, TLS1_2, TLS1_3
|
udp_hosts
mitmproxy mitmdump mitmweb |
sequence of str |
Generic UDP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode.
Default: []
|
upstream_auth
mitmproxy mitmdump mitmweb |
optional str |
Add HTTP Basic authentication to upstream proxy and reverse proxy requests. Format: username:password.
Default: None
|
upstream_cert
mitmproxy mitmdump mitmweb |
bool |
Connect to upstream server to look up certificate details.
Default: True
|
view_filter
mitmproxy mitmweb |
optional str |
Limit the view to matching flows.
Default: None
|
view_order
mitmproxy mitmweb |
str |
Flow sort order.
Default: time
Choices: time, method, url, size
|
view_order_reversed
mitmproxy mitmweb |
bool |
Reverse the sorting order.
Default: False
|
web_columns
mitmweb |
sequence of str |
Columns to show in the flow list. Can be one of the following: icon, index, method, version, path, quickactions, size, status, time, timestamp, tls, comment
Default: ['tls', 'icon', 'path', 'method', 'status', 'size', 'time']
|
web_debug
mitmweb |
bool |
Enable mitmweb debugging.
Default: False
|
web_host
mitmweb |
str |
Web UI host.
Default: 127.0.0.1
|
web_open_browser
mitmweb |
bool |
Start a browser.
Default: True
|
web_password
mitmweb |
str |
Password to protect the mitmweb user interface. Values starting with `$` are interpreted as an argon2 hash, everything else is considered a plaintext password. If no password is provided, a random token is generated on startup.For automated calls, you can pass the password as token query parameteror as `Authentication: Bearer ...` header.
Default:
|
web_port
mitmweb |
int |
Web UI port.
Default: 8081
|
web_static_viewer
mitmweb |
optional str |
The path to output a static viewer.
Default:
|
websocket
mitmproxy mitmdump mitmweb |
bool |
Enable/disable WebSocket support. WebSocket support is enabled by default.
Default: True
|