Edit on GitHub

#  Ignoring Domains

There are two main reasons why you may want to exempt some traffic from mitmproxy’s interception mechanism:

If you want to peek into (SSL-protected) non-HTTP connections, check out the tcp_proxy feature. If you want to ignore traffic from mitmproxy’s processing because of large response bodies, take a look at the streaming feature.

#  ignore_hosts

The ignore_hosts option allows you to specify a regex which is matched against a host:port string (e.g. “example.com:443”) of a connection. Matching hosts are excluded from interception, and passed on unmodified.

command-line alias --ignore-hosts regex
mitmproxy option ignore_hosts

#  Limitations

There are two important quirks to consider:

#  Tutorial

If you just want to ignore one specific domain, there’s usually a bulletproof method to do so:

  1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect messages. mitmproxy will filter on these.
  2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \.) and use this as your ignore pattern:
>>> mitmdump -v clientconnect request
  -> CONNECT example.com:443 HTTP/1.1 Set new server address: example.com:443 serverconnect
  -> example.com:443
>>> mitmproxy --ignore-hosts ^example\.com:443$

Here are some other examples for ignore patterns:

# Exempt traffic from the iOS App Store (the regex is lax, but usually just works):
--ignore-hosts apple.com:443
# "Correct" version without false-positives:
--ignore-hosts '^(.+\.)?apple\.com:443$'

# Ignore example.com, but not its subdomains:
--ignore-hosts '^example.com:'

# Ignore everything but example.com and mitmproxy.org:
--ignore-hosts '^(?!example\.com)(?!mitmproxy\.org)'

# Transparent mode:
--ignore-hosts 17\.178\.96\.59:443
# IP address range:
--ignore-hosts 17\.178\.\d+\.\d+:443


  1. This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a GET http://example.com/ request may be followed by a GET http://evil.com/ request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one.