mitmproxy 0.8 docs

Upstream Certs

  • command-line: --upstream-cert
  • mitmproxy shortcut: o, then u

Normally, mitmproxy uses the target domain specified in a client's proxy request to generate an interception certificate. When upstream-cert mode is activated a different procedure is followed: a connection is made to the specified remote server to retrieve its Common Name and Subject Alternative Names. This feature is especially useful when the client specifies an IP address rather than a host name in the proxy request. If this is the case, we can only generate a certificate if we can establish the CN and SANs from the upstream server.

Note that upstream-cert mode does not work when the remote server relies on Server Name Indication. Luckily, SNI is still not very widely used.

© mitmproxy project, 2012