Install and run mitmproxy
brew install mitmproxy
# listen on 127.0.0.1:8080 to proxy HTTP/HTTPS traffic
sudo -u nobody mitmproxy --mode transparent --showhost
Use pf to redirect all traffic to mitmproxy
$ sudo pfctl -f pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
$ sudo pfctl -e
The contents of pf.conf are as follows; mitmproxy runs on the same machine:
#The ports to redirect to proxy
redir_ports = "{http, https}"
#The address the transparent proxy is listening on
tproxy = "127.0.0.1 port 8080"
#The user the transparent proxy is running as
tproxy_user = "nobody"
#The users whose connection must be redirected.
#
#This cannot involve the user which runs the
#transparent proxy as that would cause an infinite loop.
#
rdr pass proto tcp from any to any port $redir_ports -> $tproxy
pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user { != $tproxy_user }
# rdr pass on en0 inet proto tcp to any port {80, 443} -> 127.0.0.1 port 8080
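A pre-load check for the pf.conf above, as an added example that is not part of the original page: it expands the macros and flags a missing or wrong user exclusion (the loop the comments warn about) and a redirect target that does not match the proxy listener. The function names and default arguments are assumptions; the sample is the page's file with its comments stripped.

```python
import re

# Constructed sample: the pf.conf from this page with comments removed.
SAMPLE_PF_CONF = '''\
redir_ports = "{http, https}"
tproxy = "127.0.0.1 port 8080"
tproxy_user = "nobody"
rdr pass proto tcp from any to any port $redir_ports -> $tproxy
pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user { != $tproxy_user }
'''

MACRO = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def expand(text):
    """Return (macros, rules); $macro references are expanded in each rule."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comments, squeeze spaces
        if not line:
            continue
        m = MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(re.sub(r"\$(\w+)", lambda r: macros.get(r.group(1), r.group(0)), line))
    return macros, rules


def check_pf_conf(text, proxy_user="nobody", listen="127.0.0.1 port 8080"):
    """Return a list of problems that would break or loop the redirection."""
    _, rules = expand(text)
    problems = []
    rdr = [r for r in rules if r.startswith("rdr ")]
    out = [r for r in rules if r.startswith("pass out") and "route-to" in r]
    if not rdr:
        problems.append("no rdr rule: nothing is redirected to the proxy")
    for r in rdr:
        if not re.search(r"->\s*" + re.escape(listen) + r"\s*$", r):
            problems.append(f"rdr target does not match the proxy listener {listen!r}")
    if not out:
        problems.append("no 'pass out route-to' rule: locally generated traffic bypasses the proxy")
    for r in out:
        m = re.search(r"user\s*\{\s*!=\s*(\S+)\s*\}", r)
        if not m:
            problems.append("route-to rule has no user exclusion: proxy traffic loops")
        elif m.group(1) != proxy_user:
            problems.append(f"excluded user {m.group(1)!r} is not the proxy user {proxy_user!r}")
    return problems
```

Pass `proxy_user` the account given to `sudo -u` when starting mitmproxy; an empty list means the file is consistent with that invocation.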
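Chaining multiple proxies
Consider a hypothetical proxy chain as follows:
- TUN device globally
- -> break here, socks over HTTP is impossible
- mitmproxy in upstream mode, expose as HTTP proxy
- HTTP proxy exposed by SS-NG
So the first property has to be sacrificed; what remains is the circumvention proxy plus HTTP traffic capture.
References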
- http://docs.mitmproxy.org/stable/concepts-modes/
- https://docs.mitmproxy.org/stable/howto-transparent/#macos
- https://docs.mitmproxy.org/stable/concepts-options/
- https://www.openbsd.org/faq/pf/config.html
- https://blog.neilsabol.site/post/quickly-easily-adding-pf-packet-filter-firewall-rules-macos-osx/