Skip to content

Add CONNECT support in transparent mode #7985

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vitaly-ps wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add CONNECT support in transparent mode #7985

vitaly-ps wants to merge 9 commits into from
+367 −21

Conversation

@vitaly-ps
Copy link

@vitaly-ps vitaly-ps commented Nov 20, 2025
edited
Loading

Description

Enable handling of CONNECT requests in transparent mode for upstream proxy scenarios. Removes artificial validation blocking CONNECT and adds proper tunnel establishment.

Adds a new (optional) boolean cmdline option allow_transparent_tunnel_inspection to choose between passthrough (default) and full MitM/TLS decryption/interception modes.

Fixes: #3845
Potentially fixes: #6309
Addresses: #2813
Addresses: #6786

The new (PROXY CONNECT in transparent mode) sequence diagram

sequenceDiagram
    participant Client
    participant HttpStream
    participant UpstreamProxy
    participant ChildLayer

    Note over HttpStream: handle_connect_transparent()
    Client->>HttpStream: CONNECT
    Note over HttpStream: HttpConnectHook (addon event)
    HttpStream->>UpstreamProxy: RequestHeaders(end_stream=True)
    HttpStream->>UpstreamProxy: RequestEndOfMessage
    HttpStream->>ChildLayer: Create child_layer (not started)<br/>(NextLayer if inspection, TCPLayer if passthrough)
    Note over HttpStream: server_state = state_wait_for_tunnel_connect_response_headers

    Note over HttpStream: state_wait_for_tunnel_connect_response_headers()
    UpstreamProxy->>HttpStream: ResponseHeaders
    HttpStream->>Client: ResponseHeaders (forwarded)
    alt end_stream=True
        Note over HttpStream: → handle_tunnel_response_complete()
    else end_stream=False
        Note over HttpStream: → state_consume_tunnel_connect_response_body
    end

    Note over HttpStream: state_consume_tunnel_connect_response_body()
    UpstreamProxy->>HttpStream: ResponseData
    HttpStream->>Client: ResponseData (forwarded)
    Note right of HttpStream: (captured in response_body_buf)
    UpstreamProxy->>HttpStream: ResponseEndOfMessage
    Note right of HttpStream: (captures full body to flow.response.data.content)
    Note over HttpStream: → handle_tunnel_response_complete()

    Note over HttpStream: handle_tunnel_response_complete()
    alt SUCCESS (200-299)
        Note over HttpStream: HttpConnectedHook (addon event)
        Note over HttpStream: Activate passthrough mode (_handle_event = passthrough)
        Note over HttpStream: client_state = state_done
        Note over HttpStream: server_state = state_done
        HttpStream->>ChildLayer: Start child_layer (tunnel active)<br/>(TCPLayer for passthrough OR NextLayer for TLS inspection)
        HttpStream->>Client: ResponseEndOfMessage
        Note over Client,ChildLayer: TUNNEL ESTABLISHED - Traffic flows through child layer
    else ERROR (4xx/5xx)
        Note over HttpStream: HttpConnectErrorHook (addon event)
        Note over HttpStream: client_state = state_errored
        Note over HttpStream: server_state = state_errored
        Note over HttpStream: flow.live = False
        HttpStream->>Client: ResponseEndOfMessage
        Note over Client,ChildLayer: TUNNEL FAILED - child_layer created but never started
    end
Loading

Checklist

  • Tested with direct connections (no proxy)

  • Tested with proxy, proxy+basic Auth, proxy+Kerberos

  • I have updated tests where applicable.

  • I have added an entry to the CHANGELOG.

@vitaly-ps
Add CONNECT support in transparent mode
b365be2 
Enable handling of CONNECT requests in transparent mode for upstream proxy scenarios.
Removes artificial validation blocking CONNECT and adds proper tunnel establishment.

Includes optional allow_transparent_tunnel_inspection setting to choose between
passthrough (default) and full TLS interception modes.

Addresses: mitmproxy#6786
@autofix-ci
Copy link
Contributor

autofix-ci bot commented Nov 20, 2025

Hi! I'm autofix logoautofix.ci, a bot that automatically fixes trivial issues such as code formatting in pull requests.

I would like to apply some automated changes to this pull request, but it looks like I don't have the necessary permissions to do so. To get this pull request into a mergeable state, please do one of the following two things:

  1. Allow edits by maintainers for your pull request, and then re-trigger CI (for example by pushing a new commit).
  2. Manually fix the issues identified for your pull request (see the GitHub Actions output for details on what I would like to change).

@vitaly-ps vitaly-ps force-pushed the ps_fix_connect_transparent_tunnel branch from 9781e3f to 99e5033 Compare November 26, 2025 12:32
@vitaly-ps
Copy link
Author

vitaly-ps commented Dec 1, 2025

Hi, just checking whether this needs anything else from my side. Happy to adjust if required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Transparent mode not working at all Allow Simultaneous Transparent and Upstream Proxy Mode

1 participant

@vitaly-ps