In mitmproxy, protocols are implemented as a set of layers, which are composed on top of each other. The first layer is usually the proxy mode, e.g. transparent proxy or normal HTTP proxy. Next, various protocol layers are stacked on top of each other - imagine WebSockets on top of an HTTP Upgrade request. An actual mitmproxy connection may look as follows (outermost layer first):
- Transparent HTTP proxy, no TLS:
- Regular proxy, CONNECT request with WebSockets over SSL:
- WebsocketLayer (or TCPLayer)
Every layer acts as a read-only context for its inner layers (see Layer). To communicate with an outer layer, a layer can use functions provided in the context. The next layer is always determined by a call to
which is provided by the root context.
Another subtle design goal of this architecture is that upstream connections should be established as late as possible; this makes server replay without any outgoing connections possible.
Base class for all layers. All other protocol layers should inherit from this class.
Each layer usually passes itself to its child layers as a context. Properties of the context are transparently mapped to the layer, so that the following works:
```python
root_layer = Layer(None)
root_layer.client_conn = 42
sub_layer = Layer(root_layer)
print(sub_layer.client_conn)  # 42
```
Parameters: ctx – The (read-only) parent layer / context.
Logic of the layer.
Returns: Once the protocol has finished without exceptions.
Raises: ProtocolException – if an exception occurs. No other exceptions must be raised.
Attributes not present on the current layer are looked up on the context.
List of all layers, including the current layer (`[self, self.ctx, self.ctx.ctx, ...]`)
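The attribute lookup and layer list described above can be reproduced in plain Python. This is an added sketch, not mitmproxy's own code: `ToyLayer`, `demo()` and the sample attribute values are hypothetical. It also shows that assigning an attribute on an inner layer shadows the value locally and leaves the outer layers unchanged.

```python
# Stand-alone sketch of the context-delegation pattern described above.
# ToyLayer is a hypothetical class for illustration, not mitmproxy's Layer.


class ToyLayer:
    def __init__(self, ctx, **own_attrs):
        self.ctx = ctx  # parent layer / context, None for the root
        for name, value in own_attrs.items():
            setattr(self, name, value)

    def __getattr__(self, name):
        # Only called when normal lookup on this layer fails:
        # fall back to the parent context, then its parent, and so on.
        ctx = self.__dict__.get("ctx")
        if ctx is None:
            raise AttributeError(name)
        return getattr(ctx, name)

    @property
    def layers(self):
        # [self, self.ctx, self.ctx.ctx, ...], innermost layer first.
        chain, layer = [], self
        while layer is not None:
            chain.append(layer)
            layer = layer.ctx
        return chain


def demo():
    # Constructed sample stack: root -> http -> ws (outermost first).
    root = ToyLayer(None, client_conn="client-1", mode="transparent")
    http = ToyLayer(root)
    ws = ToyLayer(http)

    inherited = ws.client_conn  # resolved two levels up, on root
    ws.mode = "websocket"       # assignment creates a local attribute only
    shadowed = (ws.mode, http.mode, root.mode)  # outer layers are untouched
    depth = len(ws.layers)
    try:
        ws.server_conn          # defined nowhere in the chain
        missing = False
    except AttributeError:
        missing = True
    return inherited, shadowed, depth, missing


if __name__ == "__main__":
    print(demo())
```

Rebinding an attribute is isolated per layer, but a mutable object reached through the context is still shared by every layer that resolves it.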
Mixin that provides a layer with the capabilities to manage a server connection. The server address can be passed in the constructor or set by calling set_server(). Subclasses are responsible for calling
```python
class MyLayer(Layer, ServerConnectionMixin):
    def __call__(self):
        try:
            pass  # Do something.
        finally:
            # Close the server connection only if one was established.
            if self.server_conn:
                self.disconnect()
```
set_server(address, server_tls=None, sni=None)
Sets a new server address. If there is an existing connection, it will be closed.
True, but there was no TLS layer on the protocol stack which could have processed this.
Deletes (and closes) an existing server connection. Must not be called if there is no existing connection.
Signal that both client and server connection(s) should be killed immediately.