Parameter | Type | Default | Description |
---|---|---|---|
add_upstream_certs_to_client_chain | bool | False | Add all certificates of the upstream server to the certificate chain that will be served to the proxy client, as extras. |
allow_hosts | sequence of str | [] | Opposite of --ignore-hosts. |
anticache | bool | False | Strip out request headers that might cause the server to return 304-not-modified. |
anticomp | bool | False | Try to convince servers to send us uncompressed data. |
block_global | bool | True | Block connections from globally reachable networks, as defined in the IANA special purpose registries. |
block_private | bool | False | Block connections from private networks, as defined in the IANA special purpose registries. This option does not affect loopback addresses. |
body_size_limit | optional str | None | Byte size limit of HTTP request and response bodies. Understands k/m/g suffixes, e.g. 3m for 3 megabytes. |
certs | sequence of str | [] | SSL certificates of the form "[domain=]path". The domain may include a wildcard, and is equal to "*" if not specified. The file at path is a certificate in PEM format. If a private key is included in the PEM, it is used, else the default key in the conf dir is used. The PEM file should contain the full certificate chain, with the leaf certificate as the first entry. |
ciphers_client | optional str | None | Set supported ciphers for client connections using OpenSSL syntax. |
ciphers_server | optional str | None | Set supported ciphers for server connections using OpenSSL syntax. |
client_certs | optional str | None | Client certificate file or directory. |
client_replay | sequence of str | [] | Replay client requests from a saved file. |
command_history | bool | True | Persist command history between mitmproxy invocations. |
confdir | str | ~/.mitmproxy | Location of the default mitmproxy configuration files. |
content_view_lines_cutoff | int | 512 | Flow content view lines limit. The limit is enabled by default to speed up flow browsing. |
dumper_default_contentview | str | auto | The default content view mode. Choices: auto, raw, hex, json, xml/html, wbxml, javascript, css, url-encoded, multipart form, image, query, protocol buffer |
dumper_filter | optional str | None | Limit which flows are dumped. |
flow_detail | int | 1 | The display detail level for flows in mitmdump: 0 (almost quiet) to 3 (very verbose). 0: shortened request URL, response status code, WebSocket and TCP message notifications; 1: full request URL with response status code; 2: 1 + HTTP headers; 3: 2 + full response content, content of WebSocket and TCP messages. |
http2 | bool | True | Enable/disable HTTP/2 support. HTTP/2 support is enabled by default. |
http2_priority | bool | False | PRIORITY forwarding for HTTP/2 connections. Disabled by default to ensure compatibility with misbehaving servers. |
ignore_hosts | sequence of str | [] | Ignore host and forward all traffic without processing it. In transparent mode, it is recommended to use an IP address (range), not the hostname. In regular mode, only SSL traffic is ignored and the hostname should be used. The supplied value is interpreted as a regular expression and matched on the IP or the hostname. |
keep_host_header | bool | False | Reverse Proxy: Keep the original host header instead of rewriting it to the reverse proxy target. |
keepserving | bool | False | Continue serving after client playback, server playback or file read. This option is ignored by interactive tools, which always keep serving. |
key_size | int | 2048 | TLS key size for certificates and CA. |
listen_host | str | | Address to bind proxy to. |
listen_port | int | 8080 | Proxy service port. |
map_local | sequence of str | [] | Map remote resources to a local file using a pattern of the form "[/flow-filter]/url-regex/file-or-directory-path", where the separator can be any character. |
map_remote | sequence of str | [] | Map remote resources to another remote URL using a pattern of the form "[/flow-filter]/url-regex/replacement", where the separator can be any character. |
mode | str | regular | Mode can be "regular", "transparent", "socks5", "reverse:SPEC", or "upstream:SPEC". For reverse and upstream proxy modes, SPEC is host specification in the form of "http[s]://host[:port]". |
modify_body | sequence of str | [] | Replacement pattern of the form "[/flow-filter]/regex/[@]replacement", where the separator can be any character. The @ prefix lets you provide a file path from which the replacement string is read. |
modify_headers | sequence of str | [] | Header modify pattern of the form "[/flow-filter]/header-name/[@]header-value", where the separator can be any character. The @ prefix lets you provide a file path from which the header value string is read. An empty header-value removes existing header-name headers. |
onboarding | bool | True | Toggle the mitmproxy onboarding app. |
onboarding_host | str | mitm.it | Onboarding app domain. For transparent mode, use an IP when a DNS entry for the app domain is not present. |
onboarding_port | int | 80 | Port to serve the onboarding app from. |
proxyauth | optional str | None | Require proxy authentication. Format: "username:pass", "any" to accept any user/pass combination, "@path" to use an Apache htpasswd file, or "ldap[s]:url_server_ldap:dn_auth:password:dn_subtree" for LDAP authentication. |
rawtcp | bool | False | Enable/disable experimental raw TCP support. TCP connections starting with non-ASCII bytes are treated as if they matched tcp_hosts. The heuristic is very rough, use with caution. Disabled by default. |
readfile_filter | optional str | None | Read only matching flows. |
rfile | optional str | None | Read flows from file. |
save_stream_file | optional str | None | Stream flows to file as they arrive. Prefix path with + to append. |
save_stream_filter | optional str | None | Filter which flows are written to file. |
scripts | sequence of str | [] | Execute a script. |
server | bool | True | Start a proxy server. Enabled by default. |
server_replay | sequence of str | [] | Replay server responses from a saved file. |
server_replay_ignore_content | bool | False | Ignore request's content while searching for a saved flow to replay. |
server_replay_ignore_host | bool | False | Ignore request's destination host while searching for a saved flow to replay. |
server_replay_ignore_params | sequence of str | [] | Request's parameters to be ignored while searching for a saved flow to replay. |
server_replay_ignore_payload_params | sequence of str | [] | Request's payload parameters (application/x-www-form-urlencoded or multipart/form-data) to be ignored while searching for a saved flow to replay. |
server_replay_ignore_port | bool | False | Ignore request's destination port while searching for a saved flow to replay. |
server_replay_kill_extra | bool | False | Kill extra requests during replay. |
server_replay_nopop | bool | False | Don't remove flows from server replay state after use. This makes it possible to replay the same response multiple times. |
server_replay_refresh | bool | True | Refresh server replay responses by adjusting date, expires and last-modified headers, as well as adjusting cookie expiration. |
server_replay_use_headers | sequence of str | [] | Request headers to be considered during replay. |
showhost | bool | False | Use the Host header to construct URLs for display. |
spoof_source_address | bool | False | Use the client's IP for server-side connections. Combine with --upstream-bind-address to spoof a fixed source address. |
ssl_insecure | bool | False | Do not verify upstream server SSL/TLS certificates. |
ssl_verify_upstream_trusted_ca | optional str | None | Path to a PEM formatted trusted CA certificate. |
ssl_verify_upstream_trusted_confdir | optional str | None | Path to a directory of trusted CA certificates for upstream server verification prepared using the c_rehash tool. |
ssl_version_client | str | secure | Set supported SSL/TLS versions for client connections. SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure, which is TLS1.0+. Choices: all, secure, SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2 |
ssl_version_server | str | secure | Set supported SSL/TLS versions for server connections. SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure, which is TLS1.0+. Choices: all, secure, SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2 |
stickyauth | optional str | None | Set sticky auth filter. Matched against requests. |
stickycookie | optional str | None | Set sticky cookie filter. Matched against requests. |
stream_large_bodies | optional str | None | Stream data to the client if response body exceeds the given threshold. If streamed, the body will not be stored in any way. Understands k/m/g suffixes, e.g. 3m for 3 megabytes. |
stream_websockets | bool | False | Stream WebSocket messages between client and server. Messages are captured and cannot be modified. |
tcp_hosts | sequence of str | [] | Generic TCP SSL proxy mode for all hosts that match the pattern. Similar to --ignore, but SSL connections are intercepted. The communication contents are printed to the log in verbose mode. |
termlog_verbosity | str | info | Log verbosity. Choices: error, warn, info, alert, debug |
upstream_auth | optional str | None | Add HTTP Basic authentication to upstream proxy and reverse proxy requests. Format: username:password. |
upstream_bind_address | str | | Address to bind upstream requests to. |
upstream_cert | bool | True | Connect to upstream server to look up certificate details. |
websocket | bool | True | Enable/disable WebSocket support. WebSocket support is enabled by default. |
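
Several options in this table relax a security control when moved off their default (ssl_insecure, the ssl_version_* choices marked INSECURE, block_global, proxyauth "any", key_size). The following check is an added example, not part of mitmproxy: it audits a dict of option values for those deviations. The `audit_options` helper, the finding wording, the key_size threshold and the sample values are assumptions of this example.

```python
# Added example: flag mitmproxy option values that weaken a security control.
# Option names, defaults and choices come from the table above; audit_options()
# and the wording of each finding are hypothetical, not mitmproxy code.

INSECURE_TLS_CHOICES = {"all", "SSLv2", "SSLv3"}  # marked INSECURE in the table


def audit_options(opts):
    """Return sorted (option, reason) findings for a dict of option values.

    Options missing from `opts` are treated as being at their documented default.
    """
    findings = []

    if opts.get("ssl_insecure", False):
        findings.append(("ssl_insecure", "upstream certificates are not verified"))

    for name in ("ssl_version_client", "ssl_version_server"):
        value = opts.get(name, "secure")
        if value in INSECURE_TLS_CHOICES:
            findings.append((name, f"'{value}' is documented as INSECURE"))

    open_to_global = not opts.get("block_global", True)
    if open_to_global:
        findings.append(("block_global", "globally reachable clients may connect"))

    auth = opts.get("proxyauth")
    if auth == "any":
        findings.append(("proxyauth", "'any' accepts every user/pass combination"))
    elif auth is None and open_to_global:
        findings.append(("proxyauth", "no authentication while block_global is off"))

    # Assumption of this example: anything below the documented default is flagged.
    if opts.get("key_size", 2048) < 2048:
        findings.append(("key_size", "below the documented default of 2048 bits"))

    return sorted(findings)


# Constructed sample values, not taken from a real deployment.
SAMPLE = {"ssl_insecure": True, "ssl_version_client": "all",
          "block_global": False, "proxyauth": "any", "key_size": 1024}

if __name__ == "__main__":
    for option, reason in audit_options(SAMPLE):
        print(f"{option}: {reason}")
```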