Transparent MITM Proxy Question

Hello,

I am trying to configure Caddy to act as a transparent proxy with a small twist. I want it to also act as a transparent MITM proxy (assume I am somehow able to put Caddy in the middle of the web request through some clever networking tricks).

IOW, the forward “to” IP address is really the site address in the original URL. However, when I read the documentation for the “proxy” plugin, there seems to be no way to do variable substitution in place of “to”, somewhat like how nginx can do proxy_pass like so:

proxy_pass $scheme://$http_host$uri$is_args$args;

Is this possible in Caddy? If not, what changes need be made to make this possible?

Thanks in advance.

I don’t totally understand your question, and I have minimal experience with Caddy, but when you say “transparent man in the middle proxy” I think maybe that’s outside the intended use for Caddy. You may be better served by something like this, which is still lightweight and easy to deal with, but is purpose-built for interception: https://mitmproxy.org/

Thanks for the reply Hampton.

When you say “outside the scope”: in general, I am having a hard time understanding what is within and outside the scope for Caddy. It all seems pretty arbitrary to me, since Caddy has all sorts of plugins to do all sorts of things, and to a certain extent it depends on whether someone has written a plugin to provide the function in question. IOW, Caddy being a plugin-based system, one cannot really tell what is in scope or outside the scope. It all seems like a moving target.

Coming to the topic of transparent proxies. In a lot of real-life enterprise deployments a “transparent” forward proxy is really defined as a “bump in the wire” or MITM proxy (so that security functions can be implemented in the proxy without the need for explicit proxy configuration in the browser). So when Caddy supports a “transparent” proxy mode, I was led to believe that this is what it means. And in fact, it comes close to what I want, except for the proxy “to” address being different from the host that was contained in the original request. All I want is that the original URL “host” be used in forwarding the request along.

Yes, you are correct: “mitmproxy.org” provides this function. However, I like Caddy in all the other aspects (written in Go, a single static binary, plugin-based for easy extensibility, etc.) and I do want to use a few other plugins that it offers that mitmproxy does not.

So the question to you and anyone who can help me is: can Caddy’s transparent proxy plugin be enhanced to do a mitmproxy-like function? If so, any pointers on how best to do that would be greatly appreciated.

Thanks in advance.

Well, to be fair, I think what you’re asking is somewhat ambiguous.

Are you looking for an HTTP proxy or a TLS proxy? Do you want a forward proxy or reverse proxy?

Caddy’s HTTP proxy can act “transparently” as far as most backends are concerned (see the transparent subdirective): https://caddyserver.com/docs/proxy

That’s a reverse proxy. Caddy has a secure forward proxy as well: https://github.com/caddyserver/forwardproxy (Forward proxy plugin for the Caddy web server)

Somewhat ambiguous as to the intended use case, perhaps. But they’re asking for dynamic proxy upstreams.

Broadly this would be solved by allowing placeholders in the proxy upstream, but we’re tracking an issue currently requesting proxying upstream based on hostname: https://github.com/mholt/caddy/issues/990

At a guess, I’d say the intent is to control local DNS, point all users at Caddy, and have Caddy control/log HTTP egress to the rest of the internet?

Thanks Matt and Whitestrake for your responses.

That’s exactly correct, Whitestrake. This is how “interception” / “transparent” MITM proxies work in enterprise networks today. Yes, we are either doing DNS magic or iptables magic to achieve the redirection. Also, yes, we are asking for dynamic proxy upstreams.

Thanks for the pointer to the previous thread Whitestrake. I’ll look to see if it satisfies my requirement.
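As an added illustration of the “dynamic proxy upstream” behaviour the thread converges on (the equivalent of the nginx `proxy_pass $scheme://$http_host$uri$is_args$args;` line quoted in the first post), here is a small Go program built on the standard library’s net/http/httputil. It is example code written for this page, not code from Caddy, its proxy plugin, or nginx: the inbound request’s Host header and scheme are copied into the upstream URL, path and query string pass through unchanged, and a policy hook decides whether a destination may be proxied at all. The listen address `:8080` and the loopback-denial policy are assumptions for the demo; a deployment that redirects *all* traffic to the proxy with DNS or iptables needs some such check, or the proxy will happily forward to itself.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"strings"
)

// upstreamFromRequest derives the upstream target from the intercepted
// request. A transparently redirected client never asked for a proxy, so the
// Host header (and the scheme it connected with) is the only routing
// information available. The values mirror nginx's $scheme and $http_host.
func upstreamFromRequest(r *http.Request) (scheme, host string, ok bool) {
	host = r.Host
	if host == "" {
		return "", "", false
	}
	scheme = "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme, host, true
}

// isSelf reports whether host (with or without a port) is a loopback address
// or "localhost". Used here as the example policy: never forward to ourselves.
func isSelf(host string) bool {
	h, _, err := net.SplitHostPort(host)
	if err != nil {
		h = host // no port present
	}
	if ip := net.ParseIP(h); ip != nil {
		return ip.IsLoopback()
	}
	return strings.EqualFold(h, "localhost")
}

// TransparentProxy forwards each request to whatever host the client asked
// for, after consulting Allow. Allow may be nil (everything permitted).
type TransparentProxy struct {
	Allow func(host string) bool
	proxy *httputil.ReverseProxy
}

func NewTransparentProxy(allow func(host string) bool) *TransparentProxy {
	tp := &TransparentProxy{Allow: allow}
	tp.proxy = &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			// Dynamic upstream: scheme and host come from the request itself.
			// req.URL.Path and req.URL.RawQuery are left as received, which is
			// the $uri$is_args$args part of the nginx directive. req.Host is
			// also left as received, so the upstream sees the original Host.
			scheme, host, _ := upstreamFromRequest(req)
			req.URL.Scheme = scheme
			req.URL.Host = host
		},
	}
	return tp
}

func (tp *TransparentProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	_, host, ok := upstreamFromRequest(r)
	if !ok {
		// Without a Host header there is no upstream to derive.
		http.Error(w, "missing Host header", http.StatusBadRequest)
		return
	}
	if tp.Allow != nil && !tp.Allow(host) {
		http.Error(w, "destination not permitted", http.StatusForbidden)
		return
	}
	// This is the point where an interception proxy logs or inspects egress.
	log.Printf("egress %s %s%s", r.Method, host, r.URL.RequestURI())
	tp.proxy.ServeHTTP(w, r)
}

func main() {
	// Example policy (an assumption for the demo): refuse loopback targets so
	// a redirect-everything rule cannot create a forwarding loop.
	p := NewTransparentProxy(func(host string) bool { return !isSelf(host) })
	log.Fatal(http.ListenAndServe(":8080", p))
}
```

Two caveats a practitioner would want stated. First, this only intercepts plaintext HTTP; proxying HTTPS transparently means terminating TLS with a certificate the clients already trust (an internal CA) and re-encrypting upstream, which this sketch does not attempt. Second, the Host header is client-controlled, so with no Allow policy the proxy becomes an open relay to any address reachable from the box it runs on, including internal ones.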

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.