diff --git a/docs/features/passthrough.rst b/docs/features/passthrough.rst
index 805213933..b7b5df84a 100644
--- a/docs/features/passthrough.rst
+++ b/docs/features/passthrough.rst
@@ -31,9 +31,9 @@ mitmproxy allows you to specify a regex which is matched against a ``host:port`` There are two important quirks to consider: -- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the +- **In transparent mode, the ignore pattern is matched against the IP and ClientHello SNI host.** While we usually infer the hostname from the Host header if the :option:`--host` argument is passed to mitmproxy, we do not - have access to this information before the SSL handshake. + have access to this information before the SSL handshake. If the client uses SNI however, then we treat the SNI host as an ignore target. - In regular mode, explicit HTTP requests are never ignored. [#explicithttp]_ The ignore pattern is applied on CONNECT requests, which initiate HTTPS or clear-text WebSocket connections.
diff --git a/libmproxy/proxy/root_context.py b/libmproxy/proxy/root_context.py
index 8a3372e0e..d70fc2993 100644
--- a/libmproxy/proxy/root_context.py
+++ b/libmproxy/proxy/root_context.py
@@ -55,15 +55,15 @@ class RootContext(object):
 
 # 1. check for --ignore
 if self.config.check_ignore:
- address = top_layer.server_conn.address
- if client_tls:
- try:
- client_hello = TlsClientHello.from_client_conn(self.client_conn)
- except TlsProtocolException as e:
- self.log("Cannot parse Client Hello: %s" % repr(e), "error")
- else:
- address = (client_hello.client_sni, 443)
- if self.config.check_ignore(address):
+ ignore = self.config.check_ignore(top_layer.server_conn.address)
+ if not ignore and client_tls:
+ try:
+ client_hello = TlsClientHello.from_client_conn(self.client_conn)
+ except TlsProtocolException as e:
+ self.log("Cannot parse Client Hello: %s" % repr(e), "error")
+ else:
+ ignore = self.config.check_ignore((client_hello.client_sni, 443))
+ if ignore:
 return RawTCPLayer(top_layer, logging=False)
 
 # 2. Always insert a TLS layer, even if there's neither client nor server tls.
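Review bot: The SNI fallback in the new `else:` branch still hard-codes port 443 and never checks that `client_hello.client_sni` is actually set, so a TLS connection to a non-443 port is matched as `sni:443` instead of against its real port, and a ClientHello without SNI hands `(None, 443)` to check_ignore. Both quirks predate this commit, but the rewrite touches exactly these lines; consider guarding with `if client_hello.client_sni:` before the second check and passing `(client_hello.client_sni, top_layer.server_conn.address.port)` if the address object used in the first check exposes its port. It would also help readers to record in a comment that the SNI value is client-supplied and unauthenticated, e.g. `# SNI is client-controlled; a match here passes the connection through un-intercepted.`, since that is the trade-off the docs hunk describes. The enclosing method starts and ends outside the hunk.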