- Features
- Install
- Start proxy.py
- Plugin Examples
- End-to-End Encryption
- TLS Encryption
- Plugin Developer and Contributor Guide
- Flags
- Lightweight
- Distributed as a single file module
~50KB - Uses only
~5-20MBRAM - No external dependency other than standard Python library
- Distributed as a single file module
- Programmable
- Optionally enable builtin Web Server
- Customize proxy and http routing via plugins
- Enable plugin using command line option e.g.
--plugins plugin_examples.CacheResponsesPlugin - Plugin API is currently in development state, expect breaking changes.
- Secure
- Enable end-to-end encryption between clients and
proxy.pyusing TLS - See End-to-End Encryption
- Enable end-to-end encryption between clients and
- Man-In-The-Middle
- Can decrypt TLS traffic between clients and upstream servers
- See TLS Encryption
- Supported proxy protocols
httphttpshttp2websockets
- Optimized for large file uploads and downloads
- IPv4 and IPv6 support
- Basic authentication support
- Can serve a PAC (Proxy Auto-configuration) file
- See
--pac-fileand--pac-file-url-pathflags
- See
$ pip install --upgrade proxy.py
$ pip install git+https://github.com/abhinavsingh/proxy.py.git@develop
For Docker usage see Docker Image.
Simply type proxy.py on command line to start it with default configuration.
$ proxy.py
...[redacted]... - Loaded plugin <class 'proxy.HttpProxyPlugin'>
...[redacted]... - Starting 8 workers
...[redacted]... - Started server on ::1:8899
Things to notice from above logs:
-
Loaded plugin-proxy.pywill loadHttpProxyPluginby default. It addshttp(s)proxy server capabilities toproxy.py -
Started N workers- Use--num-workersflag to customize number ofWorkerprocesses. By default,proxy.pywill start as many workers as there are CPU cores on the machine. -
Started server on ::1:8899- By default,proxy.pylistens on IPv6::1, which is equivalent of IPv4127.0.0.1. If you want to accessproxy.pyexternally, use--hostname ::or--hostname 0.0.0.0or bind to any other interface available on your machine. -
Port 8899- Use--portflag to customize default TCP port.
All the logs above are INFO level logs, default --log-level for proxy.py.
Lets start proxy.py with DEBUG level logging:
$ proxy.py --log-level d
...[redacted]... - Open file descriptor soft limit set to 1024
...[redacted]... - Loaded plugin <class 'proxy.HttpProxyPlugin'>
...[redacted]... - Started 8 workers
...[redacted]... - Started server on ::1:8899
As we can see, before starting up:
proxy.pyalso tried to set open file limitulimiton the system.- Default value for
--open-file-limitused is1024. --open-file-limitflag is a no-op onWindowsoperating systems.
See flags for full list of available configuration options.
$ docker run -it -p 8899:8899 --rm abhinavsingh/proxy.py:v1.0.0
By default docker binary is started with IPv4 networking flags:
--hostname 0.0.0.0 --port 8899
To override input flags, start docker image as follows.
For example, to check proxy.py --version:
$ docker run -it \
-p 8899:8899 \
--rm abhinavsingh/proxy.py:v1.0.0 \
--version
docker image is currently broken on macOS due to incompatibility with vpnkit.
See plugin_examples.py for full code.
All the examples below also works with https traffic but require additional flags and certificate generation.
See TLS Interception.
Redirects all incoming http requests to custom web server.
By default, it redirects client requests to inbuilt web server,
also running on 8899 port.
Start proxy.py and enable inbuilt web server:
$ proxy.py \
--enable-web-server \
--plugins plugin_examples.RedirectToCustomServerPlugin
Verify using curl -v -x localhost:8899 http://google.com
... [redacted] ...
< HTTP/1.1 404 NOT FOUND
< Server: proxy.py v1.0.0
< Connection: Close
<
* Closing connection 0
Above 404 response was returned from proxy.py web server.
Verify the same by inspecting the logs for proxy.py.
Along with the proxy request log, you must also see a http web server request log.
2019-09-24 19:09:33,602 - INFO - pid:49996 - access_log:1241 - ::1:49525 - GET /
2019-09-24 19:09:33,603 - INFO - pid:49995 - access_log:1157 - ::1:49524 - GET localhost:8899/ - 404 NOT FOUND - 70 bytes
Drops traffic by inspecting upstream host.
By default, plugin drops traffic for google.com and www.google.com.
Start proxy.py as:
$ proxy.py \
--plugins plugin_examples.FilterByUpstreamHostPlugin
Verify using curl -v -x localhost:8899 http://google.com:
... [redacted] ...
< HTTP/1.1 418 I'm a tea pot
< Proxy-agent: proxy.py v1.0.0
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection 0
Above 418 I'm a tea pot is sent by our plugin.
Verify the same by inspecting logs for proxy.py:
2019-09-24 19:21:37,893 - ERROR - pid:50074 - handle_readables:1347 - HttpProtocolException type raised
Traceback (most recent call last):
... [redacted] ...
2019-09-24 19:21:37,897 - INFO - pid:50074 - access_log:1157 - ::1:49911 - GET None:None/ - None None - 0 bytes
Caches Upstream Server Responses.
Start proxy.py as:
$ proxy.py \
--plugins plugin_examples.CacheResponsesPlugin
Verify using curl -v -x localhost:8899 http://httpbin.org/get:
... [redacted] ...
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Date: Wed, 25 Sep 2019 02:24:25 GMT
< Referrer-Policy: no-referrer-when-downgrade
< Server: nginx
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Content-Length: 202
< Connection: keep-alive
<
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
"User-Agent": "curl/7.54.0"
},
"origin": "1.2.3.4, 5.6.7.8",
"url": "https://httpbin.org/get"
}
* Connection #0 to host localhost left intact
Get path to the cache file from proxy.py logs:
... [redacted] ... - GET httpbin.org:80/get - 200 OK - 556 bytes
... [redacted] ... - Cached response at /var/folders/k9/x93q0_xn1ls9zy76m2mf2k_00000gn/T/httpbin.org-1569378301.407512.txt
Verify contents of the cache file cat /path/to/your/cache/httpbin.org.txt
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Wed, 25 Sep 2019 02:24:25 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 202
Connection: keep-alive
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
"User-Agent": "curl/7.54.0"
},
"origin": "1.2.3.4, 5.6.7.8",
"url": "https://httpbin.org/get"
}
Modifies upstream server responses.
Start proxy.py as:
$ proxy.py \
--plugins plugin_examples.ManInTheMiddlePlugin
Verify using curl -v -x localhost:8899 http://google.com:
... [redacted] ...
< HTTP/1.1 200 OK
< Content-Length: 28
<
* Connection #0 to host localhost left intact
Hello from man in the middle
Response body Hello from man in the middle is sent by our plugin.
When using multiple plugins, depending upon plugin functionality, it might be worth considering the order in which plugins are passed on the command line.
Plugins are called in the same order as they are passed. Example,
say we are using both FilterByUpstreamHostPlugin and
RedirectToCustomServerPlugin. Idea is to drop all incoming http
requests for google.com and www.google.com and redirect other
http requests to our inbuilt web server.
Hence, in this scenario it is important to use
FilterByUpstreamHostPlugin before RedirectToCustomServerPlugin.
If we enable RedirectToCustomServerPlugin before FilterByUpstreamHostPlugin,
google requests will also get redirected to inbuilt web server,
instead of being dropped.
By default, proxy.py uses http protocol for communication with clients e.g. curl, browser.
For enabling end-to-end encrypting using tls / https first generate certificates:
make https-certificates
Start proxy.py as:
$ proxy.py \
--cert-file https-cert.pem \
--key-file https-key.pem
Verify using curl -x https://localhost:8899 --proxy-cacert https-cert.pem https://httpbin.org/get:
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
"User-Agent": "curl/7.54.0"
},
"origin": "1.2.3.4, 5.6.7.8",
"url": "https://httpbin.org/get"
}
By default, proxy.py doesn't decrypt https traffic between client and server.
To enable TLS interception first generate CA certificates:
make ca-certificates
Start proxy.py as:
$ proxy.py \
--ca-key-file ca-key.pem \
--ca-cert-file ca-cert.pem \
--ca-signing-key-file ca-signing-key.pem
Verify using curl -x localhost:8899 --cacert ca-cert.pem https://httpbin.org/get
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
"User-Agent": "curl/7.54.0"
},
"origin": "1.2.3.4, 5.6.7.8",
"url": "https://httpbin.org/get"
}
Now you can use CA flags with
plugin examples to make them work for https traffic.
As you might have guessed by now, in proxy.py everything is a plugin.
-
We enabled proxy server plugins using
--pluginsflag. All the plugin examples were implementingHttpProxyBasePlugin. See documentation of HttpProxyBasePlugin for available lifecycle hooks. UseHttpProxyBasePluginto modify behavior of http(s) proxy protocol between client and upstream server. Example, FilterByUpstreamHostPlugin. -
We also enabled inbuilt web server using
--enable-web-server. Inbuilt web server implementsHttpProtocolBasePluginplugin. See documentation of HttpProtocolBasePlugin for available lifecycle hooks. UseHttpProtocolBasePluginto add new features for http(s) clients. Example, HttpWebServerPlugin. -
There also is a
--disable-http-proxyflag. It disables inbuilt proxy server. Use this flag with--enable-web-serverflag to runproxy.pyas a programmable http(s) server. HttpProxyPlugin also implementsHttpProtocolBasePlugin.
-
HttpProtocolHandler thread is started with the accepted TcpClientConnection.
HttpProtocolHandleris responsible for parsing incoming client request and invokingHttpProtocolBasePluginlifecycle hooks. -
HttpProxyPluginwhich implementsHttpProtocolBasePluginalso has its own plugin mechanism. Its responsibility is to establish connection between client and upstream TcpServerConnection and invokeHttpProxyBasePluginlifecycle hooks. -
HttpProtocolHandlerthreads are started by Worker processes. -
--num-workersWorkerprocesses are started by MultiCoreRequestDispatcher on start-up.Workerprocesses receivesTcpClientConnectionover a pipe fromMultiCoreRequestDispatcher. -
MultiCoreRequestDispatcherimplements TcpServer abstract class.TcpServeracceptsTcpClientConnection.MultiCoreRequestDispatcherensures full utilization of available CPU cores, for which it dispatches acceptedTcpClientConnectiontoWorkerprocesses in a round-robin fashion.
$ proxy.py -h
usage: proxy.py [-h] [--backlog BACKLOG] [--basic-auth BASIC_AUTH]
[--ca-key-file CA_KEY_FILE] [--ca-cert-dir CA_CERT_DIR]
[--ca-cert-file CA_CERT_FILE]
[--ca-signing-key-file CA_SIGNING_KEY_FILE]
[--cert-file CERT_FILE]
[--client-recvbuf-size CLIENT_RECVBUF_SIZE]
[--disable-headers DISABLE_HEADERS] [--disable-http-proxy]
[--enable-web-server] [--hostname HOSTNAME]
[--key-file KEY_FILE] [--log-level LOG_LEVEL]
[--log-file LOG_FILE] [--log-format LOG_FORMAT]
[--num-workers NUM_WORKERS]
[--open-file-limit OPEN_FILE_LIMIT] [--pac-file PAC_FILE]
[--pac-file-url-path PAC_FILE_URL_PATH] [--pid-file PID_FILE]
[--plugins PLUGINS] [--port PORT]
[--server-recvbuf-size SERVER_RECVBUF_SIZE] [--version]
proxy.py v1.0.0
optional arguments:
-h, --help show this help message and exit
--backlog BACKLOG Default: 100. Maximum number of pending connections to
proxy server
--basic-auth BASIC_AUTH
Default: No authentication. Specify colon separated
user:password to enable basic authentication.
--ca-key-file CA_KEY_FILE
Default: None. CA key to use for signing dynamically
generated HTTPS certificates. If used, must also pass
--ca-cert-file and --ca-signing-key-file
--ca-cert-dir CA_CERT_DIR
Default: ~/.proxy.py. Directory to store dynamically
generated certificates. Also see --ca-key-file, --ca-
cert-file and --ca-signing-key-file
--ca-cert-file CA_CERT_FILE
Default: None. Signing certificate to use for signing
dynamically generated HTTPS certificates. If used,
must also pass --ca-key-file and --ca-signing-key-file
--ca-signing-key-file CA_SIGNING_KEY_FILE
Default: None. CA signing key to use for dynamic
generation of HTTPS certificates. If used, must also
pass --ca-key-file and --ca-cert-file
--cert-file CERT_FILE
Default: None. Server certificate to enable end-to-end
TLS encryption with clients. If used, must also pass
--key-file.
--client-recvbuf-size CLIENT_RECVBUF_SIZE
Default: 1 MB. Maximum amount of data received from
the client in a single recv() operation. Bump this
value for faster uploads at the expense of increased
RAM.
--disable-headers DISABLE_HEADERS
Default: None. Comma separated list of headers to
remove before dispatching client request to upstream
server.
--disable-http-proxy Default: False. Whether to disable
proxy.HttpProxyPlugin.
--enable-web-server Default: False. Whether to enable
proxy.HttpWebServerPlugin.
--hostname HOSTNAME Default: ::1. Server IP address.
--key-file KEY_FILE Default: None. Server key file to enable end-to-end
TLS encryption with clients. If used, must also pass
--cert-file.
--log-level LOG_LEVEL
Valid options: DEBUG, INFO (default), WARNING, ERROR,
CRITICAL. Both upper and lowercase values are allowed.
You may also simply use the leading character e.g.
--log-level d
--log-file LOG_FILE Default: sys.stdout. Log file destination.
--log-format LOG_FORMAT
Log format for Python logger.
--num-workers NUM_WORKERS
Defaults to number of CPU cores.
--open-file-limit OPEN_FILE_LIMIT
Default: 1024. Maximum number of files (TCP
connections) that proxy.py can open concurrently.
--pac-file PAC_FILE A file (Proxy Auto Configuration) or string to serve
when the server receives a direct file request. Using
this option enables proxy.HttpWebServerPlugin.
--pac-file-url-path PAC_FILE_URL_PATH
Default: /. Web server path to serve the PAC file.
--pid-file PID_FILE Default: None. Save parent process ID to a file.
--plugins PLUGINS Comma separated plugins
--port PORT Default: 8899. Server port.
--server-recvbuf-size SERVER_RECVBUF_SIZE
Default: 1 MB. Maximum amount of data received from
the server in a single recv() operation. Bump this
value for faster downloads at the expense of increased
RAM.
--version, -v Prints proxy.py version.
Proxy.py not working? Report at:
https://github.com/abhinavsingh/proxy.py/issues/new