This is a migrated thread and some comments may be shown as answers.

Best place for CONFIG.sHostsThatBypassFiddler

11 Answers 247 Views
FiddlerCore
Hendrik asked on 05 Aug 2015, 09:07 PM

Hi Eric,

Firstly thanks for your time and dedication to an amazing product.

I am creating an application using C# FiddlerCore.
I want my application to ignore every website on the internet, except a small handful of specified websites (example "abc.com" and "xyz.com").

In my Googling I came across this:

CONFIG.sHostsThatBypassFiddler = "<local>";

I know this will prevent fiddler routing all INTRANET traffic.

However, what other string values can I use in place of "<local>" in order to tell fiddler to route ONLY the 2 above mentioned sites.
In fact what are all the different options I can use in place of "<local>" string ?

Please can you also tell me where the "CONFIG.sHostsThatBypassFiddler" would go ?
In BeforeRequest or BeforeResponse or anywhere else?

11 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 06 Aug 2015, 08:27 PM
Hello, Hendrik--

You should set the property in question in your C# code before you call .Startup, because setting it any later than that will cause it to be ignored.

The string in question is a standard "proxy exception list" string that is seen inside browser configuration UI; you can do things like "*.example.com; *.net; 192.168.*; <local>" etc. I previously wrote a TON about proxies here: http://blogs.msdn.com/b/ieinternals/archive/2013/10/11/web-proxy-configuration-and-ie11-changes.aspx

Sadly, for your scenario, there's no way to flip the proxy bypass list around and make it a proxy "opt-in" list. Instead, you need to use a Proxy Configuration script (PAC file) and implement a FindProxyForURL function that examines the target hostname and returns "PROXY 127.0.0.1:8888" if and only if you want the traffic to be sent to the proxy and returns DIRECT otherwise. That, however, has its own set of problems, because, for instance, Internet Explorer defaults to treating any "DIRECT" site as being on your Intranet Zone, affording it additional permissions. 

So, generally speaking what you're trying to do is much harder than it looks. :-(

Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
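The opt-in PAC logic described in the answer above, as an added example that is not part of the original thread. The site names come from the question and the port from the answer; the `dnsDomainIs` shim (present only so the script runs outside a browser), the `isProxiedHost` helper and the constant names are assumptions made for illustration.

```javascript
// Added example: opt-in PAC logic. In a real PAC environment the browser
// supplies dnsDomainIs(); this shim exists only so the file runs under Node.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}

// Assumptions: the site list (taken from the question) and the port value.
const PROXIED_SITES = ["abc.com", "xyz.com"];
const FIDDLERCORE_PORT = 8888; // must equal the port FiddlerCore listens on

// Hypothetical helper: true only for a listed site or one of its subdomains.
function isProxiedHost(host) {
  // Hostnames are case-insensitive; tolerate a trailing root dot.
  const h = host.toLowerCase().replace(/\.$/, "");
  return PROXIED_SITES.some(
    // Exact apex match, or a true subdomain. The leading dot matters:
    // without it "notabc.com" would match "abc.com" by plain suffix.
    (site) => h === site || dnsDomainIs(h, "." + site)
  );
}

// Entry point the client calls for every request.
function FindProxyForURL(url, host) {
  if (isProxiedHost(host)) {
    return "PROXY 127.0.0.1:" + FIDDLERCORE_PORT;
  }
  // Everything else skips the proxy entirely.
  return "DIRECT";
}
```

Every host that falls through to `DIRECT` is subject to the Internet Explorer Intranet Zone behaviour mentioned in the answer above.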
Hendrik
answered on 08 Aug 2015, 10:03 PM

Hi Eric,

So I tried what you said and made a PAC rule, converted it to a C# compatible string.

I then changed the default pem preference for Fiddler (in the constructor) as follows
(idea 1)

            String pacString1 = "\tif (dnsDomainIs(host, \".www.mysite.com\") ||" + Environment.NewLine;
            String pacString2 = "\t\tshExpMatch(host, \"(*.mysite.com|mysite.com)\"))" + Environment.NewLine;
            String pacString3 = "\t\treturn \"PROXY 127.0.0.1:8888\";" + Environment.NewLine;
            String pacString4 = "\t\treturn \"DIRECT\";" + Environment.NewLine;
            String createText = pacString1 + pacString2 + pacString3 + pacString4;

            FiddlerApplication.Prefs["fiddler.proxy.pacfile.text"] = createText;

(see attached for what the output of this string would look like):

Although this is not working for some reason ? Is it perhaps in the wrong place, or what could be the issue ?

(idea 2)

Fiddler.CONFIG.sHostsThatBypassFiddler = "*";
Fiddler.CONFIG.sHostsThatBypassFiddler.exclude = "http://www.mysite.com"; //I know this part doesn't exist yet, but it would be amazing for the future versions. It could exclude everything and then exclude one thing from the exclusion list (mysite.com)

(idea 3)
Fiddler.CONFIG.sHostsThatBypassFiddler = "[insert amazingly fancy Regular Expression here that can exclude everything except one site- mysite.com]";.

Please could you advise me (especially for the first one)

Thanks

Hendrik


Eric Lawrence
Telerik team
answered on 10 Aug 2015, 05:34 PM
Hi, Hendrik--

Your "idea 2" and "idea 3" require every web browser and other client to change-- the code that would respect such rules is in the client, not in Fiddler.

For "idea 1"-- The script looks generally correct, but you need to show me the rest of your code too. For instance, did you set the FiddlerCoreStartupFlags.HookUsingPACFile bit in the flags you passed to the .Startup method?

Regards,
Eric Lawrence
Telerik
Hendrik
answered on 14 Aug 2015, 06:28 PM

Hi Eric,

I attached my project. Please could you have a look at "FiddlerReplace.cs"

Could you give me an example of exactly how the "FiddlerCoreStartupFlags.HookUsingPACFile" would be implemented ? and is this supported in all the fiddlercore versions ?

(Here is my code: taxiservicejohannesburg.co.za/fiddlerproject.zip)

Thanks

Hendrik

Eric Lawrence
Telerik team
answered on 17 Aug 2015, 07:05 PM
Hi,

In StartListenAndReplace, delete

   Fiddler.FiddlerApplication.Startup(iPort, true, true);

and replace it with:

    FiddlerCoreStartupFlags oFCSF = FiddlerCoreStartupFlags.Default | FiddlerCoreStartupFlags.HookUsingPACFile;
    Fiddler.FiddlerApplication.Startup(iPort, oFCSF);

If it doesn't do what you expect, when your program is running, open IE, click Tools > Internet Options > Connections > LAN Settings and take a screenshot of that dialog and reply to this thread (or email Help > Send Feedback).


Regards,
Eric Lawrence
Telerik
Hendrik
answered on 18 Aug 2015, 07:52 PM

Hi Eric,

Ok so now it does seem to only proxy one site in particular.
However once I test my program with that specific site, it gives issues (see attached pics).
I also added the screenshot of my lan settings.

Regards

Hendrik


Eric Lawrence
Telerik team
answered on 20 Aug 2015, 03:32 PM
Hi, Hendrik--

Per the screenshot, your FiddlerCore instance is running on port 8877, so you need to change the script it sets from

PROXY 127.0.0.1:8888

to

PROXY 127.0.0.1:8877

Regards,
Eric Lawrence
Telerik
Hendrik
answered on 23 Aug 2015, 08:17 AM
Hi Eric,

Thanks, that worked perfectly.

I decided that separating my project into 2 pieces (one has the libraries and the other the GUI forms) would be cleaner. So it's one solution with 2 projects. I created a solution with a class library and WindowsFormProject and inserted everything accordingly.

I am also using the latest fiddlercore I got from nuget in visual studio. I am starting the WindowsFormProject project in Visual Studio admin mode.

Everything works as in the previous version, EXCEPT https websites. They give me "Your connection is not private" errors.

I double checked and everything looks the same between the new and old versions.

Is there anything else I would have to add to make this 2 project solution work ?

I figured that maybe there is something else extra I need to do when separating them ?

(the old version gives no issues with https)

Here is the new code if you would like to have a look: www.taxiservicejohannesburg.co.za/project.zip

Kindly let me know what you think

Thanks
Hendrik



Eric Lawrence
Telerik team
answered on 24 Aug 2015, 03:13 PM
Hi, Hendrik--

What is the full text of the error message (particularly, the bold error code at the bottom)? The most likely explanation is that the certificate being returned by your new project is different than the certificate returned by the old project, and hence it is not trusted. 

I didn't see any code in your project that trusts Fiddler's root certificate. Did the old project maybe use makecert.exe (and you manually trusted the certificate)? Since the new project doesn't have makecert.exe adjacent to the binary, that means that you're falling back to the CertEnroll certificate generator which would generate a different certificate than makecert does.

Regards,
Eric Lawrence
Telerik
Hendrik
answered on 24 Aug 2015, 08:12 PM

Hi Eric,
Here is the chrome error, ->
===
Your connection is not private
Attackers might be trying to steal your information from www.mywebsiteexample.com (for example, passwords, messages or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
 Automatically report details of possible security incidents to Google. Privacy policy
Back to safetyHide advanced
This server could not prove that it is www.mywebsiteexample.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to www.mywebsiteexample.com (unsafe)

===
Internet Explorer ->

There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
===

The old one didn't use makecert.exe . The functionality did it automatically.

So in other words 2 different certificates are being generated (and are conflicting with each other)?

[1 min later]
Ok.... So based on this assumption I tried:

        private void Form1_FormClosing(object sender, FormClosingEventArgs e)
        {
            AllCore.FiddleCore.UninstallCerts();
        }

This seemed to make it work (except that it slows the program down alot and gave a mean looking uninstall alert the first time). Is there maybe a better way ?

Please can you also tell me how to trust "Fiddler's root certificate" as mentioned above.

Regards
Hendrik

Eric Lawrence
Telerik team
answered on 24 Aug 2015, 08:44 PM
NET::ERR_CERT_AUTHORITY_INVALID means that the root certificate has not been trusted.

"The old one didn't use makecert.exe . The functionality did it automatically"

Depending on configuration, FiddlerCore will "automatically" use makecert.exe to generate certificates. When it cannot be found and when you don't have the BouncyCastle certificate generator in place, FiddlerCore will, on Windows 7 and later, attempt to use CertEnroll.dll to generate certificates instead.

The Fiddler book and FiddlerCore demo application (\Demo\Program.cs) show how to trust and distrust FiddlerCore certificates.

I'm not sure what "slows the program down alot" means specifically. Generating a new root certificate can take several seconds; this cost is paid once if you reuse the root certificate on subsequent runs of the application. If you uninstall all of the certificates and recreate them every time your program runs, then yes, this will slow it down a lot.

Regards,
Eric Lawrence
Telerik