Best place for CONFIG.sHostsThatBypassFiddler

12 posts, 0 answers
  1. Hendrik
    10 posts
    Member since:
    Aug 2015

    Posted 05 Aug 2015

    Hi Eric,

    Firstly thanks for your time and dedication to an amazing product.

    I am creating an application using C# FiddlerCore.
    I want my application to ignore every website on the internet, except a small handful of specified websites (example "abc.com" and "xyz.com").

    In my Googling I came across this:

    CONFIG.sHostsThatBypassFiddler = "<local>";

    I know this will prevent Fiddler routing all INTRANET traffic.

    However, what other string values can I use in place of "<local>" in order to tell Fiddler to route ONLY the 2 above mentioned sites?
    In fact, what are all the different options I can use in place of the "<local>" string?

    Please can you also tell me where the "CONFIG.sHostsThatBypassFiddler" would go?
    In BeforeRequest or BeforeResponse or anywhere else?

  2. Eric Lawrence
    Admin
    833 posts

    Posted 06 Aug 2015

    Hello, Hendrik--

    You should set the property in question in your C# code before you call .Startup, because setting it any later than that will cause it to be ignored.

    The string in question is a standard "proxy exception list" string that is seen inside browser configuration UI; you can do things like "*.example.com; *.net; 192.168.*; <local>" etc. I previously wrote a TON about proxies here: http://blogs.msdn.com/b/ieinternals/archive/2013/10/11/web-proxy-configuration-and-ie11-changes.aspx

    Sadly, for your scenario, there's no way to flip the proxy bypass list around and make it a proxy "opt-in" list. Instead, you need to use a Proxy Configuration script (PAC file) and implement a FindProxyForURL function that examines the target hostname and returns "PROXY 127.0.0.1:8888" if and only if you want the traffic to be sent to the proxy and returns DIRECT otherwise. That, however, has its own set of problems, because, for instance, Internet Explorer defaults to treating any "DIRECT" site as being on your Intranet Zone, affording it additional permissions. 

    So, generally speaking what you're trying to do is much harder than it looks. :-(

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Hendrik
    Posted 08 Aug 2015 in reply to Eric Lawrence

    Hi Eric,

    So I tried what you said and made a PAC rule, converted it to a C#-compatible string.

    I then changed the default pem preference for fiddler l (in the constructor) as follows
    (idea 1)

                String pacString1 = "\tif (dnsDomainIs(host, \".www.mysite.com\") ||" + Environment.NewLine;
                String pacString2 = "\t\tshExpMatch(host, \"(*.mysite.com|mysite.com)\"))" + Environment.NewLine;
                String pacString3 = "\t\treturn \"PROXY 127.0.0.1:8888\";" + Environment.NewLine;
                String pacString4 = "\t\treturn \"DIRECT\";" + Environment.NewLine;
                String createText = pacString1 + pacString2 + pacString3 + pacString4;

                FiddlerApplication.Prefs["fiddler.proxy.pacfile.text"] = createText;

     (see attached for what the output of this string would look like):

    Although this is not working for some reason? Is it perhaps in the wrong place, or what could be the issue?

    (idea 2)

    Fiddler.CONFIG.sHostsThatBypassFiddler = "*";
    Fiddler.CONFIG.sHostsThatBypassFiddler.exclude = "http://www.mysite.com"; //I know this part doesn't exist yet, but it would be amazing for the future versions. It could exclude everything and then exclude one thing from the exclusion list (mysite.com)

    (idea 3)
    Fiddler.CONFIG.sHostsThatBypassFiddler = "[insert amazingly fancy Regular Expression here that can exclude everything except one site- mysite.com]";.

    Please could you advise me (especially for the first one)

    Thanks

    Hendrik


  4. Eric Lawrence
    Admin
    Posted 10 Aug 2015

    Hi, Hendrik--

    Your "idea 2" and "idea 3" require every web browser and other client to change-- the code that would respect such rules is in the client, not in Fiddler.

    For "idea 1"-- The script looks generally correct, but you need to show me the rest of your code too. For instance, did you set the FiddlerCoreStartupFlags.HookUsingPACFile bit in the flags you passed to the .Startup method?

    Regards,
    Eric Lawrence
    Telerik
  5. Hendrik
    Posted 14 Aug 2015 in reply to Eric Lawrence

    Hi Eric,

    I attached my project. Please could you have a look at "FiddlerReplace.cs"

    Could you give me an example of exactly how the "FiddlerCoreStartupFlags.HookUsingPACFile" would be implemented? And is this supported in all the FiddlerCore versions?

    (Here is my code: taxiservicejohannesburg.co.za/fiddlerproject.zip)

    Thanks

    Hendrik

  6. Eric Lawrence
    Admin
    Posted 17 Aug 2015

    Hi,

    In StartListenAndReplace, delete

       Fiddler.FiddlerApplication.Startup(iPort, true, true);

    and replace it with:

        FiddlerCoreStartupFlags oFCSF = FiddlerCoreStartupFlags.Default | FiddlerCoreStartupFlags.HookUsingPACFile;
        Fiddler.FiddlerApplication.Startup(iPort, oFCSF);

    If it doesn't do what you expect, when your program is running, open IE, click Tools > Internet Options > Connections > LAN Settings and take a screenshot of that dialog and reply to this thread (or email Help > Send Feedback).


    Regards,
    Eric Lawrence
    Telerik
  7. Hendrik
    Posted 18 Aug 2015

    Hi Eric,

    Ok so now it does seem to only proxy one site in particular.
    However once I test my program with that specific site, it gives issues (see attached pics).
    I also added the screenshot of my lan settings.

    Regards

    Hendrik


  8. Eric Lawrence
    Admin
    Posted 20 Aug 2015

    Hi, Hendrik--

    Per the screenshot, your FiddlerCore instance is running on port 8877, so you need to change the script it sets from

    PROXY 127.0.0.1:8888

    to

    PROXY 127.0.0.1:8877

    Regards,
    Eric Lawrence
    Telerik
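
An added example, not part of the original posts or of FiddlerCore's own code: it generates an opt-in PAC function body of the kind the thread stores in `fiddler.proxy.pacfile.text`, with the proxy port taken from one variable so it cannot drift from the listener port as it did above. The host list, the port value and the helper names `buildPacBody` and `findProxy` are constructed for illustration, and treating the preference as function-body text is an assumption drawn from the snippet posted earlier in the thread.

```javascript
// Added example. Host names and port are constructed sample values.
const OPT_IN_HOSTS = ["mysite.com", "xyz.com"]; // hypothetical opt-in list
const LISTEN_PORT = 8877; // must equal the port passed to Startup

// Build the PAC function body: proxy only the listed hosts and their subdomains.
function buildPacBody(hosts, port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new RangeError("invalid proxy port: " + port);
  }
  const list = hosts.map(function (h) {
    const name = h.trim().toLowerCase();
    // Accept plain DNS names only, so a list entry cannot inject script text.
    if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(name)) {
      throw new Error("not a plain hostname: " + h);
    }
    return name;
  });
  return [
    "var optIn = " + JSON.stringify(list) + ";",
    "var h = host.toLowerCase();",
    "for (var i = 0; i < optIn.length; i++) {",
    "  var d = optIn[i];",
    "  // Exact match or a subdomain; the leading dot stops 'notmysite.com' matching.",
    "  var dotted = '.' + d;",
    "  if (h === d || h.slice(-dotted.length) === dotted) {",
    "    return 'PROXY 127.0.0.1:" + port + "';",
    "  }",
    "}",
    "return 'DIRECT';"
  ].join("\n");
}

// Evaluate the body the way a PAC engine calls FindProxyForURL(url, host).
function findProxy(body, url) {
  const host = new URL(url).hostname;
  return new Function("url", "host", body)(url, host);
}

const pacBody = buildPacBody(OPT_IN_HOSTS, LISTEN_PORT);
console.log(findProxy(pacBody, "https://www.mysite.com/login"));
console.log(findProxy(pacBody, "https://notmysite.com/"));
```

The returned string is what would be assigned to the PAC text preference before `.Startup` is called with the `HookUsingPACFile` flag.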
  9. Hendrik
    Posted 23 Aug 2015

    Hi Eric,

    Thanks, that worked perfectly.

    I decided that separating my project into 2 pieces (one has the libraries and the other the GUI forms) would be cleaner. So it's one solution with 2 projects. I created a solution with a class library and WindowsFormProject and inserted everything accordingly.

    I am also using the latest FiddlerCore I got from NuGet in Visual Studio. I am starting the WindowsFormProject project in Visual Studio admin mode.

    Everything works as the previous version, except HTTPS websites. They give me "Your connection is not private" errors.

    I double checked and everything looks the same between the new and old versions.

    Is there anything else I would have to add to make this 2 project solution work?

    I figured that maybe there is something else extra I need to do when separating them?

    (the old version gives no issues with https)

    Here is the new code if you would like to have a look: www.taxiservicejohannesburg.co.za/project.zip

    Kindly let me know what you think

    Thanks
    Hendrik



  10. Eric Lawrence
    Admin
    Posted 24 Aug 2015

    Hi, Hendrik--

    What is the full text of the error message (particularly, the bold error code at the bottom)? The most likely explanation is that the certificate being returned by your new project is different than the certificate returned by the old project, and hence it is not trusted. 

    I didn't see any code in your project that trusts Fiddler's root certificate. Did the old project maybe use makecert.exe (and you manually trusted the certificate)? Since the new project doesn't have makecert.exe adjacent to the binary, that means that you're falling back to the CertEnroll certificate generator which would generate a different certificate than makecert does.

    Regards,
    Eric Lawrence
    Telerik
  11. Hendrik
    Posted 24 Aug 2015

    Hi Eric,
    Here is the Chrome error, ->
    ===
    Your connection is not private
    Attackers might be trying to steal your information from www.mywebsiteexample.com (for example, passwords, messages or credit cards).
    NET::ERR_CERT_AUTHORITY_INVALID
     Automatically report details of possible security incidents to Google. Privacy policy
    Back to safetyHide advanced
    This server could not prove that it is www.mywebsiteexample.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
    Proceed to www.mywebsiteexample.com (unsafe)

    ===
    Internet Explorer ->

    There is a problem with this website's security certificate.
    The security certificate presented by this website was not issued by a trusted certificate authority.
    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
    We recommend that you close this webpage and do not continue to this website.
    Click here to close this webpage.
    Continue to this website (not recommended).
    ===

    The old one didn't use makecert.exe . The functionality did it automatically.

    So in other words 2 different certificates are being generated (and are conflicting with each other)?

    [1 min later]
    Ok.... So based on this assumption I tried:

            private void Form1_FormClosing(object sender, FormClosingEventArgs e)
            {
                AllCore.FiddleCore.UninstallCerts();
            }

    This seemed to make it work (except that it slows the program down a lot and gave a mean looking uninstall alert the first time). Is there maybe a better way?

    Please can you also tell me how to trust "Fiddler's root certificate" as mentioned above.

    Regards
    Hendrik

  12. Eric Lawrence
    Admin
    Posted 24 Aug 2015

    NET::ERR_CERT_AUTHORITY_INVALID means that the root certificate has not been trusted.

    "The old one didn't use makecert.exe . The functionality did it automatically"

    Depending on configuration, FiddlerCore will "automatically" use makecert.exe to generate certificates. When it cannot be found and when you don't have the BouncyCastle certificate generator in place, FiddlerCore will, on Windows 7 and later, attempt to use CertEnroll.dll to generate certificates instead.

    The Fiddler book and FiddlerCore demo application (\Demo\Program.cs) show how to trust and distrust FiddlerCore certificates.

    I'm not sure what "slows the program down a lot" means specifically. Generating a new root certificate can take several seconds; this cost is paid once if you reuse the root certificate on subsequent runs of the application. If you uninstall all of the certificates and recreate them every time your program runs, then yes, this will slow it down a lot.

    Regards,
    Eric Lawrence
    Telerik