I'm trying to set up Fiddler as a transparent MITM proxy for HTTPS traffic. It works fine for HTTP traffic, but am having trouble figuring out configuration for HTTPS.
I have Fiddler running on a Windows host, listening on port 8888.
On my linux host, I have added the following rule:\
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 192.168.5.212:8888
This works great for regular HTTP traffic. I see any request on the linux host get transparently redirected to fiddler.
However, for HTTPS traffic, this does not work as Fiddler's 8888 port is not HTTPS and consequently the following fails to connect/handshake:
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 192.168.5.212:8888I dug around and found that I can enable an additional listener using QuickExec by doing the following in the QuickExec window
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 192.168.5.212:8888 curl https://www.google.com
I have installed the FidderRoot CA certificate and this gets me one step closer, but my curl/wget from my host fails in that it receives a certificate to CN=localhost and not the actual host I'm trying to reach.
How can I setup Fiddler for it to auto-sign the certificates from port 8889 with proper MITM certificates?
Thanks,
Eric
3 Answers, 1 is accepted
Hello Eric B,
While Fiddler is not meant to work as a transparent proxy (refer to this thread).
However, you could actually try to install the Fiddler certificate on the test device - at least this is the step you are missing compared to the mitmproxy instructions (see here). You mentioned that you had installed the certificate, but is it installed in the certificate store of the application you are using to execute the requests?
Try passing the Fiddler certificate when executing the curl command.
curl --proxy 127.0.0.1:8888 --cacert <path-to-fiddler-certifiacate> https://example.com/
Regards,
Nick Iliev
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
Rank 1
Hi Nick,
Thanks, but this is not the issue with the Fiddler Root certificate. `curl -vvI` shows me that the received certificate is properly signed (by FiddlerRoot), but the endpoint itself (8889) is signed by someone/something other than the expected host (in this case, it is the hostname that is specified when setting up the additional port).
If I try to use port 8888 as my proxy port, my requests fail.
I am intentionally not using the `--proxy` option to curl as I am trying to get this working in transparent mode. My end game is not curl but another application which has no proxy configuration options.
Is there no way to get Fiddler working as a transparent proxy for SSL connections?
Thanks,
Eric
Hi Eric B,
Indeed Fiddler does not support working as a transparent proxy. Looking into a similar discussion, I found a possible solution suggested here. Could you try this one and let us know if that works out at your end?
Regards,
Nick Iliev
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.