feat: 🎸 Added API url for downloading CA cert

README.md

@@ -172,6 +172,14 @@ proxy := gomitmproxy.NewProxy(gomitmproxy.Config{
 })
 ```
 
+If you configure the `APIHost`, you'll be able to download the CA certificate
+from `http://[APIHost]/cert.crt` when the proxy is configured.
+
+```go
+// Navigate to http://gomitmproxy/cert.crt to download the CA certificate
+proxy.APIHost = "gomitmproxy"
+```
+
 ### Custom certs storage
 
 By default, `gomitmproxy` uses an in-memory map-based storage for the certificates,
@@ -218,12 +226,12 @@ mitmConfig, err := mitm.NewConfig(x509c, privateKey, &CustomCertsStorage{
     * [X] How-to doc
     * [X] Travis configuration
     * [X] Proxy-Authorization
-    * [ ] Unit tests
     * [X] WebSockets support (see [this](https://github.com/google/martian/issues/31))
     * [X] `certsCache` -- allow custom implementations
     * [X] Support HTTP CONNECT over TLS
-    * [ ] Test plain HTTP requests inside HTTP CONNECT
-    * [ ] Test memory leaks
+    * [X] Test plain HTTP requests inside HTTP CONNECT
+    * [X] Test memory leaks
+    * [ ] Unit tests
     * [ ] Check & fix TODOs
 * [ ] MITM
     * [X] Basic MITM

config.go

@@ -24,6 +24,12 @@ type Config struct {
 	MITMConfig     *mitm.Config // If not nil, MITM is enabled for the proxy
 	MITMExceptions []string     // A list of hostnames for which MITM will be disabled
 
+	// APIHost is a name of the gomitmproxy API
+	// If it is set to "", there will be no API
+	// Here are the methods exposed:
+	// 1. apihost/cert.crt -- serves the authority cert (if MITMConfig is configured)
+	APIHost string
+
 	// OnRequest is called when the request has been just received,
 	// but has not been sent to the remote server.
 	//

examples/mitm/main.go

@@ -15,11 +15,17 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/gomitmproxy"
 	"github.com/AdguardTeam/gomitmproxy/mitm"
+
+	_ "net/http/pprof"
 )
 
 func main() {
 	log.SetLevel(log.DEBUG)
 
+	go func() {
+		log.Println(http.ListenAndServe("localhost:6060", nil))
+	}()
+
 	// READ CERT AND KEY
 	tlsCert, err := tls.LoadX509KeyPair("demo.crt", "demo.key")
 	if err != nil {
@@ -43,13 +49,13 @@ func main() {
 	mitmConfig.SetOrganization("gomitmproxy")  // cert organization
 
 	// GENERATE A CERT FOR HTTP OVER TLS PROXY
-	proxyCert, err := mitmConfig.GetOrCreateCert("127.0.0.1")
-	if err != nil {
-		panic(err)
-	}
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{*proxyCert},
-	}
+	//proxyCert, err := mitmConfig.GetOrCreateCert("127.0.0.1")
+	//if err != nil {
+	//	panic(err)
+	//}
+	//tlsConfig := &tls.Config{
+	//	Certificates: []tls.Certificate{*proxyCert},
+	//}
 
 	// PREPARE PROXY
 	addr := &net.TCPAddr{
@@ -59,10 +65,11 @@ func main() {
 
 	proxy := gomitmproxy.NewProxy(gomitmproxy.Config{
 		ListenAddr: addr,
-		TLSConfig:  tlsConfig,
+		//		TLSConfig:  tlsConfig,
 
 		Username: "user",
 		Password: "pass",
+		APIHost:  "gomitmproxy",
 
 		MITMConfig:     mitmConfig,
 		MITMExceptions: []string{"example.com"},

mitm/mitm.go

@@ -169,6 +169,11 @@ func NewConfig(ca *x509.Certificate, privateKey *rsa.PrivateKey, storage CertsSt
 	}, nil
 }
 
+// GetCA returns the authority cert
+func (c *Config) GetCA() *x509.Certificate {
+	return c.ca
+}
+
 // SetOrganization sets the organization name that
 // will be used in generated certs
 func (c *Config) SetOrganization(organization string) {

proxy.go

@@ -5,6 +5,7 @@ import (
 	"bufio"
 	"bytes"
 	"crypto/tls"
+	"encoding/pem"
 	"io"
 	"net"
 	"net/http"
@@ -224,6 +225,10 @@ func (p *Proxy) handleRequest(ctx *Context) error {
 		}
 	}
 
+	if session.req.Host == p.APIHost {
+		return p.handleAPIRequest(session)
+	}
+
 	if !customRes {
 		// check proxy authorization
 		if p.Username != "" {
@@ -292,6 +297,33 @@ func (p *Proxy) handleRequest(ctx *Context) error {
 	return nil
 }
 
+// handleAPIRequest handles a request to gomitmproxy's API
+func (p *Proxy) handleAPIRequest(session *Session) error {
+	if session.req.URL.Path == "/cert.crt" && p.MITMConfig != nil {
+		// serve ca
+		b := pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: p.MITMConfig.GetCA().Raw,
+		})
+
+		// nolint:bodyclose
+		// body is actually closed
+		session.res = NewResponse(http.StatusOK, bytes.NewReader(b), session.req)
+		defer session.res.Body.Close()
+		session.res.Close = true
+		session.res.Header.Set("Content-Type", "application/x-x509-ca-cert")
+		session.res.ContentLength = int64(len(b))
+		return p.writeResponse(session)
+	}
+
+	// nolint:bodyclose
+	// body is actually closed
+	session.res = newErrorResponse(session.req, errors.Errorf("wrong API method"))
+	defer session.res.Body.Close()
+	session.res.Close = true
+	return p.writeResponse(session)
+}
+
 // returns true if this session's response or request signals that
 // the connection must be closed
 func (p *Proxy) isClosing(session *Session) bool {
@@ -580,11 +612,16 @@ func (p *Proxy) canMITM(hostname string) bool {
 	}
 
 	// Remove the port if it exists.
-	host, _, err := net.SplitHostPort(hostname)
+	host, port, err := net.SplitHostPort(hostname)
 	if err == nil {
 		hostname = host
 	}
 
+	if port != "443" {
+		log.Debug("do not attempt to MITM connections to a port different from 443")
+		return false
+	}
+
 	p.invalidTLSHostsMu.RLock()
 	_, found := p.invalidTLSHosts[hostname]
 	p.invalidTLSHostsMu.RUnlock()