Add support for proxying websocket (ws and wss protocols).

Useful to proxify website using this technology.
On top of that websocket is often mixed up with http/https in browser proxy settings.

Hi

I am having trouble with HTTS connections passing through the proxy. Its seems that somehow these do not validate against the self signed SSL keys. I am able to see that the proxy works fine if I manually make an exception in Firefox, but these should work without having to manually make an exception after adding the keys to the keychain.

See below for the quests, I even tried to use "--cacert certificate" but it still fails.

curl -v --proxy https://localhost:8080 https://google.com

• Rebuilt URL to: https://google.com/
• Hostname was NOT found in DNS cache
• Trying ::1...
• Connected to localhost (::1) port 8080 (#0)
• Establish HTTP proxy tunnel to google.com:443

  CONNECT google.com:443 HTTP/1.1
  Host: google.com:443
  User-Agent: curl/7.37.1
  Proxy-Connection: Keep-Alive

  < HTTP/1.1 200 OK
  <
• Proxy replied OK to CONNECT request
• SSL certificate problem: Invalid certificate chain
• Closing connection 0
  curl: (60) SSL certificate problem: Invalid certificate chain
  More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Thanks,
Mauro

I'm pretty sure this is an issue of my code and not this library but wanted to ask to make sure.

I'm doing the following, in purpose of caching requests locally:

var Proxy = require('http-mitm-proxy')
var proxy = Proxy()
var Immutable = require('immutable')
var crypto = require('crypto')

var port = 8081

var Cache = Immutable.Map({})

const idFromReq = (ctx) => {
  const req = ctx.clientToProxyRequest
  const url = req.url
  const host = req.headers.host
  return crypto.createHash('md5').update(host + url).digest('hex')
}

const saveCache = (ctx, chunks) => {
  const id = idFromReq(ctx)
  return Cache.set(id, Immutable.Map({
    chunks: chunks,
    statusCode: ctx.serverToProxyResponse.statusCode,
    headers: ctx.serverToProxyResponse.headers
  }))
}

proxy.onError(function (ctx, err) {
  console.error('proxy error:', err)
})

proxy.onRequest(function (ctx, callback) {
  ctx.chunks = []
  ctx.use(Proxy.gunzip)
  if (Cache.get(idFromReq(ctx)) !== undefined) {
    console.log('Using cache for ' + idFromReq(ctx))
    const cached = Cache.get(idFromReq(ctx))
    ctx.proxyToClientResponse.writeHead(cached.get('statusCode'), cached.get('headers'))
    ctx.proxyToClientResponse.end(Buffer.concat(cached.get('chunks')))
    return
  }
  proxy.onResponseData(function (ctx, chunk, dataCallback) {
    // var new_chunk = chunk.toString()
    // if (new_chunk.indexOf('integrity=') !== -1) {
    //   new_chunk = new_chunk.replace(/(integrity=".*?")/g, '')
    // }
    ctx.chunks.push(chunk)
    return dataCallback(null, chunk)
  })

  proxy.onResponseEnd(function (ctx, endCallback) {
    Cache = saveCache(ctx, ctx.chunks)
    const chunks = ctx.chunks
    return endCallback(null, Buffer.concat(chunks))
  })
  callback()
})

proxy.listen({ port: port })
console.log('listening on ' + port)

Which is working fine when I do one request and then another request, after each other. But it fails when making more than one request at the same time, seems to be an issue where the chunks are getting mixed up.

Any pointers to what I could be doing wrong?

I was wondering why this cool project is not published to npm.
Is it a choice?

You can publish it to npm by creating an account on npmjs.org and then executing the following command at the root of the project:

npm login
# then enter your login and passwod
npm publish

maybe MIT?

So that you can use the proxy for both HTTP and HTTPS traffic even if you don't do the cert re-generation dance.

As described here. Also, I believe squid uses it correctly.

I've set things up using the generated CA.perm as a trusted root CA. I see in the logs often errors like this:

W20160222-16:07:01.200(-3)? (STDERR) HTTPS_CLIENT_ERROR on : [Error: 140735123144704:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:../deps/openssl/openssl/ssl/s3_srvr.c:1436:

This seems to be related to problems with some kinds of web socket connections over SSL, though I'm not yet 100% clear on the association. It may be that all examples produce the error but https://github.com/joeferner/node-http-mitm-proxy/blob/master/examples/processFullResponseBody.js definitely does.

Hi,
is it possible to modify all chunks at once? The response is a big json document and to parse it, I need to get all chunks first.
With the default https.request I could collect all chunks with the on data event and push all concated chunks in the on end event. I found the onResponseEnd event in the script, but I don't know how to return the combined chunks at once.

I am able to run the example, but I'm not sure how to test it out in my browser. How do I get my browser to use this proxy server?

Trying to set Chrome's proxy server redirected me to do this in my network settings. Frankly, I've never created/used a proxy.

I have a server that returns an invalid certificate, how can I set the proxy not to reject the invalid cert on a particular request?

I can set, process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; but that's not a nice solution, I want to check the host on the request header and accept all certificates only for certain hosts, is this possible?

Thanks

Small feature request. IMO I'd be a bit more convenient to write:

proxy.onRequest(handleIncomingRequest.bind(this))
     .onResponse(handleIncomingResponse.bind(this))
     .onError(handleProxyError.bind(this))
     .listen({port: port});

instead of:

  proxy.onRequest(handleIncomingRequest.bind(this));
  proxy.onResponse(handleIncomingResponse.bind(this));
  proxy.onError(handleProxyError.bind(this));
  proxy.listen({port: port});

Hey, as long as the module is running in the system, I see a growing number of open ports. How to clean unnecessary open HTTPS servers?

I tried this way on ctx.onResponseEnd:

(Object.keys(proxy.sslServers)).forEach(function (srvName) {
    if (proxy.sslServers[srvName].server._connections === 0 && !proxy.sslServers[srvName].server._handle.reading && proxy.sslServers[srvName].server._handle.writeQueueSize === 0) {
        console.log('Can: ', proxy.sslServers[srvName].server);
        proxy.sslServers[srvName].server.close();
        delete proxy.sslServers[srvName];
        console.log('HTTPS Server: "' + srvName.yellow + '" closed.');
    } else {
        console.log('Cannot: ', proxy.sslServers[srvName].server);
    }
});

Did not work. Proxy client loses the connection and make mistakes. Please help.

Hello,

For my personal use, I've implemented buffering of requests and responses (including automatic gunzip) as a layer on top of this library. I don't think it is particularly useful to rewrite data at a chunk level, but admittedly good for performance.

I would like to do a pull request, but I'm at a loss on how to proceed and wanted to get some opinions and gauge interest.

Perhaps ctx.onRequestBody and ctx.onResponseBody?? This could possibly have weird interactions with .use middleware.

Let me know your thoughts

Where do I find the IP address of the client of the clientToProxyRequest?

I didn't find a way to set a proxy in mitm-proxy to have multiple proxies chain.
Something like

Browser -> Node-Http-Mitm-Proxy -> Internal Squid Proxy -> Internet

Is there any workaround?

Currently, the proxy pipe the request either to an internal http or https server depending on the port of the request.

As a result HTTP requests made on port 443 (not usual) and HTTPS requests made on any port different than 443 (more frequent) are not proxied correctly.

That's also the case for websocket requests
Here a usecase for not secure websockets on port 443: http://websocketstest.com/

Examples:

proxy.onRequest(function(ctx, callback) {
  // I want to answer the request myself, without making a request to a server  

  // callback() would create the request to the server with the ctx.proxyToServerRequestOptions
  // callback();

  // callback("Any error") would trigger a "Proxy error"
  // callback("Any error");

  // No callback may not be clean and may have side effect, like not calling next handlers
});

proxy.onResponseData(function(ctx, chunk, callback) {
  // I want to collect all chunks without sending it to the client and then send something to the client at the ResponseEnd

  // callback(chunk) would send the chunk to the client
  // callback(null, chunk);

  // callback(null, null) or callback(null, []) may break or at least send the headers and is not clean at all
  // callback(null, null);
  // callback(null, []);

  // callback("Any error") would trigger a "Proxy error"
  // callback("Any error");

  // No callback may not be clean and may have side effect, like not calling next handlers and may lead to no responseEnd event
});

Maybe the best way is to rewrite the API with a switch to prevent default operation after the handler execution.
Maybe the most transparent and intuitive way would be to test the second parameter of the callback and cancel default behavior if it is equals to false or null (but not undefined)

First of all great library.

I'm wondering how to detect the end of a response though - onResponseData might fire multiple times for a chunked response and i don't currently see a way to detect that something is the final chunk.

Have i completely missed something or is it not implemented yet?

I am developing a Firefox addon which rewrites incoming traffic using nsITraceableChannel, and I tried to decouple it from Firefox and put the logic into a separate HTTP proxy using this package. I knew doing MITM with HTTPS would use a little more resources due to SSL/gzip decoding/encoding, but the proxy is much slower, to the point that I can't even use it for testing. And it doesn't even seem like the proxy is hitting the CPU too hard, it's just slow! Is the slower performance normal, or do I definitely have some sort of bug that severely degrades performance? I am caching requests with the following helper function, based on the examples in tests/:

ctx.cacheAndModify = function(f) {
  var data = "";
  ctx.onResponseData(function(ctx, chunk, cb) {
    data += chunk.toString();
    return cb(null, null);
  });
  ctx.onResponseEnd(function(ctx, cb) {
    var opts = ctx.proxyToServerRequestOptions;
    var url = (ctx.isSSL ? "https" : "http") + "://" + opts.host +
      (opts.port === 443 || opts.port === 80 ? "" : ":" + opts.port) +
      opts.path;
    ctx.proxyToClientResponse.write(new Buffer(f(data, url)));
    return cb();
  });
};

so then I can just use ctx.cacheAndModify(handler) in onResponse. I also use Proxy.gunzip

I was wondering if the proxy could be made to serve the cert file directly to HTTP clients. It seems to be easily confused by non-proxy HTTP requests right now.

GET / HTTP/1.0 results in:

.../http-mitm-proxy/lib/proxy.js:708                                                                                                                                                       
    host: hostPort.host,                                                                                                                                                                                                          
                  ^                                                                                                                                                                                                               

TypeError: Cannot read property 'host' of null                                                                                                                                                                                    
  at [object Object].Proxy._onHttpServerRequest (.../http-mitm-proxy/lib/proxy.js:708:19)                                                                                                  
  at emitTwo (events.js:87:13)                                                                                                                                                                                                    
  at Server.emit (events.js:172:7)                                                                                                                                                                                                
  at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:528:12)                                                                                                                                                         
  at HTTPParser.parserOnHeadersComplete (_http_common.js:88:23)                                                                                                                                                                   

Installed the ca.pem file, trusted it. but connecting to a running example proxy raises
HTTPS_CLIENT_ERROR on : [Error: 140735258857472:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/s3_pkt.c:1472:SSL alert number 48

This is likely because i am doing something wrong, but i am having a hard time understanding what i am missing by looking at the readme.

http-mitm-proxy without "onConnect" exposing, how can I tunnel https directly without create httpsServer ?

In some case, proxy https request doesn't need decrypting : )

Maybe I'm missing something, but how do I know if client finished sending request body? For responses we have onResponseEnd, but there is no equivalent for requests. From what I've tested multiple chunks are possible (e.g. when trying to POST a 5m file).

Given the following command: curl -i -x https://localhost:3001 https://www.google.co.uk/

After launching the server, I'm first getting a response of Server aborted the SSL handshake

The next response is Unknown SSL protocol error in connection

The server is outputting HTTPS_CLIENT_ERROR on : [Error: TLS handshake timeout]

I've added the ca.pem into my OSX keychain.

When using a different command line tool, I get HTTPS_CLIENT_ERROR on : [Error: 19282344:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/s3_pkt.c:1472:SSL alert number 42 19282344:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1210

The server is based on your example. Any way to resolve this?

Here is the code

var Proxy = require('http-mitm-proxy');
var proxy = Proxy();

proxy.onError(function(ctx, err) {
    console.error('proxy error:', err);
});

proxy.onRequest(function(ctx, callback) {
    console.log(ctx.clientToProxyRequest.headers.host)

    return callback();
});

proxy.listen({
    port: 8080
});

Im starting my server node index.js and refreshing google.com and dont see any console logging?

Hi,

I've tried out your modifyGoogle example, but I always got this error:

PROXY_TO_SERVER_REQUEST_ERROR on /: { [Error: read ECONNRESET] code: 'ECONNRESET', errno: 'ECONNRESET', syscall: 'read' }
PROXY_TO_SERVER_REQUEST_ERROR on /favicon.ico: { [Error: socket hang up] code: 'ECONNRESET' }

Do you have any idea why?

I installed the certificate.

Thx

The ca.pem provided here does not work for my android (n). I can get it to work by generating a ca.crt from your ca.pem like so:

openssl x509 -inform PEM -outform DM -in .http-mitm-proxy/certs/ca.pem -out .http-mitm-proxy/certs/ca.crt

but this requires the openssl binary which may not always be easy to come by. Could the project here directly generate the ca.crt that many of us need?
see: justinleewells/pogo-optimizer#108

I've got a basic HTTP/HTTPS proxy running:

var Proxy = require('http-mitm-proxy');
var proxy = Proxy();

proxy.onError( (ctx, err, errorKind) => {
  var url = (ctx && ctx.clientToProxyRequest) ? ctx.clientToProxyRequest.url : '';
  console.error(errorKind + ' on ' + url + ':', err);
});

proxy.use(Proxy.gunzip);

proxy.listen({port: 8089, sslCaDir: "/Users/peter/Development/fetching-proxy/certs"});

I notice that Safari (possibly other browsers) frequently show this kind of error in the console for JS and CSS assets:

Failed to load resource: The network connection was lost.

I'm not sure they are related, but the node console also has many:

HTTPS_CLIENT_ERROR on : { [Error: socket hang up] code: 'ECONNRESET' }

and

PROXY_TO_SERVER_REQUEST_ERROR on /510080801/: { [Error: connect ETIMEDOUT 31.13.85.8:443]

Needless to say this causes most websites to have trouble loading.

Thank you!

I'm seeing a lot of these errors thrown when intercepting HTTPS traffic:

Error: 140735158005760:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../../vendor/node/deps/openssl/openssl/ssl/s3_pkt.c:1472:SSL alert number 48
140735158005760:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:../../vendor/node/deps/openssl/openssl/ssl/s3_pkt.c:1210:

I'm able to reproduce it on node 4.1.1 and 5.1.1 for multiple hosts.

What's the recommended way to do authentication to the proxy?

First, thanks for making this!

Second, using your examples I've got a proxy running. On some HTTPS sites it works as expected however on some it fails with the error:

proxy error: { [Error: socket hang up] code: 'ECONNRESET', sslError: undefined }

For example https://github.com and https://en.wikipedia.org fail to load. Safari, for example, indicates that it's not able to establish a secure connection to the web server.

Any suggestions?

Hi,

We are using proxy as part of our testing infrastructure to block javascript (with webdriverio). We are now constantly, getting this error:

We are running on Node 7 and latest version http-mitm.

We also get the deprecation warning too.

Could you please advice, as its a bit urgent.

Thanks a lot!
Jeremy

On top of the message frame kind WebSocket also have ping and pong frame types that are mostly used to keep alive a websocket connection but can also carry data.

Thoose frame kind are currently not handled by node-http-mitm-proxy (not forwarded).
As a result websocket connection may not be kept alive and broke on some websites.

Hi Joe,
Congrats for your work on this module.

As you can imagine (because of my pull requests) I am working on it to enable SSL signing on the fly.
I have already extended the module adding an onCertificateRequired and onCertificateMissing "hooks" (as soon as I can test it, I will do a pull request).

Meanwhile I am having some troubles and I would like to have your feedback.
On Proxy.prototype._onHttpServerConnect the makeConnection call is async, what I think will cause problems with incoming requests for the same hostname which will find var sslServer = this.sslServers[hostname]; undefined and start a "race condition".

Do you agree that the SSL connection logic has to be sync?
I will be working in this but I would really appreatiate your feedback.

Regards,
Paulo

Hello,
when we have self signed certificates, the proxy does triggers an error.
curl -x 127.0.0.1:8082 https://127.0.0.1 -ki
HTTP/1.1 200 OK

HTTP/1.1 504 Proxy Error
Date: Mon, 22 Feb 2016 20:41:20 GMT
Connection: keep-alive
Transfer-Encoding: chunked

PROXY_TO_SERVER_REQUEST_ERROR: Error: unable to verify the first certificate

I resolved using:
NODE_TLS_REJECT_UNAUTHORIZED=0 node myproxy.js

 //myproxy.js
Proxy().listen({port: 8082});

but I think It would be nice:

1. Since it's a proxy, to allow self signed certs to go through by default.
2. to have some way to easily set this option to true or false from the code.

Am I missing something?
Thanks and keep up the great work!

http-mitm-proxy without "onConnect" exposing, how can I tunnel https directly without create httpsServer ?

In some case, proxy https request doesn't need decrypting : )

I tried the example in the project's page and it doesn't work, I get the following error even though the port is specified as 8081:

internal/net.js:17
    throw new RangeError('"port" argument must be >= 0 and < 65536');
RangeError: "port" argument must be >= 0 and < 65536

Here's the code I used:

var Proxy = require('http-mitm-proxy');
var proxy = Proxy();

proxy.onError(function(ctx, err) {
  console.error('proxy error:', err);
});

proxy.onRequest(function(ctx, callback) {
  if (ctx.clientToProxyRequest.headers.host == 'www.google.com'
    && ctx.clientToProxyRequest.url.indexOf('/search') == 0) {
    ctx.use(Proxy.gunzip);

    ctx.onResponseData(function(ctx, chunk, callback) {
      chunk = new Buffer(chunk.toString().replace(/<h3.*?<\/h3>/g, '<h3>Pwned!</h3>'));
      return callback(null, chunk);
    });
  }
  return callback();
});

proxy.listen({port: 8081});

Any ideas why this is not working? not even the first example works which may suggest something went awry with the current version

Thank you for making such great software available. I would like to intercept requests for a single domain and url and cause the request to be proxied to a different remote host. I've gotten as far as matching the request and sending a different response from the proxy to the client but that's it.

Trying to figure out how to catch an ENOTFOUND error (from request made to the proxy using URL with a non-existent host that fails dns lookup) or similar request level errors -- they become uncaught exceptions and crash the process. Of course I can use

process.on('uncaughtException', function(err) ...

but that doesn't really help respond to bad request (it isn't tied to specific request) and leaves the process in an unstable state. I'm just not experienced enough with node to figure this out. (Simply avoiding bad requests is impossible as many come from secondary requests from a site, for instance it may link to a .css file on a non-existent host.)

https://www.npmjs.com/package/http-mitm-proxy

Your package has a low search / page rank (couldn't find it on top google hits even using the search term http-mitm-proxy npm)

You should update your package.json to use ws@^1.1.1.

https://www.npmjs.com/package/ws

It is extremely hard to contribute to the codebase when there are no linting rules/ code style is inconsistent between files.

I suggest to use one of the existing style guides, https://github.com/dustinspecker/awesome-eslint#configs:

• Canonical is the most strict of them all (I am biased though, since it is the package that I maintain).
• AirBnb is the most popular.
• Standard while popular, is very loose

@joeferner Do you agree that linting rules need to be added? Do you have preference for which style guide to use?

Steps to reproduce:

1. node examples/processFullResponseBody.js
2. Open Chrome (with proxy setup)
3. Navigate to http://humblebundle.com (should succeed)
4. Refresh page, and see console output for exception below.

$ node examples/processFullResponseBody.js
listening on 8081

...some lines removed, everything below is after refresh...

starting server for humble.pubnub.com
https server started for humble.pubnub.com on 56619
starting server for www.humblebundle.com
https server started for www.humblebundle.com on 56888
starting server for humblebundle-a.akamaihd.net
https server started for humblebundle-a.akamaihd.net on 56958
starting server for checkout.stripe.com
https server started for checkout.stripe.com on 56969
starting server for www.youtube.com
https server started for www.youtube.com on 56995
starting server for connect.facebook.net
https server started for connect.facebook.net on 56999
starting server for apis.google.com
https server started for apis.google.com on 57005
starting server for platform.twitter.com
https server started for platform.twitter.com on 57008
starting server for chart.googleapis.com
https server started for chart.googleapis.com on 57012
events.js:154
      throw er; // Unhandled 'error' event
      ^

Error: unexpected end of file
    at Zlib._handle.onerror (zlib.js:363:17)

When I MitM myself chrome stable returns quite a few errors due to the cert being outside the valid date range even though my clocks are synchronized between the machine that's acting as my proxy and my desktop. Adjusting the from date to 2 days back removed all the errors. The change is trivial and I'm not sure how far back you would want to go, so I'm just attaching the diff. Perhaps a better alternative would be to match the to/from date of the original cert? I can submit a pull request for either solution if there's interest.

Thanks,
-Matt

$ git diff
diff --git a/lib/ca.js b/lib/ca.js
index 4fb83c1..7345ba2 100644
--- a/lib/ca.js
+++ b/lib/ca.js
@@ -200,7 +200,8 @@ CA.prototype.generateServerCertificateKeys = function (hosts, cb) {
   var certServer = pki.createCertificate();
   certServer.publicKey = keysServer.publicKey;
   certServer.serialNumber = this.randomSerialNumber();
-  certServer.validity.notBefore = new Date();
+  var date = new Date();
+  certServer.validity.notBefore.setDate(date.getDate()-2);
   certServer.validity.notAfter = new Date();
   certServer.validity.notAfter.setFullYear(certServer.validity.notBefore.getFullYear() + 2);
   var attrsServer = ServerAttrs.slice(0);

I got this error when i am trying to use "http-mitm-proxy".

/home/shark_s/node_modules/http-mitm-proxy/lib/middleware/wildcard.js:8
const HOSTNAME_REGEX = /^(.+)(.[^.]{4,}(.[^.]{1,3})*.[^.]+)$/;
^^^^^
SyntaxError: Use of const in strict mode.
at Module._compile (module.js:439:25)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Module.require (module.js:364:17)
at require (module.js:380:17)
at Object. (/home/shark_s/node_modules/http-mitm-proxy/lib/proxy.js:24:27)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)

When I install with the command line:
npm install --save http-mitm-proxy
I get the following message and the install stops:
npm WARN install Refusing to install http-mitm-proxy as a dependency of itself

According to the documentation serverToProxyResponse should be a ServerResponse, as far as I can see it's an IncommingMessage instead. My guess is that it's a documentation bug?

P.S. This project rocks, thank you!

Currently requests timeout after 2min of inactivity
This is due to nodejs http & https servers default timeout

This may be an issue in some cases.
For example in case of a request upgraded to websocket. WebSocket connection does not timeout by default and some websocket servers does not have any timeout. In such case, the websocket connection is unexpectedly closed after 2min of inactivity.

The proxy should not enforce any timeout by default and rely on the server instead.

Hello,

In your documentation you have:

proxy.onCertificateMissing = function(ctx, files, callback) {
  console.log('Looking for "%s" certificates',   ctx.hostname);
  console.log('"%s" missing', ctx.files.keyFile);
  console.log('"%s" missing', ctx.files.certFile);

  // Here you have the last chance to provide certificate files data
  // A tipical use case would be creating them on the fly
  //
  // return callback(null, {
  //   key: keyFileData,
  //   cert: certFileData
  // });
  };

The required keys for the object sent to the callback are actually keyFileData and certFileData.

Is there any way to generate .p12 certificate bundle to work with Windows?

Hello! I've attempted your suggested approach to implement basic authentication (included below). However I'm seeing that HTTPS requests do not include the same header information that HTTP requests include. For example, this HTTP request includes the expected headers:

The CURL request:

curl http://stackoverflow.com -v -x http://username:[email protected]:8089

* Rebuilt URL to: http://stackoverflow.com/
*   Trying 127.0.0.1...
* Connected to myproxy.com (127.0.0.1) port 8089 (#0)
* Proxy auth using Basic with user 'username'
> GET http://stackoverflow.com/ HTTP/1.1
> Host: stackoverflow.com
> Proxy-Authorization: Basic cGV0ZXI6cGFzc3dvcmQ=
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< date: Sat, 12 Mar 2016 16:03:29 GMT
< content-type: text/html; charset=utf-8
< transfer-encoding: chunked
< connection: close
< set-cookie: __cfduid=d0a207fda936835992317de3be8a24ecc1457798609; expires=Sun, 12-Mar-17 16:03:29 GMT; path=/; domain=.stackoverflow.com; HttpOnly
< set-cookie: prov=359b8d31-d451-4ea5-8a12-8824bb92b971; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
< cache-control: public, no-cache="Set-Cookie", max-age=60
< expires: Sat, 12 Mar 2016 16:04:29 GMT
< last-modified: Sat, 12 Mar 2016 16:03:29 GMT
< vary: *
< x-frame-options: SAMEORIGIN
< x-request-guid: 91d04c64-9c57-4475-a188-e917ec63193d
< server: cloudflare-nginx
< cf-ray: 282879fbf28c2a5b-SEA
< 

The node-http-mite-proxy request headers:

{ 
  host: 'stackoverflow.com',
  'proxy-authorization': 'Basic cGV0ZXI6cGFzc3dvcmQ=',
  'user-agent': 'curl/7.43.0',
  accept: '*/*',
  'proxy-connection': 'Keep-Alive' 
}

Whereas an HTTPS request, while showing similar header information in the CURL request, does not include the same headers in the proxy:

The CURL request

curl https://github.com -v -x http://username:[email protected]:8089

* Rebuilt URL to: https://github.com/
*   Trying 127.0.0.1...
* Connected to my proxy.com (127.0.0.1) port 8089 (#0)
* Establish HTTP proxy tunnel to github.com:443
* Proxy auth using Basic with user 'username'
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> Proxy-Authorization: Basic cGV0ZXI6cGFzc3dvcmQ=
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< 
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: github.com
* Server certificate: NodeMITMProxyCA
> GET / HTTP/1.1
> Host: github.com
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 407 Proxy Authentication Required
* Authentication problem. Ignoring this.
< Proxy-Authenticate: Basic
< Date: Sat, 12 Mar 2016 16:06:34 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
< 
* Connection #0 to host local.fetching.io left intact

The headers included in the proxy:

{ 
  host: 'github.com',
  'user-agent': 'curl/7.43.0',
  accept: '*/*' 
}

My proxy code:

'use strict';

const Proxy = require('http-mitm-proxy');
const proxy = Proxy();
const logger = require('./logger.js');

proxy.onRequest( (ctx, callback) => {
  let request = ctx.clientToProxyRequest;
  let host = request.headers['host'];
  let path = request.url;
  let protocol = ctx.isSSL ? 'https' : 'http';
  let url = `${protocol}://${host}${path}`;
  let proxyAuthorization = request.headers['proxy-authorization'];

  console.log('DEBUG', url, request.headers);

  if (proxyAuthorization) {
    let encodedLoginPassword = proxyAuthorization.replace('Basic ', '');
    let loginPassword = new Buffer(encodedLoginPassword, 'base64').toString().split(':');
    let login = loginPassword[0];
    let password = loginPassword[1];
    callback();
  } else {
    let response = ctx.proxyToClientResponse;
    response.writeHead(407, {'Proxy-Authenticate': 'Basic'});
    response.end();
  }
});

proxy.onRequest( (ctx, callback) => {
  let request = ctx.clientToProxyRequest;
  let proxyAuthorization = request.headers['proxy-authorization'];
  callback();
});

proxy.onError( (ctx, err, errorKind) => {
  let url = (ctx && ctx.clientToProxyRequest) ?
    ctx.clientToProxyRequest.url :
    '';
  logger.log('error', `${errorKind} on ${url}`, err);
});

proxy.listen({
  port: 8089,
  forceSNI: true,
  silent: true,
  sslCaDir: "~/Development/proxy/certs"
});

In short, the proxy authentication works for HTTP requests but doesn't work for HTTPS requests and I'm not sure what accounts for the difference.

Thank you!