{"id":19184075,"url":"https://github.com/worstcase/cloudproxy","last_synced_at":"2025-05-08T00:00:30.973Z","repository":{"id":21323575,"uuid":"24640243","full_name":"worstcase/cloudproxy","owner":"worstcase","description":"A MITM proxy for instrumenting HTTP/S traffic","archived":false,"fork":false,"pushed_at":"2014-09-30T14:03:00.000Z","size":108,"stargazers_count":28,"open_issues_count":0,"forks_count":7,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-20T05:32:06.356Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/worstcase.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-09-30T13:58:47.000Z","updated_at":"2024-11-28T16:30:05.000Z","dependencies_parsed_at":"2022-08-20T19:00:55.918Z","dependency_job_id":null,"html_url":"https://github.com/worstcase/cloudproxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worstcase%2Fcloudproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worstcase%2Fcloudproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worstcase%2Fcloudproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worstcase%2Fcloudproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/worstcase","download_url":"https://codeload.github.com/worstcase/cloudproxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repos
itories_count":252973674,"owners_count":21834107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T11:06:06.610Z","updated_at":"2025-05-08T00:00:30.942Z","avatar_url":"https://github.com/worstcase.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cloudproxy\nA MITM proxy for tracking cloud API calls.\n\n## How it works\n`cloudproxy` functions like any other proxy. It doesn't do any caching; it logs request data to stdout and can optionally push it to graphite.\n\nIt can also \"hijack\" your SSL connections and peek into them. It does this like so:\n\n- SSL request comes in. By default proxies will simply act as a dumb conduit as the http client application will use `CONNECT`.\n- `cloudproxy` will make the request itself and re-encrypt the response with its own CA cert.\n- It will respond to the requestor with the data re-encrypted with its own cert.\n\nNormally this would generate an SSL verification warning/error. However, if you import the CA certificate `cloudproxy` is using for re-signing into your own SSL store as a trusted CA, you'll never know the difference. Meanwhile `cloudproxy` is able to see inside the request and extract information.\n\n## Requirements\n- `git`\n- `mercurial` _lol googlecode_\n- `bzr` _lol launchpad_\n- `go`\n\n## Building\nBefore anything will work, you need to generate a CA certificate:\n\n- `make ca`\n\nThis just wraps the openssl commands. You really should generate a CA certificate per installation. 
Answer all the questions for your CA's identity.\n\nNow you can build it.\n\n- `make clean all`\n\n- `bin/cloudproxy -h`\n\n```\n  -address=\"127.0.0.1\": IP to listen on\n  -batch_size=1000: The size of the buffer for sending to graphite. Metrics beyond this will block the proxy!\n  -debug=false: Enable debug logging (warning really noisy!)\n  -graphite_server=\"\": ip:port of the graphite server to use\n  -keyfile=\"pki/CA/private/ca.key.pem.clear\": Your MITM CA pem\n  -metric_prefix=\"cloudproxy\": The prefix for all metrics\n  -pemfile=\"pki/CA/certs/ca.cert.pem\": Your MITM CA pem\n  -port=3128: port to listen on\n  -tracking_header=\"x-dasein-id\": The header to use for correlating requests\n```\n\nNormally `cloudproxy` will just log data to stdout. If you set `--debug=true`, you'll get even more data. Otherwise you'll just get metrics logged to stdout. \n\nThis is nice and all but the real value comes when logging it to graphite. If you specify `--graphite_server=ip:port` pointing to a graphite (or graphite-compatible) server, it will shove all the collected metrics in there.\n\nBecause this was designed to be used as part of performance troubleshooting and metric gathering, cloudproxy can look for any header inside the original request specified with `-tracking_header=XXXXXX`. It will then namespace the metrics it collects based on that header. 
This allows you to correlate raw request data with some upstream api.\n\n## Verifying\n`http_proxy=127.0.0.1:3128 https_proxy=127.0.0.1:3128 curl -Iv https://google.com/`\n\nYou should get a failure from curl:\n\n```\n* Rebuilt URL to: https://google.com/\n* Hostname was NOT found in DNS cache\n*   Trying 127.0.0.1...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)\n* Establish HTTP proxy tunnel to google.com:443\n\u003e CONNECT google.com:443 HTTP/1.1\n\u003e Host: google.com:443\n\u003e User-Agent: curl/7.35.0\n\u003e Proxy-Connection: Keep-Alive\n\u003e \n\u003c HTTP/1.0 200 OK\nHTTP/1.0 200 OK\n\u003c \n\n* Proxy replied OK to CONNECT request\n* successfully set certificate verify locations:\n*   CAfile: none\n  CApath: /etc/ssl/certs\n* SSLv3, TLS handshake, Client hello (1):\n* SSLv3, TLS handshake, Server hello (2):\n* SSLv3, TLS handshake, CERT (11):\n* SSLv3, TLS alert, Server hello (2):\n* SSL certificate problem: self signed certificate in certificate chain\n* Closing connection 0\n```\n\nNow point curl to your ca cert:\n`http_proxy=127.0.0.1:3128 https_proxy=127.0.0.1:8080 curl --cacert pki/CA/certs/ca.cert.pem -Iv https://google.com`\n\nOh look, it validates!:\n\n```\n* Rebuilt URL to: https://google.com/\n* Hostname was NOT found in DNS cache\n*   Trying 127.0.0.1...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)\n* Establish HTTP proxy tunnel to google.com:443\n\u003e CONNECT google.com:443 HTTP/1.1\n\u003e Host: google.com:443\n\u003e User-Agent: curl/7.35.0\n\u003e Proxy-Connection: Keep-Alive\n\u003e \n\u003c HTTP/1.0 200 OK\nHTTP/1.0 200 OK\n\u003c \n```\n\n## Verifying with Java\nTo verify/use this with java, you'll need to import the CA pem as a trusted root into the keystore used by your jvm. On ubuntu, this defaults to `/etc/ssl/certs/java/cacerts`. 
The default keystore password is `changeit`.\n\nYou can import the CA pem with the following invocation:\n\n`keytool -import -trustcacerts -alias CloudProxyExternalCARoot -file pki/CA/certs/ca.cert.pem -keystore /etc/ssl/certs/java/cacerts`\n\nNow when you start your JVM and use the proxy (the method for specifying this is different per java application), you'll be going through the proxy.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworstcase%2Fcloudproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fworstcase%2Fcloudproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworstcase%2Fcloudproxy/lists"}