Passing response to upstream proxy only in certain cases - mitmproxy

I am trying to implement routing in this manner:
                                                                    no
client --> mitmproxy --> (check if hostname is in list of accepted) --> upstream proxy response
                                             |
                                             | yes
                                             |
                         intercept response, check, return to client
                         + don't allow to propagate upstream
I'm trying to implement a dynamic filter which will override the upstream proxy in some cases, and not in other cases.
I have a workaround method which is to have two mitm proxies, one which filters requests and chooses which proxy to use (upstream proxy or filter proxy) and then the filter proxy which inspects the content.

Related

Vertx reverse proxy redirect handling

I'm pretty new to Vertx, I'm building a reverse proxy on Quarkus.
I need to handle a redirect response from my Apache to my Quarkus reverse proxy, so that my Client doesn't get redirected directly to the Apache server (bypassing the proxy).
Resource is located in custom.url/myResource/index.php
My reverse proxy is running on localhost:8080
Basically what happens is:
Browser sends a GET request on localhost:8080/myResource, Quarkus is listening on 8080 so he receives the request, remaps the url to custom.url/myResource and forwards to Apache.
Apache creates a redirect response, because a slash was missing at the end of the url, so he sends a 301 response with the Location header set to custom.url/myResource/ (with slash at the end) to the Quarkus reverse proxy.
Quarkus will forward the redirect response (301 custom.url/myResource/) to the Client, so he will make a GET call straight to custom.url/myResource/ bypassing the Reverse Proxy.
This behavior is not acceptable, since I can't allow the client to know the resource address of my backend service.
Code snippet
Route route = this.proxyRouter.route(method, path)
    .handler(CorsHandler.create("*"))
    .handler(LoggerHandler.create())
    .handler(ctx -> {
        // need to create a handler to handle this behaviour
        ctx.next(); // pass the request on to the proxy handler
    })
    .handler(ProxyHandler.create(myProxy));
What I have to do is basically set the Location header of the response to the correct path, including the slash.
I tried to get the request.absoluteURI() hostname, the response subdomain (with the slash) and merge them together.
request URI: localhost:8080/myResource -> localhost:8080 (1)
response Location: custom.url/myResource/ -> /myResource/ (2)
So I get the wanted Location header by merging (1) and (2): localhost:8080/myResource/
Logically this works, but I don't know where and if I'm able to do this inside the handler, or if I need to do it some other way. I tried to implement this logic inside the handler, but I'm only able to get the request URI, there was no way to find the 301 response.
Need help plz.
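The merge of (1) and (2) described in the question above, as an added example that is not part of the original post: a plain-JDK helper that moves a backend `Location` value onto the proxy's public origin so the backend address never reaches the client. The class name `LocationRewriter` and the sample URLs are assumptions; it has to be called from wherever the proxy exposes the backend response before that response is sent on.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class LocationRewriter {
    private final URI backend;    // origin the proxy forwards to (assumed value below)
    private final URI publicBase; // origin the client talks to (assumed value below)

    public LocationRewriter(String backendOrigin, String publicOrigin) {
        this.backend = URI.create(backendOrigin);
        this.publicBase = URI.create(publicOrigin);
    }

    /** Returns the Location value to send to the client. */
    public String rewrite(String location) {
        URI loc;
        try {
            loc = new URI(location);
        } catch (URISyntaxException e) {
            // Fail closed: never forward a value that could not be inspected.
            return publicBase + "/";
        }
        // Relative redirects already resolve against the proxy's own origin.
        if (loc.getHost() == null) return location;
        // Match on host only, so the backend host is hidden whatever the port.
        if (!loc.getHost().equalsIgnoreCase(backend.getHost())) return location;
        // Keep the raw (still percent-encoded) path, query and fragment.
        StringBuilder out = new StringBuilder(publicBase.getScheme())
                .append("://").append(publicBase.getRawAuthority())
                .append(loc.getRawPath().isEmpty() ? "/" : loc.getRawPath());
        if (loc.getRawQuery() != null) out.append('?').append(loc.getRawQuery());
        if (loc.getRawFragment() != null) out.append('#').append(loc.getRawFragment());
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values based on the hosts named in the question.
        LocationRewriter r = new LocationRewriter("http://custom.url", "http://localhost:8080");
        String[] samples = {
            "http://custom.url/myResource/",       // backend redirect: rewritten
            "/myResource/",                        // relative: unchanged
            "http://CUSTOM.URL:80/a%20b/?x=1#top", // case and encoding preserved
            "https://login.example.org/sso",       // other site: unchanged
        };
        for (String s : samples) System.out.println(s + " -> " + r.rewrite(s));
    }
}
```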

How to disable upstream proxy based on request.url in mitmproxy

Is it possible to disable upstream proxy in Mitmproxy for request based on request properties (for example URL)?

filter traffic with client dynamic IP

We have IP filtering at F5 along with SSL authentication.
Now the issue is that the client application has moved to the cloud and its IP address/subnet will both vary dynamically from time to time. When the client calls our web services, how do we allow them (how do we filter them)?
I have workaround solutions as below, but I am looking for an apt one at the F5 layer itself.
Keep a proxy in front of the client and configure the proxy IP in IP filtering
Ask the client to send some custom header and authenticate using that header's key/value pairs (which can be insecure too)

Zuul RibbonRoutingFilter Content-Encoding gzip response

In our setup, we are accessing the Node JS server through Zuul and Sidecar.
When we invoke the JavaScript resources with the Accept-Encoding=[gzip] header, Node JS returns a compressed file with the Content-Encoding=[gzip] header. But if the same request is routed through Zuul we are getting a decompressed response.
Based on our analysis we found that
When the request is forwarded to downstream systems based on service id, zuul is using the ribbon load balanced routing filter. In this process, the apache HTTP client removes the below headers from response in ResponseContentEncoding class
o "Content-Length"
o "Content-Encoding"
o "Content-MD5"
Because of that, the content is automatically decompressed in Zuul and sent to the caller.
When the request is forwarded to downstream systems based on URL, zuul is using simple host routing filter. In this flow, disableContentCompression method is used while building the HTTP client so the content is sent to the caller without decompressing.
Please let me know of any specific reason for not using disableContentCompression in ribbonloadbalancedroutingfilter route and let me know of any workaround to resolve this?
Environment :
Spring Cloud version: Dalston.SR2
Spring Boot: 1.5.4.RELEASE

Difference between sip proxy and sip outbound proxy

I'm a little bit confused about sip proxy and sip outbound proxy. What is the basic difference between sip proxy and sip outbound proxy? Is it mandatory to use sip outbound proxy along with sip proxy? Can anyone point out for me, from the below image, which one is the sip proxy and which the outbound proxy?
As per your attached picture, it should be:
User Agent: Client
SIP outbound proxies: SIP Proxy port 5060 & SIP Proxy port 5070 when they're receiving incoming request from UA
A sip proxy can be understood as an "outbound proxy" or an "inbound proxy".
A detailed explanation can be described as below:
"Pretend you are a SIP User Agent, perhaps a very simple UA that
doesn't even do DNS lookups.
A call coming to you is "inbound".
It may hit your home proxy first, and receive treatment such as being
proxied to you based on your registered contact. This is an "inbound
service", and your home proxy is acting as an "inbound proxy".
Now you want to make a call. Since you're making the call, it is going
"out", or can be called "outbound". You send this call to a proxy,
which looks up the request URI in DNS and sends the call on towards
its destination. This proxy is providing the "outbound service" of DNS
resolution, and is acting as an "outbound proxy" for this call.
On any call there may be any number of inbound and outbound proxies
and services. Some proxies may even provide both sorts for a single
call.
Assume the simple network UA1----P1----P2----UA2
UA1 places a call to UA2."
//refer: https://www.ietf.org/mail-archive/web/sip/current/msg06276.html
SIP Proxy
A SIP proxy server receives a SIP request from a user agent or another
proxy and acts on behalf of the user agent in forwarding or responding
to the request.
Sip Outbound Proxy
An outbound Proxy: A proxy that receives requests from a client, even
though it may not be the server resolved by the Request-URI.
Typically, a SIP user agent is manually configured with an outbound proxy, or
can learn about one through auto-configuration protocols.
Basically they are the same, the only difference, is that SIP Proxy treats requests both for UAC (client) and UAS (server), but SIP Outbound Proxy receives requests from UAC.
And, no, it's not mandatory to use SIP Outbound Proxy along with SIP Proxy.
As for the scheme in your image, these are not proxy servers, but registrar servers, which are used to register requests of the users and keep the information from these requests.