MITM configuration standard

[mnatan]

We want to support 2 whitelist types:

1. passthrough - does not decrypt HTTPS
2. inspected - decrypts HTTPS. Requires trusting MITM CA.

By default, we should deny all other traffic

Additionally, MITM supports TCP proxying, so we should be able to create rules for non-HTTP traffic, like LDAP or SMTP.

Definition of done

• [ ] Learn about MITM Filter Expressions
• [ ] run MITM either locally or in the cloud and test the config (might be easier to use non-transparent mode for testing)
• [ ] propose how the configuration should look in terraform
• [ ] propose how to store the configuration in the cloud (GCS, firewall rule descriptions, or other)
• [ ] document the configuration in Readme
• [ ] optionally: provide reference implementation in terraform

[mnatan]

MITM proxy supports our whitelist use case like this:

mitmweb --set block_list="/!(~d google.com | ~d facebook.com)/444" --set ignore_hosts="~d google.com | ~d facebook.com"

but ignore_hosts completely removes the access log, which is an issue.

Alternative projects to consider:

• [ ] https://github.com/sonertari/SSLproxy
• [ ] https://github.com/e2guardian/e2guardian
• [ ] https://github.com/snail007/goproxy

Found here: https://github.com/topics/transparent-proxy

[mnatan]

Closing for now - we might revisit this in the future but these projects did not meet our expectations. We will use Squid proxy.