RFC: Support for MITM Proxy in Computer Use Requests

[jwalsh]

Summary

Add built-in support for MITM proxy configuration across all computer use requests, enabling secure traffic inspection and debugging capabilities.

Background

Currently, configuring MITM proxy support requires manual certificate installation and environment configuration for each application (shell, Python, Firefox). This process should be streamlined and standardized across all computer use requests.

Motivation

• Enable secure debugging and testing of HTTPS traffic
• Simplify proxy configuration across different applications
• Provide consistent behavior for all network requests
• Support common development and testing workflows

Detailed Design

1. Certificate Management

• Automatically detect MITM proxy certificate at standard location (~/.mitmproxy/mitmproxy-ca-cert.pem)
• Install certificate in system-wide trust store (/usr/local/share/ca-certificates/)
• Configure application-specific certificate stores:
  • Firefox ESR profile directory
  • Python certificate store
  • System CA store

2. Environment Configuration

Automatically set proxy-related environment variables:

HTTP_PROXY="http://proxy:8080"
HTTPS_PROXY="http://proxy:8080"
NO_PROXY="localhost,127.0.0.1"
REQUESTS_CA_BUNDLE="/usr/local/share/ca-certificates/mitmproxy-ca-cert.crt"

3. Application-Specific Configuration

Firefox ESR

certutil -d sql:$HOME/.mozilla/firefox-esr/*/default-esr*/ -A -t "C,," -n "mitmproxy" -i /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt

Python Requests

import os
os.environ['REQUESTS_CA_BUNDLE'] = '/usr/local/share/ca-certificates/mitmproxy-ca-cert.crt'

Shell Commands

export http_proxy="http://proxy:8080"
export https_proxy="http://proxy:8080"

Configuration Options

proxy:
  enabled: true
  host: "proxy"
  port: 8080
  cert_path: "~/.mitmproxy/mitmproxy-ca-cert.pem"
  applications:
    - firefox
    - python
    - shell
  bypass:
    - "localhost"
    - "127.0.0.1"

Implementation Steps

1. Proxy Detection

   • Check for proxy environment variables
   • Verify proxy connectivity
   • Locate MITM certificate

2. Certificate Installation

   • Copy certificate to system store
   • Update certificate databases
   • Configure application-specific stores

3. Environment Setup

   • Set proxy variables
   • Configure certificate paths
   • Set up application-specific proxy settings

4. Validation

   • Verify certificate installation
   • Test proxy connectivity
   • Confirm HTTPS interception

Security Considerations

1. Certificate Validation

   • Verify certificate authenticity
   • Prevent unauthorized certificate installation
   • Maintain chain of trust

2. Proxy Access Control

   • Restrict proxy access to authorized users
   • Implement bypass rules for sensitive traffic
   • Log proxy usage

Backwards Compatibility

• Maintain support for non-proxied connections
• Provide fallback mechanisms
• Allow manual configuration override

Testing Requirements

1. Certificate Installation

   # Verify system certificate
   sudo update-ca-certificates --verbose
   # Check Firefox certificate
   certutil -d sql:$HOME/.mozilla/firefox-esr/*/default-esr*/ -L | grep mitmproxy

2. Proxy Connectivity

   # Test HTTPS request
   curl -v https://example.com
   # Verify Python requests
   python3 -c "import requests; print(requests.get('https://example.com').status_code)"

Open Questions

1. How should certificate expiration be handled?
2. What is the preferred method for handling proxy authentication?
3. Should there be a UI for proxy configuration?

Future Work

• Support for additional browsers (Chrome, Safari)
• Custom certificate management UI
• Proxy authentication handling
• Traffic filtering rules
• Performance optimization

Timeline

• Phase 1: Basic proxy support (1 week)
• Phase 2: Certificate management (1 week)
• Phase 3: Application integration (2 weeks)
• Phase 4: Testing and validation (1 week)

References

1. MITM Proxy documentation
2. Mozilla NSS tools documentation
3. Python requests library documentation
4. Ubuntu certificate management guides

[jwalsh]

npm config set cafile /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt

[jwalsh]

# Install and validate certs with minimal tools
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-arm64
sudo keytool -importcert -alias mitmproxy -keystore $JAVA_HOME/lib/security/cacerts -file /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt -storepass changeit
mkdir -p /home/computeruse/.deps.clj/1.12.0.1479/ClojureTools/
curl -k -L https://github.com/clojure/brew-install/releases/download/1.12.0.1479/clojure-tools.zip -o /home/computeruse/.deps.clj/1.12.0.1479/ClojureTools/clojure-tools.zip
bb -e '(try (babashka.http-client/get "https://github.com") (println "OK") (catch Exception e (println "Error:" (ex-message e))))'