在子网网关机器上配置
# 配置
PROXY_HOST=192.168.0.100
PROXY_HTTP_PORT=8080
PROXY_HTTPS_PORT=8083
NET_INTERFACE=eth0
IPTABLES_PARAMS="-i ${NET_INTERFACE}"
# 可选,ip过滤
ipset create http_redirect_ips hash:ip
ipset add http_redirect_ips 11.22.33.44 # example.com
IPTABLES_PARAMS="${IPTABLES_PARAMS} -m set --match-set http_redirect_ips dst"
# 设置重定向
iptables -t nat -N HTTPS_REDIRECT
iptables -t nat -A PREROUTING -j HTTPS_REDIRECT
iptables -t nat -A HTTPS_REDIRECT -p tcp --dport 443 -j DNAT --to-destination ${PROXY_HOST}:${PROXY_HTTPS_PORT} ${IPTABLES_PARAMS}
iptables -t nat -A HTTPS_REDIRECT -p tcp --dport 80 -j DNAT --to-destination ${PROXY_HOST}:${PROXY_HTTP_PORT} ${IPTABLES_PARAMS}
iptables -t nat -A POSTROUTING -o "$NET_INTERFACE" -j MASQUERADE
# 删除重定向
iptables -t nat -D POSTROUTING -o "$NET_INTERFACE" -j MASQUERADE
iptables -t nat -D PREROUTING -j HTTPS_REDIRECT
iptables -t nat -F HTTPS_REDIRECT
iptables -t nat -X HTTPS_REDIRECT
ipset destroy http_redirect_ips
脚本格式:
function onLoad() {
log_info("loaded");
}
function onRequest(req, res) {
log_info("onRequest");
return req;
}
function onResponse(req, res) {
log_info("onResponse");
return res;
}
proxy.js: 打印req/resp, 并可输出日志到文件。
不使用 https.proxy.redirect来重定向连接,已经在上面自己手动配置了iptables
set https.proxy.script proxy.js
set https.proxy.sslstrip true
set https.proxy.redirect false
set https.proxy.port 8083
set https.proxy.address 0.0.0.0
set https.proxy.certificate ./cert/ca.crt
set https.proxy.key ./cert/ca.key
set http.proxy.script proxy.js
set http.proxy.redirect false
set http.proxy.port 8080
set http.proxy.address 0.0.0.0
# set http.proxy.blacklist *
# set http.proxy.whitelist xxx.com
# set https.proxy.blacklist *
# set https.proxy.whitelist xxx.com
https.proxy on
http.proxy on
请求和响应将会流经proxy.js的回调代码。 需要权限运行bettercap
bettercap -caplet proxy.cap