Table of Contents
Defined in /modules/blocks/mitmdump.nix.
This block sets up an Mitmdump service in reverse proxy mode. In other words, you can put this block between a client and a server to inspect all the network traffic.
Multiple instances of mitmdump all listening on different ports and proxying to different upstream servers can be created.
The systemd service is made so it is started only when the mitmdump instance has started listening on the expected port.
Put mitmdump in front of a HTTP server listening on port 8000 on the same machine:
shb.mitmdump.instances."my-instance" = {
listenPort = 8001;
upstreamHost = "http://127.0.0.1";
upstreamPort = 8000;
after = [ "server.service" ];
};
upstreamHost has its default value here and can be left out.
Put mitmdump in front of a HTTP server listening on port 8000 on another machine:
shb.mitmdump.instances."my-instance" = {
listenPort = 8001;
upstreamHost = "http://otherhost";
upstreamPort = 8000;
after = [ "server.service" ];
};
Replace http with https if the server expects an HTTPS connection.
Let’s assume a server is listening on port 8000
which responds a plain text response test1
and its related systemd service is named test1.service.
Sorry, creative naming is not my forte.
Let’s put an mitmdump instance in front of it, like so:
shb.mitmdump.instances."test1" = {
listenPort = 8001;
upstreamPort = 8000;
after = [ "test1.service" ];
};
This creates an mitmdump-test1.service systemd service.
We can then use journalctl -u mitmdump-test1.service to see the output.
If we make a curl request to it: curl -v http://127.0.0.1:8001,
we will get the following output:
mitmdump-test1[971]: 127.0.0.1:40878: GET http://127.0.0.1:8000/ HTTP/1.1
mitmdump-test1[971]: Host: 127.0.0.1:8000
mitmdump-test1[971]: User-Agent: curl/8.14.1
mitmdump-test1[971]: Accept: */*
mitmdump-test1[971]: << HTTP/1.0 200 OK 5b
mitmdump-test1[971]: Server: BaseHTTP/0.6 Python/3.13.4
mitmdump-test1[971]: Date: Thu, 31 Jul 2025 20:55:16 GMT
mitmdump-test1[971]: Content-Type: text/plain
mitmdump-test1[971]: Content-Length: 5
mitmdump-test1[971]: test1
Specific integration tests are defined in /test/blocks/mitmdump.nix.
shb.mitmdump.instances
Mitmdump instance.
Type: attribute set of (submodule)
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/mitmdump.nix>
|
shb.mitmdump.instances.<name>.after
Systemd services that must be started before this mitmdump proxy instance.
You are guaranteed the mitmdump is listening on the listenPort
when its systemd service has started.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/blocks/mitmdump.nix>
|
shb.mitmdump.instances.<name>.listenPort
Port the mitmdump instance will listen to.
The upstream port from the client’s perspective.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
<selfhostblocks/modules/blocks/mitmdump.nix>
|
shb.mitmdump.instances.<name>.upstreamHost
Host the mitmdump instance will connect to.
If only an IP or domain is provided, mitmdump will default to connect using HTTPS. If this is not wanted, prefix the IP or domain with the ‘http://’ protocol.
Type: string
Default:
"http://127.0.0.1"
Declared by:
<selfhostblocks/modules/blocks/mitmdump.nix>
|
shb.mitmdump.instances.<name>.upstreamPort
Port the mitmdump instance will connect to.
The port the server is listening on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
<selfhostblocks/modules/blocks/mitmdump.nix>
|