Show HN: Forwarder – FOSS MITM proxy written in Go (opens in new tab)

(forwarder-proxy.io)

78 pointsmichalmatczuk2y ago17 comments

I'm working at Sauce Labs on a fast MITM proxy.

If you are using mitmproxy, Fiddler or Charles proxy in your job I believe you'll find it invaluable.

Forwarder 1.1 is now available, complete with a Grafana Dashboard for effortless monitoring. We are committed to making it great.

I welcome your feedback.

Cheers Michał

17 comments

Snawoot2y ago

Great! Here is the feedback: https://github.com/saucelabs/forwarder/issues/616

michalmatczukOP2y ago

Sent a PR to fix that https://github.com/saucelabs/forwarder/pull/617.

michalmatczukOP2y ago

Thank you, looks like we could apply some hardening here indeed.

epicfeedback2y ago

This is incredible feedback, good eye

remram2y ago

> If you are using mitmproxy, Fiddler or Charles proxy in your job I believe you'll find it invaluable.

Why? Do you have a comparison? Or even a list of your features, beyond the 6 bullet points on your homepage?

jzelinskie2y ago

For those with blocking rules around newly registered DNS: https://github.com/saucelabs/forwarder

ronsor2y ago

> blocking rules around newly registered DNS

Why is this even a thing?

tedunangst2y ago

Moderately effective anti phishing. Your real bank's domain is older than last week.

1 more reply

visualphoenix2y ago

Wish this had a caching feature… Setting up squid as a https caching forward proxy in docker is a pain.

michalmatczukOP2y ago

That's not currently on the roadmap.

Please file an issue, we'll see what we can do.

toasted-subs2y ago

I'm not too versed on these, but why not use nginx?

sakjur2y ago

Nginx is built as a reverse proxy, useful to intercept traffic coming in to a server and route it to the correct service. This is the opposite, I guess we can call it an obverse proxy: it sits near a client and allows the owner (or a malicious party) of the client to intercept the traffic as it leaves the client. A former employer of mine used something like this to gain access to the API calls being made from iPhone apps, but you could use it to say attach authentication to calls heading a certain way (think what AWS is doing to make service to service calls work transparently to the user) or tons of other stuff (blocking content, if you’re so inclined).

I haven’t tried to use nginx as an MITM proxy or this project at all, but presumably it’s easier to use this when your usecase lies closer to the client than the server and vice versa.

8organicbits2y ago

Tools like Fiddler allow traffic modification based on rules, so you can tamper traffic. Forwarder doesn't appear to allow modification (other than headers?) so I think it's about logging traffic and collecting metrics. Still looking at the docs, I could have missed something.

michalmatczukOP2y ago

Good point. We are getting stated.

Here's draft proposal for 1.3 to add this feature https://github.com/saucelabs/forwarder/issues/584.

The idea is to allow users work in JavaScript with Go http.Request and http.Request. Interop between Go and JS in Goja is very good.

sigmonsays2y ago

am i reading this correctly that it could be used as an adblock?

is the PAC format powerful enough to handle everything that current adblockers do?

michalmatczukOP2y ago

You have a lot of flexibility with PAC files, so I guess that's possible. Some PAC files can be quite complex.

Another option would be using --deny-domains it accepts a list of regular expressions, you can prefix an item with - to exclude it.

https://forwarder-proxy.io/cli/forwarder_run/#deny-domains

j / k navigate · click thread line to collapse

17 comments

Snawoot2y ago

Great! Here is the feedback: https://github.com/saucelabs/forwarder/issues/616

michalmatczukOP2y ago

Sent a PR to fix that https://github.com/saucelabs/forwarder/pull/617.

michalmatczukOP2y ago

Thank you, looks like we could apply some hardening here indeed.

epicfeedback2y ago

This is incredible feedback, good eye

remram2y ago

> If you are using mitmproxy, Fiddler or Charles proxy in your job I believe you'll find it invaluable.

Why? Do you have a comparison? Or even a list of your features, beyond the 6 bullet points on your homepage?

jzelinskie2y ago

For those with blocking rules around newly registered DNS: https://github.com/saucelabs/forwarder

ronsor2y ago

> blocking rules around newly registered DNS

Why is this even a thing?

tedunangst2y ago

Moderately effective anti phishing. Your real bank's domain is older than last week.

1 more reply

visualphoenix2y ago

Wish this had a caching feature… Setting up squid as a https caching forward proxy in docker is a pain.

michalmatczukOP2y ago

That's not currently on the roadmap.

Please file an issue, we'll see what we can do.

toasted-subs2y ago

I'm not too versed on these, but why not use nginx?

sakjur2y ago

I haven’t tried to use nginx as an MITM proxy or this project at all, but presumably it’s easier to use this when your usecase lies closer to the client than the server and vice versa.

8organicbits2y ago

michalmatczukOP2y ago

Good point. We are getting stated.

Here's draft proposal for 1.3 to add this feature https://github.com/saucelabs/forwarder/issues/584.

The idea is to allow users work in JavaScript with Go http.Request and http.Request. Interop between Go and JS in Goja is very good.

sigmonsays2y ago

am i reading this correctly that it could be used as an adblock?

is the PAC format powerful enough to handle everything that current adblockers do?

michalmatczukOP2y ago

You have a lot of flexibility with PAC files, so I guess that's possible. Some PAC files can be quite complex.

Another option would be using --deny-domains it accepts a list of regular expressions, you can prefix an item with - to exclude it.

https://forwarder-proxy.io/cli/forwarder_run/#deny-domains

j / k navigate · click thread line to collapse