@flokli
Created January 8, 2025 19:25
mitmproxy for nix builds
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p minica -p mitmproxy
set -e

# Insert (-A) or delete (-D) the NAT rules that send HTTP and HTTPS traffic
# originating from the nixbld group to the transparent proxy on port 8080.
redirect_rules() {
  local action=$1
  for fw in iptables ip6tables; do
    for port in 80 443; do
      sudo "$fw" -t nat "$action" OUTPUT -p tcp -m owner --gid-owner nixbld --dport "$port" -j REDIRECT --to-port 8080
    done
  done
}

echo "Creating CA key and certificate, as well as wildcard cert"
# minica refuses to overwrite existing files, so tolerate reruns; the '*' cert lands in ./_/
minica -domains '*' || true

echo "Assembling chain.pem"
# mitmproxy --certs wants leaf cert, issuing CA and the leaf's private key in one PEM file
(openssl x509 -text <./_/cert.pem && openssl x509 -text <./minica.pem && cat ./_/key.pem) > chain.pem

echo "Redirecting traffic"
redirect_rules -A
# Remove the rules again even if mitmproxy exits non-zero or the script is interrupted;
# with set -e a plain sequence of -D lines would be skipped and leave nixbld traffic black-holed.
trap 'echo "Disabling traffic redirection"; redirect_rules -D' EXIT

echo "Running mitm proxy"
sudo systemd-run --collect --wait --unit mitmproxy --pipe -p DynamicUser=yes -p User=mitmproxy -p Environment=HOME=/tmp -p BindReadOnlyPaths="$PWD/chain.pem:/tmp/chain.pem" -p KillSignal=SIGKILL --working-directory=/tmp -- "$(which mitmproxy)" -m transparent --certs '*=/tmp/chain.pem' --showhost
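A check worth running before handing chain.pem to mitmproxy: confirm that the leaf actually chains to minica.pem and that the private key in the bundle belongs to that leaf, since a mismatched key breaks every intercepted TLS handshake. The script below is an added example, not part of the gist and not minica's or mitmproxy's own code; it stands in for minica with plain openssl so it runs offline, mirrors the gist's file layout (leaf in ./_/, CA as minica.pem, bundle as chain.pem), and all names and paths in it are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: build a throwaway CA plus wildcard leaf with
# openssl (standing in for minica), assemble chain.pem in the gist's layout
# (leaf cert, issuing CA, leaf key) and verify the bundle before pointing
# mitmproxy --certs at it. All paths and names below are constructed for this demo.
set -eu

# make_bundle DIR: writes DIR/minica.pem, DIR/_/cert.pem, DIR/_/key.pem and DIR/chain.pem
make_bundle() {
  local dir=$1
  mkdir -p "$dir/_"
  # self-signed CA; openssl req -x509 marks it as a CA by default
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/minica-key.pem" \
    -out "$dir/minica.pem" -subj "/CN=demo mitm CA" -days 30 >/dev/null 2>&1
  # wildcard leaf signed by that CA (minica puts the '*' cert under ./_/)
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/_/key.pem" \
    -out "$dir/_/leaf.csr" -subj "/CN=*" >/dev/null 2>&1
  openssl x509 -req -in "$dir/_/leaf.csr" -CA "$dir/minica.pem" -CAkey "$dir/minica-key.pem" \
    -CAcreateserial -out "$dir/_/cert.pem" -days 30 >/dev/null 2>&1
  # same order as the gist: leaf, issuing CA, then the leaf's private key
  cat "$dir/_/cert.pem" "$dir/minica.pem" "$dir/_/key.pem" > "$dir/chain.pem"
}

# verify_bundle DIR: succeeds only if the first cert in chain.pem chains to
# minica.pem and the private key in chain.pem belongs to that cert
verify_bundle() {
  local dir=$1 chain="$1/chain.pem" cert_pub key_pub
  # 1. the leaf must be signed by the CA that the intercepted client is expected to trust
  openssl verify -CAfile "$dir/minica.pem" "$dir/_/cert.pem" >/dev/null 2>&1 || return 1
  # 2. the public half of the bundled key must equal the leaf's public key;
  #    compare SHA-256 digests of the DER SubjectPublicKeyInfo of both
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$chain" | openssl pkey -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# demo: build a bundle in a temp dir, verify it, report, clean up
demo() {
  local work
  work=$(mktemp -d)
  make_bundle "$work"
  if verify_bundle "$work"; then
    echo "chain.pem ok: leaf chains to minica.pem and the bundled key matches it"
  else
    echo "chain.pem BROKEN: do not hand this to mitmproxy" >&2
  fi
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `./check-chain.sh --demo`. To check the gist's real output instead, point `verify_bundle` at the directory holding minica.pem, ./_/ and chain.pem. Whatever runs inside the redirected build still has to trust minica.pem for the interception to succeed; a client that does not will see a certificate error rather than a decrypted session.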