§soth-mitm
Rust intercepting proxy crate with deterministic handler/event contracts.
soth-mitm provides a MITM (man-in-the-middle) proxy that intercepts HTTP/1.1,
HTTP/2, WebSocket, gRPC, and SSE traffic over TLS. It exposes a trait-based
handler API that lets you inspect, allow, or block requests in real time.
§Quick Start
```rust
use bytes::Bytes;
use soth_mitm::{
    HandlerDecision, InterceptHandler, MitmConfig, MitmProxyBuilder, RawRequest,
};

struct MyHandler;

impl InterceptHandler for MyHandler {
    // Called with each intercepted request; the returned decision allows or blocks it.
    async fn on_request(&self, request: &RawRequest) -> HandlerDecision {
        // Answer any request whose path contains "/blocked" with a 403 response.
        if request.path.contains("/blocked") {
            return HandlerDecision::Block {
                status: 403,
                body: Bytes::from_static(b"blocked"),
            };
        }
        HandlerDecision::Allow
    }
}

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut config = MitmConfig::default();
    // Add api.example.com:443 to the interception destinations.
    config
        .interception
        .destinations
        .push("api.example.com:443".to_string());
    // Build the proxy; this example constructs it but does not run it.
    let _proxy = MitmProxyBuilder::new(config, MyHandler).build()?;
    Ok(())
}
```

§Feature Flags
| Flag | Default | Description |
|---|---|---|
| `openssl-backend` | off | Enables OpenSSL-based CA material validation on cert load |
| `__internal` | off | Exposes internal modules for integration tests — not stable API |
§Minimum Supported Rust Version
This crate requires Rust 1.88 or later.
§License
Licensed under the Mozilla Public License 2.0.
Structs§
- `BodyConfig`
- `Bytes`: A cheaply cloneable and sliceable chunk of contiguous memory.
- `CertificateAuthority`: A certificate authority used for TLS interception.
- `ConnectionMeta`: Metadata about the downstream connection (socket, TLS, process attribution).
- `ConnectionPoolConfig`
- `FlowId`: Newtype wrapping a `u64` flow identifier for type-safe flow tracking.
- `FlowRuntimeConfig`
- `HandlerConfig`
- `HeaderMap`: A specialized multimap for header names and values.
- `InterceptionScope`
- `MitmConfig`: Top-level proxy configuration.
- `MitmProxy`: The intercepting proxy instance, ready to run or start as a background task.
- `MitmProxyBuilder`: Builder for constructing a `MitmProxy` instance.
- `MitmProxyHandle`: Handle to a running proxy, providing shutdown, config reload, and metrics access.
- `ProcessAttributionConfig`
- `ProcessInfo`: Information about the local process that owns the downstream socket.
- `ProxyMetrics`: Point-in-time snapshot of proxy operational metrics.
- `RawRequest`: An intercepted HTTP request passed to the handler.
- `RawResponse`: An intercepted HTTP response passed to the handler.
- `StreamChunk`: A streaming data frame (SSE, NDJSON, gRPC, or WebSocket) delivered to the handler.
- `TlsConfig`
- `TlsInfo`: TLS metadata for the downstream connection.
- `UpstreamConfig`
- `Uuid`: A Universally Unique Identifier (UUID).
Enums§
- `CaError`: Error returned by certificate authority operations (generate, load, trust install).
- `FrameDirection`: Direction of a WebSocket frame.
- `FrameKind`: Discriminant for streaming frame types delivered via `StreamChunk`.
- `H2ResponseOverflowMode`
- `HandlerDecision`: Decision returned by `InterceptHandler::on_request`.
- `InterceptMode`: Controls whether the proxy runs in observe-only or store-and-forward mode.
- `MitmError`: Top-level error returned by proxy lifecycle operations.
- `SocketFamily`: Socket address family for the downstream connection.
- `TlsVersion`: TLS protocol version.
Traits§
- `InterceptHandler`: Trait for intercepting and inspecting proxy traffic.
Functions§
- `generate_ca`: Generates a new self-signed CA keypair for TLS interception.
- `install_ca_system_trust`: Installs the CA into the system trust store (platform-specific).
- `is_ca_trusted`: Checks whether a CA with the given fingerprint is installed in the system trust store.
- `load_ca`: Loads a CA from in-memory PEM-encoded certificate and key bytes.
- `load_ca_from_files`: Loads a CA from PEM files on disk.
- `uninstall_ca_system_trust`: Removes the soth-mitm CA from the system trust store.