Transparent mode starts mitmdump --mode transparent inside the sidecar and redirects local outbound TCP 80/443 traffic to the mitmproxy listener via iptables. Its core benefits are:
- No application changes: no need to set `HTTP_PROXY`; app traffic is intercepted transparently.
- Observability and extensibility: use mitm scripts for header injection, auditing, and debugging.
- Controlled bypass: use `ignore_hosts` for pass-through TLS (forward only, no decryption).
Typical use case: add L7 visibility/processing at the egress boundary without changing the application networking stack.
Prerequisites:
- Linux network namespace with `CAP_NET_ADMIN` in the container (needed for the `iptables` redirect rules).
- `mitmdump` installed and a `mitmproxy` user present in the image (included in the official egress image).
- Client/system trusts the mitm root CA; otherwise HTTPS handshakes will fail.
```bash
export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
```

By default, mitmproxy listens on 18081 and transparent redirect rules are set automatically.

```bash
# Optional: change listening port (default: 18081)
export OPENSANDBOX_EGRESS_MITMPROXY_PORT=18081
# Optional: enable mitm addon script (e.g., inject request headers)
export OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/opt/opensandbox/mitmscripts/add_header.py
# Optional: bypass decryption for selected domains (semicolon-separated regex list)
export OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS='.*\.log\.aliyuncs\.com;.*\.example\.internal'
```

| Variable | Required | Purpose | Default |
|---|---|---|---|
| `OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT` | Yes | Enable transparent mitmproxy (`1`/`true`/`on`, etc.) | Disabled |
| `OPENSANDBOX_EGRESS_MITMPROXY_PORT` | No | `mitmdump` listen port; `iptables` redirects 80/443 here | `18081` |
| `OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT` | No | mitm addon script path (passed as `-s`) | Empty |
| `OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS` | No | Host/IP regex list for TLS pass-through (`;` separated) | Empty |
| `OPENSANDBOX_EGRESS_MITMPROXY_CONFDIR` | No | mitm config and CA directory (passed as `--set confdir=`, also used as `HOME`) | Default directory under `/var/lib/mitmproxy` |
| `OPENSANDBOX_EGRESS_MITMPROXY_UPSTREAM_TRUST_DIR` | No | Trust directory for upstream TLS verification (OpenSSL style) | `/etc/ssl/certs` |
Notes:
- `OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS` means no decryption, not "completely bypass the mitm process": matching connections are still redirected to mitmproxy, which forwards the TLS bytes upstream without terminating them.
- In transparent mode, mitmproxy generally recommends matching by IP/range, because the redirected destination is an IP address and a hostname is only known if the client sends SNI; verify SNI/resolve behavior before relying on domain regexes alone.
- Until mitm, `iptables`, and CA export are ready, `GET /healthz` returns `503 (mitm not ready)` to prevent premature readiness.
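The two notes above are easy to verify offline. The following Python is an added example for this page, not code from the egress image or from mitmproxy: it parses a semicolon-separated `ignore_hosts` list the way the variable is documented, rejects malformed regexes up front, and approximates mitmproxy's check (assumption: each regex is searched against the connection's `host:port` forms, IP first and SNI if present) to show that a domain-only regex stops matching when no SNI is available. The list value, IP addresses and hostnames are constructed for illustration.

```python
import re
from typing import List, Optional, Pattern

# Constructed value mirroring the page's example configuration (not read
# from the real sidecar environment here).
IGNORE_HOSTS_ENV = r".*\.log\.aliyuncs\.com;.*\.example\.internal"


def parse_ignore_hosts(value: str) -> List[Pattern[str]]:
    """Split the semicolon-separated list and compile every entry.

    A malformed regex raises immediately, so a typo cannot silently
    disable pass-through for a host that must not be decrypted.
    """
    patterns: List[Pattern[str]] = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            patterns.append(re.compile(raw))
        except re.error as exc:
            raise ValueError(f"invalid ignore_hosts regex {raw!r}: {exc}") from exc
    return patterns


def is_valid_ignore_hosts(value: str) -> bool:
    """True if every entry in the list compiles."""
    try:
        parse_ignore_hosts(value)
    except ValueError:
        return False
    return True


def is_ignored(patterns: List[Pattern[str]], server_ip: str, port: int,
               sni: Optional[str]) -> bool:
    """Approximation (assumption, not mitmproxy's own code) of how
    ignore_hosts is evaluated: each regex is searched against the
    'host:port' forms known for the connection. In transparent mode the
    redirected destination is an IP address; a hostname is only available
    if the client sent an SNI in its TLS ClientHello."""
    subjects = [f"{server_ip}:{port}"]
    if sni:
        subjects.append(f"{sni}:{port}")
    return any(p.search(s) for p in patterns for s in subjects)


def demo() -> dict:
    """Run the checks a practitioner would want before relying on a
    domain-only regex in transparent mode."""
    domain_only = parse_ignore_hosts(IGNORE_HOSTS_ENV)
    # Adding an IP/range pattern, as the docs recommend for transparent mode.
    with_ip = domain_only + parse_ignore_hosts(r"^203\.0\.113\.")
    return {
        # SNI present: the domain regex matches and TLS is passed through.
        "sni_present": is_ignored(domain_only, "203.0.113.10", 443,
                                  "cn-hangzhou.log.aliyuncs.com"),
        # Same destination, no SNI: no match, so mitmproxy would try to
        # decrypt and the handshake fails unless the client trusts the CA.
        "sni_missing": is_ignored(domain_only, "203.0.113.10", 443, None),
        # IP pattern: matches regardless of SNI.
        "ip_pattern": is_ignored(with_ip, "203.0.113.10", 443, None),
        # Unrelated host: still decrypted.
        "other_host": is_ignored(domain_only, "198.51.100.7", 443,
                                 "api.example.com"),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {'pass-through' if matched else 'decrypt'}")
```

The `sni_missing` case is the one that bites in practice: a client that connects without SNI (or a non-TLS protocol on 443) is decrypted even though its destination is "covered" by the domain regex, which is why an IP/range pattern is the safer choice for anything that must never be terminated by the proxy.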
Example: enable transparent mode only

```bash
export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
```

Example: enable with a header-injection addon

```bash
export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
export OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/opt/opensandbox/mitmscripts/add_header.py
```

Built-in example script: `/opt/opensandbox/mitmscripts/add_header.py` (adds `X-OpenSandbox-Egress: 1`).

Example: TLS pass-through for selected domains

```bash
export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
export OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS='.*\.log\.aliyuncs\.com'
```

CA persistence: if CA files already exist in confdir, mitmproxy reuses them instead of regenerating them on each startup, so clients only need to trust the root CA once. Typical paths:
- `/var/lib/mitmproxy/.mitmproxy/mitmproxy-ca.pem` (private key together with the CA certificate)
- `/var/lib/mitmproxy/.mitmproxy/mitmproxy-ca-cert.pem` (public cert, the one to distribute to clients)

Ensure correct permissions (for example owner `mitmproxy:mitmproxy`, private key mode `600`); anyone who can read the private key can mint certificates that every trusting client accepts.
Transparent mitmproxy does not automatically enforce the egress NetworkPolicy. Domain allow/deny behavior is still determined by DNS + (optional) nft rules. If L7 policy enforcement (per host, method or path) is needed, implement it in mitm scripts.
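The following addon is an added example of such an L7 policy script; it is not the egress image's built-in `add_header.py` (which only adds the header), and the policy table, host names and paths in it are constructed for illustration. The decision is kept in a pure function so it can be tested without mitmproxy installed; the `request()` hook is what `mitmdump -s` calls for every HTTP request, including decrypted HTTPS, and a denied request is answered locally with a 403 so it never leaves the sidecar.

```python
"""Example mitmproxy addon: L7 egress allowlist plus tracing header.

Load with:
  OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/path/to/this/file.py
"""
import fnmatch
import re
from typing import Dict, Tuple

# Constructed policy for illustration. Host entries are glob patterns,
# paths are regexes searched against the request path (query included).
# Anything not listed is denied.
POLICY: Dict[str, dict] = {
    "api.github.com": {"methods": {"GET"}, "paths": [r"^/repos/"]},
    "*.example.internal": {"methods": {"GET", "POST"}, "paths": [r"^/v1/"]},
}


def evaluate(host: str, method: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Pure function: no mitmproxy objects."""
    host = host.lower().rstrip(".")
    method = method.upper()
    for pattern, rule in POLICY.items():
        if fnmatch.fnmatchcase(host, pattern):
            if method not in rule["methods"]:
                return False, f"method {method} not allowed for {host}"
            if not any(re.search(p, path) for p in rule["paths"]):
                return False, f"path {path} not allowed for {host}"
            return True, "allowed"
    return False, f"host {host} not in allowlist"


def request(flow) -> None:
    """mitmproxy hook, called once per HTTP request.

    In transparent mode there is no explicit proxy target, so the host
    comes from the TLS SNI / Host header (flow.request.pretty_host).
    The import is lazy so the policy above stays importable in tests.
    """
    from mitmproxy import http

    req = flow.request
    allowed, reason = evaluate(req.pretty_host, req.method, req.path)
    if not allowed:
        # Short-circuit: respond locally, the request never goes upstream.
        flow.response = http.Response.make(
            403,
            f"egress denied: {reason}\n".encode(),
            {"Content-Type": "text/plain"},
        )
        return
    # Same marker the built-in add_header.py sets, so upstreams can tell
    # the request passed through the egress proxy.
    req.headers["X-OpenSandbox-Egress"] = "1"
```

Because this runs inside the decrypted flow, it cannot see hosts listed in `OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS`; pass-through traffic is governed only by the DNS/nft layer mentioned above.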
Startup flow (high level):
- Start `mitmdump` as user `mitmproxy`, listening on `127.0.0.1:<port>`.
- Wait until the local listener is reachable.
- Apply IPv4 `iptables` redirect rules: except loopback and mitmproxy-owned traffic, redirect outbound 80/443 to the mitm port.
Limits:
- Currently IPv4 `iptables` only; IPv6 is not automatically handled, so IPv6 egress on 80/443 bypasses the proxy unless blocked elsewhere.
- Non-Linux environments (for example the local macOS runtime) are not supported for transparent mode.
- Full HTTPS decryption introduces CPU/memory and certificate trust overhead; benchmark before production rollout.