enterprise-proxy-toolbox

Tools to simulate enterprise MITM proxy services

Primary language: Nix

MITM Proxy Testing Setup

This directory contains a test setup to simulate Zscaler's MITM behavior for defensive security testing.

Overview

Zscaler performs Man-in-the-Middle (MITM) TLS interception: it installs its own root CA certificate in the operating system's trust store, terminates outbound TLS connections, inspects the plaintext, and re-encrypts the traffic to the client under a certificate it issues from that root. This setup reproduces that behaviour with mitmproxy and a throwaway CA so you can test how applications like Nix behave behind such a proxy, in particular whether they honour the OS trust store or need to be handed an explicit certificate bundle.

Setup Instructions

1. Generate CA Certificate and Key

Create a self-signed Certificate Authority (CA):

# Generate CA private key
openssl genrsa -out ca-key.pem 2048

# Create self-signed CA certificate
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 365 -subj "/CN=Test MITM CA/O=Test Organization/C=US"

2. Install CA Certificate in macOS Keychain

Install the CA certificate as a trusted root certificate:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem

3. Install mitmproxy

Add mitmproxy to your development environment by adding it to the packages list in flake.nix:

{
  languages.rust.enable = true;
  packages = [ pkgs.mitmproxy ];
}

Then reload your environment:

direnv reload

4. Create Combined Certificate File

mitmproxy signs the per-host certificates it generates with the CA found in mitmproxy-ca.pem inside its confdir (the directory given by --set confdir=...). That file must contain both the private key and the certificate, so concatenate them under exactly that name; if the file is missing, mitmproxy silently generates a CA of its own instead of using yours:

cat ca-key.pem ca-cert.pem > mitmproxy-ca.pem
chmod 600 mitmproxy-ca.pem

The certs option (--certs) is not the place for this: it supplies ready-made leaf certificates for particular hosts, not the signing CA.

5. Start MITM Proxy

--mode local configures the proxy to intercept all outbound traffic on the OS level. This is useful to test programs that cannot be configured to use a proxy.

sudo mitmproxy --mode local --set confdir=.

The explicit proxy listener on 127.0.0.1:8080 that steps 6 and 7 point at belongs to the default regular mode, so to have both the transparent capture and the explicit listener, pass both modes:

sudo mitmproxy --mode local --mode regular --set confdir=.

Keep the confdir private: it now holds the CA private key, and anyone who obtains that key can impersonate every site to any machine that trusts the CA.

6. Configure Nix to Use the Proxy

Set environment variables to route Nix traffic through the proxy (both spellings, because different tools read different ones):

export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080
export HTTP_PROXY=http://127.0.0.1:8080
export HTTPS_PROXY=http://127.0.0.1:8080

On a multi-user install the downloads from substituters are performed by nix-daemon, which does not inherit your shell's environment; set the same variables in the daemon's environment as well if those downloads are supposed to pass through the proxy.

7. Configure Nix for Impure Environment Variables

Builds run in a sandbox with a clean environment, so the variables from step 6 are not visible to fetchers that run inside derivations (fetchurl, fetchgit and similar fixed-output derivations). The impure-env setting passes selected variables through; it requires the configurable-impure-env experimental feature. Add the following to your nix.conf file (usually at ~/.config/nix/nix.conf):

experimental-features = nix-command flakes configurable-impure-env
impure-env = http_proxy=http://127.0.0.1:8080 https_proxy=http://127.0.0.1:8080

The setting is named impure-env (singular); a misspelling such as impure-envs only produces an "unknown setting" warning and is not applied, so check the output of nix show-config if builds still cannot reach the proxy.

8. Export Certificate Bundle from Keychain

Export the certificates from the macOS keychains into a PEM bundle that includes your custom CA:

# Export all certificates from the System keychain (where step 2 put the test CA)
security find-certificate -a -p /Library/Keychains/System.keychain > system-certs.pem

# Export all certificates from the user keychain
security find-certificate -a -p ~/Library/Keychains/login.keychain >> system-certs.pem

Note that find-certificate -a exports every certificate in the keychain regardless of its trust setting, and that Apple's built-in roots live in a separate keychain, /System/Library/Keychains/SystemRootCertificates.keychain. If anything Nix fetches must still reach a server without passing through the proxy, run the same command against that keychain and append the output to the bundle; otherwise the test CA alone is sufficient, because every connection the proxy sees is terminated by mitmproxy and re-signed under it.

9. Configure Nix to Use Certificate Bundle

Update your nix.conf to pass the bundle path into builds as NIX_SSL_CERT_FILE, the variable Nix's fetchers consult for trusted CAs:

experimental-features = nix-command flakes configurable-impure-env
impure-env = http_proxy=http://127.0.0.1:8080 https_proxy=http://127.0.0.1:8080 NIX_SSL_CERT_FILE=/path/to/your/test-ca/system-certs.pem

Replace /path/to/your/test-ca/ with the actual path to this directory. For the Nix client itself, outside the sandbox, export NIX_SSL_CERT_FILE in your shell as well, or set ssl-cert-file in nix.conf.

10. Test Certificate Usage

Run a Nix command that makes network requests to verify the custom certificate is being used:

nix-shell -p hello --run "echo 'Testing certificate usage'"

Nothing is fetched if hello is already in your store; pick a package you have not built before, or fetch a file explicitly with nix-prefetch-url against an https:// URL.

Monitor the mitmproxy interface to see intercepted requests and verify that your custom CA certificate is being used for SSL/TLS connections. A flow that appears with a decrypted request and response means the client accepted the certificate mitmproxy issued under your CA; a TLS handshake error in the event log, paired with a certificate verification error from Nix's curl backend, means the client did not trust it, which is exactly the failure mode this setup exists to surface.

Cleanup

To remove the test CA certificate from your system:

sudo security delete-certificate -c "Test MITM CA" /Library/Keychains/System.keychain

Security Note

This setup is for defensive security testing purposes only. The CA private key (ca-key.pem and mitmproxy-ca.pem) lets whoever holds it impersonate any site to any machine that trusts the CA, so keep it in this directory only, never commit it, and delete it together with the keychain entry, the nix.conf changes and the proxy variables once testing is complete.