HTTPS Forward Proxy in Erlang (MITM: Man In The Middle)

Hi All,

I’d like to build an Erlang HTTP Forward Proxy to mimic Python mitmproxy.
I’m not looking for anything advanced here, just the basic stuff.

The poxy server usually terminates HTTPS encrypted traffic and forwards it to the backend instance. Encryption, decryption, and authentication of HTTPS traffic occur between the client and my proxy without the client noticing anything.

I’ve full control of the client. The client obtains the self-signed certificate of the proxy in the TLS handshake process, and verification of the certificate chain is unsuccessful by default. The Root CA certificate among the proxy self-signed certificates must be trusted on the client (which is the case here). Therefore, the client is aware of the proxy in this process.

If, for example, a client wants to load, my proxy has to create a certificate for domain “” and thereby pretends to be the Google server towards the client.

Unfortunately, I have no idea how to forge such a certificate on the fly.
Can someone with good knowledge of public_key module help me with this?

Thanks a lot

You may find GitHub - corememltd/acmerl: Erlang ACME implementation useful to crib from, in particularly ranch_ssl_acme:challenge/3 and acme_client_certificate:ready/3.

This code has been extracted from an internal project so is likely to not be directly usable, but when writing it at the time I also noticed that it was hard to navigate public_key; I think I ended up just reading the OTP source until I started figuring it out.

Apologies for the roughness of the code, it was needed for a PoC and gen_statem had just appeared it was unclear at the time to me how to accomplish what I wanted with it. I recommend ignoring everything except my interaction with ssl and public_key :slight_smile:

This project exists really now for me as just a map of how to do this in the future.

Of note, you likely will need something like ranch_ssl_acme for your project as IIRC at the time ranch did not support ssl:handshake_continue in a way that was usable to me; things may have changed since, I have not looked if they have though.

Good luck in your adventures!

1 Like

If you are after generating certs from Erlang, you can have a look on *make_certs.erl files found in OTP repo. They generate certs for testing purposes and maybe could serve as some inspiration.

1 Like