One method to handle them all: a detailed illustrated tutorial on packet capture with Fiddler and Charles

1. Fiddler

1.1 Fiddler captures HTTPS settings

1.1.1 Configure certificate

Tools menu -> Options -> HTTPS -> check the Decrypt HTTPS traffic option.

  • Note: check the Decrypt HTTPS traffic option. Decrypt HTTPS traffic means decrypting HTTPS traffic (requests).

Then a dialog box will pop up, as shown below:


Meaning: To intercept HTTPS traffic, Fiddler generates a unique root certificate. You can configure Windows to trust this root certificate to suppress security warnings. Click Yes to reconfigure Windows' list of trusted CAs. Any application that trusts this root will accept the per-site certificates Fiddler generates, which is what lets the decrypted sessions show up in the session list.

Then a dialog box pops up as follows: Click Yes to confirm the installation of this certificate.


Do you want to add the certificate to the computer's trusted root certificate list? Click Yes.


Final prompt: Fiddler's root certificate has been successfully added to the computer's trusted root list.


1.1.2 Check the settings

When you check the Decrypt HTTPS traffic option, you will be prompted to install the certificate. After installing the certificate, the HTTPS option interface is as follows:


Next, also check the Ignore server certificate errors (unsafe) option. With it enabled, Fiddler accepts upstream server certificates that fail validation instead of failing the session.

Then click OK to grab the HTTPS request.


1.2 HTTPS option interface description


Fiddler Classic can decrypt HTTPS sessions by re-signing traffic using self-generated certificates.

Capture HTTPS CONNECTs

Capture the CONNECT requests that set up an HTTPS tunnel. (This is why we often see "Tunnel to ...:443" sessions: they are the requests sent when an HTTPS connection is being established. Use Rules menu -> Hide CONNECTs to hide them.)

Decrypt HTTPS traffic

Decrypt HTTPS requests.

  • drop-down list

from all processes

Capture HTTPS traffic from all processes, including the local machine and mobile phones.

from browsers only

Capture only HTTPS requests made by browsers.

from non-browsers only

Capture all HTTPS requests except those made by browsers.

from remote clients only

Capture HTTPS traffic only from remote clients, for example a mobile phone.

Ignore server certificate errors (unsafe)

Ignore server certificate errors (unsafe). Usually ticked. Note that a broken or mismatched certificate on the server side will then go unreported.

Check for certificate revocation

Check for certificate revocation.

Certificates generated by CertEnroll engine

A certificate generated by the CertEnroll engine.

Skip decryption for the following hosts

Skip decryption for the following hosts.

  • Actions

Trust Root Certificate

Trust the root certificate.

Export Root Certificate to Desktop

Export the root certificate to the desktop.

Open Windows Certificate Manager

Open Windows Certificate Manager.

Learn More about HTTPS Decryption

Learn more about HTTPS decryption.

Remove Interception Certificates

Remove the interception certificates.

Reset All Certificates

Reset all certificates.

1.4 How chained (second-level) proxying works


1.4.1 Proxy flow (roughly as follows)

  1. Client sends request: The client initiates a network request.
  2. The request reaches Fiddler: The client's proxy settings point at Fiddler as the proxy server, so the request is sent to Fiddler.
  3. Fiddler receives the request: Fiddler accepts the client's request.
  4. The request is sent to the upstream proxy: According to the upstream proxy (Clash) configured in Fiddler, Fiddler forwards the request to Clash.
  5. Clash processes the request: The Clash upstream proxy receives the request from Fiddler and handles it according to its own configuration and rules.
  6. Request sent to the target server: Clash forwards the request to the actual target server.
  7. The target server processes the request: The target server receives the request and processes it according to its content.
  8. Response returned to Clash: The target server generates a response and sends it back to the Clash upstream proxy.
  9. Clash sends the response to Fiddler: The Clash upstream proxy relays the response back to Fiddler.
  10. Fiddler receives the response: Fiddler receives the response from the Clash upstream proxy.
  11. Response sent to the client: Fiddler returns the response to the client as the reply to the original request.

1.4.2 Gateway settings

After Fiddler is set up to capture HTTP and HTTPS, configure the Gateway settings.

The Gateway submenu provides options for configuring how Fiddler Classic accesses the network.

By default, Fiddler Everywhere "chains" to the system's default proxy. The Gateway settings allow you to override this behavior.

  1. (Recommended) Use System Proxy - selected by default. Fiddler uses the OS system proxy. Some browsers and many applications use the system proxy by default and are notified when it changes.
  2. Manual Proxy Configuration - Specify the upstream proxy string (first text box) and the proxy bypass list (second text box).

Proxy String - To set the gateway proxy manually, enter a proxy string. To give a single proxy for all protocols, use the following form:

proxyserver:8080

To specify a proxy per protocol, use the following form:

http=httpproxy:8080;https=httpsproxy:8080

Bypass List - The proxy bypass list supports the following values:

  • Wildcards, for example *.extranet.example.com;
  • The special <local> token, which represents any hostname that does not contain a period.
  • The special <-loopback> token, which removes the default bypass for the hostnames localhost and 127.0.0.1.

The following example shows how to list multiple bypass entries separated by semicolons (;):

*.extranet.example.com;<local>;<-loopback>;
  3. No Proxy - Sends all traffic directly to the origin servers.
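As an added example (not code from the original post or from Fiddler itself), the following Python models how the manual gateway settings above are interpreted: both proxy string forms, wildcard bypass entries, the <local> token, and the <-loopback> token that switches off the default bypass for localhost and 127.0.0.1. The matching rules are my reading of the documented semantics, so treat the exact precedence as an assumption rather than Fiddler's implementation.

```python
import fnmatch

# Hostnames Fiddler bypasses by default unless <-loopback> is listed
# (assumed from the documented meaning of the <-loopback> token).
DEFAULT_LOOPBACK = {"localhost", "127.0.0.1"}


def parse_proxy_string(proxy_string):
    """Turn a gateway proxy string into a {scheme: "host:port"} table.

    "proxyserver:8080" applies to every scheme, while
    "http=httpproxy:8080;https=httpsproxy:8080" is per scheme.
    """
    proxy_string = proxy_string.strip()
    if "=" not in proxy_string:
        return {"http": proxy_string, "https": proxy_string}
    table = {}
    for part in proxy_string.split(";"):
        scheme, sep, proxy = part.strip().partition("=")
        if sep:
            table[scheme.strip().lower()] = proxy.strip()
    return table


def parse_bypass_list(bypass_list):
    """Split the semicolon-separated bypass list into lower-cased entries."""
    return [e.strip().lower() for e in bypass_list.split(";") if e.strip()]


def should_bypass(host, entries):
    """True when `host` goes direct instead of through the upstream proxy."""
    host = host.lower()
    # Loopback is bypassed by default; <-loopback> removes that default.
    if host in DEFAULT_LOOPBACK and "<-loopback>" not in entries:
        return True
    for entry in entries:
        if entry == "<-loopback>":
            continue
        if entry == "<local>":
            if "." not in host:  # bare hostname such as "intranet"
                return True
        elif fnmatch.fnmatchcase(host, entry):  # wildcard, e.g. *.example.com
            return True
    return False


def resolve_upstream(scheme, host, proxy_string, bypass_list):
    """Return the upstream proxy "host:port" for a request, or None for direct."""
    if should_bypass(host, parse_bypass_list(bypass_list)):
        return None
    return parse_proxy_string(proxy_string).get(scheme.lower())
```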


Then restart Charles.

3. Modify the proxy on the mobile phone

Manually change the phone's proxy settings to the corresponding IP address and port, then download and install the relevant certificate.

4. What to do if packets cannot be captured

In some cases packets simply cannot be captured no matter what you try. In that case we can use Charles + Clash + Proxifier to force the capture. How to force packet capture will be covered in the next post.




Origin blog.csdn.net/a448335587/article/details/132368698