Merge branch 'master' of ssh.github.com:mitmproxy/mitmproxy

Using uppercase C to 'clear' display mode, because lowercase 'c' is used for css

.coveragerc

@@ -0,0 +1,6 @@
+[rum]
+branch = True
+
+[report]
+omit = *contrib*, *tnetstring*, *platform*, *console*
+include = *libmproxy*

.gitattributes

@@ -0,0 +1 @@
+libmproxy/web/static/**/* -diff

.gitignore

@@ -1,12 +1,27 @@
+.DS_Store
 MANIFEST
 /build
 /dist
 /tmp
 /doc
-*.py[cd]
+/venv
+/libmproxy/gui
+/release/build
+*.py[cdo]
 *.swp
 *.swo
+mitmproxy.egg-info/
 mitmproxyc
 mitmdumpc
-mitmplaybackc
-mitmrecordc
+.coverage
+.idea
+netlib
+pathod
+libpathod
+
+# UI
+
+node_modules
+bower_components
+*.compiled.js
+*.map

.travis.yml

@@ -0,0 +1,18 @@
+language: python
+python:
+  - "2.7"
+# command to install dependencies, e.g. pip install -r requirements.txt --use-mirrors
+install:
+  - "pip install --src . -r requirements.txt"
+# command to run tests, e.g. python setup.py test
+script: 
+  - "nosetests --with-cov --cov-report term-missing"
+after_success: 
+  - coveralls
+notifications:
+  irc:
+    channels:
+      - "irc.oftc.net#mitmproxy"
+    on_success: change
+    on_failure: always
+

CHANGELOG

@@ -1,3 +1,202 @@
+
+23 October 2014: mitmproxy 0.11:
+    
+    * Performance improvements for mitmproxy console
+
+    * SOCKS5 proxy mode allows mitmproxy to act as a SOCKS5 proxy server
+
+    * Data streaming for response bodies exceeding a threshold
+      (bradpeabody@gmail.com)
+
+    * Ignore hosts or IP addresses, forwarding both HTTP and HTTPS traffic
+      untouched
+
+    * Finer-grained control of traffic replay, including options to ignore
+      contents or parameters when matching flows (marcelo.glezer@gmail.com)
+
+    * Pass arguments to inline scripts 
+
+    * Configurable size limit on HTTP request and response bodies
+
+    * Per-domain specification of interception certificates and keys (see
+      --cert option)
+
+    * Certificate forwarding, relaying upstream SSL certificates verbatim (see
+      --cert-forward)
+
+    * Search and highlighting for HTTP request and response bodies in
+      mitmproxy console (pedro@worcel.com)
+
+    * Transparent proxy support on Windows
+
+    * Improved error messages and logging
+
+    * Support for FreeBSD in transparent mode, using pf (zbrdge@gmail.com)
+
+    * Content view mode for WBXML (davidshaw835@air-watch.com)
+
+    * Better documentation, with a new section on proxy modes
+
+    * Generic TCP proxy mode
+
+    * Countless bugfixes and other small improvements
+
+
+
+28 January 2014: mitmproxy 0.10:
+	
+    * Support for multiple scripts and multiple script arguments
+
+    * Easy certificate install through the in-proxy web app, which is now
+      enabled by default
+
+    * Forward proxy mode, that forwards proxy requests to an upstream HTTP server
+
+    * Reverse proxy now works with SSL
+
+    * Search within a request/response using the "/" and "n" shortcut keys
+
+    * A view that beatifies CSS files if cssutils is available
+
+    * Bug fix, documentation improvements, and more.
+
+
+25 August 2013: mitmproxy 0.9.2:
+
+    * Improvements to the mitmproxywrapper.py helper script for OSX.
+    
+    * Don't take minor version into account when checking for serialized file
+      compatibility.
+
+    * Fix a bug causing resource exhaustion under some circumstances for SSL
+      connections.
+
+    * Revamp the way we store interception certificates. We used to store these
+      on disk, they're now in-memory. This fixes a race condition related to
+      cert handling, and improves compatibility with Windows, where the rules
+      governing permitted file names are weird, resulting in errors for some
+      valid IDNA-encoded names.
+
+    * Display transfer rates for responses in the flow list.
+    
+    * Many other small bugfixes and improvements.
+    
+
+
+
+16 June 2013: mitmproxy 0.9.1:
+
+    * Use "correct" case for Content-Type headers added by mitmproxy.
+    
+    * Make UTF environment detection more robust. 
+
+    * Improved MIME-type detection for viewers.
+    
+    * Always read files in binary mode (Windows compatibility fix).
+    
+    * Some developer documentation.
+    
+
+15 May 2013: mitmproxy 0.9:
+
+    * Upstream certs mode is now the default.
+
+    * Add a WSGI container that lets you host in-proxy web applications.
+    
+    * Full transparent proxy support for Linux and OSX.
+    
+    * Introduce netlib, a common codebase for mitmproxy and pathod
+      (http://github.com/cortesi/netlib).
+
+    * Full support for SNI.
+    
+    * Color palettes for mitmproxy, tailored for light and dark terminal
+      backgrounds.
+
+    * Stream flows to file as responses arrive with the "W" shortcut in
+      mitmproxy.
+
+    * Extend the filter language, including ~d domain match operator, ~a to
+      match asset flows (js, images, css).
+
+    * Follow mode in mitmproxy ("F" shortcut) to "tail" flows as they arrive.
+    
+    * --dummy-certs option to specify and preserve the dummy certificate
+      directory.
+
+    * Server replay from the current captured buffer.
+    
+    * Huge improvements in content views. We now have viewers for AMF, HTML,
+      JSON, Javascript, images, XML, URL-encoded forms, as well as hexadecimal
+      and raw views.
+
+    * Add Set Headers, analagous to replacement hooks. Defines headers that are set
+      on flows, based on a matching pattern.
+
+    * A graphical editor for path components in mitmproxy.
+    
+    * A small set of standard user-agent strings, which can be used easily in
+      the header editor.
+
+    * Proxy authentication to limit access to mitmproxy
+
+
+5 April 2012: mitmproxy 0.8:
+
+    * Detailed tutorial for Android interception. Some features that land in
+      this release have finally made reliable Android interception possible.
+
+    * Upstream-cert mode, which uses information from the upstream server to
+      generate interception certificates.
+
+    * Replacement patterns that let you easily do global replacements in flows
+      matching filter patterns. Can be specified on the command-line, or edited
+      interactively.
+
+    * Much more sophisticated and usable pretty printing of request bodies.
+      Support for auto-indentation of Javascript, inspection of image EXIF
+      data, and more.
+
+    * Details view for flows, showing connection and SSL cert information (X
+      keyboard shortcut).
+
+    * Server certificates are now stored and serialized in saved traffic for
+      later analysis. This means that the 0.8 serialization format is NOT
+      compatible with 0.7.
+
+    * Many other improvements, including bugfixes, and expanded scripting API,
+      and more sophisticated certificate handling.
+
+
+20 February 2012: mitmproxy 0.7:
+
+    * New built-in key/value editor. This lets you interactively edit URL query
+      strings, headers and URL-encoded form data.
+
+    * Extend script API to allow duplication and replay of flows.
+
+    * API for easy manipulation of URL-encoded forms and query strings.
+
+    * Add "D" shortcut in mitmproxy to duplicate a flow.
+
+    * Reverse proxy mode. In this mode mitmproxy acts as an HTTP server,
+      forwarding all traffic to a specified upstream server.
+
+    * UI improvements - use unicode characters to make GUI more compact,
+      improve spacing and layout throughout.
+
+    * Add support for filtering by HTTP method.
+
+    * Add the ability to specify an HTTP body size limit.
+
+    * Move to typed netstrings for serialization format - this makes 0.7
+      backwards-incompatible with serialized data from 0.6!
+
+    * Significant improvements in speed and responsiveness of UI.
+
+    * Many minor bugfixes and improvements.
+
+
 7 August 2011: mitmproxy 0.6:
 
     * New scripting API that allows much more flexible and fine-grained
@@ -58,14 +257,14 @@
       100% of CPU.
 
 
-30 March 2011: mitmproxy 0.4 
+30 March 2011: mitmproxy 0.4
 
     * Full serialization of HTTP conversations
-    
+
     * Client and server replay
-    
+
     * On-the-fly generation of dummy SSL certificates
-   
+
     * mitmdump has "grown up" into a powerful tcpdump-like tool for HTTP/S
 
     * Dozens of improvements to the mitmproxy console interface
@@ -73,25 +272,22 @@
     * Python scripting hooks for programmatic modification of traffic
 
 
-1 March 2010: mitmproxy 0.2 
+1 March 2010: mitmproxy 0.2
 
     * Big speed and responsiveness improvements, thanks to Thomas Roth
-    
+
     * Support urwid 0.9.9
-    
+
     * Terminal beeping based on filter expressions
-    
+
     * Filter expressions for terminal beeps, limits, interceptions and sticky
       cookies can now be passed on the command line.
 
     * Save requests and responses to file
-    
+
     * Split off non-interactive dump functionality into a new tool called
       mitmdump
-    
+
     * "A" will now accept all intercepted connections
-    
+
     * Lots of bugfixes
-
-    
-

CONTRIBUTORS

@@ -1,8 +1,65 @@
-    278 Aldo Cortesi
-     18 Henrik Nordstrom
-     13 Thomas Roth
-     10 Stephen Altamirano
-      2 alts
-      1 Yuangxuan Wang
-      1 Henrik Nordström
-      1 Felix Wolfsteller
+   902	Aldo Cortesi
+   323	Maximilian Hils
+    18	Henrik Nordstrom
+    13	Thomas Roth
+    12	Pedro Worcel
+    11	Stephen Altamirano
+    10	András Veres-Szentkirályi
+     8	Rouli
+     8	Jason A. Novak
+     7	Alexis Hildebrandt
+     5	Tomaz Muraus
+     5	Brad Peabody
+     5	Matthias Urlichs
+     4	root
+     4	Marc Liyanage
+     4	Valtteri Virtanen
+     4	Bryan Bishop
+     3	Chris Neasbitt
+     3	Zack B
+     3	Eli Shvartsman
+     3	Kyle Manna
+     2	Michael Frister
+     2	Bennett Blodinger
+     2	Jim Lloyd
+     2	Rob Wills
+     2	israel
+     2	Jaime Soriano Pastor
+     2	Heikki Hannikainen
+     2	Mark E. Haase
+     2	alts
+     1	davidpshaw
+     1	deployable
+     1	joebowbeer
+     1	meeee
+     1	phil plante
+     1	Michael Bisbjerg
+     1	Andy Smith
+     1	Dan Wilbraham
+     1	David Shaw
+     1	Eric Entzel
+     1	Felix Wolfsteller
+     1	Henrik Nordström
+     1	Ivaylo Popov
+     1	JC
+     1	Jakub Nawalaniec
+     1	James Billingham
+     1	Jean Regisser
+     1	Kit Randel
+     1	Marcelo Glezer
+     1	Mathieu Mitchell
+     1	Mikhail Korobov
+     1	Nicolas Esteves
+     1	Oleksandr Sheremet
+     1	Paul
+     1	Rich Somerfield
+     1	Rory McCann
+     1	Rune Halvorsen
+     1	Sahn Lam
+     1	Seppo Yli-Olli
+     1	Sergey Chipiga
+     1	Steven Van Acker
+     1	Ulrich Petri
+     1	Vyacheslav Bakhmutov
+     1	Yuangxuan Wang
+     1	capt8bit

LICENSE

@@ -1,690 +1,19 @@
-mitmproxy is licensed under the terms of the GNU General Public
-License version 3, with the following addition:
-
-  In addition, as a special exception, the copyright holders give
-permission to link the code of this program or portions of this
-program with the OpenSSL project's "OpenSSL" library (or with modified
-versions of it that use the same license as the "OpenSSL" library),
-and distribute linked combinations including the two. 
-
-  You must obey the GNU General Public License in all respects for all
-of the code used other than "OpenSSL".  If you modify file(s) provided
-under this license, you may extend this exception to your version of
-the file, but you are not obligated to do so. If you do not wish to do
-so, delete this exception statement from your version.
-
-
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+Copyright (c) 2013, Aldo Cortesi. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

MANIFEST.in

@@ -1,9 +1,8 @@
-include LICENSE
-include CHANGELOG
-include CONTRIBUTORS
-include README.mkd
+include mitmproxy mitmdump
+include LICENSE CHANGELOG CONTRIBUTORS README.txt
+exclude README.mkd
 recursive-include examples *
 recursive-include doc *
 recursive-include test *
-recursive-include libmproxy/resources *
-recursive-exclude test *.swo *.swp *.pyc
+recursive-include libmproxy *
+recursive-exclude * *.pyc *.pyo *.swo *.swp

README.mkd

@@ -1,66 +1,92 @@
+[![Build Status](https://travis-ci.org/mitmproxy/mitmproxy.png?branch=master)](https://travis-ci.org/mitmproxy/mitmproxy) [![Coverage Status](https://coveralls.io/repos/mitmproxy/mitmproxy/badge.png?branch=master)](https://coveralls.io/r/mitmproxy/mitmproxy)
 
-__mitmproxy__ is an SSL-capable man-in-the-middle proxy for HTTP. It provides a
-console interface that allows traffic flows to be inspected and edited on the
-fly.
+__mitmproxy__ is an interactive, SSL-capable man-in-the-middle proxy for HTTP
+with a console interface.
 
-__mitmdump__ is the command-line version of mitmproxy, with the same
-functionality but without the frills. Think tcpdump for HTTP.
+__mitmdump__ is the command-line version of mitmproxy. Think tcpdump for HTTP.
 
-Both tools are fully documentented in the commandline _--help_ flag, and, in
-the case of __mitmproxy__, a built-in help page accessible through the _?_
-keyboard shortcut.
+__libmproxy__ is the library that mitmproxy and mitmdump are built on.
+
+Documentation, tutorials and distribution packages can be found on the
+mitmproxy.org website:
+
+[mitmproxy.org](http://mitmproxy.org).
 
 
-Capabilities
-------------
+You can find complete directions for installing mitmproxy [here](http://mitmproxy.org/doc/install.html). 
+
+
+Features
+--------
 
 - Intercept HTTP requests and responses and modify them on the fly.
 - Save complete HTTP conversations for later replay and analysis.
 - Replay the client-side of an HTTP conversations.
 - Replay HTTP responses of a previously recorded server.
-- Make scripted changes to HTTP traffic using Python. 
+- Reverse proxy mode to forward traffic to a specified server.
+- Transparent proxy mode on OSX and Linux.
+- Make scripted changes to HTTP traffic using Python.
 - SSL certificates for interception are generated on the fly.
+- And much, much more.
+
+__mitmproxy__ is tested and developed on OSX, Linux and OpenBSD. On Windows,
+only mitmdump is supported, which does not have a graphical user interface.
 
 
-Download
---------
 
-Releases and rendered documentation can be found on the mitmproxy website:
-
-[mitmproxy.org](http://mitmproxy.org)
-
-Source is hosted on github: 
-
-[github.com/cortesi/mitmproxy](http://github.com/cortesi/mitmproxy)
+Hacking
+-------
 
 
-Community
----------
-
-Come join us in the #mitmproxy channel on the OFTC IRC network
-(irc://irc.oftc.net:6667).
-
-We also have a mailing list, hosted here:
-
-    http://groups.google.com/group/mitmproxy
+### Requirements
+
+
+* [Python](http://www.python.org) 2.7.x.
+* [netlib](http://pypi.python.org/pypi/netlib), version matching mitmproxy.
+* Third-party packages listed in [setup.py](https://github.com/mitmproxy/mitmproxy/blob/master/setup.py)
+
+Optional packages for extended content decoding:
+
+* [PyAMF](http://www.pyamf.org/) version 0.6.1 or newer.
+* [protobuf](https://code.google.com/p/protobuf/) version 2.5.0 or newer.
+* [cssutils](http://cthedot.de/cssutils/) version 1.0 or newer.
+
+For convenience, all optional dependencies can be installed with 
+
+`pip install "mitmproxy[contentviews]"`
+
+### Setting up a dev environment
+
+The following procedure is recommended to set up your dev environment:
+
+```
+$ git clone https://github.com/mitmproxy/mitmproxy.git
+$ cd mitmproxy
+$ pip install --src . -r requirements.txt
+```
+
+This installs the latest GitHub versions of mitmproxy, netlib and pathod into `mitmproxy/`. All other development dependencies save countershape are installed into their usual locations. 
+
+
+### Testing
+
+The test suite requires the `dev` extra requirements listed in [setup.py](https://github.com/mitmproxy/mitmproxy/blob/master/setup.py) and [pathod](http://pathod.net), version matching mitmproxy. Install these with:
+
+`
+pip install "mitmproxy[dev]""`
+
+
+Please ensure that all patches are accompanied by matching changes in the test
+suite. The project maintains 100% test coverage.
+
+
+### Docs
+
+Rendering the documentation requires [countershape](http://github.com/cortesi/countershape). After installation, you can render the documentation to the doc like this:
+
+`cshape doc-src doc`
 
 
-Requirements
-------------
 
-* [Python](http://www.python.org) 2.6.x or 2.7.x.
-* [openssl](http://www.openssl.org/) - installed by default on most systems.
-* [urwid](http://excess.org/urwid/) version 0.9.8 or newer.
-* The test suite uses the [pry](http://github.com/cortesi/pry) unit testing
-  library.
-* Rendering the documentation requires [countershape](http://github.com/cortesi/countershape).
 
-__mitmproxy__ is tested and developed on OSX, Linux and OpenBSD. 
 
-You should also make sure that your console environment is set up with the
-following: 
-    
-* EDITOR environment variable to determine the external editor.
-* PAGER environment variable to determine the external pager.
-* Appropriate entries in your mailcap files to determine external
-  viewers for request and response contents.

README.txt

@@ -0,0 +1,11 @@
+**mitmproxy** is an interactive, SSL-capable man-in-the-middle proxy for HTTP
+with a console interface.
+
+**mitmdump** is the command-line version of mitmproxy. Think tcpdump for HTTP.
+
+**libmproxy** is the library that mitmproxy and mitmdump are built on.
+
+Complete documentation and a set of practical tutorials is included in the
+distribution package, and is also available at mitmproxy.org_.
+
+.. _mitmproxy.org: http://mitmproxy.org

doc-src/02-docstyle.css

@@ -1,137 +1,20 @@
-
-a {
-    color: #3F8ED8;
-    text-decoration: none;
+body {
+    padding-top: 60px;
+    padding-bottom: 40px;
 }
 
-
-#hd.doc {
-    -x-system-font:none;
-    font-family: Helvetica,Arial,Tahoma,Verdana,Sans-Serif;
-    color: #444444;
-    margin: 0;
-    margin-bottom: 1em;
-}
-
-#hd.doc h1 {
-    letter-spacing: 3px;
-    font-size: 2.5em;
-    margin: 0.3em 0;
-    font-weight: normal;
-}
-
-#nav {
-    float: right;
-}
-
-
-#bd {
-    font: 16px/21px "HelveticaNeue","Helvetica Neue",Helvetica,Arial,sans-serif;
-    line-height: 1.5;
-    color: #444444;
-}
-
-#bd h1, #bd h2, #bd h3 {
-    font-family: "Georgia","Times New Roman",Helvetica,Arial,sans-serif;
-    font-weight: normal;
-    color: #181818;
-}
-
-#bd h1 {
-    font-size: 1.9em;
-    border-bottom: 2px solid #ff7033;
-    margin-top: 5px;
-    margin-bottom: 5px;
-}
-
-#bd h2 {
-    font-size: 1.4em;
-    border-bottom: 1px solid #cccccc;
-    margin-top: 5px;
-    margin-bottom: 5px;
-}
-
-
-#bd h3 {
-    margin-bottom: 0px;
-}
-
-#bd p {
-    margin: 1em 0;
-    margin-top: 0.5em;
-}
-
-/* Keyboard shortcuts */
-#bd em {
+.tablenum {
     font-weight: bold;
-    color: #00A700; 
-    font-style: normal;
+} 
+
+.nowrap {
+     white-space: nowrap;
 }
 
-#ft.doc {
-    color: #aaa;
-    border-top: 1px solid #aaa;
-    clear: both;
-    margin-top: 2em;
-    font-size: 0.8em;
-    letter-spacing: 0.5px;
+h1 {
+    line-height: 1.1;
 }
 
-.faq .question {
-    font-size: 1.1em;
-    font-weight: bold;
+.page-header {
+    margin: 0px 0 22px;
 }
-
-pre {
-    font-size: 0.9em;
-    line-height: 1.4;
-    padding: 10px;
-    background-color: #dddddd;
-    margin: 1em 0;
-}
-
-.terminal {
-    color: #c0c0c0;
-    font-size: 1em;
-    background: #000000;
-}
-
-.docindex {
-    font-size: 1.3em;
-    line-height: 1.3;
-    margin-top: 0.1em;
-    margin-bottom: 0;
-    margin-left: 0px;
-}
-
-.docindex li {
-    list-style-position: inside;
-    margin-left: 0;
-}
-
-.docindex ul {
-    margin-left: 2em;
-    margin-top: 0.1em;
-    margin-bottom: 0.1em;
-}
-
-li a {
-    text-decoration: none;
-}
-
-.highlight {
-    font-size: 14px;
-}
-.example_legend{
-    line-height: 1;
-    font-size: 12px;
-}
-.example pre {
-    margin: 0;
-}
-
-.kvtable th {
-    text-align: left;
-    white-space: nowrap;
-}
-

doc-src/_explicit.graffle/data.plist

@@ -0,0 +1,572 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>ActiveLayerIndex</key>
+	<integer>0</integer>
+	<key>ApplicationVersion</key>
+	<array>
+		<string>com.omnigroup.OmniGraffle.MacAppStore</string>
+		<string>139.16</string>
+	</array>
+	<key>AutoAdjust</key>
+	<true/>
+	<key>BackgroundGraphic</key>
+	<dict>
+		<key>Bounds</key>
+		<string>{{0, 0}, {559.19998741149902, 782.79998779296875}}</string>
+		<key>Class</key>
+		<string>SolidGraphic</string>
+		<key>ID</key>
+		<integer>2</integer>
+		<key>Style</key>
+		<dict>
+			<key>shadow</key>
+			<dict>
+				<key>Draws</key>
+				<string>NO</string>
+			</dict>
+			<key>stroke</key>
+			<dict>
+				<key>Draws</key>
+				<string>NO</string>
+			</dict>
+		</dict>
+	</dict>
+	<key>BaseZoom</key>
+	<integer>0</integer>
+	<key>CanvasOrigin</key>
+	<string>{0, 0}</string>
+	<key>ColumnAlign</key>
+	<integer>1</integer>
+	<key>ColumnSpacing</key>
+	<real>36</real>
+	<key>CreationDate</key>
+	<string>2013-01-02 19:31:53 +0000</string>
+	<key>Creator</key>
+	<string>Aldo Cortesi</string>
+	<key>DisplayScale</key>
+	<string>1.000 cm = 1.000 cm</string>
+	<key>GraphDocumentVersion</key>
+	<integer>8</integer>
+	<key>GraphicsList</key>
+	<array>
+		<dict>
+			<key>Class</key>
+			<string>LineGraphic</string>
+			<key>ID</key>
+			<integer>4074</integer>
+			<key>Points</key>
+			<array>
+				<string>{300.4483540852865, 420.70833897590637}</string>
+				<string>{344.88497416178387, 420.70833897590654}</string>
+				<string>{362.21830749511713, 420.04167230923986}</string>
+				<string>{413.55166625976557, 419.70833905537921}</string>
+			</array>
+			<key>Style</key>
+			<dict>
+				<key>stroke</key>
+				<dict>
+					<key>HeadArrow</key>
+					<string>FilledArrow</string>
+					<key>Legacy</key>
+					<true/>
+					<key>TailArrow</key>
+					<string>0</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Class</key>
+			<string>LineGraphic</string>
+			<key>ID</key>
+			<integer>4070</integer>
+			<key>Points</key>
+			<array>
+				<string>{84.896692911783873, 420.66667453447985}</string>
+				<string>{129.33331298828122, 420.66667453448002}</string>
+				<string>{146.66664632161454, 420.00000786781334}</string>
+				<string>{198.00000508626297, 419.66667461395269}</string>
+			</array>
+			<key>Style</key>
+			<dict>
+				<key>stroke</key>
+				<dict>
+					<key>HeadArrow</key>
+					<string>FilledArrow</string>
+					<key>Legacy</key>
+					<true/>
+					<key>TailArrow</key>
+					<string>0</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{326.00000000000023, 391.39999198913591}, {62, 24}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>FontInfo</key>
+			<dict>
+				<key>Font</key>
+				<string>Helvetica</string>
+				<key>Size</key>
+				<real>12</real>
+			</dict>
+			<key>ID</key>
+			<integer>4063</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs20 \cf0 2: Forwarded \
+Request}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{110, 403.39997863769622}, {49, 12}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>FontInfo</key>
+			<dict>
+				<key>Font</key>
+				<string>Helvetica</string>
+				<key>Size</key>
+				<real>12</real>
+			</dict>
+			<key>ID</key>
+			<integer>4061</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs20 \cf0 1: Request}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{430.83098347981803, 515.99999999999989}, {36, 14}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>ID</key>
+			<integer>4026</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf0 Server}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{40.499999999999993, 486.66666666666663}, {31, 14}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>ID</key>
+			<integer>4025</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf0 Client}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{417.16432189941418, 323.90565299479198}, {63.333332061767578, 185.52200317382812}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>4004</integer>
+			<key>ImageID</key>
+			<integer>6</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{205.34386889139773, 289.33333333333331}, {84, 248.66667175292969}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>4023</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Color</key>
+					<dict>
+						<key>b</key>
+						<string>0</string>
+						<key>g</key>
+						<string>0.463735</string>
+						<key>r</key>
+						<string>1</string>
+					</dict>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;\red37\green17\blue0;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf2 mitmproxy}</string>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{4.6666666467984399, 351.33332316080771}, {102.66666412353516, 130.66667175292969}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>134</integer>
+			<key>ImageID</key>
+			<integer>3</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+		</dict>
+	</array>
+	<key>GridInfo</key>
+	<dict/>
+	<key>GuidesLocked</key>
+	<string>NO</string>
+	<key>GuidesVisible</key>
+	<string>YES</string>
+	<key>HPages</key>
+	<integer>1</integer>
+	<key>ImageCounter</key>
+	<integer>7</integer>
+	<key>ImageLinkBack</key>
+	<array>
+		<dict/>
+		<dict/>
+	</array>
+	<key>ImageList</key>
+	<array>
+		<string>image6.tiff</string>
+		<string>image3.icns</string>
+	</array>
+	<key>KeepToScale</key>
+	<false/>
+	<key>Layers</key>
+	<array>
+		<dict>
+			<key>Lock</key>
+			<string>NO</string>
+			<key>Name</key>
+			<string>Layer 1</string>
+			<key>Print</key>
+			<string>YES</string>
+			<key>View</key>
+			<string>YES</string>
+		</dict>
+	</array>
+	<key>LayoutInfo</key>
+	<dict>
+		<key>Animate</key>
+		<string>NO</string>
+		<key>circoMinDist</key>
+		<real>18</real>
+		<key>circoSeparation</key>
+		<real>0.0</real>
+		<key>layoutEngine</key>
+		<string>dot</string>
+		<key>neatoSeparation</key>
+		<real>0.0</real>
+		<key>twopiSeparation</key>
+		<real>0.0</real>
+	</dict>
+	<key>LinksVisible</key>
+	<string>NO</string>
+	<key>MagnetsVisible</key>
+	<string>NO</string>
+	<key>MasterSheets</key>
+	<array/>
+	<key>ModificationDate</key>
+	<string>2013-01-03 02:27:49 +0000</string>
+	<key>Modifier</key>
+	<string>Aldo Cortesi</string>
+	<key>NotesVisible</key>
+	<string>NO</string>
+	<key>Orientation</key>
+	<integer>2</integer>
+	<key>OriginVisible</key>
+	<string>NO</string>
+	<key>PageBreaks</key>
+	<string>YES</string>
+	<key>PrintInfo</key>
+	<dict>
+		<key>NSBottomMargin</key>
+		<array>
+			<string>float</string>
+			<string>41</string>
+		</array>
+		<key>NSHorizonalPagination</key>
+		<array>
+			<string>coded</string>
+			<string>BAtzdHJlYW10eXBlZIHoA4QBQISEhAhOU051bWJlcgCEhAdOU1ZhbHVlAISECE5TT2JqZWN0AIWEASqEhAFxlwCG</string>
+		</array>
+		<key>NSLeftMargin</key>
+		<array>
+			<string>float</string>
+			<string>18</string>
+		</array>
+		<key>NSPaperSize</key>
+		<array>
+			<string>size</string>
+			<string>{595.19998741149902, 841.79998779296875}</string>
+		</array>
+		<key>NSPrintReverseOrientation</key>
+		<array>
+			<string>int</string>
+			<string>0</string>
+		</array>
+		<key>NSRightMargin</key>
+		<array>
+			<string>float</string>
+			<string>18</string>
+		</array>
+		<key>NSTopMargin</key>
+		<array>
+			<string>float</string>
+			<string>18</string>
+		</array>
+	</dict>
+	<key>PrintOnePage</key>
+	<false/>
+	<key>ReadOnly</key>
+	<string>NO</string>
+	<key>RowAlign</key>
+	<integer>1</integer>
+	<key>RowSpacing</key>
+	<real>36</real>
+	<key>SheetTitle</key>
+	<string>Canvas 1</string>
+	<key>SmartAlignmentGuidesActive</key>
+	<string>YES</string>
+	<key>SmartDistanceGuidesActive</key>
+	<string>YES</string>
+	<key>UniqueID</key>
+	<integer>1</integer>
+	<key>UseEntirePage</key>
+	<false/>
+	<key>VPages</key>
+	<integer>1</integer>
+	<key>WindowInfo</key>
+	<dict>
+		<key>CurrentSheet</key>
+		<integer>0</integer>
+		<key>ExpandedCanvases</key>
+		<array>
+			<dict>
+				<key>name</key>
+				<string>Canvas 1</string>
+			</dict>
+		</array>
+		<key>Frame</key>
+		<string>{{300, 236}, {974, 874}}</string>
+		<key>ListView</key>
+		<true/>
+		<key>OutlineWidth</key>
+		<integer>142</integer>
+		<key>RightSidebar</key>
+		<false/>
+		<key>ShowRuler</key>
+		<true/>
+		<key>Sidebar</key>
+		<true/>
+		<key>SidebarWidth</key>
+		<integer>120</integer>
+		<key>VisibleRegion</key>
+		<string>{{0, 202}, {550, 469.33333333333337}}</string>
+		<key>Zoom</key>
+		<real>1.5</real>
+		<key>ZoomValues</key>
+		<array>
+			<array>
+				<string>Canvas 1</string>
+				<real>1.5</real>
+				<real>1</real>
+			</array>
+		</array>
+	</dict>
+</dict>
+</plist>

doc-src/_layout.html

@@ -1,30 +1,36 @@
-<div id="doc">
-    <div style="" id="hd" class="doc">
-        <!--(block nav)-->
-        <div id="nav">
-            <!--(block pb)-->
-            <a href="@!urlTo(previous)!@">prev</a>
-            <!--(end)-->
-            <!--(block nb)-->
-            <a href="@!urlTo(next)!@">next</a>
-            <!--(end)-->
-            $!pb if previous else "prev"!$ |
-            <a href="@!urlTo('/index.html')!@">index</a> |
-            $!nb if next else "next"!$
-        </div>
-        <!--(end)-->
-        $!nav if this.title!="docs" else ""!$
-        <h1><a href="@!urlTo("/index.html")!@">mitmproxy 0.6 docs</a></h1>
-    </div>
-    <div id="bd">
-        <div id="yui-main">
-            <div style="" class="yui-b">
-                $!title if this.title!="docs" else ""!$
-                $!body!$
-            </div>
-        </div>
-    </div>
-    <div style="" id="ft" class="doc">
-        <p>@!copyright!@</p>
+<div class="navbar navbar-fixed-top">
+  <div class="navbar-inner">
+    <div class="container">
+      <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
+        <span class="icon-bar"></span>
+        <span class="icon-bar"></span>
+        <span class="icon-bar"></span>
+      </a>
+      <a class="brand" href="@!urlTo(idxpath)!@">mitmproxy $!VERSION!$ docs</a>
+      </div><!--/.nav-collapse -->
     </div>
+  </div>
+</div>
+
+<div class="container">
+  <div class="row">
+    <div class="span3">
+      <div class="well sidebar-nav">
+            $!navbar!$
+      </div>
+    </div>
+
+    <div class="span9">
+        <div class="page-header">
+        <h1>@!this.title!@</h1>
+        </div>
+        $!body!$
+    </div>
+  </div>
+
+  <hr>
+
+  <footer>
+    <p>@!copyright!@</p>
+  </footer>
 </div>

doc-src/_nav.html

@@ -0,0 +1,58 @@
+<ul class="nav nav-list">
+    $!nav(idxpath, this, state)!$
+    $!nav("install.html", this, state)!$
+    $!nav("howmitmproxy.html", this, state)!$
+    $!nav("modes.html", this, state)!$
+
+    <li class="nav-header">Tools</li>
+        $!nav("mitmproxy.html", this, state)!$
+        $!nav("mitmdump.html", this, state)!$
+
+    <li class="nav-header">Features</li>
+        $!nav("anticache.html", this, state)!$
+
+        $!nav("filters.html", this, state)!$
+        $!nav("replacements.html", this, state)!$
+        $!nav("clientreplay.html", this, state)!$
+        $!nav("serverreplay.html", this, state)!$
+        $!nav("setheaders.html", this, state)!$
+        $!nav("passthrough.html", this, state)!$
+        $!nav("proxyauth.html", this, state)!$
+        $!nav("reverseproxy.html", this, state)!$
+        $!nav("responsestreaming.html", this, state)!$
+        $!nav("socksproxy.html", this, state)!$
+        $!nav("sticky.html", this, state)!$
+        $!nav("tcpproxy.html", this, state)!$
+        $!nav("upstreamproxy.html", this, state)!$
+        $!nav("upstreamcerts.html", this, state)!$
+
+
+    <li class="nav-header">Installing Certificates</li>
+        $!nav("ssl.html", this, state)!$
+        $!nav("certinstall/webapp.html", this, state)!$
+        $!nav("certinstall/android.html", this, state)!$
+        $!nav("certinstall/firefox.html", this, state)!$
+        $!nav("certinstall/ios.html", this, state)!$
+        $!nav("certinstall/ios-simulator.html", this, state)!$
+        $!nav("certinstall/java.html", this, state)!$
+        $!nav("certinstall/osx.html", this, state)!$
+        $!nav("certinstall/windows7.html", this, state)!$
+
+    <li class="nav-header">Transparent Proxying</li>
+        $!nav("transparent.html", this, state)!$
+        $!nav("transparent/linux.html", this, state)!$
+        $!nav("transparent/osx.html", this, state)!$
+
+    <li class="nav-header">Scripting mitmproxy</li>
+        $!nav("scripting/inlinescripts.html", this, state)!$
+        $!nav("scripting/libmproxy.html", this, state)!$
+
+    <li class="nav-header">Tutorials</li>
+        $!nav("tutorials/30second.html", this, state)!$
+        $!nav("tutorials/gamecenter.html", this, state)!$
+        $!nav("tutorials/transparent-dhcp.html", this, state)!$
+
+    <li class="nav-header">Hacking</li>
+        $!nav("dev/architecture.html", this, state)!$
+        $!nav("dev/testing.html", this, state)!$
+</ul>

doc-src/_transparent.graffle/data.plist

@@ -0,0 +1,771 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>ActiveLayerIndex</key>
+	<integer>0</integer>
+	<key>ApplicationVersion</key>
+	<array>
+		<string>com.omnigroup.OmniGraffle.MacAppStore</string>
+		<string>139.16</string>
+	</array>
+	<key>AutoAdjust</key>
+	<true/>
+	<key>BackgroundGraphic</key>
+	<dict>
+		<key>Bounds</key>
+		<string>{{0, 0}, {559.19998741149902, 782.79998779296875}}</string>
+		<key>Class</key>
+		<string>SolidGraphic</string>
+		<key>ID</key>
+		<integer>2</integer>
+		<key>Style</key>
+		<dict>
+			<key>shadow</key>
+			<dict>
+				<key>Draws</key>
+				<string>NO</string>
+			</dict>
+			<key>stroke</key>
+			<dict>
+				<key>Draws</key>
+				<string>NO</string>
+			</dict>
+		</dict>
+	</dict>
+	<key>BaseZoom</key>
+	<integer>0</integer>
+	<key>CanvasOrigin</key>
+	<string>{0, 0}</string>
+	<key>ColumnAlign</key>
+	<integer>1</integer>
+	<key>ColumnSpacing</key>
+	<real>36</real>
+	<key>CreationDate</key>
+	<string>2013-01-02 19:31:53 +0000</string>
+	<key>Creator</key>
+	<string>Aldo Cortesi</string>
+	<key>DisplayScale</key>
+	<string>1.000 cm = 1.000 cm</string>
+	<key>GraphDocumentVersion</key>
+	<integer>8</integer>
+	<key>GraphicsList</key>
+	<array>
+		<dict>
+			<key>Bounds</key>
+			<string>{{101.18773396809897, 358.41662979125977}, {62, 12}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>FontInfo</key>
+			<dict>
+				<key>Font</key>
+				<string>Helvetica</string>
+				<key>Size</key>
+				<real>12</real>
+			</dict>
+			<key>ID</key>
+			<integer>4079</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs20 \cf0 2: Redirection}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{102.18775939941409, 405.16666666666663}, {78, 12}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>FontInfo</key>
+			<dict>
+				<key>Font</key>
+				<string>Helvetica</string>
+				<key>Size</key>
+				<real>12</real>
+			</dict>
+			<key>ID</key>
+			<integer>4078</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs20 \cf0 3: HTTP Request}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Class</key>
+			<string>LineGraphic</string>
+			<key>ControlPoints</key>
+			<array>
+				<string>{-29.333333333333343, 15.666671991348267}</string>
+				<string>{-14, -7.3333333333333712}</string>
+			</array>
+			<key>ID</key>
+			<integer>37</integer>
+			<key>Points</key>
+			<array>
+				<string>{196.99999491373691, 331.83332316080725}</string>
+				<string>{198.00000508626303, 402.49998982747394}</string>
+			</array>
+			<key>Style</key>
+			<dict>
+				<key>stroke</key>
+				<dict>
+					<key>Bezier</key>
+					<true/>
+					<key>HeadArrow</key>
+					<string>FilledArrow</string>
+					<key>Legacy</key>
+					<true/>
+					<key>LineType</key>
+					<integer>1</integer>
+					<key>TailArrow</key>
+					<string>0</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{205.34387397766082, 289.3333333333328}, {84, 52.666667938232422}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>4076</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Color</key>
+					<dict>
+						<key>b</key>
+						<string>0.547829</string>
+						<key>g</key>
+						<string>1</string>
+						<key>r</key>
+						<string>0.790866</string>
+					</dict>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;\red37\green17\blue0;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf2 router}</string>
+			</dict>
+		</dict>
+		<dict>
+			<key>Class</key>
+			<string>LineGraphic</string>
+			<key>ID</key>
+			<integer>4075</integer>
+			<key>Points</key>
+			<array>
+				<string>{304.061024983724, 422.16667167345679}</string>
+				<string>{348.49764506022132, 422.16667167345696}</string>
+				<string>{365.83097839355469, 421.50000500679027}</string>
+				<string>{417.16433715820312, 421.16667175292963}</string>
+			</array>
+			<key>Style</key>
+			<dict>
+				<key>stroke</key>
+				<dict>
+					<key>HeadArrow</key>
+					<string>FilledArrow</string>
+					<key>Legacy</key>
+					<true/>
+					<key>TailArrow</key>
+					<string>0</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{321.11267089843761, 405.16706339518225}, {49, 12}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>FontInfo</key>
+			<dict>
+				<key>Font</key>
+				<string>Helvetica</string>
+				<key>Size</key>
+				<real>12</real>
+			</dict>
+			<key>ID</key>
+			<integer>4067</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs20 \cf0 4: Request}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{101.18773682912195, 295.66660690307623}, {62, 12}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>FontInfo</key>
+			<dict>
+				<key>Font</key>
+				<string>Helvetica</string>
+				<key>Size</key>
+				<real>12</real>
+			</dict>
+			<key>ID</key>
+			<integer>4058</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs20 \cf0 1: Connection}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Class</key>
+			<string>LineGraphic</string>
+			<key>ID</key>
+			<integer>4041</integer>
+			<key>Points</key>
+			<array>
+				<string>{85.896713256836037, 421.41666793823208}</string>
+				<string>{199.00002034505209, 421.16666666666669}</string>
+			</array>
+			<key>Style</key>
+			<dict>
+				<key>stroke</key>
+				<dict>
+					<key>HeadArrow</key>
+					<string>FilledArrow</string>
+					<key>Legacy</key>
+					<true/>
+					<key>TailArrow</key>
+					<string>0</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Class</key>
+			<string>LineGraphic</string>
+			<key>ID</key>
+			<integer>31</integer>
+			<key>Points</key>
+			<array>
+				<string>{84.896687825520857, 314.66666126251221}</string>
+				<string>{129.33330790201822, 314.66666126251238}</string>
+				<string>{146.66664123535153, 313.99999459584569}</string>
+				<string>{198, 313.66666134198505}</string>
+			</array>
+			<key>Style</key>
+			<dict>
+				<key>stroke</key>
+				<dict>
+					<key>HeadArrow</key>
+					<string>FilledArrow</string>
+					<key>Legacy</key>
+					<true/>
+					<key>TailArrow</key>
+					<string>0</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{430.83098347981803, 515.99999999999989}, {36, 14}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>ID</key>
+			<integer>4026</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf0 Server}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{40.499999999999993, 486.66666666666663}, {31, 14}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>FitText</key>
+			<string>YES</string>
+			<key>Flow</key>
+			<string>Resize</string>
+			<key>ID</key>
+			<integer>4025</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Pad</key>
+				<integer>0</integer>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf0 Client}</string>
+				<key>VerticalPad</key>
+				<integer>0</integer>
+			</dict>
+			<key>Wrap</key>
+			<string>NO</string>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{417.16432189941418, 323.90565299479198}, {63.333332061767578, 185.52200317382812}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>4004</integer>
+			<key>ImageID</key>
+			<integer>6</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{205.34386889139773, 289.33333333333331}, {84, 248.66667175292969}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>4023</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Color</key>
+					<dict>
+						<key>b</key>
+						<string>0</string>
+						<key>g</key>
+						<string>0.463735</string>
+						<key>r</key>
+						<string>1</string>
+					</dict>
+				</dict>
+			</dict>
+			<key>Text</key>
+			<dict>
+				<key>Text</key>
+				<string>{\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf340
+\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;\red37\green17\blue0;}
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
+
+\f0\fs24 \cf2 mitmproxy}</string>
+			</dict>
+		</dict>
+		<dict>
+			<key>Bounds</key>
+			<string>{{4.6666666467984399, 351.33332316080771}, {102.66666412353516, 130.66667175292969}}</string>
+			<key>Class</key>
+			<string>ShapedGraphic</string>
+			<key>ID</key>
+			<integer>134</integer>
+			<key>ImageID</key>
+			<integer>3</integer>
+			<key>Shape</key>
+			<string>Rectangle</string>
+			<key>Style</key>
+			<dict>
+				<key>fill</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>shadow</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+				<key>stroke</key>
+				<dict>
+					<key>Draws</key>
+					<string>NO</string>
+				</dict>
+			</dict>
+		</dict>
+	</array>
+	<key>GridInfo</key>
+	<dict/>
+	<key>GuidesLocked</key>
+	<string>NO</string>
+	<key>GuidesVisible</key>
+	<string>YES</string>
+	<key>HPages</key>
+	<integer>1</integer>
+	<key>ImageCounter</key>
+	<integer>7</integer>
+	<key>ImageLinkBack</key>
+	<array>
+		<dict/>
+		<dict/>
+	</array>
+	<key>ImageList</key>
+	<array>
+		<string>image6.tiff</string>
+		<string>image3.icns</string>
+	</array>
+	<key>KeepToScale</key>
+	<false/>
+	<key>Layers</key>
+	<array>
+		<dict>
+			<key>Lock</key>
+			<string>NO</string>
+			<key>Name</key>
+			<string>Layer 1</string>
+			<key>Print</key>
+			<string>YES</string>
+			<key>View</key>
+			<string>YES</string>
+		</dict>
+	</array>
+	<key>LayoutInfo</key>
+	<dict>
+		<key>Animate</key>
+		<string>NO</string>
+		<key>circoMinDist</key>
+		<real>18</real>
+		<key>circoSeparation</key>
+		<real>0.0</real>
+		<key>layoutEngine</key>
+		<string>dot</string>
+		<key>neatoSeparation</key>
+		<real>0.0</real>
+		<key>twopiSeparation</key>
+		<real>0.0</real>
+	</dict>
+	<key>LinksVisible</key>
+	<string>NO</string>
+	<key>MagnetsVisible</key>
+	<string>NO</string>
+	<key>MasterSheets</key>
+	<array/>
+	<key>ModificationDate</key>
+	<string>2013-01-03 04:13:10 +0000</string>
+	<key>Modifier</key>
+	<string>Aldo Cortesi</string>
+	<key>NotesVisible</key>
+	<string>NO</string>
+	<key>Orientation</key>
+	<integer>2</integer>
+	<key>OriginVisible</key>
+	<string>NO</string>
+	<key>PageBreaks</key>
+	<string>YES</string>
+	<key>PrintInfo</key>
+	<dict>
+		<key>NSBottomMargin</key>
+		<array>
+			<string>float</string>
+			<string>41</string>
+		</array>
+		<key>NSHorizonalPagination</key>
+		<array>
+			<string>coded</string>
+			<string>BAtzdHJlYW10eXBlZIHoA4QBQISEhAhOU051bWJlcgCEhAdOU1ZhbHVlAISECE5TT2JqZWN0AIWEASqEhAFxlwCG</string>
+		</array>
+		<key>NSLeftMargin</key>
+		<array>
+			<string>float</string>
+			<string>18</string>
+		</array>
+		<key>NSPaperSize</key>
+		<array>
+			<string>size</string>
+			<string>{595.19998741149902, 841.79998779296875}</string>
+		</array>
+		<key>NSPrintReverseOrientation</key>
+		<array>
+			<string>int</string>
+			<string>0</string>
+		</array>
+		<key>NSRightMargin</key>
+		<array>
+			<string>float</string>
+			<string>18</string>
+		</array>
+		<key>NSTopMargin</key>
+		<array>
+			<string>float</string>
+			<string>18</string>
+		</array>
+	</dict>
+	<key>PrintOnePage</key>
+	<false/>
+	<key>ReadOnly</key>
+	<string>NO</string>
+	<key>RowAlign</key>
+	<integer>1</integer>
+	<key>RowSpacing</key>
+	<real>36</real>
+	<key>SheetTitle</key>
+	<string>Canvas 1</string>
+	<key>SmartAlignmentGuidesActive</key>
+	<string>YES</string>
+	<key>SmartDistanceGuidesActive</key>
+	<string>YES</string>
+	<key>UniqueID</key>
+	<integer>1</integer>
+	<key>UseEntirePage</key>
+	<false/>
+	<key>VPages</key>
+	<integer>1</integer>
+	<key>WindowInfo</key>
+	<dict>
+		<key>CurrentSheet</key>
+		<integer>0</integer>
+		<key>ExpandedCanvases</key>
+		<array>
+			<dict>
+				<key>name</key>
+				<string>Canvas 1</string>
+			</dict>
+		</array>
+		<key>Frame</key>
+		<string>{{295, 141}, {974, 874}}</string>
+		<key>ListView</key>
+		<true/>
+		<key>OutlineWidth</key>
+		<integer>142</integer>
+		<key>RightSidebar</key>
+		<false/>
+		<key>ShowRuler</key>
+		<true/>
+		<key>Sidebar</key>
+		<true/>
+		<key>SidebarWidth</key>
+		<integer>120</integer>
+		<key>VisibleRegion</key>
+		<string>{{0, 208}, {550, 469.33333333333337}}</string>
+		<key>Zoom</key>
+		<real>1.5</real>
+		<key>ZoomValues</key>
+		<array>
+			<array>
+				<string>Canvas 1</string>
+				<real>1.5</real>
+				<real>1</real>
+			</array>
+		</array>
+	</dict>
+</dict>
+</plist>

doc-src/_websitelayout.html

@@ -1,42 +1,42 @@
-<a href="http://github.com/cortesi/mitmproxy"><img style="position: absolute; top: 0; right: 0; border: 0;" src="https://d3nwyuy0nl342s.cloudfront.net/img/e6bef7a091f5f3138b8cd40bc3e114258dd68ddf/687474703a2f2f73332e616d617a6f6e6177732e636f6d2f6769746875622f726962626f6e732f666f726b6d655f72696768745f7265645f6161303030302e706e67" alt="Fork me on GitHub"></a>
-<div class="yui-t7" id="doc">
-    <div style="" id="hd">
-        <h1><a href="@!urlTo("/index.html")!@">mitmproxy</a> </h1>
-        <div class="HorizontalNavBar">
-            <ul>
-                <li class="inactive"><a href="@!urlTo("/index.html")!@">home</a></li>
-                <li class="active"><a href="@!urlTo("doc/index.html")!@">docs</a></li>
-                <li class="inactive"><a href="@!urlTo("/about.html")!@">about</a></li>
-            </ul>
-        </div>
-        <br>
-        <p>an SSL-capable man-in-the-middle proxy</p>
-    </div>
-    <div id="bd">
-        <div id="yui-main">
-            <div style="" class="yui-b">
-                <!--(block nav)-->
-                <div id="nav">
-                    <!--(block pb)-->
-                    <a href="@!urlTo(previous)!@">prev</a>
-                    <!--(end)-->
-                    <!--(block nb)-->
-                    <a href="@!urlTo(next)!@">next</a>
-                    <!--(end)-->
-                    $!pb if previous and not previous.parent.root else "prev"!$ |
-                    <a href="@!urlTo('doc/index.html')!@">index</a> |
-                    $!nb if next and not next.parent.root else "next"!$
-                </div>
-                <!--(end)-->
-                $!nav if this.title!="docs" else ""!$
-                $!title if this.title!="docs" else "<h1>mitmproxy 0.6 docs</h1>"!$
-                $!body!$
-            </div>
-        </div>
-    </div>
-    <div style="" id="ft">
-        <p>Copyright 2011 Aldo Cortesi</p>
+<div class="navbar navbar-fixed-top">
+  <div class="navbar-inner">
+    <div class="container">
+      <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
+        <span class="icon-bar"></span>
+        <span class="icon-bar"></span>
+        <span class="icon-bar"></span>
+      </a>
+      <a class="brand" href="@!urlTo(idxpath)!@">mitmproxy</a>
+      <div class="nav">
+        <ul class="nav">
+          <li $!'class="active"' if this.match("/index.html", True) else ""!$> <a href="@!top!@/index.html">home</a> </li>
+          <li $!'class="active"' if this.under("/doc") else ""!$><a href="@!top!@/doc/index.html">docs</a></li>
+          <li $!'class="active"' if this.under("/about.html") else ""!$><a href="@!top!@/about.html">about</a></li>
+        </ul>
+      </div>
     </div>
+  </div>
 </div>
 
-$!ga!$
+<div class="container">
+  <div class="row">
+
+    <div class="span3">
+      <div class="well sidebar-nav">
+            $!navbar!$
+      </div>
+    </div>
+    <div class="span9">
+        <div class="page-header">
+        <h1>@!this.title!@</h1>
+        </div>
+        $!body!$
+    </div>
+  </div>
+
+  <hr>
+
+  <footer>
+    <p>@!copyright!@</p>
+  </footer>
+</div>

doc-src/admin.html

@@ -1,7 +0,0 @@
-
-Please send any comments, suggestions and bug reports to <a href="mailto:$!docMaintainerEmail!$">$!docMaintainerEmail!$</a>.
-
-__mitmproxy__ is licensed under Version 3 of the Gnu General Public License,
-the full text of which can be found in the LICENSE file in the source
-distribution.
-

doc-src/anticache.html

@@ -1,10 +0,0 @@
-
-- command-line: _--anticache_ 
-- mitmproxy shortcut: _o_, then _a_
-
-When the __anticache__ option is passed to mitmproxy, it removes headers
-(__if-none-match__ and __if-modified-since__) that might elicit a
-304-not-modified response from the server. This is useful when you want to make
-sure you capture an HTTP exchange in its totality, and during [client
-replay](@!urlTo("clientreplay.html")!@).
-

doc-src/certinstall/android.html

@@ -0,0 +1,53 @@
+The proxy situation on Android is [an
+embarrasment](http://code.google.com/p/android/issues/detail?id=1273).  It's
+scarcely credible, but Android didn't have a global proxy setting at all until
+quite recently, and it's still not supported on many common Android versions.
+In the meantime the app ecosystem has grown used to life without this basic
+necessity, and many apps merrily ignore it even if it's there. This situation
+is improving, but in many circumstances using [transparent
+mode](@!urlTo("transparent.html")!@) is mandatory for testing Android apps.
+
+We used both an Asus Transformer Prime TF201 (Android 4.0.3) and a Nexus 4
+(Android 4.4.4) in the examples below - your device may differ, but the broad
+process should be similar.  On **emulated devices**, there are some [additional
+quirks](https://github.com/mitmproxy/mitmproxy/issues/204#issuecomment-32837093)
+to consider.
+
+
+## Getting the certificate onto the device
+
+The easiest way to get the certificate to the device is to use [the web
+app](@!urlTo("webapp.html")!@). In the rare cases where the web app doesn't
+work, you will need to get the __mitmproxy-ca-cert.cer__ file into the
+__/sdcard__ folder on the device (/sdcard/Download on older devices). This can
+be accomplished in a number of ways:
+
+- If you have the Android Developer Tools installed, you can use [__adb
+push__](http://developer.android.com/tools/help/adb.html).
+- Using a file transfer program like wget (installed on the Android device) to
+copy the file over.
+- Transfer the file using external media like an SD Card. 
+
+Once we have the certificate on the local disk, we need to import it into the
+list of trusted CAs. Go to Settings -> Security -> Credential Storage,
+and select "Install from storage":
+
+<img src="android-settingssecuritymenu.png"/>
+
+The certificate in /sdcard is automatically located and offered for
+installation. Installing the cert will delete the download file from the local
+disk.
+
+
+## Installing the certificate
+
+You should now see something like this (you may have to explicitly name the
+certificate):
+
+<img src="android-settingssecurityinstallca.png"/>
+
+Click OK, and you should then see the certificate listed in the Trusted
+Credentials store:
+
+<img src="android-settingssecurityuserinstalledca.png"/>
+

doc-src/certinstall/firefox.html

@@ -1,19 +1,31 @@
+## Get the certificate to the browser
 
-How to install the __mitmproxy__ certificate authority in Firefox:
+The easiest way to get the certificate to the browser is to use [the web
+app](@!urlTo("webapp.html")!@). If this fails, do the following:
 
-### 1. If needed, copy the ~/.mitmproxy/mitmproxy-ca-cert.pem file to the target.
 
-### 2: Open preferences, click on "Advanced", then select"Encryption":
+<ol class="tlist">
+    <li> If needed, copy the ~/.mitmproxy/mitmproxy-ca-cert.pem file to the target. </li>
 
-<img src="@!urlTo('firefox3.jpg')!@"/>
+    <li>Open preferences, click on "Advanced", then select"Certificates":
+        <img src="@!urlTo('firefox3.jpg')!@"/>
+    </li>
 
-### 3: Click "View Certificates", "Import", and select the certificate file: 
+    <li> Click "View Certificates", "Import", and select the certificate file: 
+        <img src="@!urlTo('firefox3-import.jpg')!@"/>
+    </li>
 
-<img src="@!urlTo('firefox3-import.jpg')!@"/>
+</ol>
 
-### 4: Tick "Trust this CS to identify web sites", and click "Ok":
 
-<img src="@!urlTo('firefox3-trust.jpg')!@"/>
+## Installing the certificate
 
-You should now see the mitmproxy certificate listed in the Authorities tab.
+<ol class="tlist">
+    <li>Tick "Trust this CA to identify web sites", and click "Ok":
+        <img src="@!urlTo('firefox3-trust.jpg')!@"/>
+    </li>
+
+    <li> You should now see the mitmproxy certificate listed in the Authorities
+    tab.</li>
+</ol>
 

doc-src/certinstall/index.py

@@ -1,8 +1,13 @@
 from countershape import Page
 
 pages = [
+    Page("webapp.html", "Using the Web App"),
     Page("firefox.html", "Firefox"),
     Page("osx.html", "OSX"),
     Page("windows7.html", "Windows 7"),
     Page("ios.html", "IOS"),
+    Page("ios-simulator.html", "IOS Simulator"),
+    Page("android.html", "Android"),
+    Page("java.html", "Java"),
+    Page("mitm.it-error.html", "Error: No proxy configured"),
 ]

doc-src/certinstall/ios-simulator.html

@@ -0,0 +1,23 @@
+
+How to install the __mitmproxy__ certificate authority in the IOS simulator:
+
+<ol class="tlist">
+
+    <li> First, check out the <a
+    href="https://github.com/ADVTOOLS/ADVTrustStore">ADVTrustStore</a> tool
+    from github.</li>
+
+    <li> Now, run the following command:
+
+    <pre class="terminal">./iosCertTrustManager.py -a ~/.mitmproxy/mitmproxy-ca-cert.pem</pre>
+
+    </li>
+
+</ol>
+
+
+Note that although the IOS simulator has its own certificate store, it shares
+the proxy settings of the host operating system. You will therefore to have
+configure your OSX host's proxy settings to use the mitmproxy instance you want
+to test with.
+

doc-src/certinstall/ios.html

@@ -1,18 +1,27 @@
 
-How to install the __mitmproxy__ certificate authority on IOS devices:
+## Getting the certificate onto the device
 
-### 1: Set up the Mail app on the device to receive email.
+The easiest way to get the certificate to the device is to use [the web
+app](@!urlTo("webapp.html")!@). In the rare cases where the web app doesn't
+work, you will need to get the __mitmproxy-ca-cert.pem__ file to the device to
+install it. The easiest way to accomplish this is to set up the Mail app on the
+device, and to email it over as an attachment. Open the email, tap on the
+attachment, then proceed with the install.
 
-### 2: Mail the mitmproxy-ca-cert.pem file to the device, and tap on the attachment.
 
-### 3: You will be prompted to install a profile. Click "Install":
+## Installing the certificate
 
-<img src="@!urlTo('ios-profile.png')!@"/>
+<ol class="tlist">
+    <li>You will be prompted to install a profile. Click "Install":
 
-### 4: Accept the warning by clicking "Install" again:
+    <img src="@!urlTo('ios-profile.png')!@"/></li>
 
-<img src="@!urlTo('ios-warning.png')!@"/>
+    <li>Accept the warning by clicking "Install" again:
 
-### 5: The certificate should now be trusted:
+    <img src="@!urlTo('ios-warning.png')!@"/></li>
 
-<img src="@!urlTo('ios-installed.png')!@"/>
+    <li>The certificate should now be trusted:
+
+    <img src="@!urlTo('ios-installed.png')!@"/></li>
+
+</ol>

doc-src/certinstall/java.html

@@ -0,0 +1,13 @@
+
+You can add the mitmproxy certificates to the Java trust store using
+[keytool](http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html).
+On OSX, the required command looks like this:
+
+<pre class="terminal">
+sudo keytool -importcert -alias mitmproxy -storepass "password" \
+-keystore /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts \
+-trustcacerts -file ~/.mitmproxy/mitmproxy-ca-cert.pem
+</pre>
+
+Note that your store password will (hopefully) be different from the one above.
+

doc-src/certinstall/mitm.it-error.html

@@ -0,0 +1,5 @@
+**Looks like you wanted to install the mitmproxy CA using the web app?**
+
+Unfortunately, there's been no mitmproxy instance on the wire that could have intercepted your request.
+Please configure your client to use mitmproxy and try again.<br>
+The request to <a href="http://mitm.it/">http://mitm.it/</a> must go through your mitmproxy instance.

doc-src/certinstall/osx.html

@@ -1,13 +1,16 @@
 
 How to install the __mitmproxy__ certificate authority in OSX:
 
-### 1: Open Finder, and double-click on the mitmproxy-ca-cert.pem file.
+<ol class="tlist">
 
+    <li>Open Finder, and double-click on the mitmproxy-ca-cert.pem file.</li>
 
-### 2: You will be prompted to add the certificate. Click "Always Trust": 
+    <li>You will be prompted to add the certificate. Click "Always Trust": 
 
-<img src="@!urlTo('osx-addcert-alwaystrust.png')!@"/>
+        <img src="@!urlTo('osx-addcert-alwaystrust.png')!@"/>
+    </li>
 
-You may be prompted for your password. You should now see the mitmproxy cert
-listed under "Certificates".
+    <li> You may be prompted for your password. You should now see the
+    mitmproxy cert listed under "Certificates".</li>
+</ol>
 

doc-src/certinstall/webapp.html

@@ -0,0 +1,13 @@
+
+By far the easiest way to install the mitmproxy certs is to use the built-in
+web app. To do this, start mitmproxy and configure your target device with the
+correct proxy settings. Now start a browser on the device, and visit the magic
+domain **mitm.it**. You should see something like this:
+
+<img src="@!urlTo("webapp.png")!@"></img>
+
+Just click on the relevant icon, and then follow the setup instructions
+for the platform you're on.
+
+Make sure you aren't using a bandwith optimizer (like Google's Data Compression
+Proxy on Chrome for Android) or the page will not load.

doc-src/certinstall/windows7.html

@@ -1,19 +1,35 @@
 
 How to install the __mitmproxy__ certificate authority in Windows 7:
 
-### 1: Copy the ~/.mitmproxy/mitmproxy-ca-cert.p12 file to the target system.
+<ol class="tlist">
 
-### 2: Double-click the certificate file. You should see a certificate import wizard:
+    <li> The easiest way to get the certificate to the device is to use <a
+        href="@!urlTo("webapp.html")!@">the web app</a>. If this fails for some
+    reason, simply copy the ~/.mitmproxy/mitmproxy-ca-cert.p12 file to the
+    target system and double-click it.  </li>
 
-<img src="@!urlTo('win7-wizard.png')!@"/>
+    <li> 
+        You should see a certificate import wizard: 
 
-### 3: Click "Next" until you're prompted for the certificate store:
+        <img src="@!urlTo('win7-wizard.png')!@"/>
+    </li>
 
-<img src="@!urlTo('win7-certstore.png')!@"/>
+    <li> 
+        Click "Next" until you're prompted for the certificate store:
 
-### 4: Select "Place all certificates in the following store", and select "Trusted Root Certification Authorities":
+        <img src="@!urlTo('win7-certstore.png')!@"/>
 
-<img src="@!urlTo('win7-certstore-trustedroot.png')!@"/>
+    </li>
 
-### 5: Click "Next" and "Finish". 
+
+    <li> 
+        <p>Select "Place all certificates in the following store", and select "Trusted Root Certification Authorities":</p>
+
+        <img src="@!urlTo('win7-certstore-trustedroot.png')!@"/>
+
+    </li>
+
+    <li> Click "Next" and "Finish". </li>
+
+</ol>
 

doc-src/custom-routing.txt

@@ -0,0 +1,24 @@
+# Adapted from http://tldp.org/HOWTO/TransparentProxy-6.html (6.2 Second method)
+# Note that the choice of firewall mark (3) and routing table (2) was fairly arbitrary.
+# If you are already using policy routing or firewall marking for some other purpose,
+# make sure you choose unique numbers here. Otherwise, don't worry about it.
+
+
+
+# On the router, run
+
+PROXY_IP=192.168.1.100
+TARGET_IP=192.168.1.110
+
+iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s ! $TARGET_IP
+# Alternative to MITM the whole network:
+# iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s  $PROXY_IP
+iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
+ip rule add fwmark 3 table 2
+ip route add default via $PROXY_IP dev br0 table 2
+
+
+
+# On the proxy machine, run
+
+iptables -A PREROUTING -t nat -i eth0 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 8080

doc-src/dev/addingviews.html

@@ -0,0 +1,52 @@
+As discussed in [the Flow View section of the mitmproxy
+overview](@!urlTo("mitmproxy.html")!@), mitmproxy allows you to inspect and
+manipulate flows.  When inspecting a single flow, mitmproxy uses a number of
+heuristics to show a friendly view of various content types; if mitmproxy
+cannot show a friendly view, mitmproxy defaults to a __raw__ view.
+
+Each content type invokes a different flow viewer to parse the data and display
+the friendly view. Users can add custom content viewers by adding a view class
+to contentview.py, discussed below.
+
+## Adding a new View class to contentview.py
+
+The content viewers used by mitmproxy to present a friendly view of various
+content types are stored in contentview.py.  Reviewing this file shows a number
+of classes named ViewSomeDataType, each with the properties: __name__,
+__prompt__, and __content\_types__ and a function named __\_\_call\_\___.
+
+Adding a new content viewer to parse a data type is as simple as writing a new
+View class.  Your new content viewer View class should have the same properties
+as the other View classes: __name__, __prompt__, and __content\_types__ and a
+__\_\_call\_\___ function to parse the content of the request/response. 
+
+* The __name__ property should be a string describing the contents and new content viewer; 
+* The __prompt__ property should be a two item tuple:
+
+  - __1__: A string that will be used to display the new content viewer's type; and
+  - __2__: A one character string that will be the hotkey used to select the new content viewer from the Flow View screen; 
+
+* The __content\_types__ property should be a list of strings of HTTP Content\-Types that the new content viewer can parse.  
+  * Note that mitmproxy will use the content\_types to try and heuristically show a friendly view of content and that you can override the built-in views by populating content\_types with values for content\_types that are already parsed -- e.g. "image/png".
+
+After defining the __name__, __prompt__, and __content\_types__ properties of
+the class, you should write the __\_\_call\_\___ function, which will parse the
+request/response data and provide a friendly view of the data.  The
+__\_\_call\_\___ function should take the following arguments: __self__,
+__hdrs__, __content__, __limit__; __hdrs__ is a ODictCaseless object containing
+the headers of the request/response; __content__ is the content of the
+request/response, and __limit__ is an integer representing the amount of data
+to display in the view window.
+
+The __\_\_call\_\___ function returns two values: (1) a string describing the
+parsed data; and (2) the parsed data for friendly display.  The parsed data to
+be displayed should be a list of strings formatted for display.  You can use
+the __\_view\_text__ function in contentview.py to format text for display.
+Alternatively, you can display content as a series of key-value pairs; to do
+so, prepare a list of lists, where each list item is a two item list -- a key
+that describes the data, and then the data itself; after preparing the list of
+lists, use the __common.format\_keyvals__ function on it to prepare it as text
+for display.  
+
+If the new content viewer fails or throws an exception, mitmproxy will default
+to a __raw__ view.

doc-src/dev/architecture.html

@@ -0,0 +1,8 @@
+To give you a better understanding of how mitmproxy works, mitmproxy's high-level architecture is detailed
+in the following graphic:
+
+<img src="@!urlTo('schematics/architecture.png')!@">
+
+<a href="@!urlTo('schematics/architecture.pdf')!@">(architecture.pdf)</a>
+<p>Please don't refrain from asking any further
+questions on the mailing list, the IRC channel or the GitHub issue tracker.</p>

doc-src/dev/index.py

@@ -0,0 +1,7 @@
+from countershape import Page
+
+pages = [
+     Page("testing.html", "Testing"),
+     Page("architecture.html", "Architecture"),
+#    Page("addingviews.html", "Writing Content Views"),
+]

doc-src/dev/testing.html

@@ -0,0 +1,43 @@
+
+All the mitmproxy projects strive to maintain 100% code coverage. In general,
+patches and pull requests will be declined unless they're accompanied by a
+suitable extension to the test suite. 
+
+Our tests are written for the [nose](https://nose.readthedocs.org/en/latest/).
+At the point where you send your pull request, a command like this:
+
+<pre class="terminal">
+> nosetests --with-cov --cov-report term-missing ./test
+</pre>
+
+Should give output something like this:
+
+<pre class="terminal">
+> ---------- coverage: platform darwin, python 2.7.2-final-0 --
+> Name                   Stmts   Miss  Cover   Missing
+> ----------------------------------------------------
+> libmproxy/__init__         0      0   100%
+> libmproxy/app              4      0   100%
+> libmproxy/cmdline        100      0   100%
+> libmproxy/controller      69      0   100%
+> libmproxy/dump           150      0   100%
+> libmproxy/encoding        39      0   100%
+> libmproxy/filt           201      0   100%
+> libmproxy/flow           891      0   100%
+> libmproxy/proxy          427      0   100%
+> libmproxy/script          27      0   100%
+> libmproxy/utils          133      0   100%
+> libmproxy/version          4      0   100%
+> ----------------------------------------------------
+> TOTAL                   2045      0   100%
+> ----------------------------------------------------
+> Ran 251 tests in 11.864s
+</pre>
+
+
+There are exceptions to the coverage requirement - for instance, much of the
+console interface code can't sensibly be unit tested. These portions are
+excluded from coverage analysis either in the **.coveragerc** file, or using
+**#pragma no-cover** directives. To keep our coverage analysis relevant, we use
+these measures as sparingly as possible.
+

doc-src/faq.html

@@ -1,19 +0,0 @@
-
-### Any tips for running mitmproxy on OSX?
-
-You can use the OSX <b>open</b> program to create a simple and effective
-<b>~/.mailcap</b> file to view HTTP bodies:
-
-<pre>
-application/*; /usr/bin/open -Wn %s
-audio/*; /usr/bin/open -Wn %s
-image/*; /usr/bin/open -Wn %s
-video/*; /usr/bin/open -Wn %s
-</pre>
-
-
-### I'd like to hack on mitmproxy. What should I work on?
-
-There's a __todo__ file at the top of the source tree that outlines a variety
-of tasks, from simple to complex. If you don't have your own itch, feel free to
-scratch one of those!

doc-src/features/anticache.html

@@ -0,0 +1,18 @@
+
+When the __anticache__ option is passed to mitmproxy, it removes headers
+(__if-none-match__ and __if-modified-since__) that might elicit a
+304-not-modified response from the server. This is useful when you want to make
+sure you capture an HTTP exchange in its totality. It's also often used during
+[client replay](@!urlTo("clientreplay.html")!@), when you want to make sure the
+server responds with complete data.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>--anticache</td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>o</b> then <b>a</b></td>
+        </tr>
+    </tbody>
+</table>

doc-src/features/clientreplay.html

@@ -1,7 +1,4 @@
 
-- command-line: _-c path_ 
-- mitmproxy shortcut: _c_
-
 Client-side replay does what it says on the tin: you provide a previously saved
 HTTP conversation, and mitmproxy replays the client requests one by one. Note
 that mitmproxy serializes the requests, waiting for a response from the server
@@ -9,6 +6,17 @@ before starting the next request. This might differ from the recorded
 conversation, where requests may have been made concurrently.
 
 You may want to use client-side replay in conjunction with the
-[anticache](@!urlTo("anticache.html")!@) option. 
+[anticache](@!urlTo("anticache.html")!@) option, to make sure the server
+responds with complete data. 
 
 
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>-c path</td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>c</b></td>
+        </tr>
+    </tbody>
+</table>

doc-src/features/filters.html

@@ -2,13 +2,15 @@
 Many commands in __mitmproxy__ and __mitmdump__ take a filter expression.
 Filter expressions consist of the following operators:
 
-<table>
+<table class="table">
+    <tbody>
     <!--(for i in filt_help)-->
         <tr>
             <td class="filt_cmd">@!i[0]!@</td>
             <td class="filt_help">@!i[1]!@</td>
         </tr>
     <!--(end)-->
+    </tbody>
 </table>
 
 - Regexes are Python-style
@@ -26,9 +28,9 @@ URL containing "google.com":
 
 Requests whose body contains the string "test":
 
-    ~r ~b test
+    ~q ~b test
 
 Anything but requests with a text/html content type:
 
-    !(~r & ~t \"text/html\")
+    !(~q & ~t \"text/html\")
 

doc-src/features/index.py

@@ -0,0 +1,19 @@
+from countershape import Page
+
+pages = [
+    Page("anticache.html", "Anticache"),
+    Page("clientreplay.html", "Client-side replay"),
+    Page("filters.html", "Filter expressions"),
+    Page("passthrough.html", "Ignore Domains"),
+    Page("proxyauth.html", "Proxy Authentication"),
+    Page("replacements.html", "Replacements"),
+    Page("responsestreaming.html", "Response Streaming"),
+    Page("reverseproxy.html", "Reverse proxy mode"),
+    Page("socksproxy.html", "SOCKS Mode"),
+    Page("setheaders.html", "Set Headers"),
+    Page("serverreplay.html", "Server-side replay"),
+    Page("sticky.html", "Sticky cookies and auth"),
+    Page("tcpproxy.html", "TCP Proxy"),
+    Page("upstreamcerts.html", "Upstream Certs"),
+    Page("upstreamproxy.html", "Upstream proxy mode"),
+]

doc-src/features/passthrough.html

@@ -0,0 +1,81 @@
+There are two main reasons why you may want to exempt some traffic from mitmproxy's interception mechanism:
+
+- **Certificate pinning:** Some traffic is is protected using
+  [certificate pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning) and mitmproxy's
+  interception leads to errors. For example, Windows Update or the Apple App Store fail to work if mitmproxy is active.
+- **Convenience:** You really don't care about some parts of the traffic and just want them to go away.
+
+If you want to peek into (SSL-protected) non-HTTP connections, check out the [tcp proxy](@!urlTo("tcpproxy.html")!@) feature.
+If you want to ignore traffic from mitmproxy's processing because of large response bodies, take a look at the
+[response streaming](@!urlTo("responsestreaming.html")!@) feature.
+
+## How it works
+
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>--ignore regex</td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>I</b></td>
+        </tr>
+    </tbody>
+</table>
+
+
+mitmproxy allows you to specify a regex which is matched against a <code>host:port</code> string (e.g. "example.com:443")
+to determine hosts that should be excluded. 
+
+There are two important quirks to consider:
+
+- **In transparent mode, the ignore pattern is matched against the IP.** While we usually infer the hostname from the 
+  Host header if the --host argument is passed to mitmproxy, we do not have access to this information before the SSL
+  handshake.
+- In regular mode, explicit HTTP requests are never ignored.[^explicithttp] The ignore pattern is applied on CONNECT
+  requests, which initiate HTTPS or clear-text WebSocket connections.
+
+
+### Tutorial
+
+If you just want to ignore one specific domain, there's usually a bulletproof method to do so:
+
+1. Run mitmproxy or mitmdump in verbose mode (-v) and observe the host:port information in the serverconnect 
+messages. mitmproxy will filter on these.
+2. Take the host:port string, surround it with ^ and $, escape all dots (. becomes \\.) 
+and use this as your ignore pattern:
+
+<pre class="terminal">
+$ mitmdump -v
+127.0.0.1:50588: clientconnect
+127.0.0.1:50588: request
+  -> CONNECT example.com:443 HTTP/1.1
+127.0.0.1:50588: Set new server address: example.com:443
+<span style="color: white">127.0.0.1:50588: serverconnect
+  -> example.com:443</span>
+^C
+$ <span style="color: white">mitmproxy --ignore ^example\.com:443$</span>    
+</pre>
+
+Here are some other examples for ignore patterns:
+<pre>
+# Exempt traffic from the iOS App Store (usually just works):
+--ignore apple.com:443  
+# "Correct" version without false-positives:
+--ignore ^(.+\.)?apple\.com:443$ 
+    
+# Ignore example.com on all ports, but no subdomains:
+--ignore ^example.com:
+    
+# Transparent mode:
+--ignore 17\.178\.96\.59:443
+# IP address range:
+--ignore 17\.178\.\d+\.\d+:443
+</pre>
+
+### See Also
+
+- [TCP Proxy](@!urlTo("tcpproxy.html")!@)
+- [Response Streaming](@!urlTo("responsestreaming.html")!@)
+
+[^explicithttp]: This stems from an limitation of explicit HTTP proxying: A single connection can be re-used for multiple target domains - a <code>GET http://example.com/</code> request may be followed by a <code>GET http://evil.com/</code> request on the same connection. If we start to ignore the connection after the first request, we would miss the relevant second one.

doc-src/features/proxyauth.html

@@ -0,0 +1,26 @@
+
+Asks the user for authentication before they are permitted to use the proxy.
+Authentication headers are stripped from the flows, so they are not passed to
+upstream servers. For now, only HTTP Basic authentication is supported. The
+proxy auth options are ignored if the proxy is in transparent or reverse proxy
+mode.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th>
+            <td>
+                <ul>
+                    <li>--nonanonymous</li>
+
+                    <li>--singleuser USER</li>
+
+                    <li>--htpasswd PATH</li>
+                </ul>
+            </td>
+        </tr>
+    </tbody>
+</table>
+
+
+

doc-src/features/replacements.html

@@ -0,0 +1,74 @@
+Mitmproxy lets you specify an arbitrary number of patterns that define text
+replacements within flows. Each pattern has 3 components: a filter that defines
+which flows a replacement applies to, a regular expression that defines what
+gets replaced, and a target value that defines what is substituted in.
+
+Replace hooks fire when either a client request or a server response is
+received. Only the matching flow component is affected: so, for example, if a
+replace hook is triggered on server response, the replacement is only run on
+the Response object leaving the Request intact. You control whether the hook
+triggers on the request, response or both using the filter pattern. If you need
+finer-grained control than this, it's simple to create a script using the
+replacement API on Flow components. 
+
+Replacement hooks are extremely handy in interactive testing of applications.
+For instance you can use a replace hook to replace the text "XSS" with a
+complicated XSS exploit, and then "inject" the exploit simply by interacting
+with the application through the browser. When used with tools like Firebug and
+mitmproxy's own interception abilities, replacement hooks can be an amazingly
+flexible and powerful feature. 
+
+
+## On the command-line
+
+The replacement hook command-line options use a compact syntax to make it easy
+to specify all three components at once. The general form is as follows:
+
+    /patt/regex/replacement
+
+Here, __patt__ is a mitmproxy filter expression, __regex__ is a valid Python
+regular expression, and __replacement__ is a string literal. The first
+character in the expression (__/__ in this case) defines what the separation
+character is. Here's an example of a valid expression that replaces "foo" with
+"bar" in all requests:
+
+    :~q:foo:bar
+
+In practice, it's pretty common for the replacement literal to be long and
+complex. For instance, it might be an XSS exploit that weighs in at hundreds or
+thousands of characters. To cope with this, there's a variation of the
+replacement hook specifier that lets you load the replacement text from a file.
+So, you might start __mitmdump__ as follows:
+
+<pre class="terminal">
+mitmdump --replace-from-file :~q:foo:~/xss-exploit
+</pre>
+
+This will load the replacement text from the file __~/xss-exploit__.
+
+Both the _--replace_ and _--replace-from-file_ flags can be passed multiple
+times.
+
+
+## Interactively
+
+The _R_ shortcut key in mitmproxy lets you add and edit replacement hooks using
+a built-in editor. The context-sensitive help (_h_) has complete usage
+information.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th>
+            <td>
+                <ul>
+                    <li>--replace</li>
+                    <li>--replace-from-file</li>
+                </ul>
+            </td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>R</b></td>
+        </tr>
+    </tbody>
+</table>

doc-src/features/responsestreaming.html

@@ -0,0 +1,54 @@
+By using mitmproxy's streaming feature, response contents can be passed to the client incrementally before they have been fully received by the proxy.
+This is especially useful for large binary files such as videos, where buffering the whole file slows down the client's browser.
+
+By default, mitmproxy will read the entire response, perform any indicated
+manipulations on it and then send the (possibly modified) response to
+the client. In some cases this is undesirable and you may wish to "stream"
+the reponse back to the client. When streaming is enabled, the response is
+not buffered on the proxy but directly sent back to the client instead.
+
+<h2>On the command-line</h2>
+
+Streaming can be enabled on the command line for all response bodies exceeding a certain size.  The SIZE argument understands
+k/m/g suffixes, e.g. 3m for 3 megabytes.
+
+<table class="table">
+    <tbody>
+    <tr>
+        <th width="20%">command-line</th>
+        <td>
+            --stream SIZE
+        </td>
+    </tr>
+    </tbody>
+</table>
+
+
+<h2>Caveats</h2>
+
+When response streaming is enabled, <strong>streamed response contents will not be
+    recorded or preserved in any way.</strong>
+
+When response streaming is enabled, the response body cannot be modified.
+
+<h2>Customizing Response Streaming</h2>
+
+You can also use an <a href="@!urlTo("scripting/inlinescripts.html")!@">inline script</a> to customize exactly
+which responses are streamed.
+
+Responses that should be tagged for streaming by setting their respective .stream attribute to True:
+
+$!example("examples/stream.py")!$
+
+
+<h2>Implementation Details</h2>
+
+When response streaming is enabled, portions of the code which would have otherwise performed changes
+on the response body will see an empty response body instead (<code>libmproxy.protocol.http.CONTENT_MISSING</code>). Any modifications will be ignored.
+
+Streamed responses are usually sent in chunks of 4096 bytes. If the response is sent with a <code>Transfer-Encoding:
+    chunked</code> header, the response will be streamed one chunk at a time.
+
+### See Also
+
+- [Ignore Domains](@!urlTo("passthrough.html")!@)

doc-src/features/reverseproxy.html

@@ -0,0 +1,28 @@
+
+In reverse proxy mode, mitmproxy accepts standard HTTP requests and forwards
+them to the specified upstream server. This is in contrast to
+<a href="@!urlTo("upstreamproxy.html")!@">upstream proxy mode</a>, in which
+mitmproxy forwards HTTP proxy requests to an upstream proxy server.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>-R <i>schema</i>://hostname[:port]</td>
+        </tr>
+    </tbody>
+</table>
+
+Here, **schema** is one of http, https, http2https or https2http. The latter
+two extended schema specifications control the use of HTTP and HTTPS on
+mitmproxy and the upstream server. You can indicate that mitmproxy should use
+HTTP, and the upstream server uses HTTPS like this:
+
+	http2https://hostname:port
+
+And you can indicate that mitmproxy should use HTTPS while the upstream
+service uses HTTP like this:
+
+	https2http://hostname:port
+
+
+

doc-src/features/setheaders.html

@@ -0,0 +1,18 @@
+
+This feature lets you specify a set of headers to be added to requests or
+responses, based on a filter pattern. You can specify these either on the
+command-line, or through an interactive editor in mitmproxy.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th>
+            <td>
+                --setheader PATTERN
+            </td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>H</b></td>
+        </tr>
+    </tbody>
+</table>

doc-src/features/socksproxy.html

@@ -0,0 +1,10 @@
+
+In this mode, mitmproxy acts as a SOCKS5 proxy server.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>--socks</td>
+        </tr>
+    </tbody>
+</table>

doc-src/features/sticky.html

@@ -1,10 +1,6 @@
 
 ## Sticky cookies
 
-- command-line: _-t_ (sticky cookies on all requests)
-- command-line: _-T filt_ (sticky cookies on requests matching filt)
-- mitmproxy shortcut: _t_
-
 When the sticky cookie option is set, __mitmproxy__ will add the cookie most
 recently set by the server to any cookie-less request. Consider a service that
 sets a cookie to track the session after authentication. Using sticky cookies,
@@ -20,15 +16,45 @@ replay](@!urlTo("clientreplay.html")!@) - you can record the authentication
 process once, and simply replay it on startup every time you need to interact
 with the secured resources.
 
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th>
+            <td>
+                <ul>
+                    <li>-t FILTER</li>
+                </ul>
+            </td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>t</b></td>
+        </tr>
+    </tbody>
+</table>
+
 
 ## Sticky auth
 
-- command-line: _-u_ (sticky auth on all requests)
-- command-line: _-U filt_ (sticky auth on requests matching filt)
-- mitmproxy shortcut: _u_
-
 The sticky auth option is analogous to the sticky cookie option, in that HTTP
 __Authorization__ headers are simply replayed to the server once they have been
 seen. This is enough to allow you to access a server resource using HTTP Basic
 authentication through the proxy. Note that __mitmproxy__ doesn't (yet) support
 replay of HTTP Digest authentication. 
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th>
+            <td>
+                <ul>
+                    <li>-u FILTER</li>
+                </ul>
+            </td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>u</b></td>
+        </tr>
+    </tbody>
+</table>
+
+

doc-src/features/tcpproxy.html

@@ -0,0 +1,30 @@
+WebSockets or other non-HTTP protocols are not supported by mitmproxy yet. However, you can exempt hostnames from
+processing, so that mitmproxy acts as a generic TCP forwarder. This feature is closely related to the
+[ignore domains](@!urlTo("passthrough.html")!@) functionality, but differs in two important aspects:
+
+- The raw TCP messages are printed to the event log.
+- SSL connections will be intercepted.
+
+Please note that message interception or modification are not possible yet.
+If you are not interested in the raw TCP messages, you should use the ignore domains feature.
+
+## How it works
+
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>--tcp HOST</td>
+        </tr>
+        <tr>
+            <th>mitmproxy shortcut</th> <td><b>T</b></td>
+        </tr>
+    </tbody>
+</table>
+
+For a detailed description on the structure of the hostname pattern, please refer to the [Ignore Domains](@!urlTo("passthrough.html")!@) feature.
+
+### See Also
+
+- [Ignore Domains](@!urlTo("passthrough.html")!@)
+- [Response Streaming](@!urlTo("responsestreaming.html")!@)

doc-src/features/upstreamcerts.html

@@ -0,0 +1,21 @@
+When mitmproxy receives a connection destined for an SSL-protected service, it
+freezes the connection before reading its request data, and makes a connection
+to the upstream server to "sniff" the contents of its SSL certificate. The
+information gained - the __Common Name__ and __Subject Alternative Names__ - is
+then used to generate the interception certificate, which is sent to the client
+so the connection can continue.
+
+This rather intricate little dance lets us seamlessly generate correct
+certificates even if the client has specifed only an IP address rather than the
+hostname. It also means that we don't need to sniff additional data to generate
+certs in transparent mode.
+
+Upstream cert sniffing is on by default, and can optionally be turned off.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>--no-upstream-cert</td>
+        </tr>
+    </tbody>
+</table>

doc-src/features/upstreamproxy.html

@@ -0,0 +1,27 @@
+
+In this mode, mitmproxy accepts proxy requests and unconditionally forwards all
+requests to a specified upstream proxy server. This is in contrast to <a
+href="@!urlTo("reverseproxy.html")!@">reverse proxy mode</a>, in which
+mitmproxy forwards ordinary HTTP requests to an upstream server.
+
+<table class="table">
+    <tbody>
+        <tr>
+            <th width="20%">command-line</th> <td>-U http://hostname[:port]</td>
+        </tr>
+    </tbody>
+</table>
+
+Here, **schema** is one of http, https, http2https or https2http. The latter
+two extended schema specifications control the use of HTTP and HTTPS on
+mitmproxy and the upstream server. You can indicate that mitmproxy should use
+HTTP, and the upstream server uses HTTPS like this:
+
+	http2https://hostname:port
+
+And you can indicate that mitmproxy should use HTTPS while the upstream
+service uses HTTP like this:
+
+	https2http://hostname:port
+
+

doc-src/howmitmproxy.html

@@ -0,0 +1,360 @@
+
+
+Mitmproxy is an enormously flexible tool. Knowing exactly how the proxying
+process works will help you deploy it creatively, and take into account its
+fundamental assumptions and how to work around them. This document explains
+mitmproxy's proxy mechanism in detail, starting with the simplest unencrypted
+explicit proxying, and working up to the most complicated interaction -
+transparent proxying of SSL-protected traffic[^ssl] in the presence of
+[SNI](http://en.wikipedia.org/wiki/Server_Name_Indication).
+
+
+<div class="page-header">
+    <h1>Explicit HTTP</h1>
+</div>
+
+Configuring the client to use mitmproxy as an explicit proxy is the simplest
+and most reliable way to intercept traffic. The proxy protocol is codified in
+the [HTTP RFC](http://www.ietf.org/rfc/rfc2068.txt), so the behaviour of both
+the client and the server is well defined, and usually reliable. In the
+simplest possible interaction with mitmproxy, a client connects directly to the
+proxy, and makes a request that looks like this:
+
+<pre>GET http://example.com/index.html HTTP/1.1</pre>
+
+This is a proxy GET request - an extended form of the vanilla HTTP GET request
+that includes a schema and host specification, and it includes all the
+information mitmproxy needs to proceed.
+
+<img src="explicit.png"/>
+
+<table class="table">
+    <tbody>
+        <tr>
+
+            <td><b>1</b></td>
+
+            <td>The client connects to the proxy and makes a request.</td>
+
+        </tr>
+
+        <tr>
+
+            <td><b>2</b></td>
+
+            <td>Mitmproxy connects to the upstream server and simply forwards
+            the request on.</td>
+
+        </tr>
+    </tbody>
+</table>
+
+
+<div class="page-header">
+    <h1>Explicit HTTPS</h1>
+</div>
+
+The process for an explicitly proxied HTTPS connection is quite different. The
+client connects to the proxy and makes a request that looks like this:
+
+<pre>CONNECT example.com:443 HTTP/1.1</pre>
+
+A conventional proxy can neither view nor manipulate an SSL-encrypted data
+stream, so a CONNECT request simply asks the proxy to open a pipe between the
+client and server. The proxy here is just a facilitator - it blindly forwards
+data in both directions without knowing anything about the contents. The
+negotiation of the SSL connection happens over this pipe, and the subsequent
+flow of requests and responses are completely opaque to the proxy.
+
+## The MITM in mitmproxy
+
+This is where mitmproxy's fundamental trick comes into play. The MITM in its
+name stands for Man-In-The-Middle - a reference to the process we use to
+intercept and interfere with these theoretically opaque data streams. The basic
+idea is to pretend to be the server to the client, and pretend to be the client
+to the server, while we sit in the middle decoding traffic from both sides. The
+tricky part is that the [Certificate
+Authority](http://en.wikipedia.org/wiki/Certificate_authority) system is
+designed to prevent exactly this attack, by allowing a trusted third-party to
+cryptographically sign a server's SSL certificates to verify that they are
+legit. If this signature doesn't match or is from a non-trusted party, a secure
+client will simply drop the connection and refuse to proceed. Despite the many
+shortcomings of the CA system as it exists today, this is usually fatal to
+attempts to MITM an SSL connection for analysis. Our answer to this conundrum
+is to become a trusted Certificate Authority ourselves. Mitmproxy includes a
+full CA implementation that generates interception certificates on the fly. To
+get the client to trust these certificates, we [register mitmproxy as a trusted
+CA with the device manually](@!urlTo("ssl.html")!@).
+
+## Complication 1: What's the remote hostname?
+
+To proceed with this plan, we need to know the domain name to use in the
+interception certificate - the client will verify that the certificate is for
+the domain it's connecting to, and abort if this is not the case. At first
+blush, it seems that the CONNECT request above gives us all we need - in this
+example, both of these values are "example.com".  But what if the client had
+initiated the connection as follows:
+
+<pre>CONNECT 10.1.1.1:443 HTTP/1.1</pre>
+
+Using the IP address is perfectly legitimate because it gives us enough
+information to initiate the pipe, even though it doesn't reveal the remote
+hostname.
+
+Mitmproxy has a cunning mechanism that smooths this over - [upstream
+certificate sniffing](@!urlTo("features/upstreamcerts.html")!@). As soon as we
+see the CONNECT request, we pause the client part of the conversation, and
+initiate a simultaneous connection to the server. We complete the SSL handshake
+with the server, and inspect the certificates it used. Now, we use the Common
+Name in the upstream SSL certificates to generate the dummy certificate for the
+client. Voila, we have the correct hostname to present to the client, even if
+it was never specified.
+
+
+## Complication 2: Subject Alternative Name
+
+Enter the next complication. Sometimes, the certificate Common Name is not, in
+fact, the hostname that the client is connecting to. This is because of the
+optional [Subject Alternative
+Name](http://en.wikipedia.org/wiki/SubjectAltName) field in the SSL certificate
+that allows an arbitrary number of alternative domains to be specified. If the
+expected domain matches any of these, the client will proceed, even though the
+domain doesn't match the certificate Common Name. The answer here is simple:
+when extract the CN from the upstream cert, we also extract the SANs, and add
+them to the generated dummy certificate.
+
+
+## Complication 3: Server Name Indication
+
+One of the big limitations of vanilla SSL is that each certificate requires its
+own IP address. This means that you couldn't do virtual hosting where multiple
+domains with independent certificates share the same IP address. In a world
+with a rapidly shrinking IPv4 address pool this is a problem, and we have a
+solution in the form of the [Server Name
+Indication](http://en.wikipedia.org/wiki/Server_Name_Indication) extension to
+the SSL and TLS protocols. This lets the client specify the remote server name
+at the start of the SSL handshake, which then lets the server select the right
+certificate to complete the process.
+
+SNI breaks our upstream certificate sniffing process, because when we connect
+without using SNI, we get served a default certificate that may have nothing to
+do with the certificate expected by the client. The solution is another tricky
+complication to the client connection process. After the client connects, we
+allow the SSL handshake to continue until just _after_ the SNI value has been
+passed to us. Now we can pause the conversation, and initiate an upstream
+connection using the correct SNI value, which then serves us the correct
+upstream certificate, from which we can extract the expected CN and SANs.
+
+There's another wrinkle here. Due to a limitation of the SSL library mitmproxy
+uses, we can't detect that a connection _hasn't_ sent an SNI request until it's
+too late for upstream certificate sniffing. In practice, we therefore make a
+vanilla SSL connection upstream to sniff non-SNI certificates, and then discard
+the connection if the client sends an SNI notification. If you're watching your
+traffic with a packet sniffer, you'll see two connections to the server when an
+SNI request is made, the first of which is immediately closed after the SSL
+handshake. Luckily, this is almost never an issue in practice.
+
+## Putting it all together
+
+Lets put all of this together into the complete explicitly proxied HTTPS flow.
+
+<img src="explicit_https.png"/>
+
+<table class="table">
+    <tbody>
+        <tr>
+            <td><b>1</b></td>
+            <td>The client makes a connection to mitmproxy, and issues an HTTP
+            CONNECT request.</td>
+        </tr>
+        <tr>
+            <td><b>2</b></td>
+
+            <td>Mitmproxy responds with a 200 Connection Established, as if it
+            has set up the CONNECT pipe.</td>
+        </tr>
+        <tr>
+            <td><b>3</b></td>
+
+            <td>The client believes it's talking to the remote server, and
+            initiates the SSL connection. It uses SNI to indicate the hostname
+            it is connecting to.</td>
+        </tr>
+
+        <tr>
+            <td><b>4</b></td>
+
+            <td>Mitmproxy connects to the server, and establishes an SSL
+            connection using the SNI hostname indicated by the client.</td>
+
+        </tr>
+        <tr>
+            <td><b>5</b></td>
+
+            <td>The server responds with the matching SSL certificate, which
+            contains the CN and SAN values needed to generate the interception
+            certificate.</td>
+        </tr>
+        <tr>
+            <td><b>6</b></td>
+
+            <td>Mitmproxy generates the interception cert, and continues the
+            client SSL handshake paused in step 3.</td>
+        </tr>
+        <tr>
+            <td><b>7</b></td>
+
+            <td>The client sends the request over the established SSL
+            connection.</td>
+        </tr>
+        <tr>
+            <td><b>7</b></td>
+
+            <td>Mitmproxy passes the request on to the server over the SSL
+            connection initiated in step 4.</td>
+        </tr>
+    </tbody>
+</table>
+
+
+<div class="page-header">
+    <h1>Transparent HTTP</h1>
+</div>
+
+When a transparent proxy is used, the HTTP/S connection is redirected into a
+proxy at the network layer, without any client configuration being required.
+This makes transparent proxying ideal for those situations where you can't
+change client behaviour - proxy-oblivious Android applications being a common
+example.
+
+To achieve this, we need to introduce two extra components. The first is a
+redirection mechanism that transparently reroutes a TCP connection destined for
+a server on the Internet to a listening proxy server. This usually takes the
+form of a firewall on the same host as the proxy server -
+[iptables](http://www.netfilter.org/) on Linux or
+[pf](http://en.wikipedia.org/wiki/PF_\(firewall\)) on OSX. Once the client has
+initiated the connection, it makes a vanilla HTTP request, which might look
+something like this:
+
+<pre>GET /index.html HTTP/1.1</pre>
+
+Note that this request differs from the explicit proxy variation, in that it
+omits the scheme and hostname. How, then, do we know which upstream host to
+forward the request to? The routing mechanism that has performed the
+redirection keeps track of the original destination for us.  Each routing
+mechanism has a different way of exposing this data, so this introduces the
+second component required for working transparent proxying: a host module that
+knows how to retrieve the original destination address from the router. In
+mitmproxy, this takes the form of a built-in set of
+[modules](https://github.com/mitmproxy/mitmproxy/tree/master/libmproxy/platform)
+that know how to talk to each platform's redirection mechanism.  Once we have
+this information, the process is fairly straight-forward.
+
+<img src="transparent.png"/>
+
+
+<table class="table">
+    <tbody>
+        <tr>
+            <td><b>1</b></td>
+            <td>The client makes a connection to the server.</td>
+        </tr>
+        <tr>
+            <td><b>2</b></td>
+
+            <td>The router redirects the connection to mitmproxy, which is
+            typically listening on a local port of the same host. Mitmproxy
+            then consults the routing mechanism to establish what the original
+            destination was.</td>
+        </tr>
+        <tr>
+            <td><b>3</b></td>
+
+            <td>Now, we simply read the client's request...</td>
+        </tr>
+
+        <tr>
+            <td><b>4</b></td>
+
+            <td>... and forward it upstream.</td>
+
+        </tr>
+    </tbody>
+</table>
+
+<div class="page-header">
+    <h1>Transparent HTTPS</h1>
+</div>
+
+The first step is to determine whether we should treat an incoming connection
+as HTTPS. The mechanism for doing this is simple - we use the routing mechanism
+to find out what the original destination port is. By default, we treat all
+traffic destined for ports 443 and 8443 as SSL.
+
+From here, the process is a merger of the methods we've described for
+transparently proxying HTTP, and explicitly proxying HTTPS. We use the routing
+mechanism to establish the upstream server address, and then proceed as for
+explicit HTTPS connections to establish the CN and SANs, and cope with SNI.
+
+<img src="transparent_https.png"/>
+
+
+<table class="table">
+    <tbody>
+        <tr>
+            <td><b>1</b></td>
+            <td>The client makes a connection to the server.</td>
+        </tr>
+        <tr>
+            <td><b>2</b></td>
+
+            <td>The router redirects the connection to mitmproxy, which is
+            typically listening on a local port of the same host. Mitmproxy
+            then consults the routing mechanism to establish what the original
+            destination was.</td>
+        </tr>
+        <tr>
+            <td><b>3</b></td>
+
+            <td>The client believes it's talking to the remote server, and
+            initiates the SSL connection. It uses SNI to indicate the hostname
+            it is connecting to.</td>
+        </tr>
+
+        <tr>
+            <td><b>4</b></td>
+
+            <td>Mitmproxy connects to the server, and establishes an SSL
+            connection using the SNI hostname indicated by the client.</td>
+
+        </tr>
+        <tr>
+            <td><b>5</b></td>
+
+            <td>The server responds with the matching SSL certificate, which
+            contains the CN and SAN values needed to generate the interception
+            certificate.</td>
+        </tr>
+        <tr>
+            <td><b>6</b></td>
+
+            <td>Mitmproxy generates the interception cert, and continues the
+            client SSL handshake paused in step 3.</td>
+        </tr>
+        <tr>
+            <td><b>7</b></td>
+
+            <td>The client sends the request over the established SSL
+            connection.</td>
+        </tr>
+        <tr>
+            <td><b>7</b></td>
+
+            <td>Mitmproxy passes the request on to the server over the SSL
+            connection initiated in step 4.</td>
+        </tr>
+    </tbody>
+</table>
+
+
+[^ssl]: I use "SSL" to refer to both SSL and TLS in the generic sense, unless otherwise specified.

doc-src/index.html

@@ -1,32 +1,27 @@
 
-<ul class="docindex">
-    <li><a href="@!urlTo("intro.html")!@">Introduction</a></li>
-    <li><a href="@!urlTo("mitmproxy.html")!@">mitmproxy</a></li>
-    <li><a href="@!urlTo("mitmdump.html")!@">mitmdump</a></li>
-    <li>Concepts</li>
-    <ul>
-        <li><a href="@!urlTo("clientreplay.html")!@">Client-side replay</a></li>
-        <li><a href="@!urlTo("serverreplay.html")!@">Server-side replay</a></li>
-        <li><a href="@!urlTo("sticky.html")!@">Sticky cookies and auth</a></li>
-        <li><a href="@!urlTo("anticache.html")!@">Anticache</a></li>
-        <li><a href="@!urlTo("filters.html")!@">Filter expressions</a></li>
-    </ul>
-    <li><a href="@!urlTo("scripts.html")!@">Scripts</a></li>
-    <li><a href="@!urlTo("ssl.html")!@">SSL interception</a></li>
-        <ul>
-            <li><a href="@!urlTo("certinstall/firefox.html")!@">Firefox</a></li>
-            <li><a href="@!urlTo("certinstall/osx.html")!@">OSX</a></li>
-            <li><a href="@!urlTo("certinstall/windows7.html")!@">Windows 7</a></li>
-            <li><a href="@!urlTo("certinstall/ios.html")!@">iPhone/iPad</a></li>
-        </ul>
-     <li><a href="@!urlTo("library.html")!@">libmproxy</a></li>
-     <li>Tutorials</li>
-        <ul>
-            <li> <a href="@!urlTo("tutorials/30second.html")!@">Client replay: a 30 second example</a> </li>
-            <li> <a href="@!urlTo("tutorials/gamecenter.html")!@">Setting highscores on Apple's GameCenter</a> </li>
-        </ul>
-     <li><a href="@!urlTo("faq.html")!@">FAQ</a></li>
-     <li><a href="@!urlTo("admin.html")!@">Administrivia</a></li>
-</ul>
+__mitmproxy__ is an interactive, SSL-capable man-in-the-middle proxy for HTTP
+with a console interface.
+
+__mitmdump__ is the command-line version of mitmproxy. Think tcpdump for HTTP.
+
+__libmproxy__ is the library that mitmproxy and mitmdump are built on.
+
+Documentation, tutorials and distribution packages can be found on the
+mitmproxy.org website:
+
+[mitmproxy.org](http://mitmproxy.org).
 
 
+Features
+--------
+
+- Intercept HTTP requests and responses and modify them on the fly.
+- Save complete HTTP conversations for later replay and analysis.
+- Replay the client-side of an HTTP conversations.
+- Replay HTTP responses of a previously recorded server.
+- Reverse proxy mode to forward traffic to a specified server.
+- Transparent proxy mode on OSX and Linux.
+- Make scripted changes to HTTP traffic using Python.
+- SSL certificates for interception are generated on the fly.
+- And much, much more.
+

doc-src/index.py

@@ -1,44 +1,45 @@
-import os, sys
+import os
+import sys
+import datetime
 import countershape
-from countershape import Page, Directory, PythonModule, markup
+from countershape import Page, Directory, markup, model
 import countershape.template
 sys.path.insert(0, "..")
-from libmproxy import filt
+from libmproxy import filt, version
 
-MITMPROXY_SRC = "~/git/public/mitmproxy"
+MITMPROXY_SRC = os.environ.get("MITMPROXY_SRC", os.path.abspath(".."))
+ns.VERSION = version.VERSION
 
 if ns.options.website:
-    ns.title = countershape.template.Template(None, "<h1>@!this.title!@</h1>")
+    ns.idxpath = "doc/index.html"
     this.layout = countershape.Layout("_websitelayout.html")
 else:
-    ns.title = countershape.template.Template(None, "<h1>@!this.title!@</h1>")
+    ns.idxpath = "index.html"
     this.layout = countershape.Layout("_layout.html")
 
-this.markup = markup.Markdown()
+ns.title = countershape.template.Template(None, "<h1>@!this.title!@</h1>")
+this.titlePrefix = "%s - " % version.NAMEVERSION
+this.markup = markup.Markdown(extras=["footnotes"])
+
 ns.docMaintainer = "Aldo Cortesi"
 ns.docMaintainerEmail = "aldo@corte.si"
-ns.copyright = u"\u00a9 mitmproxy project, 2011"
+ns.copyright = u"\u00a9 mitmproxy project, %s" % datetime.date.today().year
 
-ns.index = countershape.widgets.SiblingPageIndex('/index.html', divclass="pageindex")
 
 def mpath(p):
     p = os.path.join(MITMPROXY_SRC, p)
     return os.path.expanduser(p)
 
-ns.license = file(mpath("LICENSE")).read()
-ns.index_contents = file(mpath("README.mkd")).read()
 
-
-
-top = os.path.abspath(os.getcwd())
 def example(s):
-    d = file(mpath(s)).read()
+    d = file(mpath(s)).read().rstrip()
     extemp = """<div class="example">%s<div class="example_legend">(%s)</div></div>"""
     return extemp%(countershape.template.Syntax("py")(d), s)
 
 
 ns.example = example
 
+
 filt_help = []
 for i in filt.filt_unary:
     filt_help.append(
@@ -62,24 +63,31 @@ filt_help.extend(
     ]
 )
 ns.filt_help = filt_help
- 
+
+
+def nav(page, current, state):
+    if current.match(page, False):
+        pre = '<li class="active">'
+    else:
+        pre = "<li>"
+    p = state.application.getPage(page)
+    return pre + '<a href="%s">%s</a></li>'%(model.UrlTo(page), p.title)
+ns.nav = nav
+ns.navbar = countershape.template.File(None, "_nav.html")
 
 
 pages = [
-    Page("index.html", "docs"),
-    Page("intro.html", "Introduction"),
+    Page("index.html", "Introduction"),
+    Page("install.html", "Installation"),
     Page("mitmproxy.html", "mitmproxy"),
     Page("mitmdump.html", "mitmdump"),
-    Page("clientreplay.html", "Client-side replay"),
-    Page("serverreplay.html", "Server-side replay"),
-    Page("sticky.html", "Sticky cookies and auth"),
-    Page("anticache.html", "Anticache"),
-    Page("filters.html", "Filter expressions"),
-    Page("scripts.html", "Scripts"),
-    Page("ssl.html", "SSL interception"),
+    Page("howmitmproxy.html", "How mitmproxy works"),
+    Page("modes.html", "Modes of Operation"),
+
+    Page("ssl.html", "Overview"),
     Directory("certinstall"),
-    Page("library.html", "libmproxy: mitmproxy as a library"),
+    Directory("scripting"),
     Directory("tutorials"),
-    Page("faq.html", "FAQ"),
-    Page("admin.html", "Administrivia")
+    Page("transparent.html", "Overview"),
+    Directory("transparent"),
 ]

doc-src/install.html

@@ -0,0 +1,59 @@
+
+## Installing from source
+
+The preferred way to install mitmproxy - whether you're installing the latest
+release or from source - is to use [pip](http://www.pip-installer.org/). If you
+don't already have pip on your system, you can find installation instructions
+[here](http://www.pip-installer.org/en/latest/installing.html).
+
+<pre class="terminal">
+pip install mitmproxy
+</pre>
+
+If you also want to install the optional packages AMF, protobuf and CSS
+content views, do this:
+
+<pre class="terminal">
+pip install "mitmproxy[contentviews]"
+</pre>
+
+
+## OSX
+
+The easiest way to get up and running on OSX is to download the pre-built
+binary packages from [mitmproxy.org](http://mitmproxy.org). If you still want
+to install using pip, there are a few things to keep in mind:
+
+- If you're running a Python interpreter installed with homebrew (or similar),
+you may have to install some dependencies by hand. 
+- Make sure that XCode is installed from the App Store, and that the
+command-line tools have been downloaded (XCode/Preferences/Downloads).
+
+There are a few bits of customization you might want to do to make mitmproxy
+comfortable to use on OSX. The default color scheme is optimized for a dark
+background terminal, but you can select a palette for a light terminal
+background with the --palette option. You can use the OSX <b>open</b> program
+to create a simple and effective <b>~/.mailcap</b> file to view request and
+response bodies:
+
+<pre class="terminal">
+application/*; /usr/bin/open -Wn %s
+audio/*; /usr/bin/open -Wn %s
+image/*; /usr/bin/open -Wn %s
+video/*; /usr/bin/open -Wn %s
+</pre>
+
+
+## Ubuntu
+
+On Ubuntu, you will need the following native packages to install mitmproxy
+from source:
+
+- build-essential
+- python-dev
+- libffi-dev
+- libssl-dev
+- libxml2-dev
+- libxslt1-dev
+
+

doc-src/intro.html

@@ -1,4 +0,0 @@
-
-@!index_contents!@
-
-

doc-src/mitmdump.html

@@ -1,12 +1,15 @@
 
 __mitmdump__ is the command-line companion to mitmproxy. It provides
 tcpdump-like functionality to let you view, record, and programmatically
-transform HTTP traffic. See the _--help_ flag ouptut for complete
+transform HTTP traffic. See the _--help_ flag output for complete
 documentation.
 
 
 
-## Example: saving traffic
+# Examples
+
+
+## Saving traffic
 
 <pre class="terminal">
 > mitmdump -w outfile
@@ -15,7 +18,18 @@ documentation.
 Start up mitmdump in proxy mode, and write all traffic to __outfile__. 
 
 
-## Example: client replay
+## Filtering saved traffic
+
+<pre class="terminal">
+> mitmdump -nr infile -w outfile "~m post"
+</pre>
+
+Start mitmdump without binding to the proxy port (_-n_), read all flows from
+infile, apply the specified filter expression (only match POSTs), and write to
+outfile.
+
+
+## Client replay
 
 <pre class="terminal">
 > mitmdump -nc outfile
@@ -33,7 +47,7 @@ another:
 See the [Client-side Replay](@!urlTo("clientreplay.html")!@) section for more information.
 
 
-## Example: running a script
+## Running a script
 
 <pre class="terminal">
 > mitmdump -s examples/add_header.py
@@ -43,7 +57,7 @@ This runs the __add_header.py__ example script, which simply adds a new header
 to all responses.
 
 
-## Example: scripted data transformation
+## Scripted data transformation
 
 <pre class="terminal">
 > mitmdump -ns examples/add_header.py -r srcfile -w dstfile

doc-src/mitmproxy.html

@@ -1,28 +1,85 @@
 
 __mitmproxy__ is a console tool that allows interactive examination and
-modification of HTTP traffic. The _?_ shortcut key shows complete documentation
-on __mitmproxy__'s functionality.
+modification of HTTP traffic. It differs from mitmdump in that all flows are
+kept in memory, which means that it's intended for taking and manipulating
+small-ish samples. Use the _?_ shortcut key to view, context-sensitive
+documentation from any __mitmproxy__ screen.
+
+## Flow list
+
+The flow list shows an index of captured flows in chronological order. 
+
+<img src="@!urlTo('screenshots/mitmproxy.png')!@"/>
+
+- __1__: A GET request, returning a 302 Redirect response.
+- __2__: A GET request, returning 16.75kb of text/html data.
+- __3__: A replayed request. 
+- __4__: Intercepted flows are indicated with orange text. The user may edit
+these flows, and then accept them (using the _a_ key) to continue. In this
+case, the request has been intercepted on the way to the server.
+- __5__: A response intercepted from the server on the way to the client.
+- __6__: The event log can be toggled on and off using the _e_ shortcut key. This
+pane shows events and errors that may not result in a flow that shows up in the
+flow pane.
+- __7__: Flow count.
+- __8__: Various information on mitmproxy's state. In this case, we have an
+interception pattern set to ".*".
+- __9__: Bind address indicator - mitmproxy is listening on port 8080 of all
+interfaces.
 
 
-## The interface: connection list
+## Flow view
 
-<img src="@!urlTo("screenshots/mitmproxy.png")!@"/>
+The __Flow View__ lets you inspect and manipulate a single flow:
+
+<img src="@!urlTo('screenshots/mitmproxy-flowview.png')!@"/>
+
+- __1__: Flow summary.
+- __2__: The Request/Response tabs, showing you which part of the flow you are
+currently viewing. In the example above, we're viewing the Response. Hit _tab_
+to switch between the Response and the Request.
+- __3__: Headers.
+- __4__: Body.
+- __5__: View Mode indicator. In this case, we're viewing the body in __hex__
+mode. The other available modes are __pretty__, which uses a number of
+heuristics to show you a friendly view of various content types, and __raw__,
+which shows you exactly what's there without any changes. You can change modes
+using the _m_ key.
 
 
-The connection list shows an index of captured flows in chronological order.
-So, in this case, we can we can see that we visited __gmail.com__, which then
-returned a 301 redirect to mail.google.com.
 
-The statusbar at the bottom tells us that there are 11 flows in the view, that
-we are using the "pretty" view mode (more on that below), and that the proxy is
-bound to port 8080 of all interfaces.
+## Grid Editor
 
-Also visible is the __Event log__, which can be toggled on and off with the _v_
-keyboard shortcut. This displays events like client connection information,
-errors, and script output.
+Much of the data that we'd like to interact with in mitmproxy is structured.
+For instance, headers, queries and form data can all be thought of as a list of
+key/value pairs. Mitmproxy has a built-in editor that lays this type of data
+out in a grid for easy manipulation. 
+
+At the moment, the Grid Editor is used in four parts of mitmproxy:
+
+- Editing request or response headers (_e_ for edit, then _h_ for headers in flow view) 
+- Editing a query string (_e_ for edit, then _q_ for query in flow view)
+- Editing a URL-encoded form (_e_ for edit, then _f_ for form in flow view)
+- Editing replacement patterns (_R_ globally)
+
+If there is is no data, an empty editor will be started to let you add some.
+Here is the editor showing the headers from a request:
+
+<img src="@!urlTo('screenshots/mitmproxy-kveditor.png')!@"/>
+
+To edit, navigate to the key or value you want to modify using the arrow or vi
+navigation keys, and press enter. The background color will change to show that
+you are in edit mode for the specified field:
+
+<img src="@!urlTo('screenshots/mitmproxy-kveditor-editmode.png')!@"/>
+
+Modify the field as desired, then press escape to exit edit mode when you're
+done. You can also add a row (_a_ key), delete a row (_d_ key), spawn an
+external editor on a field (_e_ key). Be sure to consult the context-sensitive
+help (_?_ key) for more.
 
 
-## Example: Interception
+# Example: Interception
 
 __mitmproxy__'s interception functionality lets you pause an HTTP request or
 response, inspect and modify it, and then accept it to send it on to the server
@@ -31,28 +88,28 @@ or client.
 
 ### 1: Set an interception pattern
 
-<img src="@!urlTo('intercept-filt.png')!@"/>
+<img src="@!urlTo('mitmproxy-intercept-filt.png')!@"/>
 
 We press _i_ to set an interception pattern. In this case, the __~q__ filter
 pattern tells __mitmproxy__ to intercept all requests. For complete filter
 syntax, see the [Filter expressions](@!urlTo("filters.html")!@) section of this
 document, or the built-in help function in __mitmproxy__.
 
-### 2: Intercepted connections are indicated with a red exclamation mark:
+### 2: Intercepted connections are indicated with orange text:
 
-<img src="@!urlTo('intercept-mid.png')!@"/>
+<img src="@!urlTo('mitmproxy-intercept-mid.png')!@"/>
 
 ### 3: You can now view and modify the request:
 
-<img src="@!urlTo('intercept-options.png')!@"/>
+<img src="@!urlTo('mitmproxy-intercept-options.png')!@"/>
 
 In this case, we viewed the request by selecting it, pressed _e_ for "edit"
 and _m_ for "method" to change the HTTP request method.
 
-### 4: Accept the intercept to continue
+### 4: Accept the intercept to continue:
 
-<img src="@!urlTo('intercept-result.png')!@"/>
+<img src="@!urlTo('mitmproxy-intercept-result.png')!@"/>
 
 Finally, we press _a_ to accept the modified request, which is then sent on to
-the server. In this case, we changed the request from an HTTP GET to to
+the server. In this case, we changed the request from an HTTP GET to
 OPTIONS, and Google's server has responded with a 405 "Method not allowed". 

doc-src/modes.html

@@ -0,0 +1,222 @@
+
+Mitmproxy has four modes of operation that allow you to use mitmproxy in a
+variety of scenarios:
+
+- **Regular** (the default)
+- **Transparent**
+- **Reverse Proxy**
+- **Upstream Proxy**
+
+Now, which one should you pick? Use this flow chart:
+
+<img src="@!urlTo('schematics/proxy-modes-flowchart.png')!@"/>
+
+<div class="page-header">
+    <h1>Regular Proxy</h1>
+</div>
+
+Mitmproxy's regular mode is the simplest and the easiest to set up.
+
+1. Start mitmproxy.
+2. Configure your client to use mitmproxy. For instance on IOS, the settings might look like <a href="@!urlTo('screenshots/ios-manual.png')!@">this</a>.
+3. Quick Check: You should already be able to visit an unencrypted HTTP site
+through the proxy.
+4. Open the magic domain <strong>mitm.it</strong> and install the certificate for your device.
+
+<div class="well">
+<strong>Heads Up:</strong> Unfortunately, some applications bypass the
+system HTTP proxy settings - Android applications are a common example. In
+these cases, you need to use mitmproxy's transparent mode.
+</div>
+
+If you are proxying an external device, your network will probably look like this:
+
+<img src="@!urlTo('schematics/proxy-modes-regular.png')!@">
+
+The square brackets signify the source and destination IP addresses. Your
+client explicitly connects to mitmproxy and mitmproxy explicitly connects
+to the target server.
+
+<div class="page-header">
+    <h1>Transparent Proxy</h1>
+</div>
+
+In transparent mode, traffic is directed into a proxy at the network layer,
+without any client configuration required. This makes transparent proxying
+ideal for situations where you can't change client behaviour. In the graphic
+below, a machine running mitmproxy has been inserted between the router and
+the internet:
+
+<a href="@!urlTo('schematics/proxy-modes-transparent-1.png')!@">
+    <img src="@!urlTo('schematics/proxy-modes-transparent-1.png')!@">
+</a>
+
+The square brackets signify the source and destination IP addresses. Round
+brackets mark the next hop on the *Ethernet/data link* layer. This distinction
+is important: when the packet arrives at the mitmproxy machine, it must still
+be addressed to the target server. This means that Network Address Translation
+should not be applied before the traffic reaches mitmproxy, since this would
+remove the target information, leaving mitmproxy unable to determine the real
+destination.
+
+<a href="@!urlTo('schematics/proxy-modes-transparent-wrong.png')!@">
+    <img src="@!urlTo('schematics/proxy-modes-transparent-wrong.png')!@"></a>
+
+<h2>Common Configurations</h2>
+
+There are many ways to configure your network for transparent proxying. We'll
+look at three common scenarios:
+
+1. Configuring the client to use a custom gateway/router/"next hop"
+2. Implementing custom routing on the router
+
+In most cases, the first option is recommended due to its ease of use.
+
+<h3>(a) Custom Gateway</h3>
+
+One simple way to get traffic to the mitmproxy machine with the destination IP
+intact, is to simply configure the client with the mitmproxy box as the
+default gateway.
+
+<a href="@!urlTo('schematics/proxy-modes-transparent-2.png')!@">
+    <img src="@!urlTo('schematics/proxy-modes-transparent-2.png')!@"></a>
+
+In this scenario, we would:
+
+- Configure the proxy machine for transparent mode. You can find instructions
+in the <em>Transparent Proxying</em> section of the mitmproxy docs.
+
+- Configure the client to use the proxy machine's IP as the default gateway.
+<a href="@!urlTo('screenshots/ios-gateway.png')!@">Here</a> is what this would
+look like on IOS.
+
+- Quick Check: At this point, you should already be able to visit an
+unencrypted HTTP site over the proxy.
+
+- Open the magic domain <strong>mitm.it</strong> and install the certificate
+for your device.
+
+Setting the custom gateway on clients can be automated by serving the settings
+out to clients over DHCP. This lets set up an interception network where all
+clients are proxied automatically, which can save time and effort. 
+
+
+<div class="well">
+    <strong style="text-align: center; display: block">Troubleshooting Transparent Mode</strong>
+
+    <p>Incorrect transparent mode configurations are a frequent source of
+    error. If it doesn't work for you, try the following things:</p>
+
+    <ul>
+        <li>
+            Open mitmproxy's event log (press `e`) - do you see clientconnect
+            messages? If not, the packets are not arriving at the proxy. One common
+            cause is the occurrence of ICMP redirects, which means that your
+            machine is telling the client that there's a faster way to the
+            internet by contacting your router directly (see the
+            <em>Transparent Proxying</em> section on how to disable them). If in
+            doubt, <a href="https://wireshark.org/">Wireshark</a> may help you
+            to see whether something arrives at your machine or not.
+        </li>
+        <li>
+            Make sure you have not explicitly configured an HTTP proxy on the
+            client. This is not needed in transparent mode.
+        </li>
+        <li>
+            Re-check the instructions in the <em>Transparent Proxying</em> section. Anything you missed?
+        </li>
+    </ul>
+
+    If you encounter any other pitfalls that should be listed here, please let us know!
+
+</div>
+
+<h3>(b) Custom Routing</h3>
+
+In some cases, you may need more fine-grained control of which traffic reaches
+the mitmproxy instance, and which doesn't. You may, for instance, choose only
+to divert traffic to some hosts into the transparent proxy. There are a huge
+number of ways to accomplish this, and much will depend on the router or
+packet filter you're using. In most cases, the configuration will look like
+this:
+
+<a href="@!urlTo('schematics/proxy-modes-transparent-3.png')!@">
+    <img src="@!urlTo('schematics/proxy-modes-transparent-3.png')!@">
+</a>
+
+
+<div class="page-header">
+    <h1>Reverse Proxy</h1>
+</div>
+
+Mitmproxy is usually used with a client that uses the proxy to access the
+Internet. Using reverse proxy mode, you can use mitmproxy to act like a normal
+HTTP server:
+
+<a href="@!urlTo('schematics/proxy-modes-reverse.png')!@">
+    <img src="@!urlTo('schematics/proxy-modes-reverse.png')!@">
+</a>
+
+There are various use-cases:
+
+- Say you have an internal API running at http://example.local/. You could now
+set up mitmproxy in reverse proxy mode at http://debug.example.local/ and
+dynamically point clients to this new API endpoint, which provides clients
+with the same data and you with debug information. Similarly, you could move
+your real server to a different IP/port and set up mitmproxy at the original
+place to debug all sessions.
+
+- Say you're a web developer working on example.com (with a development
+version running on localhost:8000). You can modify your hosts file so that
+example.com points to 127.0.0.1 and then run mitmproxy in reverse proxy mode
+on port 80. You can test your app on the example.com domain and get all
+requests recorded in mitmproxy.
+
+- Say you have some toy project that should get SSL support. Simply set up
+mitmproxy with SSL termination and you're done (<code>mitmdump -p 443 -R
+https2http://localhost:80/</code>). There are better tools for this specific
+task, but mitmproxy is very quick and simple way to set up an SSL-speaking
+server.
+
+- Want to add a non-SSL-capable compression proxy in front of your server? You
+could even spawn a mitmproxy instance that terminates SSL (https2http://...),
+point it to the compression proxy and let the compression proxy point to a
+SSL-initiating mitmproxy (http2https://...), which then points to the real
+server. As you see, it's a fairly flexible thing.
+
+Note that mitmproxy supports either an HTTP or an HTTPS upstream server, not
+both at the same time. You can work around this by spawning a second mitmproxy
+instance.
+
+<div class="well">
+    <strong style="text-align: center; display: block">Caveat: Interactive Use</strong>
+
+
+One caveat is that reverse proxy mode is often not sufficient for interactive
+browsing. Consider trying to clone Google by using:
+
+<code>mitmproxy -R http://google.com/</code>
+
+This works for the initial request, but the HTML served to the client remains
+unchanged. As soon as the user clicks on an non-relative URL (or downloads a
+non-relative image resource), traffic no longer passes through mitmproxy, and
+the client connects to Google directly again.
+
+</div>
+
+
+
+<div class="page-header">
+    <h1>Upstream Proxy</h1>
+</div>
+
+If you want to chain proxies by adding mitmproxy in front of a different proxy
+appliance, you can use mitmproxy's upstream mode. In upstream mode, all
+requests are unconditionally transferred to an upstream proxy of your choice.
+
+<a href="@!urlTo('schematics/proxy-modes-upstream.png')!@">
+    <img src="@!urlTo('schematics/proxy-modes-upstream.png')!@"></a>
+
+mitmproxy supports both explicit HTTP and explicit HTTPS in upstream proxy
+mode. You could in theory chain multiple mitmproxy instances in a row, but
+that doesn't make any sense in practice (i.e. outside of our tests).