A transparent interception proxy for HTTP and HTTPS traffic on Linux. It redirects traffic with iptables NAT and intercepts it locally for inspection, logging, and optional content modification.
- Transparent HTTP/HTTPS interception with iptables NAT
- TLS MITM with dynamically generated per-host certificates
- SNI-only mode — passive observation without decryption
- SQLite traffic logging with full request/response capture
- Web dashboard with realtime traffic view, policy management, and runtime controls
- WireGuard and Tor egress (runtime toggleable, mutually exclusive)
- JSON-driven response rewrites
- PCAP export of decrypted traffic for Wireshark
- Drop / bypass lists by FQDN, IP, or CIDR; allowlist mode for source IPs

⚠️ Security: This tool performs TLS interception by default. Use it only on networks you own and control, and change the default `admin` / `admin123` credentials before exposing the dashboard.

```bash
# Ubuntu / Debian
sudo apt install iptables iproute2 golang
```

```bash
# 1. Clone
git clone https://github.com/dmitryporotnikov/SSLInspectingRouter.git
cd SSLInspectingRouter
# 2. Build (no host changes yet)
go build -o sslinspectingrouter ./cmd/router
# 3. Run (root required for iptables, forwarding, interception)
sudo ./sslinspectingrouter -web :3000
# 4. Open the dashboard
# http://<router-ip>:3000 · default admin / admin123
```

For first-time setup with full dependency checks, use `sudo ./scripts/setup.sh`.

| Topic | Where |
|---|---|
| Architecture, iptables chains, MITM flow, shutdown | documentation/how-it-works.md |
| Every CLI flag and env var | documentation/cli.md |
| Dashboard auth, control center, runtime toggles | documentation/dashboard.md |
| SNI-only mode (no-MITM passive observation) | documentation/snionly.md |
| WireGuard and Tor egress | documentation/egress.md |
| Logging modes, body artifacts, PCAP, DB schema | documentation/logging.md |
| API reference, status payload, error codes | documentation/api.md |
| Security checklist and limitations | documentation/security.md |
| Troubleshooting recipes | documentation/troubleshooting.md |
| Response rewrites | rewrites/README.md |
| Localization | LOCALIZATION_CONTRIBUTING.md |
| Contributing | documentation/contributing.md |

| Mode | What happens | Where it's enabled |
|---|---|---|
| Full inspection | MITM HTTPS, log every request/response, apply rewrites. | Default. |
| Bypass | Tunnel specific hosts untouched; log BYPASSED marker. | -bypass or dashboard policy. |
| Drop | Close the connection on a match. | -drop or dashboard policy. |
| Inspection paused | Tunnel everything untouched while you're working on something else. | Inspection toggle in dashboard. |
| SNI-only | Forward HTTPS unmodified; log only SNI and ClientHello metadata (TLS version, ciphers, ALPN, extensions). | -snionly flag or SNI-only Mode toggle. |
| Allowlist (inspect-only) | Only inspect traffic from the listed source IPs. | -inspectonly. |

See documentation/snionly.md for a sample log row and the full list of metadata captured.
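
The SNI-only row above, as an added example (not code from this project): one way to read SNI and ClientHello metadata in Go without decrypting, by letting `crypto/tls` parse the hello and aborting before any reply is sent. `PeekClientHello`, `halfConn`, `sampleClientHello` and the host `example.test` are hypothetical names, and the sample ClientHello is constructed in memory.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"time"
)

// halfConn is an in-memory net.Conn (no sockets): reads and writes go to the embedded pair.
type halfConn struct{ io.Reader; io.Writer }

func (halfConn) Close() error                     { return nil }
func (halfConn) LocalAddr() net.Addr              { return nil }
func (halfConn) RemoteAddr() net.Addr             { return nil }
func (halfConn) SetDeadline(time.Time) error      { return nil }
func (halfConn) SetReadDeadline(time.Time) error  { return nil }
func (halfConn) SetWriteDeadline(time.Time) error { return nil }

// PeekClientHello parses the ClientHello on r and returns a reader replaying every consumed byte.
func PeekClientHello(r io.Reader) (*tls.ClientHelloInfo, io.Reader, error) {
	var seen bytes.Buffer
	var hello *tls.ClientHelloInfo
	cfg := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		hello = h
		return nil, fmt.Errorf("stop after ClientHello") // abort: TLS is never terminated here
	}}
	// The alert crypto/tls emits on abort is written to io.Discard, so the client sees nothing.
	err := tls.Server(halfConn{io.TeeReader(r, &seen), io.Discard}, cfg).Handshake()
	if hello == nil {
		return nil, nil, fmt.Errorf("no ClientHello parsed: %w", err)
	}
	return hello, io.MultiReader(&seen, r), nil
}

// sampleClientHello returns a constructed ClientHello record, captured from an in-memory client.
func sampleClientHello(sni string, alpn []string) []byte {
	var out bytes.Buffer
	tls.Client(halfConn{bytes.NewReader(nil), &out}, &tls.Config{ServerName: sni, NextProtos: alpn}).Handshake() // stops at EOF
	return out.Bytes()
}

func main() {
	raw := sampleClientHello("example.test", []string{"h2", "http/1.1"})
	if hello, _, err := PeekClientHello(bytes.NewReader(raw)); err == nil {
		fmt.Printf("sni=%s alpn=%v versions=%x\n", hello.ServerName, hello.SupportedProtos, hello.SupportedVersions)
	}
}
```

The returned reader replays the bytes already consumed, so the untouched stream can be copied to the upstream server after the metadata is logged.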
See LICENSE.
Thanks to @ankit20012006 and @Anand-240 for localization contributions.

