Setup mitmproxy to Intercept HTTP Traffic on Windows

Learn how to use mitmproxy to inspect and debug outbound HTTP traffic from an ASP.NET Core application - useful for troubleshooting API calls, webhook payloads, and third-party integrations.

What is mitmproxy?

mitmproxy is a free, open-source interactive HTTPS proxy. It lets you intercept, inspect, modify, and replay HTTP/HTTPS traffic between your application and external services. This is extremely useful when debugging API calls made by your ASP.NET Core app.

Prerequisites

Windows 10/11
Administrator access (needed to trust the CA certificate)
.NET SDK installed (dotnet --version to verify)
Only if you're proxying a .NET app; mitmproxy itself works with any client

Step 1 - Install mitmproxy

Download and install mitmproxy from the official site: https://mitmproxy.org/

On Windows you can also install via winget, Chocolatey, or Scoop:
```
# winget
winget install mitmproxy

# Chocolatey
choco install mitmproxy

# Scoop
scoop install mitmproxy
```
Verify the installation:
```
mitmproxy --version
```

Step 2 - Trust the mitmproxy CA certificate

mitmproxy generates its own Certificate Authority (CA) on first run so it can decrypt HTTPS traffic. Your machine - and any app that should trust the proxy, such as a .NET app - needs to trust this CA.

Run mitmproxy once so it generates the CA certificate files:
```
mitmproxy
```
Then close it (q → y). The certificate files are now at:
```
C:\Users\<your-username>\.mitmproxy\
```
Import the certificate into the Windows certificate store:

Open certlm.msc (Manage Computer Certificates) as Administrator, then:
- Navigate to Trusted Root Certification Authorities → Certificates
- Right-click → All Tasks → Import…
- Browse to the certificate file:
```
C:\Users\<your-username>\.mitmproxy\mitmproxy-ca-cert.cer
```
- Complete the wizard, placing it in Trusted Root Certification Authorities
Why? Without this step, HTTPS connections through the proxy will fail with certificate validation errors.

Step 3 - Start mitmproxy

mitmproxy ships with three UIs - choose whichever you prefer:

Command	Description
`mitmproxy`	Terminal-based interactive UI
`mitmweb`	Browser-based UI (opens on `:8081`)
`mitmdump`	Non-interactive, good for scripting

Basic start (intercept everything)

mitmweb --mode regular

Filter to specific hosts

Use --allow-hosts to only intercept traffic to certain domains (regex-based). This avoids noise from unrelated requests:

mitmweb --allow-hosts ".*\.azurestaticapps\.net" --allow-hosts ".*\.blob\.core\.windows\.net" --allow-hosts ".*\.episerver\.net" --mode regular

By default mitmproxy listens on port 8080 for proxy traffic and port 8081 for the web UI.

Step 4 - Configure your ASP.NET Core app to use the proxy

.NET respects the standard HTTP_PROXY / HTTPS_PROXY environment variables. There are several ways to set them.

Option A - Set environment variables before running

Bash (Linux / macOS / WSL):

export HTTP_PROXY=http://localhost:8080
export HTTPS_PROXY=http://localhost:8080
dotnet run

Command Prompt (Windows):

set HTTP_PROXY=http://localhost:8080
set HTTPS_PROXY=http://localhost:8080
dotnet run

PowerShell:

$env:HTTP_PROXY="http://localhost:8080"
$env:HTTPS_PROXY="http://localhost:8080"
dotnet run

Option B - Set in `launchSettings.json`

This keeps the proxy config with your project so you don't have to set it every time. Edit Properties/launchSettings.json:

{
  "profiles": {
    "MyApp": {
      "commandName": "Project",
      "environmentVariables": {
        "HTTP_PROXY": "http://localhost:8080",
        "HTTPS_PROXY": "http://localhost:8080"
      }
    }
  }
}

Tip: Add launchSettings.json to .gitignore or use a separate profile so you don't accidentally commit proxy settings.

Option C - Configure the proxy in code

If you need fine-grained control (e.g., only certain HttpClient instances should use the proxy), configure it explicitly:

var proxy = new WebProxy
{
    Address = new Uri("http://localhost:8080")
};

var httpClientHandler = new HttpClientHandler
{
    Proxy = proxy,
};

var httpClient = new HttpClient(httpClientHandler);

// All requests made with this httpClient will go through mitmproxy
var response = await httpClient.GetAsync("https://api.example.com/data");

Note: If you skipped trusting the CA certificate (Step 2), you can bypass certificate validation in development only by adding:
httpClientHandler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
Never use this in production - it disables all certificate checks and opens you up to real man-in-the-middle attacks.

Step 5 - Verify it works

Start mitmproxy with the web UI:
```
mitmweb --mode regular
```
Run your ASP.NET Core app with the proxy environment variables set.
Trigger an outbound HTTP request in your app (e.g., call an external API).
Open http://localhost:8081 in your browser - you should see the intercepted request with full headers, body, and response.

Troubleshooting

Problem	Solution
SSL certificate problem: unable to get local issuer certificate	The CA cert is not trusted. Repeat Step 2.
No traffic appears in mitmproxy	Verify `HTTP_PROXY` / `HTTPS_PROXY` are set in the correct terminal session. Run `echo $HTTP_PROXY` to check.
Connection refused on port 8080	Make sure mitmproxy is running before your app.
Only want to inspect specific hosts	Use `--allow-hosts` with a regex pattern (see Step 3).
.NET `HttpClient` ignores proxy env vars	Some custom `HttpClientHandler` configurations or `IHttpClientFactory` setups may not respect env vars - use Option C to set the proxy explicitly.