A
Hello, everyone. I'm David from the package registry team, and today with us we have Rod mowers and Dima, and we are going to discuss how to use a local proxy to inspect the traffic from any client. Could be a package registry client, could be the Docker client for container images. Yeah, it's really a tool that can be applied on a bunch of situations.
A
So the idea is to have a small server running that will act as a proxy, and that server will allow you to see all the requests and all the response bodies, which sometimes can be super useful. In the package registry, we have a bunch of clients to support and we don't always have a press back on what to expect on requests, what to expect on parameters and, yeah, what to expect on, for example, file uploads. That's another subject. So I'm going to share my screen.
A
There are many, many tools to do this, but the one I use mainly is this one, mitmproxy.org. So yeah, that's the contraction of man in the middle. But this time around it's a tool. It's not a vulnerability!
A
So it's, yeah, a very simple tool. You can install it with brew, and it has a command line interface or a web interface, whatever works for you. So what I wanted to go through is simply use npm to pull the package and configure this proxy so that we see the traffic. I'm using npm, but again, you can use this with Maven and NuGet, Conan, well, any client, even Docker, as long as the client has a proxy option, which is usually pretty well supported, so it should be there.
A
You can use this. Okay, so I will have a new folder here. It's a bit small, so I will make it bigger. Right. So this one is, I'm going to, yeah, just have an adobe npm package skeleton or structure.
A
And that's it. We are going to add the npmrc file, and for the package, yeah, given that this is to check the interactions, I don't want to pull a private package and set up authentication. So what I'm using is this thing. We do have this project that is public. You can see it here, and it has a bunch of dummy npm packages. So we are going to use that. Given it's public, you don't need to set up authentication at all. So that's that. Okay, so the npmrc file, super quick.
A
Am I going to check if that works or not? No, I'm pretty sure it's working. I'm going to clear the cache. So you've got this thing. Yeah, okay, so the proxy now. So you will have a bunch of commands at your disposal. I'm going to use the web one, which is the web interface, and usually I use the dash a option, which means that there is always SSL in the way.
A
So you can have a bunch of checks if the proxy has to check for the validity, the SSL certificate validity on the target server, and so this option allows to disable that because, well, we don't care about SSL errors for now. So this will open a new page here. So now it's running, and basically how this is organized is that you will see one row per request, and that's it.
A
Now, this is the part where you need to configure the client that is connecting. You need to configure the proxy aspect. So for npm, that is done with the config command. You set a proxy and we are going to say: hey, the proxy is on, yeah, this address, 0.0.0.0:8080, and this way npm will redirect all the traffic there. This works, but given that in the npmrc file here we are using an HTTPS server,
A
npm can complain that the proxy is not using a valid certificate. So the proxy comes with support for both. You can support HTTP and HTTPS, but for HTTPS,
A
If I'm not wrong, it generates a local certificate and, well, you would need to update the client to accept, or configure to say, hey, this certificate is a valid one, because it's a self-signed certificate, I think, but that's a bit beyond my knowledge on the tool. I think there's a way to, like, install the certificate widely on the system, so that it's always accepted.
A
Usually, what I do is, there is usually a way to disable SSL checks on clients, and that's what I use. It's faster, and actually I use way more often the proxy tool with my GDK running, so I use it locally, and locally I don't use HTTPS, I use HTTP, and so I don't have these problems. So, well, it's up to you how to solve this, but for me, I just disabled the SSL checks. All right. We can then install the package, that is, I think we have lemons.
A
Yeah, this is for GET requests, but it also works for upload requests, delete or whatever method. Upload requests are interesting because in GitHub the file upload support depends on how the files are sent. So we need to have a very, very, very good or accurate idea of how the clients will send the file uploads. It's mainly either a body upload or a multi-part file upload. So we need to know which one is, which one of these two things are using.
A
The other client is using, and so this tool can help to check that. What else can you do? Yeah, there is a fun thing to do. If, I don't know, if you want to try something, you can also intercept and modify the request. So let me do this pretty quick. Well, I guess I can just skip this and reinstall this.
A
So here you can see that the request has been paused, and you can actually change any parameter. So, well, in this case it's on the headers, HTTP headers, but you would see query params if we had some of them, or a body of the request if it was a PUT request, for example. So let's say that we change the version of the user agent.
A
We can let go the request, and then it will stop again for the response this time around. So we can even change how the other things are presented to the client. So yeah, what can we change here? I don't know, anything can be changed. So it's really, you can rewrite the requests and the response, and then you can just let go, and yeah, it will also pause on the second request, so you can really manipulate the request.
A
The way you want. I don't really update the request that often. Most of the time, I do want to check how clients send data to GitLab and check how they do things, because they are not documented, and so that's mainly the main use of this tool.
A
Yeah, on the container registry side, sometimes it's good to have the request and response. There is some orchestration between the requests that are quite complex, and having the request is better. Yeah, and that's about it for the tool. It's nothing too magical.
B
A
Yeah, you would need to change the port. Yeah, I guess there is a man page.
B
A
Are many, many, many options. Actually, if you look at the website and you check the docs, there are even different ways or modes to use, yeah, modes of operation. So yeah, you can do a lot of things with this. I mainly use it as a regular proxy.
A
So what I did is that you have, in the macOS preferences, in your network, you can set up a proxy for HTTP and HTTPS traffic, and so you can point to the mitmproxy instance, the address, and you will see all the traffic that is generated by your Mac, and that included the client I wanted to check. So that's another way to check how things are doing.
A
Here you can always search for the flows or highlight them. So a flow, it's a request and a response. You can search or filter them. So it's always possible to do something.
A
Yeah, I didn't use that option, but this tool can allow you to replay a request, so you would just select, well, we can actually try that. It's working here.
A
Okay, so you can take this flow, that's how it's called here, and you can replay it, and it will just redo the same request. So yeah, there are a lot of options. I don't use all of them, but I use it mainly, like, as an inspecting tool.
A
Okay, is there any other question?
A
No? Well, okay, I guess that's an additional hammer or wrench or whatever you want to call it to your toolbox. So this can be useful to debug some pretty nasty bugs.
A
Okay, yeah, I guess that's it for this one. It was a short one, but that's okay, so I guess I will see you in the next one. Bye.