proxy-mcp

proxy-mcp is an MCP server that runs an explicit HTTP/HTTPS MITM proxy (L7). It captures requests/responses, lets you modify traffic in-flight (headers/bodies/mock/forward/drop), supports upstream proxy chaining, and records TLS fingerprints for connections to the proxy (JA3/JA4) plus optional upstream server JA3S. Ships "interceptors" to route stealth browsers (cloakbrowser and Camoufox), CLI tools, Docker containers, and Android devices/apps through the proxy, plus Playwright-driven browser automation with locator-based click, typing, scroll, and ARIA snapshots.

74 tools + 8 resources + 3 resource templates. Built on mockttp, cloakbrowser, and Camoufox.

Table of Contents

• Setup

• HTTP Proxy Configuration

• Mobile Capture (Transparent Proxy)

• Boundaries

  • TLS ClientHello Passthrough

• Tools Reference

  • Lifecycle

  • Upstream Proxy

  • Interception Rules

  • Traffic Capture

  • Modification Shortcuts

  • TLS Fingerprinting

  • Interceptors

  • Browser DevTools-equivalents

  • Sessions

  • Humanizer

• Resources

• Usage Example

• Architecture

• Testing

• Credits

Related MCP server: Android Proxy MCP

Setup

Quick install (Claude Code)

claude mcp add proxy-mcp -- npx -y proxy-mcp@latest

This installs proxy-mcp as an MCP server using stdio transport. It auto-updates on every Claude Code restart.

Scopes:

# Per-user (available in all projects)
claude mcp add --scope user proxy-mcp -- npx -y proxy-mcp@latest

# Per-project (shared via .mcp.json, commit to repo)
claude mcp add --scope project proxy-mcp -- npx -y proxy-mcp@latest

Prerequisites

• Node.js 20+

From source (development)

git clone https://github.com/yfe404/proxy-mcp.git
cd proxy-mcp
npm install
npm run build

# stdio transport (default) — used by MCP clients like Claude Code
node dist/index.js

# Streamable HTTP transport — exposes /mcp endpoint for scripting
node dist/index.js --transport http --port 3001

--transport and --port also accept env vars TRANSPORT and PORT.

Manual MCP configuration

The configured server alias controls Claude's generated tool prefix. The examples below use proxy-mcp, so Claude Code exposes tools as mcp__proxy-mcp__<tool_name>. If you rename the server key to proxy, use mcp__proxy__<tool_name> instead.

Claude Code CLI:

# stdio (default)
claude mcp add proxy-mcp -- npx -y proxy-mcp@latest

# From local clone
claude mcp add proxy-mcp -- node /path/to/proxy-mcp/dist/index.js

# HTTP transport for scripting
claude mcp add --transport http proxy-mcp http://127.0.0.1:3001/mcp

.mcp.json (project-level, commit to repo):

{
 "mcpServers": {
 "proxy-mcp": {
 "command": "npx",
 "args": ["-y", "proxy-mcp@latest"]
 }
 }
}

Streamable HTTP transport:

{
 "mcpServers": {
 "proxy-mcp": {
 "type": "streamable-http",
 "url": "http://127.0.0.1:3001/mcp"
 }
 }
}

HTTP Proxy Configuration

1) Start proxy and get endpoint

proxy_start

Use the returned port and endpoint http://127.0.0.1:<port>.

2) Browser setup (recommended: interceptor)

Use the browser interceptor so proxy flags and cert trust are configured automatically. Launches cloakbrowser — a stealth-patched Chromium with source-level C++ fingerprint patches and humanize mode on by default:

interceptor_browser_launch --url "https://example.com"

Drive the page with Playwright-backed tools (no CDP, no sidecar — target_id is all you need):

interceptor_browser_navigate --target_id "browser_<id>" --url "https://apify.com"
interceptor_browser_snapshot --target_id "browser_<id>"
interceptor_browser_screenshot --target_id "browser_<id>" --file_path "/tmp/shot.png"

3) Browser setup (manual fallback)

If launching a browser manually, pass the proxy flag yourself:

google-chrome --proxy-server="http://127.0.0.1:<port>"

4) CLI/process setup

Route any process through proxy-mcp by setting proxy env vars:

export HTTP_PROXY="http://127.0.0.1:<port>"
export HTTPS_PROXY="http://127.0.0.1:<port>"
export NO_PROXY="localhost,127.0.0.1"

If the client verifies TLS, trust the proxy-mcp CA certificate (see proxy_get_ca_cert) or use the Terminal interceptor (interceptor_spawn) which sets proxy env vars plus common CA env vars (curl, Node, Python requests, Git, npm/yarn, etc.):

interceptor_spawn --command curl --args '["-s","https://example.com"]'

Explicit curl examples:

curl --proxy http://127.0.0.1:<port> http://example.com
curl --proxy http://127.0.0.1:<port> https://example.com

5) Upstream proxy chaining

Set optional proxy chaining from proxy-mcp to another upstream proxy (for geolocation, auth, or IP reputation):

Client/app → proxy-mcp (local explicit proxy) → upstream proxy (optional chaining layer)

proxy_set_upstream --proxy_url "socks5://user:pass@upstream.example:1080"

Supported upstream URL schemes: socks4://, socks5://, http://, https://, pac+http://.

Typical geo-routing examples:

# Route ALL outgoing traffic from proxy-mcp via a geo proxy
proxy_set_upstream --proxy_url "socks5://user:pass@fr-exit.example.net:1080"

# Bypass upstream for local/internal hosts
proxy_set_upstream --proxy_url "http://user:pass@proxy.example.net:8080" --no_proxy '["localhost","127.0.0.1",".corp.local"]'

# Route only one hostname via a dedicated upstream (overrides global)
proxy_set_host_upstream --hostname "api.example.com" --proxy_url "https://user:pass@us-exit.example.net:443"

# Remove overrides when done
proxy_remove_host_upstream --hostname "api.example.com"
proxy_clear_upstream

For HTTPS MITM, the proxy CA must be trusted in the target environment (proxy_get_ca_cert).

6) Validate and troubleshoot quickly

proxy_list_traffic --limit 20
proxy_search_traffic --query "example.com"

Common issues:

• Traffic from the wrong browser instance (fix: always pass target_id from interceptor_browser_launch)

• HTTPS cert trust missing on target

• NO_PROXY bypassing expected hosts

• First launch is slow: cloakbrowser downloads a ~200 MB stealth Chromium binary on first use (cached afterwards)

7) HAR import + replay

Import HAR into a persisted session, then analyze with existing session query/findings tools:

proxy_import_har --har_file "/path/to/capture.har" --session_name "imported-run"
proxy_list_sessions
proxy_query_session --session_id SESSION_ID --hostname_contains "api.example.com"
proxy_get_session_handshakes --session_id SESSION_ID

Replay defaults to dry-run (preview only). Execute requires explicit mode:

# Preview what would be replayed
proxy_replay_session --session_id SESSION_ID --mode dry_run --limit 20

# Execute replay against original hosts
proxy_replay_session --session_id SESSION_ID --mode execute --limit 20

# Optional: override target host/base URL while preserving path+query
proxy_replay_session --session_id SESSION_ID --mode execute --target_base_url "http://127.0.0.1:8081"

Note: imported HAR entries (and entries created by proxy_replay_session) do not carry JA3/JA4/JA3S handshake metadata. Use live proxy-captured traffic to analyze handshake fingerprints.

Mobile Capture (Transparent Proxy)

For mobile apps with custom HTTP stacks that ignore the system proxy (most modern Android apps — Shopee, SHEIN, TikTok, banking, etc.) the explicit proxy won't see their traffic. proxy-mcp ships a transparent listener that sits behind an iptables REDIRECT and MITMs using the TLS SNI — no CONNECT tunnel required.

Pairs with proxy-ap-card — a XIAO ESP32-S3 that broadcasts a WiFi AP (proxy-ap SSID by default) and presents to the laptop as a USB-NCM ethernet adapter. That repo handles the AP + NAPT side; proxy-mcp handles the laptop side.

Prerequisites

• Laptop: Linux with iptables, sysctl, nmcli (NetworkManager), ip (iproute2), adb. sudo for network configuration (one command per session).

• Hardware router: a proxy-ap-card (XIAO ESP32-S3) with firmware flashed. Or any USB-ethernet / USB-WiFi combo where the laptop NATs traffic for the phone's subnet — pass --ap_iface / --ap_subnet to override defaults.

• Target device: Android with root (Magisk / KernelSU). Root is required to inject the CA into the system cert store. Android 14-16 additionally need the zygote mount-namespace injection which this tool does automatically.

• ADB access: the target device must appear in adb devices (USB at minimum, wireless after pairing).

First-time walkthrough

1. Flash + plug in the proxy-ap-card

Follow the proxy-ap-card README to build + flash the XIAO. On replug the laptop should show a cdc_ncm interface (verify: ls /sys/class/net/*/device/uevent | xargs grep DRIVER | grep cdc_ncm).

2. Connect the target device to the laptop via USB

Only needed the first time per device, to push the CA. Verify with adb devices. Copy the serial.

3. Run the setup tool

proxy_mobile_setup --android_serial <serial>

Optional arguments:

The response is JSON with three key bits:

{
 "ap_iface": "enp195s0f3u1u4",
 "cert_injected": true,
 "android_target_id": "adb_HQ63C81CB2",
 "sudo_command": "sudo bash /tmp/proxy-mcp-mobile-setup-<hex>.sh"
}

Keep android_target_id around — you'll need it for teardown.

4. Run the emitted sudo script

sudo bash /tmp/proxy-mcp-mobile-setup-<hex>.sh

This is the only sudo required. The script is idempotent, safe to re-run. It plumbs the routing that iptables needs root for:

# Static IP on the AP iface (skipped if already configured).
ip addr add 192.168.99.2/24 dev <ap_iface>

# Forwarding + dedicated nat chain.
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -N PROXY_MCP_PREROUTING
iptables -t nat -A PROXY_MCP_PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PROXY_MCP_PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -i <ap_iface> -j PROXY_MCP_PREROUTING

# Block QUIC so apps fall back to TCP/TLS.
iptables -A FORWARD -i <ap_iface> -p udp --dport 443 -j DROP

# Masquerade out through the real egress.
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o <egress_iface> -j MASQUERADE

Why a script and not direct execution? MCP runs as your user; iptables needs root; sudo from an MCP tool would require NOPASSWD or polkit policy (fragile, distro-specific). Emitting a script is auditable, reproducible, and portable.

5. Connect the phone to the proxy-ap WiFi

Credentials are set in the proxy-ap-card firmware (default SSID proxy-ap, default password shown in that repo). After connecting, the phone can be unplugged from USB — future sessions don't need it.

6. Start capturing

Every HTTP/HTTPS request from the phone now lands in proxy-mcp's ring buffer:

proxy_list_traffic --source_filter transparent # iptables-redirected HTTPS
proxy_list_traffic --source_filter explicit # absolute-URL HTTP that arrived on :80
proxy_get_exchange --exchange_id <id> # full headers + body preview
proxy_search_traffic --query "api.example.com" # full-text search

Each entry carries source: "explicit" | "transparent" + TLS fingerprints (ja3, ja4).

Subsequent sessions (phone already paired)

Skip step 2. Run:

proxy_mobile_setup # skip android_serial — cert already installed
sudo bash /tmp/proxy-mcp-mobile-setup-<hex>.sh

Then phone joins the AP and capture resumes.

Upstream chaining

Set upstream_proxy_url to route outbound traffic through a residential/ISP proxy — the target servers see that proxy's IP, not your laptop's:

proxy_mobile_setup \
 --upstream_proxy_url "http://user:pass@proxy.example.com:8000" \
 --android_serial <serial>

Applies to BOTH listeners. Use proxy_set_upstream after the fact to change it without restarting.

Verifying each step

Teardown

proxy_mobile_teardown --android_target_id <from-setup>
sudo bash /tmp/proxy-mcp-mobile-teardown-<hex>.sh

The MCP call stops both listeners and deactivates the Android target. The sudo script removes the iptables rules, disables ip_forward, and hands the AP iface back to NetworkManager. Phone stays connected to the AP until you forget it in phone WiFi settings.

Troubleshooting

Without the proxy-ap-card

Any USB-NCM or USB-ethernet bridge that the phone can route through works:

proxy_mobile_setup --ap_iface eth1 --ap_address 10.0.0.1/24 --ap_subnet 10.0.0.0/24

Or use a laptop-hosted WiFi AP via hostapd on a USB WiFi adapter (MT76x2U, RTL8812AU, etc.) — pass the wlanN interface as ap_iface.

Limitations

• Cert pinning — apps that pin specific public keys (Instagram, WhatsApp, banking, Shopee homepage feed, etc.) will refuse our mockttp cert even with CA trust installed. You see partial capture (tracking / static / unpinned endpoints succeed, pinned API calls fail). Fix: Frida or LSPosed unpinning module for that specific app. See interceptor_frida_attach in the tool reference, or morrownr's USB-WiFi guides for common patterns.

• Chrome on Android — Chrome ships its own Mozilla CA bundle and enforces Certificate Transparency. Our CA is self-signed and not in any CT log, so Chrome rejects it regardless of system trust. Use any other app (or any OkHttp/Conscrypt-based browser) to verify the pipeline.

• QUIC / HTTP3 — the transparent listener is TCP/TLS only. By default we drop UDP/443 so apps fall back to TCP. Set block_quic: false if you want QUIC to pass through uncaptured (QUIC content won't appear in traffic logs).

• Non-standard ports — the default iptables rules only redirect TCP/80 and TCP/443. Shopee's :20346, custom gaming protocols, etc. will bypass. Add more REDIRECT rules in the sudo script (or chain redsocks to issue CONNECT tunnels through the explicit listener).

• Native TLS pinning — some apps use BoringSSL/OpenSSL directly via JNI with pins embedded in the .so. Java-layer Frida hooks won't catch these; native hooks needed.

• Root required — the system-trust CA overlay requires root. Non-rooted Android only trusts user-installed CAs for apps that explicitly opt in via network_security_config — which no shipping app does. There's no bypass for that without root.

Boundaries

• Only sees traffic configured to route through it (not a network tap or packet sniffer)

• Spoofs outgoing JA3 + HTTP/2 fingerprint + header order (via impit — native Rust TLS impersonation), not JA4 (JA4 is capture-only)

• Can add, overwrite, or delete HTTP headers; outgoing header order can be controlled via fingerprint spoofing

• Returns its own CA certificate — does not expose upstream server certificate chains

TLS ClientHello Passthrough (browser via interceptor)

When cloakbrowser is launched via interceptor_browser_launch, proxy-mcp forwards the browser's original TLS ClientHello to the upstream server for document loads and same-origin sub-resource requests. The target server sees an authentic Chrome TLS fingerprint — not the proxy's.

This is a key difference from typical MITM proxies (mitmproxy, Charles, Fiddler) which re-terminate TLS with their own fingerprint, making MITM trivially detectable by anti-bot systems via JA3/JA4 analysis.

How to verify passthrough is working:

proxy_list_tls_fingerprints --hostname_filter "example.com"

• JA3 varies across requests to the same host — this is expected; Chrome randomizes cipher suite order per-connection (feature since Chrome 110+)

• JA4 stays stable — same cipher/extension set, just different ordering

• JA3 variation + JA4 stability = authentic Chrome TLS passthrough confirmed

When passthrough applies vs. when spoofing is needed:

Built on stealth browsers + Playwright

Browser automation uses cloakbrowser for stealth-patched Chromium and Camoufox for anti-detect Firefox, both driven through Playwright. There is no CDP sidecar or hand-rolled stealth script in proxy-mcp. Downstream tools take a browser_* target from interceptor_browser_launch or a camoufox_* target from interceptor_camoufox_launch.

Standard flow:

1. Call proxy_start

2. Optionally enable outbound fingerprint spoofing for cross-origin sub-resources: proxy_set_fingerprint_spoof --preset chrome_136

3. Call interceptor_browser_launch --url "https://example.com" or interceptor_camoufox_launch

4. Drive the page: interceptor_browser_navigate, interceptor_browser_snapshot, humanizer_click --selector "...", humanizer_type --text "..."

5. Inspect traffic: proxy_search_traffic --query "<hostname>"

Tools Reference

Lifecycle (4)

Transparent / Mobile Capture (6)

Upstream Proxy (4)

Interception Rules (7)

Quick debugging examples:

# Simulate a request and see which rule would win
proxy_test_rule_match --mode simulate --request '{"method":"GET","url":"https://example.com/api/v1/items","headers":{"accept":"application/json"}}'

# Evaluate a real captured exchange by ID
proxy_test_rule_match --mode exchange --exchange_id "ex_abc123"

Traffic Capture (4)

Modification Shortcuts (3)

TLS Fingerprinting (9)

Fingerprint spoofing works by re-issuing the request from the proxy via impit (native Rust TLS/HTTP2 impersonation via rustls). TLS 1.3 and HTTP/2 fingerprints (SETTINGS, WINDOW_UPDATE, PRIORITY frames) match real browsers by construction. The origin server sees the proxy's spoofed TLS, HTTP/2, and header order — not the original client's. When a user_agent is set (including via presets), proxy-mcp also normalizes Chromium UA Client Hints headers (sec-ch-ua*) to match the spoofed User-Agent (forwarding contradictory hints is a common bot signal). Browser exception: when cloakbrowser is launched via interceptor_browser_launch, document loads and same-origin requests use the browser's native TLS (no impit), preserving fingerprint consistency for bot detection challenges. Only cross-origin sub-resource requests are re-issued with spoofed TLS. Non-browser clients (curl, spawn, HAR replay) get full TLS + UA spoofing on all requests. Use proxy_set_fingerprint_spoof with a browser preset for one-command setup. proxy_set_ja3_spoof is kept for backward compatibility but custom JA3 strings are ignored (the preset's impit browser target is used instead). JA4 fingerprints are captured (read-only) but spoofing is not supported.

Interceptors (21)

Interceptors configure targets (browsers, processes, devices, containers) to route their traffic through the proxy automatically.

Discovery (3)

Browser (3)

Stealth is source-level: cloakbrowser ships 48+ C++ patches so ja3n/ja4/akamai match real Chrome, navigator.webdriver is false, audio/canvas/WebGL fingerprints match real hardware. No JS stealth injection needed. First launch downloads a ~200 MB Chromium binary (cached afterwards).

Camoufox (4) — anti-detect Firefox

Camoufox is a patched Firefox with source-level fingerprint controls (OS, WebGL vendor/renderer, fonts, locale, geoip-derived timezone, WebRTC blocking, humanize cursor). Camoufox runs as an external Python process and exposes a Playwright WS endpoint, but proxy-mcp also binds the returned camoufox_* target to the same interceptor_browser_* and humanizer_* tools used by cloakbrowser. Use the exposed wsUrl only when you need custom Playwright code outside MCP.

By default, proxy-mcp sets Camoufox fingerprint generation to the host OS (linux, macos, or windows) instead of Camoufox's upstream random OS list. Override with os when you intentionally need a different family, or pass an array such as ["windows", "macos"] to let Camoufox choose from that subset. Launch/list/info responses include a safe fingerprint summary with the resolved OS, User-Agent, platform, OSCPU, screen/window dimensions, WebGL vendor/renderer, and font/voice counts; raw Camoufox config and process environment are not exposed.

Host requirements:

pip install "cloverlabs-camoufox[geoip]" # active fork; daijro/camoufox stale on Firefox 135 → DataDome distrusts
python3 -m camoufox fetch official/150.0.2-alpha.26 # Firefox 150; default `fetch` still picks v135 due to repos.yml constraint

# For TLS MITM trust (NSS profile is created per-launch and the proxy CA is imported):
sudo apt install libnss3-tools # Debian/Ubuntu
sudo dnf install nss-tools # Fedora/RHEL
# macOS: brew install nss (or use /Applications/Firefox.app/Contents/MacOS/certutil)

If certutil is missing, the launch still succeeds but the proxy CA is not trusted — HTTPS pages will show certificate errors. Proxy traffic is still captured.

Usage:

proxy_start // start the MITM proxy
interceptor_camoufox_launch { headless: true } // returns { targetId, wsUrl, fingerprint, ... }
interceptor_browser_navigate --target_id "camoufox_<id>" --url "https://example.com"
interceptor_browser_snapshot --target_id "camoufox_<id>" --mode ai
interceptor_browser_list_console --target_id "camoufox_<id>"
interceptor_browser_list_cookies --target_id "camoufox_<id>"
// Or in your own Node code:
// import { firefox } from 'playwright-core';
// const browser = await firefox.connect(wsUrl);
// const page = await (await browser.newContext()).newPage();
// await page.goto('https://example.com');
interceptor_camoufox_close { target_id } // when done

playwright-core is already a proxy-mcp dependency — Camoufox uses its firefox namespace via WebSocket; no extra Node packages needed. Traffic capture, TLS fingerprinting, rules, mocks, sessions, upstream chaining, and JA3/JA4 spoofing all apply to camoufox automatically because the proxy sits in front of it.

Terminal / Process (2)

Sets 18+ env vars covering curl, Node.js, Python requests, Deno, Git, npm/yarn.

Android ADB (4)

Caveats: CA cert injection requires root access. Supports Android 14+ (/apex/com.android.conscrypt/cacerts/). Wi-Fi proxy is opt-in (default off).

Android Frida (3)

Caveats: Requires frida-server running on device. Uses frida-js (pure JS, no native binaries on host). SSL unpinning covers OkHttp, BoringSSL, TrustManager, system TLS — but may not work against QUIC or custom TLS stacks.

Docker (2)

Two modes: exec (live injection, existing processes need restart) and restart (stop + restart container). Uses host.docker.internal for proxy URL.

Browser DevTools-equivalents (12)

Playwright-driven tools for the browser target. Each takes a target_id directly — no session binding, no sidecar. Works on both cloakbrowser (browser_* IDs) and camoufox (camoufox_* IDs) targets via the shared getPageForTarget() resolver.

Network data is sourced from the MITM proxy rather than a browser-side protocol — the proxy sees every wire request regardless of what the browser reported.

Stealth tradeoffs for JS injection:

References: Playwright evaluate, Playwright addInitScript, Camoufox stealth.

Worlds and isolation — what your JS can and can't see

The two backends ship different world models. Picking the wrong tool is the most common stealth footgun, so the boundary matters.

Cloakbrowser (Chromium). Playwright's evaluate runs in an isolated "utility" world that shares globals with the page's main world. An addInitScript patch to navigator.webdriver is visible to (a) your subsequent evaluate probes AND (b) anti-bot code the site loads. This is the model most "stealth playbooks" assume. Detection vectors are CDP-side (Runtime.evaluate chatter) — cloakbrowser's C++ patches mitigate those.

Camoufox (cloverlabs ≥0.6 + Firefox 150 — current build). No separate JS world. page.evaluate and page.addInitScript both run in the page's main world, the same realm as a real <script> tag. Implications:

• inject_init_script patches reach the page (e.g. Object.defineProperty(navigator, 'webdriver', ...) does affect what site scripts see). The DOWNSIDE: the patch is observable to anti-bot code on the page — Function.prototype.toString.toString() reveals replaced functions, Object.defineProperty hooks see the call.

• interceptor_browser_evaluate reads are invisible (no window writes, no prototype changes). Mutating evals (() => { window.x = 1 }) are observable.

• world: "isolated" and world: "main" accept the same script args for API compatibility but run in the same realm once main is enabled. main_world_eval: true still gates explicit world: "main" calls in proxy-mcp; on this build it does not create a separate execution realm.

Verify behavior on your installed build:

npx tsx scripts/camoufox-world-probe.ts --venv=/path/to/camoufox-venv

Historical note. Earlier daijro/camoufox (Firefox 135 line) ran evaluate and addInitScript in a separate Juggler scope that was invisible to the page — patches there did NOT reach site scripts (camoufox#48), but automation JS was equally invisible to anti-bot code. Cloverlabs/FF150 dropped that isolation. If your workflow depends on Juggler-scope invisibility, stay on daijro/FF135.

Practical rules:

Stealth note: on the current camoufox build, every JS-level mutation from automation is observable by anti-bot code on the page. Prefer source-level configuration over runtime patching. Use evaluate for reads, not writes, when stealth matters.

Sessions (14)

Persistent, queryable on-disk capture for long runs and post-crash analysis.

proxy_get_session_exchange and proxy_export_har automatically decompress response bodies (gzip, deflate, brotli) based on the stored content-encoding header. The returned responseBodyText and responseBodyBase64 contain the decompressed content. Raw compressed bytes are preserved on disk for exact replay fidelity.

Note on proxy_start with persistence_enabled: true: this auto-creates a session. A subsequent proxy_session_start() call returns the existing active session instead of failing — no need to stop and re-start.

Humanizer — Playwright Input (5)

Human-like browser input via Playwright page.mouse / page.keyboard. Works with browser_* targets from interceptor_browser_launch and camoufox_* targets from interceptor_camoufox_launch. Cloakbrowser's own humanize patches apply when enabled at launch; Camoufox cursor humanization follows the Camoufox launch config.

All tools require target_id from a prior interceptor_browser_launch or interceptor_camoufox_launch. The engine maintains tracked mouse position across calls for coordinate-based move/click/idle behavior.

Behavioral details:

• Mouse: humanizer_move calls page.mouse.move; locator clicks call Playwright locators and raw-coordinate clicks call page.mouse.click

• Typing: humanizer_type calls page.keyboard.type(text, { delay }) when delay_ms is provided; no WPM, typo, or bigram model is implemented in proxy-mcp

• Scrolling: humanizer_scroll sends one wheel event with the requested delta

• Idle: Periodic micro-jitter (±3px subtle / ±8px normal) and random micro-scrolls at configurable intensity

Resources

Usage Example

# Start the proxy
proxy_start

# Optional: start persistent session recording
proxy_session_start --capture_profile full --session_name "reverse-run-1"

# Configure device to use proxy (Wi-Fi settings or interceptors)
# Install CA cert on device (proxy_get_ca_cert)

# Or use interceptors to auto-configure targets:
interceptor_browser_launch # Launch stealth browser with proxy
interceptor_spawn --command curl --args '["https://example.com"]' # Spawn proxied process
interceptor_android_activate --serial DEVICE_SERIAL # Android device

# Set upstream proxy for geolocation
proxy_set_upstream --proxy_url socks5://user:pass@geo-proxy:1080

# Mock an API response
proxy_mock_response --url_pattern "/api/v1/config" --status 200 --body '{"feature": true}'

# Inject auth headers (set value to null to delete a header)
proxy_inject_headers --hostname "api.example.com" --headers '{"Authorization": "Bearer token123"}'

# View captured traffic
proxy_list_traffic --hostname_filter "api.example.com"
proxy_search_traffic --query "error"

# TLS fingerprinting
proxy_list_tls_fingerprints # See unique JA3/JA4 fingerprints
proxy_set_ja3_spoof --ja3 "771,4865-..." # Spoof outgoing JA3 (for non-browser clients)
proxy_set_fingerprint_spoof --preset chrome_136 --host_patterns '["example.com"]' # Full fingerprint spoof
proxy_list_fingerprint_presets # Available browser presets

# Human-like browser interaction (browser_* or camoufox_* target)
humanizer_move --target_id "browser_<id>" --x 500 --y 300
humanizer_click --target_id "browser_<id>" --selector "#login-button"
humanizer_click --target_id "browser_<id>" --role "button" --name "Sign in"
humanizer_type --target_id "browser_<id>" --text "user@example.com" --delay_ms 45
humanizer_scroll --target_id "browser_<id>" --delta_y 300
humanizer_idle --target_id "browser_<id>" --duration_ms 2000 --intensity subtle

# Run / inject JS in the page (cloakbrowser + camoufox)
interceptor_browser_evaluate --target_id "browser_<id>" --script_path /tmp/probe.js
interceptor_browser_evaluate --target_id "camoufox_<id>" --script_path /tmp/probe.js --world main # camoufox + main_world_eval=true
interceptor_browser_inject_init_script --target_id "browser_<id>" --script_path /tmp/hook.js # applies on next navigation
interceptor_browser_add_script_tag --target_id "browser_<id>" --script_path /tmp/lib.js # DOM-visible — avoid for stealth

# Query/export recorded session
proxy_list_sessions
proxy_query_session --session_id SESSION_ID --hostname_contains "api.example.com"
proxy_export_har --session_id SESSION_ID

Architecture

• State: ProxyManager singleton manages mockttp server, rules, traffic

• Rule rebuild: Rules must be set before mockttp start(), so rule changes trigger stop/recreate/restart cycle

• Traffic capture: on('request') + on('response') events, correlated by request ID

• Ring buffer: 1000 entries max, body previews capped at 4KB

• TLS capture: Client JA3/JA4 from mockttp socket metadata; server JA3S via tls.connect monkey-patch

• TLS spoofing: impit (native Rust TLS/HTTP2 impersonation via rustls); in-process, no container needed

• Interceptors: Managed by InterceptorManager, each type registers independently

• Browser: cloakbrowser (stealth Chromium, ~200 MB binary auto-downloaded on first launch) and Camoufox (anti-detect Firefox, installed separately) driven via Playwright BrowserContext / Page

• Humanizer: Singleton engine using Playwright's page.mouse / page.keyboard, plus local mouse-position tracking for idle jitter

Testing

npm test # All tests (unit + integration)
npm run test:unit # Unit tests only
npm run test:integration # Integration tests
npm run test:e2e # E2E fingerprint tests (requires cloakbrowser + internet)

Credits

Core Libraries

Vendored Frida Scripts

All scripts in src/frida-scripts/vendor/ are derived from httptoolkit/frida-interception-and-unpinning (MIT):

• config-template.js — proxy/cert config injection

• android-certificate-unpinning.js — TrustManager + OkHttp + BoringSSL hooks

• android-system-certificate-injection.js — runtime cert injection via KeyStore

• android-proxy-override.js — ProxySelector monkey-patch

• native-tls-hook.js — BoringSSL/OpenSSL native hooks

• native-connect-hook.js — libc connect() redirect

Maintenance

Resources

• NPM Package
• GitHub Repository
Need Help?Related Servers

Tools

• humanizer_clickA
• humanizer_idleA
• humanizer_moveB
• humanizer_scrollA
• humanizer_typeA
• interceptor_android_activateA
• interceptor_android_deactivateA
• interceptor_android_devicesA