💡 How Transparent MITM Interception Works

A deep dive into cella's HTTPS interception architecture: nftables, TLS MITM, CA injection, and traffic auditing.

The Problem

You want to see what HTTPS requests a container is making, but TLS encrypts everything. You can't just sniff the network. Traditional HTTP proxies require changing the application's proxy settings, which is invasive and doesn't work for all software.

cella's Approach: Transparent Proxy

cella uses nftables PREROUTING REDIRECT to invisibly intercept traffic at the kernel level. No proxy configuration needed in the container.

Step-by-step Flow

  1. nftables REDIRECT: cella adds a PREROUTING rule that redirects the container's outbound port 443 traffic to cella's transparent listener on the host
  2. Original destination recovery: The listener reads SO_ORIGINAL_DST from the socket to determine where the traffic was originally headed
  3. TLS ClientHello inspection: cella reads the SNI (Server Name Indication) from the TLS ClientHello to identify the target domain
  4. Dynamic certificate generation: cella's root CA signs a new certificate for that domain on the fly (ECDSA P-256, cached for 24 hours)
  5. MITM handshake: cella completes a TLS handshake with the container using the forged cert, and opens a separate TLS connection to the real upstream server
  6. Traffic relay + inspection: cella relays data between the two connections, parsing HTTP requests/responses in transit

Container ──[HTTPS]──→ nftables REDIRECT ──→ cella listener
                                                    │
                                              ┌─────┴──────┐
                                              │ TLS MITM   │
                                              │ (forged    │
                                              │  cert)     │
                                              └─────┬──────┘
                                                    │
                                              ┌─────┴──────┐
                                              │ Real TLS   │
                                              │ to upstream│
                                              └────────────┘
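Step 3 above (reading the SNI from the ClientHello) as an added example, not cella's own code: a minimal parser for the TLS record and ClientHello layout that returns the host_name from the server_name extension, plus a constructed ClientHello builder (hostname, cipher suite and extensions are made up) used only to exercise it. It also covers the cases a transparent listener has to expect: a hello without extensions (None) and a truncated or non-TLS first read (ValueError).

```python
import struct

def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def _walk_client_hello(data):
    if len(data) < 5 or data[0] != 0x16:             # 0x16 = handshake record type
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + _u16(data, 3)]                 # record payload
    if not body or body[0] != 0x01:                  # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                     # skip client_version + random
    pos += 1 + hello[pos]                            # session_id
    pos += 2 + _u16(hello, pos)                      # cipher_suites
    pos += 1 + hello[pos]                            # compression_methods
    if pos + 2 > len(hello):                         # legacy hello, no extensions
        return None
    ext_end, pos = pos + 2 + _u16(hello, pos), pos + 2
    while pos + 4 <= ext_end:                        # walk the extension list
        ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
        ext = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000:                       # server_name (RFC 6066)
            p = 2                                    # skip server_name_list length
            while p + 3 <= len(ext):
                name_type, name_len = ext[p], _u16(ext, p + 1)
                if name_type == 0x00:                # host_name entry
                    return ext[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += 4 + ext_len
    return None

def parse_sni(data):
    """Return the SNI host_name from a ClientHello record, or None if absent; raise
    ValueError on malformed input so the proxy can fall back to SO_ORIGINAL_DST."""
    try:
        return _walk_client_hello(data)
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from None

def build_client_hello(hostname=None):             # constructed sample, not captured traffic
    name = hostname.encode("ascii") if hostname else b""
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = (sni if hostname else b"") + b"\x00\x0a\x00\x04\x00\x02\x00\x17"  # + supported_groups
    hello = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello      # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header
```

A real listener reads only the first record before deciding, so a None result (no SNI) is the point at which to fall back to the SO_ORIGINAL_DST address from step 2.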

CA Certificate Injection

For TLS to work, the container must trust cella's root CA. cella's autosetup module handles this automatically:

HTTP/2 Support

The MITM handler supports HTTP/2 via ALPN negotiation. When the upstream server supports h2, cella negotiates h2 on both sides of the proxy.

SSE Stream Parsing

For AI API calls that use Server-Sent Events (SSE), cella's inference stats module parses the streaming response chunks in real time to extract model names, token counts, and completion data, all without buffering the entire response.

Teardown

Pressing u in the Audit panel removes the nftables rule and the CA certificate, returning the container to its original state.

⚠️ MITM interception is a powerful debugging tool. It should only be used on containers you control, in development/testing environments.