Certificate pinning, regulated traffic, and high-volume media streams are all good reasons to let TLS pass through untouched. This action gives you a precise scalpel for declaring which hosts Fluxzy should leave encrypted while keeping the rest of the session under inspection.
Configure skipSslTunnelingAction when you want Fluxzy to act as a plain TCP tunnel for selected hosts instead of decrypting the TLS session. The action must be attached to a filter that fires on the onAuthorityReceived scope, that is, a filter that matches on host or port. Filters that depend on the decrypted request (path, body, headers) cannot drive this action because Fluxzy needs to decide whether to decrypt before the TLS handshake starts.
Typical reasons to skip tunneling:
Once skipped, the exchange still shows up in the timeline as a CONNECT tunnel, but its body is not decoded.
Targeted bypass so the rest of the device traffic is still decrypted while the pinned API continues to work.
rules:
  - filter:
      typeKind: HostFilter
      pattern: api.pinnedapp.example.com
    actions:
      - typeKind: SkipSslTunnelingAction
Use a filter collection to skip a curated list of sensitive hosts in one go.
rules:
  - filter:
      typeKind: FilterCollection
      operation: Or
      children:
        - typeKind: HostFilter
          pattern: login.microsoftonline.com
        - typeKind: HostFilter
          pattern: accounts.google.com
        - typeKind: HostFilter
          pattern: '.*\.bank\.example\.com'
          operation: Regex
    actions:
      - typeKind: SkipSslTunnelingAction
Use an authority filter to match host and port together when the service listens outside 443.
rules:
  - filter:
      typeKind: AuthorityFilter
      host: streaming.example.com
      port: 8443
    actions:
      - typeKind: SkipSslTunnelingAction
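An added example (not code from Fluxzy or its documentation): a small Python lint that walks a parsed rule file and reports rules where SkipSslTunnelingAction is attached to a filter other than the host/port filter kinds shown on this page, or to AnyFilter, which bypasses inspection for every host. The sample rules, including the PathFilter entry, are constructed, and treating any unlisted typeKind as unable to drive the action is an assumption.

```python
# Added example: lint parsed Fluxzy rules that use SkipSslTunnelingAction.
# HOST_PORT_FILTERS holds only the filter kinds this page pairs with the
# action. Assumption: any other typeKind is reported for manual review.
HOST_PORT_FILTERS = {"HostFilter", "AuthorityFilter", "AnyFilter"}
SKIP = "SkipSslTunnelingAction"


def leaf_filters(flt):
    """Yield each non-collection filter, descending into FilterCollection."""
    if flt.get("typeKind") == "FilterCollection":
        for child in flt.get("children", []):
            yield from leaf_filters(child)
    else:
        yield flt


def audit_rules(doc):
    """Return (rule_index, severity, message) for every questionable bypass."""
    findings = []
    for idx, rule in enumerate(doc.get("rules", [])):
        actions = rule.get("actions", [])
        if not any(a.get("typeKind") == SKIP for a in actions):
            continue  # rule does not bypass decryption, nothing to check
        for leaf in leaf_filters(rule.get("filter", {})):
            kind = leaf.get("typeKind")
            if kind not in HOST_PORT_FILTERS:
                findings.append((idx, "error",
                                 f"{kind} is not a known host/port filter"))
            elif kind == "AnyFilter":
                findings.append((idx, "warn",
                                 "AnyFilter leaves every host undecrypted"))
    return findings


# Constructed sample: the structure a YAML loader returns for a rule file.
SAMPLE = {"rules": [
    {"filter": {"typeKind": "HostFilter",
                "pattern": "api.pinnedapp.example.com"},
     "actions": [{"typeKind": SKIP}]},
    {"filter": {"typeKind": "FilterCollection", "operation": "Or", "children": [
        {"typeKind": "HostFilter", "pattern": "accounts.google.com"},
        {"typeKind": "PathFilter", "pattern": "/login"}]},  # constructed misuse
     "actions": [{"typeKind": SKIP}]},
    {"filter": {"typeKind": "AnyFilter"}, "actions": [{"typeKind": SKIP}]},
]}

if __name__ == "__main__":
    for idx, severity, message in audit_rules(SAMPLE):
        print(f"rule {idx}: {severity}: {message}")
```

Running the lint before deploying a rule file catches a bypass that silently never applies as well as one that is broader than intended.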
Instructs Fluxzy not to decrypt the current traffic. The associated filter must be on the OnAuthorityReceived scope for this action to take effect.
Evaluation scope defines when this filter is applied.
onAuthorityReceived: This scope denotes the moment Fluxzy becomes aware of the destination authority. In a regular proxy connection, this is the moment Fluxzy has parsed the CONNECT request.
skipSslTunnelingAction
This action has no specific characteristic
The following example applies this action to any exchange.
rules:
  - filter:
      typeKind: AnyFilter
    actions:
      - typeKind: SkipSslTunnelingAction
View definition of SkipSslTunnelingAction for .NET integration.
The following actions are related to this action:
Fluxzy decides whether to negotiate TLS based on the host and port observed in the CONNECT request. By the time request headers are visible, the handshake is already done. A path or header filter cannot drive this action.
Yes, but only as a CONNECT tunnel with byte counts. Request and response bodies are not decoded because Fluxzy never saw them in clear text.
skipRemoteCertificateValidationAction decrypts the traffic and accepts a bad server certificate. skipSslTunnelingAction does not decrypt at all; the TLS session is end to end between the client and the server.
Yes. Pair it with upStreamProxyAction to forward the tunnel through a corporate proxy without decrypting it locally.