update readme

Author: timzaak

README.md

@@ -1,76 +1,101 @@
-## https proxy
-It's mitm http/https proxy. It outputs the https request and response for test.
-
-### Requires
-1. require JDK 19+
-2. https cert and private key
-3. https certificate.
-
-If you want to install self-signed certificate, you could use [mkcert](https://github.com/FiloSottile/mkcert) to do this.
-more info can be found here [mkcert.md](mkcert.md)
-
-### Usage
-If you want to get all requests and responses about `https://www.exmample.com (192.168.3.3)` 
-1. change domain ip like:`127.0.0.1 www.example.com`
-2. run commands below:
-```shell
-# run with sbt
-sbt "runMain Main --dns=192.168.3.3:www.example.com --jks-path=jks.jks --jks-password=123456 --viewPort=9000"
-
-
-# run with docker
-# config file would be:
-
-# jks {
-#   path=/server/config/jks.jks
-#   password=123456
-# }
-# resolver=[114.114.114.114]
-# viewerPort=9000
-# ##selfSignedCert = "" # if you use self signed cert.
+## HTTPS Proxy
+A MITM (Man-In-The-Middle) HTTP/HTTPS proxy that logs HTTPS requests and responses for debugging and testing purposes.
+### Features
+- Logs HTTPS request and response details.
+- View traffic through a browser UI.
+- Docker & CLI supported.
+- Supports custom DNS mappings and JKS SSL certificates.
+### Requirements
+1. JDK 19+
+2. HTTPS certificate and private key (in JKS format).
+3. If using self-signed certificates, consider using [mkcert](https://github.com/FiloSottile/mkcert).
+
+> 📄 more info: [mkcert.md](mkcert.md)
+
+### Quick Start
+Suppose you're intercepting traffic for https://www.example.com (IP: 192.168.3.3).
+#### Step 1: Local Host Mapping
+Edit your system's host file (e.g., `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`):
 
-docker run --rm  -v ${pwd}/private.conf:/server/config/application.conf -v${pwd}/jks.jks:/server/config/jks.jks -p 443:443 -p 9000:9000 ghcr.io/timzaak/log-http-proxy:latest
+```
+127.0.0.1 www.example.com
+```
+#### Step 2: Run the Proxy
+##### Using SBT
+```bash
+sbt "runMain Main --dns=192.168.3.3:www.example.com --jks-path=jks.jks --jks-password=123456 --viewPort=9000"
+```
+##### Using Docker
+Create a `private.conf` file with the following content:
+```hocon
+jks {
+  path = "/server/config/jks.jks"
+  password = "123456"
+}
+resolver = [114.114.114.114]
+viewerPort = 9000
+# selfSignedCert = ""  # Uncomment if using a self-signed cert
+```
+Then run:
+```bash
+docker run --rm \
+  -v ${PWD}/private.conf:/server/config/application.conf \
+  -v ${PWD}/jks.jks:/server/config/jks.jks \
+  -p 443:443 -p 9000:9000 \
+  ghcr.io/timzaak/log-http-proxy:latest
 
+```
+> Open your browser and navigate to http://127.0.0.1:9000 to view traffic logs.
 
-# open your browser to access http://127.0.0.1:9000
+<img src="/doc/usage.png" alt="Usage screenshot" width="500" /> 
 
-```
-<img src="/doc/usage.png" alt="usage" width="500" />
+### Parameters
 
-The params are:
+| Name             | Description                                                     |
+|------------------| --------------------------------------------------------------- |
+| `--dns`          | A list of `IP:domain` mappings to inject into the DNS resolver. |
+| `--jks-path`     | Path to the JKS file containing the SSL certificate and key.    |
+| `--jks-password` | Password for the JKS keystore.                                  |
+| `--resolver`     | (Optional) DNS resolver to use (e.g., `1.1.1.1`).               |
+| `--viewPort`     | (Optional) Port for the web UI or WebSocket logging.            |
 
-* dns: A list of domain-to-IP mappings in the format ip:domain. These mappings will be added to the DNS resolver.
-* jksPath: An optional path to a JKS file for SSL/TLS configuration.
-* jksPassword: An optional password for the JKS file specified by jksPath.
-* resolver: An optional custom DNS resolver address, e.g., 1.1.1.1, 8.8.8.8.
-* websocketPort: An optional port to start a WebSocket server for logging. If not provided, logs would output to the command line.
 
-### Package as command-line tool
-```shell
-### you can package it with the following command: 
+### Packaging as a CLI Tool
+```bash
+# Package with sbt
 sbt stage
-cd package
 
+# Then package with jpackage
+cd package
 version="0.1.0"
-jpackage --name https-proxy --input ../target/universal/stage/lib --main-jar https-proxy.https-proxy-${version}.jar --main-class Main --type app-image --win-console
 
+jpackage \
+  --name https-proxy \
+  --input ../target/universal/stage/lib \
+  --main-jar https-proxy.https-proxy-${version}.jar \
+  --main-class Main \
+  --type app-image \
+  --win-console
 ```
 
 
 ### Known Issue
-1. Request does not support brotli compression, would drop request header: Accept-Encoding.
-2. Request would drop header remote-address
+1. Brotli compression (Accept-Encoding: br) is not supported. This header will be stripped.
+2. remote-address headers are not retained.
 
 
-### Another way to log
+### Alternative Logging (Raw Packet Capture)
+#### On Linux Server
+> Note: Windows users may need to use `tshark` instead.
 
-```shell
-### Linux Server
-#### Windows may need use tshark to replace it.
+```bash
 ssh user@remote 'tcpdump -i any -w - -U port <port>' | wireshark -k -i -
+```
 
-
-### K8S use debug to inject and run tcpdump, then k8s exec to get tcpdump output
-kubectl debug -it <pod-name> -n <namespace> --image=nicolaka/netshoot --target=<container-name>
-
+#### On Kubernetes
+```bash
+kubectl debug -it <pod-name> -n <namespace> \
+  --image=nicolaka/netshoot \
+  --target=<container-name>
 ```
+Use tcpdump inside the debug container to capture traffic.

mkcert.md

@@ -1,59 +1,125 @@
-## 📥 Install mkcert
-> Do NOT download the binary directly from the Releases page, especially on macOS, as it can lead to issues.
-> Instead, follow the installation steps provided in the official [README](https://github.com/FiloSottile/mkcert).
-
-```shell
-# Install root CA in the system trust store (requires root privileges).
-# The root CA is valid for 10 years.
-# To undo this later, you can run: mkcert -uninstall
+# 📥 Installing and Using `mkcert` for Local HTTPS and Java Keystore
+
+This guide walks you through the process of installing `mkcert`, generating local certificates, and importing them into a Java KeyStore (JKS) for use in HTTPS services.
+
+---
+
+## 🛠️ Prerequisites
+
+- `mkcert` installed (see below)
+- `openssl` installed
+- JDK (includes `keytool`)
+- Environment variable `JAVA_HOME` properly configured (for Java truststore support)
+
+---
+
+## 📦 Install `mkcert`
+
+> ⚠️ **Important:** Do **not** download the binary directly from the GitHub Releases page, especially on **macOS**.  
+> Instead, follow the official instructions from the [`mkcert` README](https://github.com/FiloSottile/mkcert).
+
+Once installed, set up the local root Certificate Authority (CA):
+
+```bash
+# Install the root CA into the system trust store
 mkcert -install
+```
 
-# Get the directory where the root CA is stored:
+This will generate a root certificate valid for **10 years**, and install it into:
+
+```bash
 cd "$(mkcert -CAROOT)"
+# You'll find:
+# - rootCA.pem        (the root certificate)
+# - rootCA-key.pem    (the private key)
+```
+
+To uninstall the root CA later:
 
-# In this directory, you'll find rootCA.pem and rootCA-key.pem
+```bash
+mkcert -uninstall
 ```
-## 📄 Generate Certificates
-```shell
-# Generate certificate and private key for the domain example.com and its subdomains:
+
+---
+
+## 📄 Generate TLS Certificates
+
+Generate a certificate and private key for your domain (e.g., `example.com` and its subdomains):
+
+```bash
 mkcert example.com "*.example.com"
 ```
-## 🔐 Create a Java KeyStore (JKS)
-```shell
-# Step 1: Convert to PKCS12 format (example.com.p12)
+
+This will output two files:
+
+- `example.com.pem` — the certificate
+- `example.com-key.pem` — the private key
+
+---
+
+## 🔐 Convert to Java KeyStore (JKS)
+
+### Step 1: Convert to PKCS#12 (.p12)
+
+```bash
 openssl pkcs12 -export \
-    -in example.com.pem \
-    -inkey example.com-key.pem \
-    -out example.com.p12 \
-    -name example.com \
-    -CAfile rootCA.pem \
-    -caname root
-
-# Step 2: Import the PKCS12 file into a Java KeyStore (JKS)
+  -in example.com.pem \
+  -inkey example.com-key.pem \
+  -out example.com.p12 \
+  -name example.com \
+  -CAfile rootCA.pem \
+  -caname root
+```
+
+> This creates `example.com.p12`, which bundles the certificate and private key.
+
+### Step 2: Import `.p12` into JKS
+
+```bash
 keytool -importkeystore \
-    -srckeystore example.com.p12 \
-    -srcstoretype PKCS12 \
-    -destkeystore example.com.jks \
-    -deststoretype JKS \
-    -alias example.com
+  -srckeystore example.com.p12 \
+  -srcstoretype PKCS12 \
+  -destkeystore example.com.jks \
+  -deststoretype JKS \
+  -alias example.com
+```
 
-# 🔍 View the JKS Contents
+### 🔍 View the JKS Contents
+
+```bash
 keytool -list -v -keystore example.com.jks -storepass changeit
 ```
-> You can repeat the keytool -importkeystore step multiple times to import multiple .p12 files into the same JKS.
 
-## 📦 Install the Root CA on Another Machine
-```shell
-# 1. Copy the rootCA.pem to the target machine.
-# 2. Set the CAROOT environment variable to the directory containing rootCA.pem
-export CAROOT=$(pwd)
+> 💡 You can repeat the `keytool -importkeystore` step to import additional `.p12` certificates into the same JKS file.
 
-# 3. Verify the environment variable
-echo $CAROOT
+---
 
-# 4. Install the root CA into the local trust store on the target machine
-mkcert -install
-```
-> ⚠️ Note: Ensure the JAVA_HOME environment variable is correctly set on the machine.
-If not, mkcert will not be able to inject the CA into the Java truststore.
+## 📤 Installing the Root CA on Another Machine
+
+To use the generated certificates on another machine:
+
+1. Copy the `rootCA.pem` file to the target machine.
+2. Set the `CAROOT` environment variable:
+
+   ```bash
+   export CAROOT=$(pwd)  # Set to the directory containing rootCA.pem
+   ```
+
+3. Confirm:
+
+   ```bash
+   echo $CAROOT
+   ```
+
+4. Install the root CA:
+
+   ```bash
+   mkcert -install
+   ```
+
+> ⚠️ Ensure that the `JAVA_HOME` environment variable is correctly set on the target machine.  
+> If it's not, `mkcert` may fail to inject the CA into the Java truststore.
+
+---
 
+✅ Done! You now have local TLS certificates trusted by your OS and Java, ready for use in development or testing environments.