Device HTTP Proxy¶

FIRERPA provides an HTTP proxy on the phone (the bridging proxy in service configuration, i.e., tunnel2.*). When you point your computer or browser's proxy server to the phone, computer traffic to websites will first go through the phone and then exit from the phone's network, so the external IP appears the same as the phone's. It is the opposite of Setting Proxy, as compared below:

	Device HTTP Proxy (this chapter)	Setting Proxy
Network Direction	Computer → via phone to the internet	App on phone → via external proxy to the internet
Typical Use	Allow the computer to use the phone's IP	Assign a proxy IP to the phone

Common uses include letting a computer and phone share the same egress IP for joint debugging and troubleshooting, pointing mitmproxy's upstream to the phone when capturing traffic so that traffic still originates from the device, or using multiple devices' networks as IP sources.

Using the Proxy¶

This feature is enabled by default. The proxy shares the same service port as remote desktop, defaulting to 65000. Check the current IP in the phone's WLAN settings (the example below uses 192.168.0.2). If you have changed the port, please replace the port in the examples accordingly. The computer must be able to access the phone's FIRERPA service port, which usually means being on the same LAN or forwarding the service port to the public network.

You can quickly verify with the following command on the computer (replace the IP with your device's address):

curl -x http://192.168.0.2:65000 https://httpbin.org/ip

If the returned IP matches the phone's external IP, it is working correctly. In Firefox, you can set the HTTP proxy to 192.168.0.2, port 65000, and check "Also use this proxy for HTTPS". In Python, you can write:

requests.get("https://httpbin.org/ip", proxies={"http": "http://192.168.0.2:65000", "https": "http://192.168.0.2:65000"})

When the service certificate is not enabled, the proxy requires no authentication by default. If you started with a service certificate, you need to use the username lamda and the password from the first line of the service certificate PEM file (the same as the HTTPS remote desktop login password, but not the WebUI custom password). You can also set tunnel2.password in Service Configuration to specify a separate proxy password. In this case, the curl example becomes:

curl --proxy-insecure -x https://lamda:cert-password@192.168.0.2:65000 https://httpbin.org/ip

And the Python example:

requests.get("https://httpbin.org/ip", verify=False, proxies={"http": "https://lamda:cert-password@192.168.0.2:65000", "https": "https://lamda:cert-password@192.168.0.2:65000"})

Configuring the Proxy¶

You can adjust the bridging proxy in Service Configuration. For example, set tunnel2.login and tunnel2.password to customize the login credentials:

tunnel2.login=lamda
tunnel2.password=your-new-password

tunnel2.iface specifies the egress network interface: wlan for Wi-Fi, rmnet for mobile data (4G/5G; even if Wi-Fi is connected, mobile data will be preferred). When not configured, the system default network is used. If the selected interface currently has no network, the proxy will be unavailable.

tunnel2.iface=rmnet