Fluxzy .NET SDK
High-performance HTTP/HTTPS MITM proxy for .NET
Fluxzy.Core is a fully managed MITM engine that intercepts, records, and modifies HTTP/1.1, HTTP/2, WebSocket, and gRPC traffic, in plain or over TLS. Built for performance with full streaming architecture, it handles traffic with minimal overhead while providing complete control over request and response manipulation.
Why Fluxzy?
The capabilities below are the ones rarely found together in other MITM tools:
- gRPC interception - Inspect, alter, and replay unary, streaming, and bidirectional gRPC calls. Enable HTTP/2 on the proxy-to-client leg with
SetServeH2(true)and you get full visibility, not an opaque tunnel. - JA4 fingerprint impersonation - Built-in Chrome and Firefox TLS fingerprints, swappable per host, with custom HTTP/2 settings frames. Useful for testing bot detection without driving a real browser.
- PCAP export with TLS session keys - Record the proxied stream as
pcapngand emit the matching SSLKEYLOGFILE so Wireshark decrypts it directly. No pre-shared keys, no live capture required. - Multi-protocol entry - HTTP CONNECT, SOCKS5 (no-auth and basic), reverse proxy (TLS or plain), and system proxy. CONNECT and SOCKS5 are auto-detected on the same listening port.
- Hot reload rules - Swap proxy rules at runtime without restarting the listener or losing in-flight connections.
- Local process tracking - Attribute each captured exchange to the originating process on the same machine (loopback only).
- OpenTelemetry native - One
Activityper exchange under theFluxzy.Coresource, W3Ctraceparentpropagation in and out, plus structuredILoggerevents with a stable EventId catalogue. - Zero-copy streaming - Bodies pass through without buffering by default; modification hooks switch to buffered mode only for the rules that need it.
Quick Start
dotnet add package Fluxzy.Core
using System.Net;
using Fluxzy;
using Fluxzy.Rules.Actions;
var setting = FluxzySetting.CreateDefault(IPAddress.Loopback, 44344);
setting.ConfigureRule()
.WhenAny()
.Do(new AddResponseHeaderAction("X-Proxy", "Fluxzy"));
await using var proxy = new Proxy(setting);
proxy.Run();
Console.WriteLine("Proxy running. Press any key to exit...");
Console.ReadKey();
Examples
The snippets below are illustrative. For runnable, always-current sample projects, see the
examples/directory on the main repo.
Record Traffic to HAR or Fluxzy Archive
Capture HTTP traffic and export to standard formats for analysis.
var tempDirectory = "capture_dump";
var setting = FluxzySetting
.CreateDefault(IPAddress.Loopback, 44344)
.SetOutDirectory(tempDirectory)
.SetAutoInstallCertificate(true);
await using (var proxy = new Proxy(setting))
{
proxy.Run();
// ... traffic flows through proxy
}
// Export after proxy disposal
Packager.Export(tempDirectory, "mycapture.fxzy");
Packager.ExportAsHttpArchive(tempDirectory, "mycapture.har");
Capture OS-Wide Traffic
Register Fluxzy as the system proxy to intercept all HTTP traffic from the machine.
var setting = FluxzySetting.CreateLocalRandomPort();
await using var proxy = new Proxy(setting);
var endpoints = proxy.Run();
// Register as system proxy (auto-reverts on dispose)
await using var registration = await SystemProxyRegistrationHelper.Create(endpoints.First());
Console.WriteLine("Capturing all OS traffic. Press any key to stop...");
Console.ReadKey();
Mock Responses
Return custom responses without hitting the actual server.
var setting = FluxzySetting.CreateDefault();
setting.ConfigureRule()
.WhenHostMatch("api.example.com", StringSelectorOperation.StartsWith)
.Do(new MockedResponseAction(
MockedResponseContent.CreateFromPlainText("Mocked response", 200)));
await using var proxy = new Proxy(setting);
proxy.Run();
Transform Request/Response Bodies
Modify content in transit with full streaming support.
setting.ConfigureRule()
.WhenAny(new JsonRequestFilter())
.Do(new TransformRequestBodyAction(async (ctx, reader) => {
var content = await reader.ConsumeAsString();
return content.ToUpperInvariant();
}));
// Transform responses
setting.ConfigureRule()
.WhenAny()
.Do(new TransformResponseBodyAction(async (ctx, reader) => {
var content = await reader.ConsumeAsString();
return new BodyContent(content.Replace("foo", "bar"));
}));
Inject HTML/JavaScript
Insert code snippets into HTML pages passing through the proxy.
setting.ConfigureRule()
.When(new RequestHeaderFilter("text/html", "content-type"))
.Do(new InjectHtmlTagAction
{
HtmlContent = "<script>console.log('Injected by Fluxzy');</script>",
Tag = "head"
});
Browser Fingerprint Impersonation
Impersonate browser TLS and HTTP/2 fingerprints for testing bot detection.
var setting = FluxzySetting.CreateLocalRandomPort();
// BouncyCastle required for fingerprint impersonation
setting.UseBouncyCastleSslEngine();
setting.AddAlterationRulesForAny(
new ImpersonateAction(ImpersonateProfileManager.Chrome131Windows));
await using var proxy = new Proxy(setting);
var endpoints = proxy.Run();
// Register as system proxy
await using var registration = await SystemProxyRegistrationHelper.Create(endpoints.First());
Built-in profiles: Chrome 131/139, Firefox 142, and more.
Intercept gRPC Calls
gRPC requires HTTP/2 framing (streams, trailers, binary frames). By default Fluxzy serves HTTP/1.1 to the client, which makes the gRPC handshake fail. Toggle SetServeH2(true) and the proxy negotiates HTTP/2 end-to-end, giving you full inspection and alteration of unary and streaming calls.
var setting = FluxzySetting.CreateLocalRandomPort();
// Required: serve HTTP/2 to the client so gRPC can negotiate
setting.SetServeH2(true);
// In MITM mode, the gRPC client must trust Fluxzy's CA (or skip validation)
setting.AddAlterationRules(
new SkipRemoteCertificateValidationAction(), AnyFilter.Default);
await using var proxy = new Proxy(setting);
proxy.Run();
A complete client driving a public gRPC server through Fluxzy lives at Samples.No023.GrpcThroughProxy.
Use Client Certificates (mTLS)
Authenticate with client certificates per-host.
var certificate = Certificate.LoadFromPkcs12("client.p12", "password");
setting.ConfigureRule()
.WhenHostEndsWith("mtls-api.example.com")
.Do(new SetClientCertificateAction(certificate));
Hot Reload Rules at Runtime
Update proxy rules without restarting.
await using var proxy = new Proxy(setting);
proxy.Run();
// Update rules while proxy is running
proxy.UpdateRules(s => {
s.AddAlterationRules(
new AddResponseHeaderAction("X-Version", "v2"),
AnyFilter.Default
);
});
// Or replace with a new rule set
proxy.UpdateRules(new List<Rule>
{
new Rule(new AddRequestHeaderAction("X-Debug", "true"), AnyFilter.Default)
});
// Get current active rules
var activeRules = proxy.GetActiveRules();
Session Capture and Replay
Capture session data (cookies, auth headers) from browser and replay via other clients.
var yamlRules = """
rules:
# Capture cookies and auth headers from responses
- filter:
typeKind: AnyFilter
action:
typeKind: CaptureSessionAction
captureCookies: true
captureHeaders:
- Authorization
- X-CSRF-Token
# Apply captured session to curl requests
- filter:
typeKind: RequestHeaderFilter
headerName: User-Agent
pattern: curl
operation: Contains
action:
typeKind: ApplySessionAction
applyCookies: true
applyHeaders: true
""";
setting.AddAlterationRules(yamlRules);
Raw Packet Capture (PCAP)
Export decrypted traffic as PCAP files for Wireshark analysis.
// Requires: dotnet add package Fluxzy.Core.Pcap
var setting = FluxzySetting
.CreateDefault(IPAddress.Loopback, 44344)
.SetOutDirectory("capture_dump");
// Enable BouncyCastle for NSS key log extraction
setting.UseBouncyCastleSslEngine();
await using var tcpProvider = await CapturedTcpConnectionProvider.CreateInProcessCapture();
await using var proxy = new Proxy(setting, tcpConnectionProvider: tcpProvider);
proxy.Run();
// After capture, export with SSL keys for Wireshark decryption
var archiveReader = new DirectoryArchiveReader("capture_dump");
var exchange = archiveReader.ReadAllExchanges().First();
var rawStream = archiveReader.GetRawCaptureStream(exchange.ConnectionId);
var sslKeys = archiveReader.GetRawCaptureKeyStream(exchange.ConnectionId);
await using var pcapFile = File.Create("capture.pcapng");
await PcapngUtils.CreatePcapngFileWithKeysAsync(sslKeys, rawStream, pcapFile);
Core Features
| Feature | Description |
|---|---|
| Traffic Interception | HTTP/1.1, HTTP/2, WebSocket, and gRPC over plain or TLS |
| Proxy Entry Points | HTTP CONNECT, SOCKS5 (auto-detected on the same port), reverse proxy (TLS or plain), system proxy |
| System Proxy Mode | OS-wide traffic capture with auto-revert |
| Raw Packet Capture | PCAP export with SSL key log (via Fluxzy.Core.Pcap) |
| TLS Providers | .NET native SSL or BouncyCastle engine |
| Browser Fingerprints | Built-in JA4 / HTTP/2 profiles (Chrome, Firefox), swappable per host |
| Archive Formats | HAR and Fluxzy Archive (.fxzy) export |
| Certificate Management | Auto-generate and install root CA |
| Session Capture/Replay | Share sessions across clients |
| Hot Reload Rules | Update rules at runtime without restart |
| Observability | ILogger event catalogue + per-exchange ActivitySource with W3C trace context |
| Process Tracking | Tag exchanges with the originating local process (loopback only) |
Traffic Modification
50+ built-in actions for traffic manipulation. Browse all actions.
Headers & Body: Add/remove/modify headers, transform bodies, mock responses, inject HTML/JS
Routing & Security: Forward requests, spoof DNS, abort connections, add auth headers, client certs
Caching & Content: Remove cache directives, add cookies, serve static directories
Packages
| Package | Description | Install |
|---|---|---|
| Fluxzy.Core | Core MITM engine | dotnet add package Fluxzy.Core |
| Fluxzy.Core.Pcap | Raw packet capture | dotnet add package Fluxzy.Core.Pcap |
Requirements: .NET 8.0 or .NET 10.0
CLI & Docker
CLI
| Platform | Download |
|---|---|
| Windows | |
| macOS | |
| Linux |
Docker
docker run -it -p 44344:44344 fluxzy/fluxzy:latest start
Documentation
- Getting Started Guide - Step-by-step introduction
- API Reference - Complete API documentation
- Examples - 20+ sample projects
- Rule Actions - All built-in filters and actions
For CLI and Desktop documentation, visit fluxzy.io.
License
See LICENSE for details.