Show HN: Httpdbg – A tool to trace the HTTP requests sent by your Python code (github.com)
I created httpdbg, a tool for Python developers to easily debug HTTP(S) client requests in Python programs.
I developed it because I needed a tool that could help me trace the HTTP requests sent by my tests back to the corresponding methods in our API client.
The goal of this tool is to simplify the debugging process, so I designed it to be as simple as possible. It requires no external dependencies, no setup, no superuser privileges, and no code modifications.
I'm sharing it with you today because I use it regularly, and it seems like others have found it useful too—so it might be helpful for you as well.
Hope you will like it.
cle
Source: https://github.com/cle-b/httpdbg
Documentation: https://httpdbg.readthedocs.io/
A blog post on a use case: https://medium.com/@cle-b/trace-all-your-http-requests-in-py...
61 comments
[ 2.7 ms ] story [ 112 ms ] threaddo I have to use specific http library?
https://github.com/cle-b/httpdbg/tree/main/httpdbg/hooks
It supports any HTTP library based on Python’s standard socket library. Specifically, it works with libraries like requests, httpx, aiohttp, and urllib3, as well as pytest, providing more detailed information about the initiator of the requests.
This is documented here: https://httpdbg.readthedocs.io/en/latest/notebook/
It would be good to be be able to have django debug toolbar integration, that way I could see which requests were made to backend APIs without leaving Django.
Having tried MITMProxy something like httpdbg is definitely needed.
Why is it a special case to track HTTP/s requests, that otherwise couldn't be logged like any other process/function? I'd guess most people use libcurl and you can wrap something around that.
I guess I'm lost on why this is HTTP or Python specific, or if it is, fine.
If you're coding something up, why wouldn't you know that piece of code does a HTTP/s request? Based on what you said, it sounds like a scenario where a programmer doesn't know how a request was made. Are there examples of scenarios where that's the case?
Sounds like a bit of a security nightmare where there's code doing arbitrary requests.
Maybe you are generating HTTP requests through an API and need to see which headers it sets by default, or which headers are or are not getting set due to a misconfiguration or bug.
There are probably loads more use cases, and if I actually did programming for a living, I could probably list a lot more.
libcurl is used on billions of devices across the world and has plenty of debugging capabilities.
MITM proxy works across all languages.
Because tracing all side-effects in a huge codebase with a lot of libraries and layers can be a daunting task.
Update: if you haven't worked with 20 year old >1m LOC codebase which went through many different teams and doesn't have any documentation whatsoever, you may lack necessary perspective to see value tools like this.
Yes, "tools are helpful", but whether there's a python/http specific tool that doesn't do what more generic tools do remains to be seen.
A similar tool for this would be VCR (originally built in Ruby, but ported to other languages since): https://vcrpy.readthedocs.io/en/latest/. This injects itself into the request pipeline, records the result in a local file which can then also be replayed later in tests. It's a quite nice approach when you want to write tests (or just explore) a highly complicated HTTP API without actually hitting it all the time.
A neutral middle-man that gives exact timing/response data.
What you'd want on stage is probably using opentelemetry, which I believe has auto-instrumentation for all network calls. Then you have the data forever and it's in a public, shared platform that is permissioned and everybody knows, and will still exist in 10 years.
If you need a 1-click solution, no dependencies, and no code's required, check out Proxyman with Auto-Setup: https://docs.proxyman.io/automatic-setup/automatic-setup
Works with all popular Python libs: request, aiohttp, http.client, urllib3, etc
* Disclaimer: I'm Noah, creator of Proxyman. I know a pain point when using Charles, and decided to build a new one, to make life easier. Hope it helps you.
- [0]: https://asciinema.org/a/1r8HmOLCfHm40nSvEZBqwm89k
Pip has a hash-checking mode, but it only works if the hashes are listed in the requirements.txt file, and they're the hashes for the target platform. Pipfile.lock supports storeing hashes for multiple platforms, but requirements.txt does not.
If the package hashes are retrieved over the same channel as the package, they can be MITM'd too.
You can store PyPi package hashes in sigstore.
There should be a way for package uploaders to sign their package before uploading. (This is what .asc signatures on PyPi were for. But if they are retrieved over the same channel, cryptographic signatures can also be MITM'd).
IMHO (1) twine should prompt to sign the package (with a DID) before uploading the package to PyPi, and (2) after uploading packages, twine should download the package(s) it has uploaded to verify the signature.
; TCP RESET and Content-Range doesn't hash resources.
I usually use strace(1) to track these down, but it's nowhere near as ergonomic as this tool. I'm wondering now if I could patch the `open` built-in instead.
There's actually not a whole lot I found that's really http-library specific. It uses the traceback module in a decorator that ends up being manually wrapped around all of the functions of the specific libraries the author cared about.
https://github.com/cle-b/httpdbg/blob/main/httpdbg/hooks
Should be easy enough to extend this to other libraries.
Super cool tool thanks for sharing @dmurray!
https://github.com/Sysinternals/ProcMon-for-Linux
Quick example:
Prints: https://docs.python.org/3/library/audit_events.htmlThere is a whole library of so called instrumentation that can monkeypatch standard functions and produce traces of them.
Traces can also propagate across process and rpc, giving you a complete picture, even in a microservice architecture.
https://opentelemetry.io/docs/kubernetes/operator/automatic/ https://github.com/open-telemetry/opentelemetry-demo