3. Python code summary

When configured according to this tutorial, the policy.py file of Application-level Gateway should look something like this:

Configuring SSL proxying:

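# Encryption policy for TLS inspection: TwoSidedEncryption configures both
# the client-facing and the server-facing side of the proxied connection.
EncryptionPolicy(
    name="MyTLSEncryption",
    encryption=TwoSidedEncryption(
        # Client side: ClientNoneVerifier means the client is not verified by
        # certificate. Protocol settings come from the ClientSSLOptions
        # defaults.
        # NOTE(review): confirm which protocol versions those defaults allow
        # in the deployed version.
        client_verify=ClientNoneVerifier(),
        client_ssl_options=ClientSSLOptions(),
        # Server side: strict verification against the local CA and CRL
        # directories. Invalid certificates and missing CRLs are both
        # rejected, so a stale or absent CRL makes the connection fail
        # rather than silently pass.
        server_verify=ServerCertificateVerifier(
            ca_directory="/etc/ca.d/certs/",
            crl_directory="/etc/ca.d/crls/",
            trusted=TRUE,
            verify_depth=4,
            permit_invalid_certificates=FALSE,
            permit_missing_crl=FALSE,
            check_subject=TRUE,
        ),
        # The method is no longer pinned to SSL_METHOD_TLSV1: with a single
        # fixed method the disable_* switches below presumably have no
        # effect and TLS 1.1/1.2 can never be negotiated. SSL_METHOD_ALL
        # leaves the choice to the disable_* switches.
        # SSLv2 and SSLv3 are switched off (SSLv3 is deprecated by RFC 7568).
        # NOTE(review): TLS 1.0 and 1.1 stay enabled here only for
        # compatibility with old servers; set disable_tlsv1 and
        # disable_tlsv1_1 to TRUE once every upstream server supports
        # TLS 1.2. Confirm the constants against the product reference.
        server_ssl_options=ServerSSLOptions(
            method=SSL_METHOD_ALL,
            cipher=SSL_CIPHERS_HIGH,
            timeout=300,
            disable_sslv2=TRUE,
            disable_sslv3=TRUE,
            disable_tlsv1=FALSE,
            disable_tlsv1_1=FALSE,
            disable_tlsv1_2=FALSE,
        ),
        # The same fixed certificate is shown to every client. Its private
        # key is read from disk, so key.pem should be readable only by the
        # account the gateway runs as.
        client_certificate_generator=StaticCertificate(
            certificate=Certificate.fromFile(
                certificate_file_path="/etc/key.d/MS_Engine/cert.pem",
                private_key=PrivateKey.fromFile(
                    "/etc/key.d/MS_Engine/key.pem"),
            ),
        ),
    ),
)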


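    def demo():
        """Define the 'demo' instance: one HTTPS service and the rule selecting it.

        The service uses HttpProxy and applies the "MyTLSEncryption"
        encryption policy by name, so that policy must be defined in the
        same policy.py. The body is indented under the ``def`` line; as
        printed on the page it was level with it, which Python rejects.
        """
        Service(
            name='demo/intra_HTTPS_inter',
            router=TransparentRouter(),
            chainer=ConnectChainer(),
            proxy_class=HttpProxy,
            # NOTE(review): 0 presumably means "no limit" for both counters;
            # confirm, and consider explicit caps to bound resource use.
            max_instances=0,
            max_sessions=0,
            keepalive=Z_KEEPALIVE_NONE,
            encryption_policy="MyTLSEncryption"
        )

        # Matches TCP traffic (IP protocol number 6) from the single host
        # 192.168.1.1 to the 'internet' zone and hands it to the service
        # defined above. The service string must match the Service name
        # exactly.
        Rule(
            rule_id=300,
            src_subnet=('192.168.1.1/32', ),
            dst_zone=('internet', ),
            proto=6,
            service='demo/intra_HTTPS_inter'
        )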

If keybridging is performed:

# Keybridging policy: the certificate shown to the client is produced by
# DynamicCertificate instead of being read from one fixed file.
EncryptionPolicy(
    name="KeybridgingEncryption",
    encryption=TwoSidedEncryption(
        client_verify=ClientNoneVerifier(),
        client_ssl_options=ClientSSLOptions(),
        # Both server-side objects are built with their defaults.
        # NOTE(review): confirm that the default ServerCertificateVerifier
        # still rejects invalid certificates and missing CRLs, and that the
        # default ServerSSLOptions do not allow SSLv3.
        server_verify=ServerCertificateVerifier(),
        server_ssl_options=ServerSSLOptions(),
        client_certificate_generator=DynamicCertificate(
            # Key pair used for the certificates generated for clients.
            private_key=PrivateKey.fromFile(
                key_file_path="/etc/key.d/SSL-bridge/key.pem"
            ),
            # Two signing CAs, each loaded with its private key.
            # NOTE(review): presumably trusted_ca signs the bridged
            # certificate when the server's own certificate verified and
            # untrusted_ca signs it otherwise; if so, clients must trust
            # only the first CA, or failed verification becomes invisible
            # to them. Confirm in the product reference.
            # Anyone who can read these CA keys can issue certificates that
            # clients accept, so restrict access to /etc/ca.d/keys/.
            trusted_ca=Certificate.fromFile(
                certificate_file_path="/etc/ca.d/certs/CA_for_Trusted_certs.pem",
                private_key=PrivateKey.fromFile(
                    "/etc/ca.d/keys/CA_for_Trusted_certs.pem"
                ),
            ),
            untrusted_ca=Certificate.fromFile(
                certificate_file_path="/etc/ca.d/certs/CA_for_Untrusted_certs.pem",
                private_key=PrivateKey.fromFile(
                    "/etc/ca.d/keys/CA_for_Untrusted_certs.pem"
                ),
            ),
            # Directory handed to DynamicCertificate as its cache; keep it
            # writable by the gateway account only.
            cache_directory="/var/lib/zorp/ssl-bridge",
        ),
    ),
)


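    def demo_instance():
        """Define the 'demo_instance' instance: the keybridging HTTPS service and its rule.

        Two things differ from the page's printed form. The Rule is indented
        into the function body together with the Service. The Service is
        named 'demo_instance/...' so that it matches both the enclosing
        instance and the name the Rule refers to; as printed, the Service
        was 'demo/...' while the Rule pointed at 'demo_instance/...', a
        name that was never defined.
        NOTE(review): if the 'demo/' prefix was the intended one, change
        both strings together.
        """
        Service(
            name='demo_instance/intra_HTTPS_Keybridge_inter',
            router=TransparentRouter(),
            chainer=ConnectChainer(),
            proxy_class=HttpProxy,
            # NOTE(review): 0 presumably means "no limit"; confirm.
            max_instances=0,
            max_sessions=0,
            keepalive=Z_KEEPALIVE_NONE,
            encryption_policy="KeybridgingEncryption"
        )

        # Matches TCP traffic (IP protocol number 6) from the 'intra' zone
        # to the 'internet' zone and hands it to the keybridging service.
        Rule(
            rule_id=20,
            src_zone=('intra', ),
            dst_zone=('internet', ),
            proto=6,
            service='demo_instance/intra_HTTPS_Keybridge_inter'
        )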