2.2. Procedure – HTTPS and non-transparent proxying
Purpose:
The method described in Procedure 2.1, Enabling TLS-encryption in the connection, can be used when the connections of the clients are proxied transparently. In the non-transparent case, two HttpProxy classes are needed. (A connection is non-transparent if the clients address the firewall host directly and Application-level Gateway selects the target.)
Steps:
1. Create and configure a transparent Http proxy to handle HTTPS connections as described in Steps 1-4 of Procedure 2.1, Enabling TLS-encryption in the connection. If a transparent HTTPS proxy has already been created and configured, skip this step.
2. Navigate to , and create a non-transparent HTTP proxy using the predefined HttpProxyNonTransparent proxy class. Name this new class, for example, HttpSProxyNonTransparent.
   Select this newly created proxy (for example, HttpSProxyNonTransparent) and add the self.request attribute to the panel. To configure the self.request attribute, complete the following steps:
   - Select the attribute and click .
   - To accept every request type, enter the * (asterisk) character, then click OK. Alternatively, add only the request types you want to permit; it is recommended to enable the GET, POST, HEAD, and CONNECT requests.
   - Click on the text in the  field, then select const_http_req_accept.
3. Add the self.connect_proxy attribute to the panel, then click . Select the proxy to be used for the HTTPS connections from the list that appears (for example, StrongHttpsProxy).
   Note: This proxy is needed to handle the TLS data communicated in the plain-text non-transparent HTTP connection. If you do not want to verify that this traffic is indeed HTTP traffic, use a simple PlugProxy configured to handle TLS connections as well.
Python:
    class HttpSProxyNonTransparent(HttpProxyNonTransparent):
        def config(self):
            HttpProxyNonTransparent.config(self)
            # the proxy that handles the TLS data inside the CONNECT tunnels
            self.connect_proxy = StrongHttpsProxy
            # accept every request type; list the methods individually to restrict them
            self.request["*"] = HTTP_REQ_ACCEPT
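The decisions these two attributes encode, as an added self-contained Python model (not PNS code; HttpSProxyNonTransparent and StrongHttpsProxy appear only as labels, and the constants and request-line parsing are assumptions): the request table is consulted with the method first and the * wildcard second, and, because the proxy is non-transparent, the target is read from the request itself, which is what InbandRouter relies on.

```python
from urllib.parse import urlsplit

# Stand-ins for the PNS constants (assumed names, illustration only).
HTTP_REQ_ACCEPT = "accept"
HTTP_REQ_REJECT = "reject"

def request_policy(methods=None):
    """Build a self.request-style table as Step 2 describes: either a single
    '*' entry that accepts everything, or one entry per permitted method."""
    if methods is None:
        return {"*": HTTP_REQ_ACCEPT}
    return {m: HTTP_REQ_ACCEPT for m in methods}

def lookup(table, method):
    """Exact method entry first, then the '*' wildcard, otherwise reject."""
    return table.get(method, table.get("*", HTTP_REQ_REJECT))

def route_request(request_line, table):
    """Return (verdict, (host, port), handling_proxy) for one client request.
    The target comes from the request itself, as InbandRouter does for a
    non-transparent service; CONNECT tunnels are handed to the connect_proxy."""
    method, uri, _version = request_line.split(" ", 2)
    verdict = lookup(table, method)
    if verdict != HTTP_REQ_ACCEPT:
        return (verdict, None, None)
    if method == "CONNECT":
        # authority-form target: host:port, the port is mandatory
        host, sep, port = uri.rpartition(":")
        if not sep or not host or not port.isdigit():
            return (HTTP_REQ_REJECT, None, None)
        # the TLS bytes inside the tunnel are inspected by the connect_proxy
        return (verdict, (host, int(port)), "StrongHttpsProxy")
    # plain requests must be absolute-form, so the proxy learns the target from the URI
    parts = urlsplit(uri)
    if parts.scheme != "http" or not parts.hostname:
        return (HTTP_REQ_REJECT, None, None)
    return (verdict, (parts.hostname, parts.port or 80), "HttpSProxyNonTransparent")

# Constructed sample request lines, as a browser with a proxy setting would send them.
SAMPLE_REQUESTS = [
    "CONNECT example.com:443 HTTP/1.1",
    "GET http://example.com/index.html HTTP/1.1",
    "TRACE http://example.com/ HTTP/1.1",
    "CONNECT example.com HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    allowed = request_policy(["GET", "POST", "HEAD", "CONNECT"])
    for line in SAMPLE_REQUESTS:
        print(line, "->", route_request(line, allowed))
```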
4. Create a service that clients can use to access the Internet in a secure channel. This service will use the non-transparent Http proxy class (for example, HttpSProxyNonTransparent) created in Step 2.
   - Select , and enter a name for the service (for example, intra_HTTP_inter).
   - Select .
   - Select a router for the service. Note the following points:
     When non-transparently proxying HTTP traffic without any parent proxy, the Service must use InbandRouter.
     If a parent proxy is used (that is, the clients connect to a web proxy like Squid through Application-level Gateway), DirectedRouter or InbandRouter can be used. InbandRouter can only be used if the parent_proxy and parent_proxy_port parameters are properly configured. If the firewall host is located network-transparently in front of the proxy server, even TransparentRouter can be used. For further details on Routers, see Section 6.4.5, Routing — selecting routers and chainers in Proxedo Network Security Suite 2 Administrator Guide.
   - Configure the other parameters of the service as needed for your environment, then click .
5. Select , and select the service created in the previous step.
   Note: If the clients connect directly to the firewall as a proxy, a non-transparent service has to be used (using the same IP:port pair that is set on the clients). If the firewall is located in front of the parent proxy used by the clients, a transparent listener has to be used, even though the proxy class used in the service is non-transparent.
   Configure the other parameters of the rule as needed for your environment, then click .
6. Commit and upload the changes, then restart Application-level Gateway.
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu