2.3.1. Proxy stacking

Proxy stacking is mainly used to inspect embedded protocols, or perform virus filtering: e.g., to inspect HTTPS traffic, the external SSL protocol is examined with a Pssl proxy, and then a HTTP proxy is stacked to inspect the internal protocol. It is possible to stack several layers of proxies into each other if needed, e.g., in the above example, a further virus filtering solution (like a module) could be stacked into the HTTP proxy.

Note

Starting with Zorp version 3.3FR1, every proxy is able to handle SSL/TLS-encypted connection on its own, making the Pssl proxy redundant. This feature greatly decreases the need of proxy stacking, making it needed only in special cases, for example, to inspect HTTP traffic tunneled in SSH.

Stacking a proxy to inspect the embedded protocol is possible via the self.request_stack attribute; if another attribute has to be used, it is noted in the description of the given proxy. The HTTP proxy is special in the sense that it is possible to stack different proxies into the requests and the responses.

The parameters of the stack attribute has to specify the following:

  • The protocol elements for which embedded inspection is required. This parameter can be used to specify if all received data should be passed to the stacked proxy ("*"), or only the data related (sent or received) to specific protocol elements (e.g., only the data received with a GET request in HTTP).

  • The mode how the data is passed to the stacked proxy. This parameter governs if only the data part should be passed to the stacked proxy (XXXX_STK_DATA, where XXXX depends on the protocol), or (if applicable) MIME header information should be included as well (XXXX_STK_MIME) to make it possible to process the data body as a MIME envelope. Please note that while it is possible to change the data part in the stacked proxy, it is not possible to change the MIME headers - they can be modified only by the upper level proxy. The available constants are listed in the respective protocol descriptions. The default value for this argument is XXXX_STK_NONE, meaning that no data is transferred to the stacked proxy. In some proxies it is also possible to call a function (using the XXXX_STK_POLICY action) to decide which part (if any) of the traffic should be passed to the stacked proxy.

  • The proxy class that will perform inspection of the embedded protocol.

The use of proxy stacking is illustrated in the following example:

Example 2.6. HTTP proxy stacked into an HTTPS connection

The following proxy class stacks an Http proxy into a Pssl Proxy to inspect HTTPS traffic.

class HttpsPsslProxy(PsslProxy):
	def config(self):
		PsslProxy.config(self)
		self.stack_proxy=(Z_STACK_PROXY, HttpProxy)

For additional information on proxy stacking, see , and the various tutorials available at the Balasys Documentation Page.