How to configure the CacheFlow Appliance to allow CONNECT traffic
Article ID: 166359

Products

CF-5000

Issue/Introduction

The exploitation of open internet proxies is a source of significant concern and a security risk. One easy way to inadvertently create an Open Proxy is to allow use of the HTTP CONNECT method on a proxy device such as the CacheFlow 5000 without specifying proper restrictions on access. Any client that can open connections to such a proxy can then use the CONNECT method to tunnel arbitrary requests.

Therefore, by default, the CacheFlow appliance blocks use of the CONNECT method. This has the side effect of blocking all explicit-proxy HTTPS requests. There are circumstances, however, under which it is desirable to use the appliance as an explicit proxy for HTTPS traffic, for example to test filtering of HTTPS traffic.

By default, a CONNECT request will be denied and the CacheFlow appliance’s access log will contain the following values for the request:

  • s-action      -> TCP_DENIED
  • cs-method     -> CONNECT
  • cs-uri-port   -> explicit_proxy_port, usually 8080 or 80

Resolution

NOTE: This solution is only available on CacheFlow software versions 2.1.4.7 and later.

Policy can be specified on the CacheFlow appliance to allow selected CONNECT requests, either through Local Policy or through the Policy GUI. The following steps illustrate how to permit CONNECT traffic on port 443 only.

Using the Policy GUI

  1. In the Policy GUI, add a new Access Layer.
  2. Display the context menu for Destination and select Set.
  3. Create a new Request URL… object.
  4. Enable the radio button Advanced Match and specify 443 in the Port field.
  5. Click Add and then Close. Highlight the newly created object and click OK.
  6. Display the context menu for Service and select Set.
  7. Create a new Protocol Methods… object.
  8. Check mark the CONNECT method.
  9. Highlight the newly created object and click OK.
  10. Display the context menu for Action and select Allow.
  11. Click the Install Policy button. Policy installs successfully.

Using Local Policy

  1. Add the following to the local policy file using the #inline policy local <eof marker> command:

<access>
  ALLOW url.port=443 http.method=CONNECT

Explicit Proxy HTTPS requests will then be allowed and the appliance’s access log will contain the following values for the requests:

  • s-action      -> TCP_TUNNELED
  • cs-method     -> CONNECT
  • cs-uri-port   -> 443
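As an added example (not part of the original article), the following Python script reads a CacheFlow access log and reports every tunnel that falls outside the intended policy: a CONNECT that was TCP_TUNNELED to a port other than 443, or one from a client outside the trusted range. The rule ALLOW url.port=443 http.method=CONNECT restricts the destination port but not the client, so the second check is what reveals open-proxy use. It assumes the log is in the default W3C ELFF layout with a #Fields header and includes the client address (c-ip) alongside the fields listed above; the log lines and the 10.0.0.0/8 trusted range are constructed.

```python
import ipaddress
from typing import Iterator

# Constructed sample access log in W3C ELFF layout (assumed default format);
# the field names are the ones the article cites, plus c-ip and cs-host.
SAMPLE_LOG = """\
#Software: CacheFlow
#Fields: date time c-ip s-action cs-method cs-uri-port cs-host
2024-01-10 10:00:01 10.1.2.3 TCP_TUNNELED CONNECT 443 www.example.com
2024-01-10 10:00:02 10.1.2.3 TCP_DENIED CONNECT 8080 www.example.com
2024-01-10 10:00:03 10.1.2.4 TCP_TUNNELED CONNECT 25 mail.example.net
2024-01-10 10:00:04 203.0.113.9 TCP_TUNNELED CONNECT 443 www.example.com
2024-01-10 10:00:05 10.1.2.5 TCP_HIT GET 80 www.example.com
"""

# Assumption: internal clients that are entitled to use the explicit proxy.
TRUSTED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_elff(text: str) -> Iterator[dict]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        elif fields:
            yield dict(zip(fields, line.split()))


def suspicious_connects(text: str, allowed_port: int = 443) -> list:
    """Return (c-ip, cs-uri-port, reason) for each tunnel that escaped the policy intent."""
    findings = []
    for rec in parse_elff(text):
        # Denied CONNECTs and ordinary GETs are expected; only open tunnels matter.
        if rec["cs-method"] != "CONNECT" or rec["s-action"] != "TCP_TUNNELED":
            continue
        port = int(rec["cs-uri-port"])
        client = ipaddress.ip_address(rec["c-ip"])
        if port != allowed_port:
            findings.append((rec["c-ip"], port, "port not permitted by policy"))
        elif not any(client in net for net in TRUSTED_CLIENTS):
            findings.append((rec["c-ip"], port, "tunnel from untrusted client"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_connects(SAMPLE_LOG):
        print(*finding)
```

On the constructed log the port-25 tunnel and the tunnel from 203.0.113.9 are reported; the denied CONNECT and the plain GET are not.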

For additional information on the HTTP CONNECT method, see the HTTP/1.1 specification (RFC 2616) at http://www.w3.org/Protocols/rfc2616/rfc2616.html