The exploitation of open internet proxies is a source of significant concern and a security risk. One easy way to inadvertently create an open proxy is to allow use of the HTTP CONNECT method on a proxy device such as the CacheFlow 5000 without specifying proper restrictions on access. Any client that can open connections to such a proxy can then use the CONNECT method to tunnel arbitrary traffic through it.
Therefore, by default, the CacheFlow appliance blocks use of the CONNECT method. This has a side effect of blocking all explicit proxy HTTPS requests. There are circumstances, however, under which it is desirable to use the appliance as an explicit proxy to test HTTPS traffic. One such example is for testing filtering of HTTPS traffic.
By default, a CONNECT request will be denied and the CacheFlow appliance’s access log will contain the following values for the request:
NOTE: This solution is only available on CacheFlow software versions 2.1.4.7 and greater.
Policy can be specified on the CacheFlow appliance to allow selected CONNECT requests. This can be achieved via Local Policy or the Policy GUI. The following steps illustrate how to permit CONNECT traffic on port 443.
Using the Policy GUI
Display the context menu for Destination and select Set.
Using Local Policy
<access>
ALLOW url.port=443 http.method=CONNECT
Explicit Proxy HTTPS requests will then be allowed and the appliance’s access log will contain the following values for the requests:
· s-action -> TCP_TUNNELED
· cs-method -> CONNECT
· cs-uri-port -> 443
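The policy rule above is a default-deny allow-list, and the three access-log fields just listed are what an administrator has to audit to confirm it is behaving as intended. The following is an added example, not code from CacheFlow or the appliance: it mirrors the ALLOW url.port=443 http.method=CONNECT rule in a small evaluator and then reviews constructed access-log lines for CONNECT requests that were tunneled (s-action TCP_TUNNELED) to a port the intended policy would not allow. The log layout (a fixed set of space-separated fields), the sample lines and the TCP_DENIED action value are assumptions made for the example; only s-action, cs-method and cs-uri-port come from the page.

```python
"""Added example (not CacheFlow's own code): mirror the Local Policy rule
  ALLOW url.port=443 http.method=CONNECT  (everything else denied)
and audit access-log lines for CONNECT tunnels the policy should not
have permitted. Log layout and sample lines are constructed here."""

# Field order assumed for this example. The three names the page gives
# (s-action, cs-method, cs-uri-port) are the ones the audit relies on.
LOG_FIELDS = ["date", "time", "c-ip", "s-action", "cs-method",
              "cs-uri-host", "cs-uri-port"]

# Constructed sample log. The TCP_DENIED value is an assumption; the check
# below does not depend on it, only on TCP_TUNNELED + CONNECT + port.
SAMPLE_LOG = """\
#Fields: date time c-ip s-action cs-method cs-uri-host cs-uri-port
2003-05-01 10:00:01 10.0.0.5 TCP_TUNNELED CONNECT www.example.com 443
2003-05-01 10:00:02 10.0.0.5 TCP_DENIED CONNECT mail.example.com 25
2003-05-01 10:00:03 10.0.0.7 TCP_TUNNELED CONNECT smtp.example.net 25
2003-05-01 10:00:04 10.0.0.9 TCP_HIT GET www.example.com 80
"""

# The intended policy: one ALLOW rule, matching the page's <access> layer.
# A request matching no rule is denied, mirroring the appliance default.
ALLOW_RULES = [{"http.method": "CONNECT", "url.port": 443}]


def connect_allowed(method, port):
    """Return True only if some ALLOW rule matches both method and port."""
    for rule in ALLOW_RULES:
        if rule["http.method"] == method and rule["url.port"] == port:
            return True
    return False  # default deny


def parse_log(text):
    """Turn log text into a list of dicts keyed by LOG_FIELDS.
    Comment lines and lines with the wrong field count are skipped
    rather than guessed at."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(LOG_FIELDS):
            continue
        records.append(dict(zip(LOG_FIELDS, values)))
    return records


def unexpected_tunnels(records):
    """CONNECT requests the appliance actually tunneled but the intended
    policy would not allow. Any hit means the CONNECT restriction on the
    appliance is broader than the rule being audited."""
    findings = []
    for r in records:
        if r["cs-method"] != "CONNECT" or r["s-action"] != "TCP_TUNNELED":
            continue
        port = int(r["cs-uri-port"])
        if not connect_allowed("CONNECT", port):
            findings.append((r["c-ip"], r["cs-uri-host"], port))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, host, port in unexpected_tunnels(recs):
        print(f"tunnel outside policy: {client} -> {host}:{port}")
```

Run against a real export, only the LOG_FIELDS list and the ALLOW_RULES entry need to be adjusted to match the appliance's configured log format and the rule actually deployed; any line the audit reports is a CONNECT tunnel that the policy on the page was meant to prevent.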
For additional information on the HTTP CONNECT method, see section 9.9 of the HTTP RFC (RFC 2616) at http://www.w3.org/Protocols/rfc2616/rfc2616.html