A CacheFlow appliance may be configured to accept explicit HTTP connections by enabling the “Explicit” HTTP proxy service on port 80. The primary purpose of accepting explicit HTTP connections on port 80 is to allow an L4 switch (one that redirects HTTP user traffic to one or more CacheFlow appliances) to perform health checks against the appliances.
When a CacheFlow appliance is deployed in a network location that is reachable from the internet (it has a public IP, or is otherwise publicly accessible), it can unknowingly become what is called an “open proxy” (an “open HTTP proxy” in this case): any client on the internet can send it explicit requests and have it fetch arbitrary web content on their behalf. Open proxies are actively scanned for and are used by third parties to hide the true source of their traffic and to bypass access controls on other networks. Once a device has been discovered and listed as an “open proxy,” the resulting traffic can overload it and cause considerable performance degradation, and the attempts typically continue (as failed connections) even after the device has been secured, because it remains on published lists. Hence, it is important to safeguard against “open proxy” abuse when you deploy a CacheFlow appliance.
Important: Enabling the explicit HTTP proxy service on port 80 is only necessary if your L4 switch performs CacheFlow health checks. If you are not using health checks, leave the explicit service disabled and none of the steps below are required.
To prevent your CacheFlow from being an “open proxy,” explicit traffic sent to the IP of the CacheFlow on port 80 must be restricted to a “permitted group” of client IPs (the L4 switch itself and any hosts you use for testing). This access restriction can be applied on any one of these network devices: the edge router, the L4 switch, or the CacheFlow appliance itself.
In terms of performance, the most efficient approach is to apply this restriction at the edge router or on the L4 switch, rather than on every CacheFlow appliance in your network. Dropping unwanted packets as soon as they enter your network avoids the cost of routing them to the appliances and having each appliance evaluate policy against them. Please consult the product documentation of your router or L4 switch for implementing this restriction on that device.
If you decide to restrict explicit access to port 80 on the CacheFlow appliance itself, you will need to do the following using “local policy” in the CLI:
1. Define a subnet that lists the permitted client IPs (the L4 switch running the health checks, plus any explicit proxy test clients).
2. Add a rule that denies requests arriving on the explicit port 80 service from any client address that is not in that subnet.
3. Install the resulting “local policy” with the ‘inline policy local’ command.
Here is an example of the subnet definition from step 1 of the above-mentioned steps. Note that a ‘define subnet’ block must be closed with ‘end’; the deny rule from step 2 then refers to the subnet by the name given here:
; Policy Rules
define subnet allowed_explicit_clients
10.167.0.7 ; L4 switch running CacheFlow health checks
10.168.0.24/29 ; explicit HTTP proxy test clients
end
… [remainder of your “local policy” goes here, if any] …
In ‘(config)’ mode, use the ‘inline policy local’ command to install the entire contents of your “local policy.” The command takes an end-of-input marker as its argument (‘EOF’ below; any token that does not appear in your policy will do); paste the policy after the command and terminate it by typing the same marker on a line of its own:
(config) inline policy local EOF
[Your “local policy”]
EOF
Installing a new “local policy” replaces the previous one in full, so always paste the complete policy, not just the changed lines.
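Once the restriction is in place (on the router, the L4 switch, or the appliance), verify it from a host that is not in the permitted group. The following script is an added example written for this article, not a CacheFlow tool: it connects to the appliance's own IP on port 80, sends an explicit proxy request (an absolute URI in the request line, which is what distinguishes it from a request to an origin server) for an external page, and classifies the answer. A 2xx reply means the appliance fetched the page on behalf of an unauthorized client and is still an open proxy; a 403 or 407 means the request was refused. The target URL, port, timeout and the sample responses used for offline checking are all assumptions made for the example.

```python
"""Open-proxy check for a CacheFlow (or any HTTP proxy) explicit port.

Added example, not part of CacheFlow. Run from a host that is NOT in the
permitted client group; from the L4 switch or a test client the request is
supposed to succeed.
"""
import socket

# Constructed sample responses for offline use; not captured from a real appliance.
SAMPLE_PROXIED = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_GARBAGE = b"\x16\x03\x01 not http"


def build_explicit_request(target_url: str, host: str) -> bytes:
    """Build an explicit (forward-proxy) GET request.

    An origin-server request line carries only a path ("GET / HTTP/1.1");
    an explicit proxy request carries the full URL, telling the proxy to
    fetch it from the origin on the client's behalf.
    """
    return (
        f"GET {target_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(raw: bytes):
    """Return the status code from a raw HTTP response, or None if it is not HTTP."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(status) -> str:
    """Turn a status code into a verdict for the open-proxy check."""
    if status is None:
        return "no-http-response"   # closed port, TLS, or a non-HTTP service
    if 200 <= status < 300:
        return "proxied"            # the appliance fetched the target for us: open proxy
    if status in (403, 407):
        return "refused"            # policy deny, or proxy authentication required
    return "inconclusive"           # e.g. 502/504: request accepted, upstream fetch failed


def probe(proxy_ip: str, proxy_port: int = 80,
          target_url: str = "http://example.com/", timeout: float = 5.0) -> str:
    """Send one explicit request to the appliance's own IP and classify the reply."""
    host = target_url.split("/")[2]
    chunks = []
    try:
        with socket.create_connection((proxy_ip, proxy_port), timeout=timeout) as s:
            s.sendall(build_explicit_request(target_url, host))
            while len(b"".join(chunks)) < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return "no-connection"      # refused, filtered by the router/L4 switch, or timed out
    return classify(parse_status(b"".join(chunks)))


if __name__ == "__main__":
    import sys
    # Usage: python3 open_proxy_check.py <cacheflow-ip>   (IP is an assumption)
    print(probe(sys.argv[1]))
```

A result of "no-connection" from an outside host is the expected outcome when the filter is applied on the router or L4 switch; "refused" is the expected outcome when the deny rule lives in the appliance's local policy. Repeat the same probe from a permitted test client to confirm the health-check path still works.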