SOCKS gateway rewrites destination address and port sending CONNECT to an upstream proxy
Article ID: 373373

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

The downstream proxy sends incorrect destination details in the SOCKS CONNECT it issues to an upstream proxy: the CONNECT carries the upstream proxy's IP address and port instead of the IP address and port of the OCS (origin content server).

In a policy trace the origin server next-hop IP address is set to the upstream proxy IP:

connection: service.name=SOCKS client.address=10.0.200.1 (effective address=10.0.200.1) proxy.port=80 source.port=50080 dest.port=80 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2024-07-30 06:58:39 UTC
TUNNEL http://X.X.X.X/ <== OCS IP or FQDN
  RDNS lookup was restricted
origin server next-hop IP address=10.0.80.81 <== Upstream proxy IP
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
user: authenticated=false authorized=true relative username=''
verdict: ALLOWED

A PCAP confirms the same observation: the SOCKS CONNECT sent towards the parent SOCKS gateway has been rewritten with the upstream proxy's IP and port.

Because the upstream proxy receives a CONNECT request addressed to itself, it cannot tunnel the connection and the transaction fails.
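The PCAP check above comes down to decoding the destination field of the SOCKS CONNECT request and comparing it with the expected OCS. The following Python is an added example, not code from the article or from Broadcom; it parses SOCKS4 and SOCKS5 CONNECT requests (IPv4, domain-name and IPv6 address types) and reports whether the destination has been rewritten to the upstream proxy. The packet bytes, the OCS address 203.0.113.10 and the proxy port 8080 are constructed sample values (the port is taken from the forwarder host definition shown later in the article).

```python
import ipaddress
import struct

# Constructed sample requests (not taken from the article's capture).
# A SOCKS5 CONNECT whose destination has been rewritten to the upstream proxy 10.0.80.81:8080 ...
REWRITTEN_CONNECT = bytes([0x05, 0x01, 0x00, 0x01]) + bytes([10, 0, 80, 81]) + struct.pack("!H", 8080)
# ... and a correct SOCKS5 CONNECT to the OCS 203.0.113.10:80.
CORRECT_CONNECT = bytes([0x05, 0x01, 0x00, 0x01]) + bytes([203, 0, 113, 10]) + struct.pack("!H", 80)
# SOCKS5 CONNECT with a domain-name destination (ATYP=3) to example.com:443.
DOMAIN_CONNECT = bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.com" + struct.pack("!H", 443)
# SOCKS4 CONNECT to 203.0.113.10:80 with an empty USERID.
SOCKS4_CONNECT = bytes([0x04, 0x01]) + struct.pack("!H", 80) + bytes([203, 0, 113, 10]) + b"\x00"


def parse_socks_connect(pkt: bytes):
    """Return (version, dst_addr, dst_port) decoded from a raw SOCKS4 or SOCKS5 CONNECT request."""
    if len(pkt) < 2:
        raise ValueError("truncated SOCKS request")
    ver = pkt[0]
    if ver == 4:
        # SOCKS4 layout: VN CD DSTPORT(2) DSTIP(4) USERID NUL
        if len(pkt) < 9 or pkt[1] != 1:
            raise ValueError("not a SOCKS4 CONNECT")
        port = struct.unpack("!H", pkt[2:4])[0]
        addr = str(ipaddress.IPv4Address(pkt[4:8]))
        return 4, addr, port
    if ver == 5:
        # SOCKS5 layout: VER CMD RSV ATYP DST.ADDR DST.PORT(2)
        if len(pkt) < 4 or pkt[1] != 1:
            raise ValueError("not a SOCKS5 CONNECT")
        atyp = pkt[3]
        if atyp == 1:    # IPv4 address
            addr, off = str(ipaddress.IPv4Address(pkt[4:8])), 8
        elif atyp == 3:  # domain name, length-prefixed
            n = pkt[4]
            addr, off = pkt[5:5 + n].decode("ascii"), 5 + n
        elif atyp == 4:  # IPv6 address
            addr, off = str(ipaddress.IPv6Address(pkt[4:20])), 20
        else:
            raise ValueError(f"unknown ATYP {atyp}")
        if len(pkt) < off + 2:
            raise ValueError("truncated SOCKS5 request")
        port = struct.unpack("!H", pkt[off:off + 2])[0]
        return 5, addr, port
    raise ValueError(f"unsupported SOCKS version {ver}")


def connect_rewritten_to_proxy(pkt: bytes, upstream_proxy_ip: str, upstream_proxy_port: int) -> bool:
    """True when the CONNECT destination is the upstream proxy itself, the symptom described in the article."""
    _, addr, port = parse_socks_connect(pkt)
    return addr == upstream_proxy_ip and port == upstream_proxy_port


if __name__ == "__main__":
    for name, pkt in [("rewritten", REWRITTEN_CONNECT), ("correct", CORRECT_CONNECT)]:
        print(name, parse_socks_connect(pkt), "rewritten to proxy:", connect_rewritten_to_proxy(pkt, "10.0.80.81", 8080))
```

Feed it the payload of the first TCP segment after the SOCKS handshake (for SOCKS5, the segment following the method-selection exchange); a result of `True` from `connect_rewritten_to_proxy` is the condition the article describes, and the next-hop shown in the policy trace should then be checked against the forwarder configuration.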

Environment

  • Chained proxy deployment: the downstream proxy has no Internet connectivity and connects through an upstream proxy
  • A SOCKS gateway is configured to forward the traffic

Cause

The downstream proxy may have a forwarder host or group configured that also applies to the transaction. Forwarders and SOCKS gateways are not mutually exclusive: if a transaction matches both, the forwarder host is applied first and the SOCKS gateway afterwards. In this case the forwarder rewrites the transaction's destination to the upstream proxy, and the SOCKS gateway then sends a CONNECT carrying that rewritten destination.

Resolution

Check the forwarder configuration on the downstream proxy and remove the unintended forwarding:

  1. If a forwarding rule matches, the match is easy to see in the policy trace.
  2. If no forwarding rule matched in the trace, check the Default Sequence settings under the Forwarder Host configuration on the proxy. It may contain one or more entries, and the forwarder hosts/groups listed there are always evaluated even when no forwarding rule in policy matches:
    forwarding ;mode
    create host "ProxySG2" "10.0.80.81" http=8080 proxy
    default-sequence add ProxySG2 <== There is a default sequence set
    exit

To disable forwarding for a particular transaction, add the following CPL (or its VPM equivalent):

<Forward>
    server_url.address=X.X.X.X/32 forward(no)
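The two diagnostic steps above (read the next-hop from the policy trace, then check it against the forwarder hosts and the Default Sequence) and the CPL remedy can be scripted. The following Python is an added example, not code from the article or from Broadcom: it extracts the TUNNEL destination and the origin server next-hop from a trace, parses `create host` and `default-sequence add` lines from a `forwarding` configuration dump, reports whether the next-hop is a configured forwarder host (and whether that host is in the default sequence, which explains a rewrite with no matching rule), and emits the article's `<Forward>` layer for an IP-literal destination. The trace and configuration text are constructed samples modelled on the excerpts in the article, and 203.0.113.10 is an assumed OCS address.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample policy trace, modelled on the article's excerpt (OCS address is assumed).
SAMPLE_TRACE = """\
connection: service.name=SOCKS client.address=10.0.200.1 (effective address=10.0.200.1) proxy.port=80 source.port=50080 dest.port=80 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2024-07-30 06:58:39 UTC
TUNNEL http://203.0.113.10/
  RDNS lookup was restricted
origin server next-hop IP address=10.0.80.81
user: unauthenticated
verdict: ALLOWED
"""

# Constructed sample forwarding configuration, as shown under Resolution in the article.
SAMPLE_FORWARDING_CONFIG = """\
forwarding ;mode
create host "ProxySG2" "10.0.80.81" http=8080 proxy
default-sequence add ProxySG2
exit
"""

HOST_RE = re.compile(r'^create host "([^"]+)" "([^"]+)"', re.M)
DEFAULT_SEQ_RE = re.compile(r"^default-sequence add (\S+)", re.M)
TUNNEL_RE = re.compile(r"^TUNNEL\s+(\S+)", re.M)
NEXTHOP_RE = re.compile(r"^origin server next-hop IP address=(\S+)", re.M)


def parse_forwarding_config(text: str):
    """Return ({host_name: host_ip}, [names in the default sequence]) from a 'forwarding' config dump."""
    hosts = {name: ip for name, ip in HOST_RE.findall(text)}
    default_seq = DEFAULT_SEQ_RE.findall(text)
    return hosts, default_seq


def parse_trace(text: str):
    """Return (tunnel_destination_url, next_hop_ip) from a policy trace; None for a missing field."""
    tunnel = TUNNEL_RE.search(text)
    nexthop = NEXTHOP_RE.search(text)
    return (tunnel.group(1) if tunnel else None, nexthop.group(1) if nexthop else None)


def diagnose(trace_text: str, config_text: str) -> dict:
    """Flag a transaction whose next-hop is a forwarder host, i.e. the destination was rewritten
    before the SOCKS gateway built its CONNECT."""
    hosts, default_seq = parse_forwarding_config(config_text)
    dest, nexthop = parse_trace(trace_text)
    ip_to_name = {ip: name for name, ip in hosts.items()}
    name = ip_to_name.get(nexthop)
    return {
        "forwarded": name is not None,
        "forwarder": name,
        # A host in the default sequence is applied even when no forwarding rule matches.
        "via_default_sequence": name is not None and name in default_seq,
        "destination": dest,
        "next_hop": nexthop,
    }


def forward_no_cpl(destination_url: str) -> str:
    """Build the <Forward> layer from the article for an IP-literal OCS (assumption: the TUNNEL
    destination is an IP; an FQDN raises ValueError and needs a host-based condition instead)."""
    host = urlparse(destination_url).hostname
    ipaddress.ip_address(host)  # raises ValueError for an FQDN
    return f"<Forward>\n    server_url.address={host}/32 forward(no)\n"


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE, SAMPLE_FORWARDING_CONFIG)
    print(result)
    if result["forwarded"]:
        print(forward_no_cpl(result["destination"]))
```

Run against a real trace and the output of `show forwarding` (or the `forwarding` section of the archived configuration); `via_default_sequence` being true with no forwarding rule visible in the trace points at step 2 above rather than at policy.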

Additional Information

Default Sequence TechDocs