14.9 Tunneling Secure Traffic Through Proxies

Clients often use web proxy servers to access web servers on their behalf (proxies are discussed in Chapter 6). For example, many corporations place a proxy at the security perimeter between the corporate network and the public Internet (Figure 14-19). The proxy is the only device the firewall routers permit to exchange HTTP traffic, and it may perform virus checking or other content controls.

Figure 14-19. Corporate firewall proxy


But once the client starts encrypting the data to the server, using the server's public key, the proxy no longer has the ability to read the HTTP header! And if the proxy cannot read the HTTP header, it won't know where to forward the request (Figure 14-20).

Figure 14-20. Proxy can't proxy an encrypted request


To make HTTPS work with proxies, a few modifications are needed to tell the proxy where to connect. One popular technique is the HTTPS SSL tunneling protocol. Using the HTTPS tunneling protocol, the client first tells the proxy the secure host and port to which it wants to connect. It does this in plaintext, before encryption starts, so the proxy can read this information.

HTTP is used to send the plaintext endpoint information, using a new extension method called CONNECT. The CONNECT method tells the proxy to open a connection to the desired host and port number and, when that's done, to tunnel data directly between the client and server. The CONNECT method is a one-line text command that provides the hostname and port of the secure origin server, separated by a colon. The host:port is followed by a space and an HTTP version string followed by a CRLF. After that there is a series of zero or more HTTP request header lines, followed by an empty line. After the empty line, if the handshake to establish the connection was successful, SSL data transfer can begin. Here is an example:

CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N

<raw SSL-encrypted data would follow here...>

After the empty line in the request, the client will wait for a response from the proxy. The proxy will evaluate the request and make sure that it is valid and that the user is authorized to request such a connection. If everything is in order, the proxy will make a connection to the destination server and, if successful, send a 200 Connection Established response to the client.

HTTP/1.0 200 Connection established
Proxy-agent: Netscape-Proxy/1.1
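The exchange above, as an added example that is not part of the book: the client builds the plaintext CONNECT head, the proxy parses it and applies the validity check the text mentions before replying, and the client reads the reply and starts SSL only on a 200. The port allowlist, the Proxy-agent string and the use of 403 for refused targets are this example's assumptions; an unrestricted CONNECT proxy is a general-purpose TCP relay, which is why a real deployment limits the target ports.

```python
import re

# Constructed policy for this example: a CONNECT proxy that relays to any
# host:port is a general TCP relay, so restrict targets to the HTTPS port.
ALLOWED_PORTS = {443}
REQUEST_LINE = re.compile(r"^CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")

def build_connect_request(host, port, user_agent="Mozilla/1.1N"):
    """Client side: plaintext CONNECT head (request line, headers, empty line)."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\nUser-agent: {user_agent}\r\n\r\n"

def _split_head(raw):
    """Split a head at its terminating empty line: (first line, headers, rest)."""
    head, sep, rest = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head: no terminating empty line")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def parse_connect_request(raw):
    """Proxy side: (host, port, headers, leftover). Leftover is whatever the
    client already sent after the empty line, i.e. the start of SSL data."""
    first, headers, rest = _split_head(raw)
    m = REQUEST_LINE.match(first)
    if not m:
        raise ValueError(f"bad CONNECT request line: {first!r}")
    return m.group(1), int(m.group(2)), headers, rest

def authorize_connect(host, port, allowed_ports=ALLOWED_PORTS):
    """The proxy's validity check before it opens the outbound connection.
    Returns the reply to send; 403 for refused targets is this example's choice."""
    if port not in allowed_ports:
        return "HTTP/1.0 403 Forbidden\r\nProxy-agent: Example-Proxy/1.0\r\n\r\n"
    return ("HTTP/1.0 200 Connection established\r\n"
            "Proxy-agent: Example-Proxy/1.0\r\n\r\n")

def parse_proxy_response(raw):
    """Client side: (status, headers, leftover); start SSL only on 200."""
    first, headers, rest = _split_head(raw)
    m = STATUS_LINE.match(first)
    if not m:
        raise ValueError(f"bad proxy status line: {first!r}")
    return int(m.group(1)), headers, rest
```

Anything the client sends after the empty line is returned untouched as the leftover, so the proxy can hand it to the origin server unmodified once the tunnel is up.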

For more information about secure tunnels and security proxies, refer back to Section 8.5.


HTTP: The Definitive Guide
ISBN: 1565925092
Year: 2001
Pages: 294