Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Configuring SSL Tunneling

The following procedure describes how to configure your Proxy Server to tunnel SSL.

Procedure: To configure SSL tunneling

  1. Access the Server Manager for a server instance and click the Routing tab.

  2. Click the Enable/Disable Proxying link.

  3. Select the connect://.*.443 resource from the drop-down list.

    The connect:// method is an internal proxy notation that does not exist outside of the proxy. See Technical Details for SSL Tunneling for more information about connect.

    To allow connections to other ports, you can use similar URL patterns in a template. For more information about templates, see Chapter 16, Managing Templates and Resources.

  4. Select Enable Proxying Of This Resource and click OK.


    Caution –

    If the proxy is misconfigured, someone can use the proxy to make it appear that a telnet connection is coming from the proxy host rather than the actual connecting host. Therefore do not allow any more ports than absolutely necessary, and use access control on your proxy to restrict the client hosts.


Technical Details for SSL Tunneling

Internally, SSL tunneling uses the CONNECT method with the destination host name and port number as a parameter followed by an empty line:

CONNECT energy.example.com:443 HTTP/1.0

The following example shows a successful response from the Proxy Server, followed by an empty line:

HTTP/1.0 200 Connection established
Proxy-agent: Oracle-iPlanet-Proxy-Server/4.0

The connection is then set up between the client and the remote server. Data can be transferred in both directions until either closes the connection.

Internally, to benefit from the typical configuration mechanism based on URL patterns, the host name and port number are automatically mapped into a URL such as this:

connect://energy.example.com:443

connect:// is an internal notation used by Proxy Server to make configuration easier and more uniform with other URL patterns. Outside of the Proxy Server, connect URLs do not exist. If the Proxy Server receives such a URL from the network, it marks the URL as invalid and refuses to service the request.
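The following Python model, added here and not part of the guide or of the Proxy Server's own code, walks through the exchange above from the proxy's side: it maps a CONNECT request line to the internal connect://host:port URL, checks it against the enabled resource pattern (only port 443, as in the procedure above), and refuses a request that carries a connect:// URL on the wire. The refusal status codes (400, 403) and the exact pattern syntax are assumptions; the guide only states that such requests are refused.

```python
import re
from typing import Optional

# Constructed policy mirroring the procedure: only the connect://.*:443
# resource has proxying enabled, so CONNECT to any other port is refused.
ENABLED_RESOURCES = [re.compile(r"^connect://[^:]+:443$")]
PROXY_AGENT = "Oracle-iPlanet-Proxy-Server/4.0"

# "CONNECT host:port HTTP/1.x", the request line shown in the guide.
CONNECT_LINE = re.compile(
    r"^CONNECT\s+([A-Za-z0-9.\-]+):(\d{1,5})\s+HTTP/1\.[01]$")


def to_internal_url(request_line: str) -> Optional[str]:
    """Map 'CONNECT host:port HTTP/1.0' to the internal connect://host:port URL.
    Returns None when the line is not a well-formed CONNECT request."""
    m = CONNECT_LINE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return f"connect://{host}:{port}"


def proxying_enabled(internal_url: str) -> bool:
    """True when an enabled resource pattern matches the internal URL."""
    return any(p.match(internal_url) for p in ENABLED_RESOURCES)


def handle_request_head(raw: bytes) -> str:
    """Return the response head (status line, headers, empty line) the
    proxy would send for a raw request head. Refusal codes are assumed."""
    head = raw.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    request_line = head.split("\r\n", 1)[0]
    # connect:// never appears on the wire; a client sending it is refused.
    if "connect://" in request_line.lower():
        return "HTTP/1.0 400 Bad Request\r\n\r\n"
    url = to_internal_url(request_line)
    if url is None:  # malformed, or not a CONNECT request at all
        return "HTTP/1.0 400 Bad Request\r\n\r\n"
    if not proxying_enabled(url):  # e.g. CONNECT host:23 (telnet) or :80
        return "HTTP/1.0 403 Forbidden\r\n\r\n"
    return ("HTTP/1.0 200 Connection established\r\n"
            f"Proxy-agent: {PROXY_AGENT}\r\n\r\n")
```

After the 200 response the real proxy simply relays bytes in both directions until one side closes; that relay is outside this model.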