The HTTP proxy as currently implemented is a means of filtering Web content for outbound references from Web browsers to external, unknown servers.
The HTTP proxy:
Provides a relay capability for HTTP access to the World Wide Web; this relay supports HTTP and the Secure Sockets Layer (SSL).
Allows or denies sessions based on the source and destination addresses
Provides selective filtering of HTTP content (such as Java applets, ActiveX, and cookies) based on the source and destination addresses for sessions
Is useful in implementing network address translation (NAT) because it originates all outbound connections to Web servers; it reuses a single IP address for multiple browser clients.
Can filter Java applets based on the signatures encapsulated in Jar files attached to the applet or based on a precomputed hash of valid applets
Is configured on a per-rule basis in the configuration editor to:
Remove cookies (see "HTTP Proxy Limitations")
Block ActiveX content
Block or allow all Java content (see "HTTP Proxy Limitations")
Block SSL content.
Can be used with virus-scanning software
When you use your HTTP proxy in conjunction with VirusWall scanning, your HTTP proxy examines Web content for malicious scripting language code and executable content, and scans downloaded data for possible computer viruses. The scanner instructs that the content be blocked, or altered (for example, clean viruses from the content), or returned unaltered. Scanning results are recorded in the SunScreen log entries regarding HTTP transfers. See "VirusWall Content Scanning" for detailed information about VirusWall.
To use the HTTP proxy, define the source addresses that should be allowed to have access to the proxy and to the destination addresses of allowed Web servers to be contacted. To create the HTTP proxy rule, use the built-in service www, reference your desired source and destination addresses, and select the PROXY for PROXY_HTTP during rule definition (in the administration GUI) or the PROXY_HTTP keyword (for command-line rule creation).
To require user authentication of HTTP traffic through the proxy, the USER keyword may be used in rule creation on the command line; equivalently, a proxyuser object may be associated with PROXY_HTTP rules within the rule manipulation facilities provided by the Admin GUI. This usage is similar to that of the FTP and Telnet proxies, but for the HTTP proxy, user authentication is optional.
The HTTP proxy allows further restrictions based on target port numbers. HTTP provides for user-specified references to arbitrary port numbers using the http://host:port/... construction. Because of the way in which the Screen operates, client browsers can be inadvertently allowed access to services that would otherwise be restricted save for this feature of HTTP.
The port restriction mechanism for the SunScreen HTTP proxy is controlled by the variable TargetSvcs. This variable can either be global or Screen-specific. It contains the following items:
sys=Screen (optional)
prg=httpp
name=TargetSvcs
values={ svc=service... } - Name or names of service objects for services to allow
description="descriptive text" (optional)
enabled | disabled - The default is enabled.
As initially installed, a global version of this variable is created that restricts such access to port 80 (the www service).
The following is an example of what you would type to display this (initial) variable while logged into the primary Screen:
admin% ssadm -r primary edit Initial edit> vars print prg=httpp name=TargetSvcs PRG="httpp" NAME="TargetSvcs" ENABLED VALUES={ svc="www" } DESCRIPTION="target TCP ports that the HTTP proxy can get to" |
To have access to a wider range of ports configuring a new service object and an added variable (for example, this time, for a particular Screen) is one way of doing this. The following example show what you type while logged into the primary Screen:
>admin% ssadm -r primary edit Initial edit> add service www-targets SINGLE FORWARD "tcp" PORT 1024-1520 PORT 1522-3850 PORT 3856-5999 PORT 6064-65545 COMMENT "more TCP port numbers to allow as targets in HTTP proxy URIs" edit> vars add sys=screen prg=httpp name=TargetSvcs values={ svc=ssl svc=www svc=www-targets } description="target TCP ports that the HTTP proxy can get to" edit> save edit> quit |
The above definitions prevent access to ports that are below 1024 except for www and ssl. It also prevents access to port 1521 (SQLNET), ports 3851 through 3855 (the Screen's administrative and SecurID PIN server ports), and ports 6000 through 6063 (which are used by X Windows). Tailor your restrictions to suit your security needs.
You can configure the SunScreen HTTP proxy to restrict Web content.You can block or allow content, or you can be configured to verify certain content (Java applets) based on digital signatures or hashes. You configure these content-filtering features as part of the rules employing the HTTP proxy.
The HTTP proxy relays access for the ftp:// method to the FTP proxy. This approach enables users of the browser to list directories and download files. Most often, this facility is used in conjunction with URLs embedded in web content that is designed to facilitate file downloading.
The standard form of an ftp:// method URL is as follows:
ftp://user:passwd@host:/dir...type
The user, passwd, and type are optional (and not often used by ftp:// method references.) The list of dir components specifies path name of the reference. Note that SunScreen does not implement the port option for ftp:// URLs.
The default behavior of the user and passwd references is to use anonymous FTP. A typical URL would then look like:
ftp://codebloat.com/pub/dwnlds/exploder5.exe
Control over the defaulting of user and passwd is obtained using three variables -- FtpPwdDomain, FtpPwdUser, and FtpUser -- each of which is described below.
FtpPwdDomain contains the following items:
sys=screen (optional)
prg=http
name=FtpPwdDomain
value=domain - domain is used in creating an anonymous password.
description="descriptive text" (optional)
enabled | disabled - The default is disabled.
This variable (if not found or disabled) in the HTTP proxy defaults at run-time to the domain name of the Screen (for example, the output of the Solaris defaultdomain command).
FtpPwdUser contains:
sys=screen (optional)
prg=http
name=FtpPwdUser
value=user - user is used in creating an anonymous password. The default is webproxy..
description="descriptive text" (optional)
enabled | disabled - The default is enabled.
The HTTP proxy uses this variable, in conjunction with the (perhaps defaulted) value of FtpPwdDomain to construct an anonymous password of the form:
@FtpPwdUser@FtpPwdDomain
If the passwd supplied in the URL is a string that contains no @ characters (encoded as %40), then that passwd string takes the place of the value of FtpPwdUser in the anonymous password construction. Thus the URL:
ftp://:bob@codebloat.com/pub/dwnlds/exploder5.exe
enables designating the user bob for the user portion of the anonymous password (for example, @bob@FtpPwdDomain).
The value of FtpPwdUser can be changed to redirect potential email responses from FTP servers to an appropriate storage receptacle.
FtpUser contains:
sys=screen (optional)
prg=http
name=FtpUser
value=proxyuser - proxyuser is used in anonymous access. The default is anonymous.
description="descriptive text" (optional)
enabled | disabled - The default is enabled.
This variable does not normally need to be altered unless the identity of the predefined user anonymous in the Screen's proxyuser database has been changed.
In addition to the anonymous usage, it is possible to download using authenticated users through the FTP proxy using the ftp:// method. An example URL is:
ftp://proxyuser:proxypass%40serverpass@server/README.TXT
This performs an operation identical to a direct interaction with the FTP proxy, supplying the user as proxyuser@server and the password as proxypass@serverpass.
T:o enable the HTTP proxy to use the ftp:// method, one or more rules are needed to allow the HTTP proxy itself to be a client of the FTP proxy. The HTTP proxy always connects to the FTP proxy using the LOOPBACK (127.0.0.1) address. So, for example, to enable the ftp:// method anonymous access to "outside" web servers
edit> add address outside ... edit> add address local127 RANGE 127.0.0.1 127.255.255.255 ... edit> add rule ftp local127 outside ALLOW PROXY_FTP USER anonymous FTP_GET FTP_CHDIR |
This enables anonymous FTP through the proxy for any user on the Screen itself as well.
As previously stated, the HTTP proxy can optionally require users to authenticate themselves. The addition of a USER attribute to a rule, along with an associated proxyuser object name, will cause requests to require authentication (based on the source and/or destination addresses within the rule).
HTTP proxy authentication uses the same mechanisms as other proxies. See Chapter 9, Authentication for information about SunScreen user authentication mechanisms.
The SunScreen HTTP proxy supports the Basic HTTP authentication method and provides several HTTP proxy authentication variables for configuring the method.
These variables do not normally need alteration, and come prefigured for immediate operation. The variables are:
sys= Screen (optional)
prg=httpp
name=AuthBasicRealm
value=SunScreen (optional - prefigured as shown)
description="descriptive text" (optional)
enabled | disabled (prefigured as enabled)
The Basic authentication mechanism allows use of a Realm name; this realm name is displayed by the user's browser as part of the authentication, and is intended to be useful in identifying the collection of resources being protected by authentication. It is an authentication mechanism between the user and the programs he or she wants to access. The administrator knows about this and other kinds of authentication associated with a firewall, but an end user may not. The realm variable identifies who or what is interposing this authentication on the proxy. What the user sees in the password process of the browser varies depending on how these variables are set. The word "SunScreen" could be replaced with some company-specific term, for instance.
sys= Screen (optional)
prg=httpp
name=AuthBasicTTL
value=authttl (default is "15m")
description="descriptive text" (optional)
enabled | disabled (prefigured as enabled)
authttl is a timeout, constructed of an unsigned number, followed optionally by one of the scaling characters (d, h, m, or s). These indicate time units of days, hours, minutes, or seconds, respectively. The scaling characters are case-insensitive, and the default unit scale is seconds.
Credentials for proxy authentication are stored by the browser and offered repeatedly with subsequent requests. This functionality prevents annoying the user with many such challenges, which would otherwise render web browsing unusable. However, the SunScreen administrator is allowed to place a reasonable upper limit on the amount of time a given browser instance (or group of instances) will be allowed to reuse the same credentials without requalification. Tailoring this variable restricts the time which an unattended browser might be usable by another party before the latter would be required to re-authenticate. The AuthBasicTTL variable controls this time-to-live setting for credentials using the Basic authentication method.
When the HTTP proxy starts, it reads its policy files, starts a Java Virtual Machine (JVM) for processing Jar (Java archive) files, and then listens on the standard HTTP port (80) for connections. When a connection is made, the HTTP proxy starts a new thread to handle the connection, and the main thread resumes listening.
The child thread reads the first line of the HTTP header request from the client and parses the actual destination address. The method (for example, http:// or ftp://) is determined. If the ftp:// method is requested, the request for file retrieval is forwarded to the FTP proxy as described above. Otherwise (for the http:// method) the thread searches the proxy policy rules for a match on the source and destination addresses.
If the rule matched specifies (proxy) user authentication, and if proper user credentials are not present in the request or have expired, the proxy returns a response indicating a need for (proxy) user credentials.
If a match is found, the flags associated with that policy rule are set. The proxy then reads the rest of the client's HTTP request. If a match for the connection is not found, the HTTP proxy sends the client an error (Method Not Implemented) and closes the connection.
If cookies are not allowed, any cookie responses are deleted.
If SSL is allowed and the connection uses SSL, the connection continues. No further processing can take place, because the rest of the connection is encrypted. If SSL is not allowed, the HTTP proxy drops the connection and sends an error (Method Not Implemented) to the client.
If the rule matched specifies (proxy) user authentication, and if proper user credentials are not present in the request or have expired, the proxy returns a response indicating a need for (proxy) user credentials.
If the connection is allowed, the HTTP proxy attempts to open a connection to the actual destination web server. If the web server cannot be reached, the proxy returns an error (Cannot locate host) to the client and closes the connection.
If the HTTP proxy connects to the web server, it sends the client's HTTP request to the server and waits for a response. When a response arrives, the proxy reads the response header and, if appropriate, drops any cookie requests. If the response header indicates that the response includes Java or ActiveX content, the proxy examines the response body to determine the nature of the content. If the content is not allowed, the proxy sends an error (Cannot connect to host) to the client and drops the connection.
If content scanning has been configured, and once the above-mentioned proxy-based content checks have been performed, the resulting content is passed to the scanner for inspection. The scanner may instruct that the content be blocked, or may alter the content (clean viruses, for example) , or may return it unaltered. Scanning results are given to the user (as being blocked, if so determined). Scanning results are reflected in SunScreen log entries regarding the HTTP request and its results.
If the body contains a Jar file, the Jar is passed to the JVM, which extracts the signature components and calculates a hash for the Jar. The signatures are compared to the list of approved signatures and if the signatures match and signed Jars are allowed, the data are passed on to the client. If hashed Jars are allowed, the proxy compares the computed hash to the list of approved hash values and if a match is found, passes the response to the client.
After all of the data have been passed to the client, the proxy closes the connections to the client and the server and terminates the thread.
The HTTP proxy is configured on a global basis in the configuration editor to verify the list of acceptable signatures and hash values on Jar content.
Both the Jar hashes and signatures are stored in the vars database.
Currently, there is no provision to create Screen-specific versions of the Jar hashes and signatures for the Screen
The following is an example of what you type to manage Jar hashes:
edit> jar_hash parameters |
You can add, delete, list, and rename Jar hashes. You assign names, which are ephemeral strings. Names are used only to reference items when managing them using the jar_hash command.
You can add, delete, list, or rename Jar signatures. You assign the names, which are ephemeral strings. The names are used only for purposes of reference to items when managing them using the jar_sig command.
Jar validation facilities acquire the hash and signature values that are added to the configuration.
ActiveX filtering currently blocks certain types of Java content.