SunScreen 3.2 Administrator's Overview

HTTP Proxy Port Restrictions

The HTTP proxy allows further restrictions based on target port numbers. HTTP provides for user-specified references to arbitrary port numbers using the http://host:port/... construction. Because of the way in which the Screen operates, client browsers can be inadvertently allowed access to services that would otherwise be restricted save for this feature of HTTP.

The port restriction mechanism for the SunScreen HTTP proxy is controlled by the variable TargetSvcs. This variable can either be global or Screen-specific. It contains the following items:

As initially installed, a global version of this variable is created that restricts such access to port 80 (the www service).

The following is an example of what you would type to display this (initial) variable while logged into the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars print prg=httpp name=TargetSvcs
PRG="httpp" NAME="TargetSvcs" ENABLED VALUES={ svc="www" } 
DESCRIPTION="target TCP ports that the HTTP proxy can get to" 

One way to allow access to a wider range of ports is to configure a new service object and add a variable (in this example, one specific to a particular Screen). The following example shows what you type while logged into the primary Screen:


>admin% ssadm -r primary edit Initial
edit> add service www-targets SINGLE FORWARD "tcp" PORT
1024-1520 PORT 1522-3850 PORT 3856-5999 PORT 6064-65545 COMMENT "more TCP
port numbers to allow as targets in HTTP proxy URIs"
edit> vars add sys=screen prg=httpp name=TargetSvcs values={ svc=ssl   
svc=www svc=www-targets } description="target TCP ports that the HTTP proxy can get to"
edit> save
edit> quit

Note -

The above definitions prevent access to ports that are below 1024 except for www and ssl. It also prevents access to port 1521 (SQLNET), ports 3851 through 3855 (the Screen's administrative and SecurID PIN server ports), and ports 6000 through 6063 (which are used by X Windows). Tailor your restrictions to suit your security needs.
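As an added example (not SunScreen code), the following Python models the TargetSvcs check described above: it parses the PORT ranges of the www-targets service definition, expands the initial and the extended TargetSvcs values, and reports whether the port in an http://host:port/ URL would be a permitted target. The ssl service is assumed to be port 443.

```python
"""Model of the SunScreen HTTP proxy TargetSvcs check (added example, not
SunScreen code).  It parses PORT ranges from an 'add service' line, expands
a TargetSvcs value to the ports of its member services, and decides whether
the port in an http://host:port/ URL is a permitted target."""
import re
from urllib.parse import urlsplit

MAX_PORT = 65535  # highest valid TCP port


def parse_port_spec(spec):
    """Turn 'PORT 1024-1520 PORT 1522-3850 ...' into (low, high) tuples."""
    ranges = []
    for lo, hi in re.findall(r"PORT\s+(\d+)(?:-(\d+))?", spec):
        low, high = int(lo), int(hi or lo)
        if not 0 < low <= high <= MAX_PORT:
            raise ValueError(f"bad port range {lo}-{hi}")
        ranges.append((low, high))
    return ranges


# Service objects: www (port 80) is named on the page; ssl = 443 is an
# assumption; www-targets is the custom service defined above.
SERVICES = {
    "www": [(80, 80)],
    "ssl": [(443, 443)],
    "www-targets": parse_port_spec(
        "PORT 1024-1520 PORT 1522-3850 PORT 3856-5999 PORT 6064-65535"),
}


def target_ports(target_svcs, services=SERVICES):
    """Union of the port ranges of the services listed in TargetSvcs."""
    return [r for svc in target_svcs for r in services[svc]]


def url_port_allowed(url, target_svcs, services=SERVICES):
    """True if the proxy may connect to the port this URL names."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # e.g. http://host:99999/ (port out of range)
        return False
    return any(lo <= port <= hi for lo, hi in target_ports(target_svcs, services))


INITIAL = ["www"]                          # stock global TargetSvcs value
EXTENDED = ["ssl", "www", "www-targets"]   # Screen-specific value added above

if __name__ == "__main__":
    for url in ("http://intranet/", "http://app:8080/", "http://db:1521/",
                "http://screen:3853/", "http://x11:6000/"):
        print(url, url_port_allowed(url, INITIAL), url_port_allowed(url, EXTENDED))
```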


You can configure the SunScreen HTTP proxy to restrict Web content. You can block or allow content, or configure the proxy to verify certain content (Java applets) based on digital signatures or hashes. You configure these content-filtering features as part of the rules that employ the HTTP proxy.