Sun Java System Web Proxy Server 4.0.3 2006Q2 Administration Guide

Configuring SSL Tunneling

The following procedure describes how to configure your Proxy Server to tunnel SSL.

To configure SSL tunneling

Steps
  1. Access the Server Manager for a server instance and click the Routing tab.

  2. Click the Enable/Disable Proxying link.

  3. Select the connect://.*.443 resource from the drop-down list.

    The connect:// method is an internal proxy notation and does not exist outside of the proxy. See Technical Details for SSL Tunneling below for more information about the connect:// notation. To allow connections to other ports, you can use similar URL patterns in a template. For more information about templates, see Chapter 16, Managing Templates and Resources.

  4. Select Enable Proxying Of This Resource and click OK.


    Caution –

    If the proxy is misconfigured, it is possible to abuse the SSL proxy to achieve telnet hopping. Someone can use the proxy to make it appear that a telnet connection is coming from the proxy host, rather than the actual connecting host. This is why you must allow no more ports than absolutely necessary, and use access control on your proxy (restricting the client hosts).


Technical Details for SSL Tunneling

Internally, SSL tunneling uses the CONNECT method with the destination host name and port number as a parameter followed by an empty line:

CONNECT energy.example.com:443 HTTP/1.0

A successful response from the Proxy Server would be the following, followed by an empty line:

HTTP/1.0 200 Connection established
Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0

The connection is then set up between the client and the remote server, and data can be transferred in both directions until either closes the connection.

Internally, to benefit from the typical configuration mechanism based on URL patterns, the host name and port number (energy.example.com:443) are automatically mapped into a URL such as this:

connect://energy.example.com:443

connect:// is only an internal notation used by Proxy Server to make configuration easier and uniform with other URL patterns. Outside of the Proxy Server, connect URLs do not exist, and if the Proxy Server receives such a URL from the network, it marks it as invalid and refuses to service the request.
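The following Python script is an added illustration of the CONNECT handling described in this section and of the port restriction the procedure above configures; it is not code from the Proxy Server product. It parses a CONNECT request line, maps the host and port to the internal connect:// notation, checks that notation against an enabled resource pattern, and produces the success response shown above. The pattern `connect://[^:/]+:443`, the use of Python regular expressions for pattern matching, and the 400 and 403 status lines used for refused requests are assumptions made for this example; the page only states that the proxy refuses such requests, not which status codes it sends.

```python
import re

# Assumed stand-in for the enabled resource pattern from the procedure above
# (the product's own pattern syntax is not specified on this page).
# Only CONNECT to port 443 is proxied, in line with the caution to allow
# no more ports than absolutely necessary.
ALLOWED_RESOURCE_PATTERNS = [r"connect://[^:/]+:443"]

PROXY_AGENT = "Sun-Java-System-Web-Proxy-Server/4.0"

# 'CONNECT host:port HTTP/1.0' (or HTTP/1.1) with a numeric port.
CONNECT_LINE = re.compile(r"^CONNECT\s+([^\s/:]+):(\d{1,5})\s+HTTP/1\.[01]$")


def to_connect_url(request_line):
    """Map 'CONNECT host:port HTTP/1.0' to the internal connect://host:port URL.

    Returns None if the line is not a well-formed CONNECT request.
    """
    m = CONNECT_LINE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return "connect://%s:%d" % (host, port)


def is_proxying_enabled(url, patterns=ALLOWED_RESOURCE_PATTERNS):
    """Return True if the internal URL matches an enabled resource pattern."""
    return any(re.fullmatch(p, url) for p in patterns)


def handle_request(request_line, patterns=ALLOWED_RESOURCE_PATTERNS):
    """Decide the proxy's reply to one request line.

    Returns the response header lines; the status codes for refusals are
    assumed for this example.
    """
    # connect:// is internal notation only: a request carrying such a URL
    # from the network is invalid and is not serviced.
    if "connect://" in request_line:
        return ["HTTP/1.0 400 Bad Request"]
    url = to_connect_url(request_line)
    if url is None:
        return ["HTTP/1.0 400 Bad Request"]
    # Any port not covered by an enabled pattern (for example 23) is refused,
    # which is the control the caution above relies on.
    if not is_proxying_enabled(url, patterns):
        return ["HTTP/1.0 403 Forbidden"]
    return ["HTTP/1.0 200 Connection established", "Proxy-agent: " + PROXY_AGENT]


if __name__ == "__main__":
    # Constructed request lines, including the example from this section.
    for line in ("CONNECT energy.example.com:443 HTTP/1.0",
                 "CONNECT energy.example.com:23 HTTP/1.0",
                 "GET connect://energy.example.com:443 HTTP/1.0"):
        print(line, "->", handle_request(line))
```

The first request in the demo receives the two-line success response shown above; the request to port 23 is refused because it maps to `connect://energy.example.com:23`, which no enabled pattern covers; and the request that names a connect:// URL directly is rejected as invalid before any pattern is consulted.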