|Overview| Examples| Bugs| FAQ | White papers | Download | Help wanted | SourceForge Project page | Filltable utility|
You can use the HttpProxyURIFilter class for it. This class have an attribute called "matcher". The matcher attribute should be initialized to refer to a Matcher object (i.e. an instance of the Matcher class.) For each URI, the checkMatch() method of the matcher will be called. If it returns true, the page will be blocked. You can use some of the built-in matcher classes with it, or write your own matcher if you have extra requirements. In regexp.policy you see RegexpFileMatcher used. It is one of the built-in matchers, using files containing regular expressions to decide whether an URI should be blocked or not.
You can use the request_headers attribute of the Http proxy with HTTP_HDR_INSERT. See inserthdr.policy for the details.
2.3 I have one IP addressable from the internet, but my DMZ contains more web servers. What can I do?
You can set up virtualhosting with zorp. See virtualhost.policy for an example.
Can someone please show me what this should look like for a general-HTTPS-browsing scenario, e.g., intranet users need to reach various ecommerce sites on the Internet? I've seen code for doing this with PlugProxy, but I'd much rather do it with PsslProxy and HttpProxy (i.e., with some intelligence ;-).
At first I create a HttpProxy, whth file matcher to enable and diable URLs, like denying sex, but allow dosexpert:
class MyHttpProxy(HttpProxyURIFilter): matcher=RegexpFileMatcher("/etc/zorp/blacklist-http", "/etc/zorp/blacklist-http.ignore")
"sex" is in etc/zorp/blacklist-http "dosexpert" is in /etc/zorp/blacklist-http.ignore
then i create a https proxy, deriverd from pssl proxy:
class MyHttpsProxy(PsslProxy): def config(self): # both side need ssl self.server_need_ssl = TRUE self.client_need_ssl = TRUE # client secret key and cert generated by openssl self.client_cert = '/etc/zorp/myhttps.crt' self.client_key = '/etc/zorp/myhttps.key' # do not check clients certificates (no mutual auth) self.client_verify_type = NONE # strict check of https server certs self.server_verify_type = SSL_VERIFY_REQUIRED_TRUSTED # put the allowed CAs' certs into this directory, so # only the good servers will be allowed, for instance # if you only put verysign CA cert here, only those # servers will be allowed, which owns VS certs # WARNING: never allow sef singed certs;-)))) # you can gain CA certs form apache-ssl deb package self.server_ca_directory = '/etc/zorp/ca.d/' # you want to shutdown each way Read and Write) # separately. self.shutdown_soft = TRUE # now I stack Http Proxy with the previous # URI filtering into the SSL proxy, so sex.com # cannot be visited neither via HTTP and HTTPS... self.stack_proxy = MyHttpProxy
This response is sent by some http servers. The problem is that this response is invalid, hence no one plans to accept it in zorp. It might helps to set the client to talk 1.0 version of the protocol, because the known case sends the erroneous header only in HTTP/1.1
Converting http proxy requests to ftp is a complex task, and have nothing to do with security. So do not except Zorp to support it soon. You can drop a squid or other similar caching proxy before the firewall, and use that to make the conversion.
2.7 How can I route https traffic arriving to my firewall to two different servers based on the server name in request?
With side stacking, of course. The problem with http-in-pssl is that pssl connects to the destination _before_ it starts the stacked-in proxy. The solution looks something like this:
Service('https', DecryptPsslProxy, router=InbandRouter(), chainer=SideStackChainer(HttpProxy, chainer=SideStackChainer(CryptPsslProxy)))
The first pssl is one-sided, uses SSL on the client side, and cleartext in the server side. The second proxy is a http proxy, which starts the other pssl when it connects to the server. This second one is cleartext in the client side, and SSL on the server side.
If your server does not really talks ssl, you can leave the second pssl. An example:
class TESTHTTPS(HttpProxy): def config(self): HttpProxy.config(self) self.session.server_address = SockAddrInet("192.168.1.101", 443) self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL) self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL) def setServerAddress(self, host, port): return TRUE domain2_url = re.compile('domain2.hu') def filterURL(self, method, url, version): if (self.domain2_url.search(url)): self.session.server_address = SockAddrInet("192.168.2.101", 443) return HTTP_REQ_ACCEPT return HTTP_REQ_ACCEPT Service('https', DecryptPsslProxy, router=InbandRouter(), chainer=SideStackChainer(TESTHTTPS, chainer=SideStackChainer(CryptPsslProxy)))
See Balabit's whitepaper at http://www.zorpfirewall.com/reviews/whitepapers/win-update.pdf
Next Previous Contents