The Official Unofficial Zorp project
 

    2. Http related questions

    2.1 How can I filter URIs in the http proxy?

    You can use the HttpProxyURIFilter class for this. The class has an attribute called "matcher", which should be initialized to refer to a Matcher object (i.e. an instance of the Matcher class). For each URI, the checkMatch() method of the matcher is called; if it returns true, the page is blocked. You can use one of the built-in matcher classes, or write your own matcher if you have extra requirements. In regexp.policy you can see RegexpFileMatcher in use: it is one of the built-in matchers, and it uses files containing regular expressions to decide whether a URI should be blocked or not.

    2.2 How can I insert the address of the client into a header of the http request?

    You can use the request_headers attribute of the Http proxy with HTTP_HDR_INSERT. See inserthdr.policy for the details.

    2.3 I have one IP addressable from the internet, but my DMZ contains more web servers. What can I do?

    You can set up virtualhosting with zorp. See virtualhost.policy for an example.

    2.4 A general HTTPS-browsing scenario

    Can someone please show me what this should look like for a general-HTTPS-browsing scenario, e.g., intranet users need to reach various ecommerce sites on the Internet? I've seen code for doing this with PlugProxy, but I'd much rather do it with PsslProxy and HttpProxy (i.e., with some intelligence ;-).

    First I create an HttpProxy with a file matcher to enable and disable URLs, like denying sex but allowing dosexpert:


    from Zorp.Http import *       # HttpProxyURIFilter
    from Zorp.Matcher import *    # RegexpFileMatcher
    class MyHttpProxy(HttpProxyURIFilter):
        matcher = RegexpFileMatcher("/etc/zorp/blacklist-http", "/etc/zorp/blacklist-http.ignore")
    

    "sex" is in /etc/zorp/blacklist-http; "dosexpert" is in /etc/zorp/blacklist-http.ignore.

    Then I create an https proxy, derived from PsslProxy:


    from Zorp.Pssl import *       # PsslProxy and the SSL_VERIFY_* constants

    class MyHttpsProxy(PsslProxy):
        def config(self):
            # both sides need SSL
            self.server_need_ssl = TRUE
            self.client_need_ssl = TRUE

            # client-side secret key and cert, generated with openssl
            self.client_cert = '/etc/zorp/myhttps.crt'
            self.client_key = '/etc/zorp/myhttps.key'

            # do not check client certificates (no mutual auth);
            # the original snippet wrote NONE, which is not a Zorp constant
            self.client_verify_type = SSL_VERIFY_NONE

            # strict check of the https server certs
            self.server_verify_type = SSL_VERIFY_REQUIRED_TRUSTED

            # put the allowed CAs' certs into this directory, so only
            # servers with certs from those CAs are allowed: if you only
            # put the VeriSign CA cert here, only servers owning a
            # VeriSign cert will be accepted.
            # WARNING: never allow self-signed certs ;-)
            # you can get CA certs from the apache-ssl deb package
            self.server_ca_directory = '/etc/zorp/ca.d/'

            # you want to shut down each direction (read and write)
            # separately
            self.shutdown_soft = TRUE

            # now stack the HttpProxy with the URI filtering from above
            # into the SSL proxy, so sex.com cannot be visited via
            # HTTP or via HTTPS
            self.stack_proxy = MyHttpProxy
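
    As an added example (not code from the FAQ or from Zorp itself) of the matcher contract described in 2.1 and the blacklist/ignore file pair used in 2.4: a plain-Python stand-in for RegexpFileMatcher whose checkMatch() implements the assumed semantics that an ignore-file match overrides a blacklist match, together with the accept/reject decision HttpProxyURIFilter makes from it. The pattern-file format (one regex per line, '#' comments) and the HTTP_REQ_* stand-in values are assumptions; the sample files are constructed.

```python
import os
import re
import tempfile

# Stand-ins for Zorp's HTTP_REQ_* verdicts (assumption: only accept/reject matters here).
HTTP_REQ_ACCEPT = 'accept'
HTTP_REQ_REJECT = 'reject'

class BlacklistFileMatcher:
    """Stand-in for RegexpFileMatcher(match_file, ignore_file), assumed
    semantics: a URI matches when some blacklist regex matches it and no
    ignore-file regex does. Blank lines and '#' comments are skipped."""

    def __init__(self, match_file, ignore_file=None):
        self.match_patterns = self._load(match_file)
        self.ignore_patterns = self._load(ignore_file) if ignore_file else []

    @staticmethod
    def _load(path):
        with open(path) as f:
            lines = [l.strip() for l in f]
        return [re.compile(l) for l in lines if l and not l.startswith('#')]

    def checkMatch(self, uri):
        # The ignore list wins: "dosexpert" stays reachable although it contains "sex".
        if any(p.search(uri) for p in self.ignore_patterns):
            return False
        return any(p.search(uri) for p in self.match_patterns)

def check_url(matcher, method, url, version):
    """The decision HttpProxyURIFilter makes per request: block on a match."""
    if matcher.checkMatch(url):
        return HTTP_REQ_REJECT
    return HTTP_REQ_ACCEPT

def build_demo_matcher():
    """Constructed sample files mirroring the FAQ's blacklist / ignore pair."""
    d = tempfile.mkdtemp()
    match_file = os.path.join(d, 'blacklist-http')
    ignore_file = os.path.join(d, 'blacklist-http.ignore')
    with open(match_file, 'w') as f:
        f.write('# constructed blacklist\nsex\n\\.exe$\n')
    with open(ignore_file, 'w') as f:
        f.write('dosexpert\n')
    return BlacklistFileMatcher(match_file, ignore_file)

if __name__ == '__main__':
    m = build_demo_matcher()
    print(check_url(m, 'GET', 'http://www.dosexpert.com/', '1.1'))
```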
    

    2.5 What about "HTTP 200 Document follows" ?

    This response is sent by some http servers. The problem is that this response is invalid, hence nobody plans to accept it in Zorp. It might help to set the client to talk version 1.0 of the protocol, because the known case sends the erroneous header only in HTTP/1.1.

    2.6 How can I configure the http proxy to handle ftp traffic?

    Converting http proxy requests to ftp is a complex task, and it has nothing to do with security, so do not expect Zorp to support it soon. You can place a Squid or other similar caching proxy before the firewall, and use that to do the conversion.

    2.7 How can I route https traffic arriving at my firewall to two different servers based on the server name in the request?

    With side stacking, of course. The problem with http-in-pssl is that pssl connects to the destination _before_ it starts the stacked-in proxy. The solution looks something like this:


    Service('https', DecryptPsslProxy,
            router=InbandRouter(),
            chainer=SideStackChainer(HttpProxy, chainer=SideStackChainer(CryptPsslProxy)))


    The first pssl is one-sided: it uses SSL on the client side and cleartext on the server side. The second proxy is an http proxy, which starts the other pssl when it connects to the server. This second pssl is cleartext on the client side and SSL on the server side.

    If your server does not actually talk SSL, you can leave out the second pssl. An example:


    import re
    from Zorp.Core import *       # Service, SockAddrInet, routers and chainers
    from Zorp.Http import *       # HttpProxy and the HTTP_REQ_* constants

    class TESTHTTPS(HttpProxy):
        def config(self):
            HttpProxy.config(self)
            # default backend; changed per request by filterURL()
            self.session.server_address = SockAddrInet("192.168.1.101", 443)

            self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
            self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL)

        def setServerAddress(self, host, port):
            # keep the address chosen in filterURL(); do not let the
            # Host header override it
            return TRUE

        domain2_url = re.compile('domain2.hu')

        def filterURL(self, method, url, version):
            # requests for domain2.hu go to the second server; everything
            # else stays on the default backend, and all requests are accepted
            if self.domain2_url.search(url):
                self.session.server_address = SockAddrInet("192.168.2.101", 443)
            return HTTP_REQ_ACCEPT

    Service('https', DecryptPsslProxy,
            router=InbandRouter(),
            chainer=SideStackChainer(TESTHTTPS, chainer=SideStackChainer(CryptPsslProxy)))


    2.8 How can I handle the Windows Update service?

    See Balabit's whitepaper at http://www.zorpfirewall.com/reviews/whitepapers/win-update.pdf
