cho
Level 7
Message 1 of 3

Modify URL parameters and redirect https requests

Hi,


I'm having some trouble configuring the following use case in our proxy and hope you can help me with that:


All incoming requests (http & https) from a client to the proxy should be modified in a certain way and sent back with a new location in the response header.


For example: The client sends the request "https://google.com/foo/bar.html" to the proxy. The proxy then modifies the URL (i.e. adding the suffix "-intranet" in the URL protocol) and sends a response header with the new location "https-intranet://google.com/foo/bar.html" and HTTP code 307 back to the client.

 

curl -i -x <my-proxy-url> https://google.com/foo/bar.html
HTTP/1.0 200 Connection established

HTTP/1.1 307 Temporary Redirect
Via: 1.1 <proxy-ip> (McAfee Web Gateway 9.2.8.35765)
Location: https-intranet://google.com/foo/bar.html
Connection: Keep-Alive
Transfer-Encoding: chunked

 

This already works with my configuration for http and for some https requests. But it only works for https requests with "real" / responding webservers (e.g. google.com) since the proxy does the whole SSL handshake with the external server and only then sends back the modified response header to the client.

But I want the proxy to send the modified URL in every case (regardless of whether the handshake is successful or not, or whether the webserver exists or not). So if the user requests "https://foo.bar/non-existing-site.html" the proxy should just respond with the new location "https-intranet://foo.bar/non-existing-site.html" and not bother whether it can connect to the host 'foo.bar' or not. (The actual connection to the requested URL is not important at this point and will be handled by other systems in our environment.)

 

curl -i -x <my-proxy-url> https://foo.bar/non-existing-site.html
HTTP/1.0 200 Connection established

HTTP/1.1 502 notresolvable
Via: 1.1 <my-proxy-ip> (McAfee Web Gateway 9.2.8.35765)
Connection: Keep-Alive
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 2473
X-Frame-Options: deny

 

Is there a way that the proxy skips or ignores the handshake / CONNECT call with the actual web server and simply handles the GET request from the client (similar to http requests)?

(If I disable the SSL Scanner or try to apply my Redirect rule also to the CONNECT call, the proxy can't access the whole url path and just replies with the url domain, without ".../foo/bar.html")

Here's my current config:

Overview: 1_proxy_overview.png

Handle CONNECT Call: 2_handle_CONNECT_https.png

Redirect https: 3_redirect_https.png
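
An added illustration, not part of the original post and not McAfee Web Gateway code: it shows why a rule that fires on the CONNECT call can only return the domain, while the full path becomes available once the proxy reads the GET inside the TLS tunnel it terminates with the client. The function names and the sample request heads are constructed for this example; only the "-intranet" suffix and the foo.bar URL come from the post.

```python
SUFFIX = "-intranet"  # scheme suffix taken from the post

# Constructed sample request heads (not captured traffic).
CONNECT = b"CONNECT foo.bar:443 HTTP/1.1\r\nHost: foo.bar:443\r\n\r\n"
TUNNEL_GET = b"GET /non-existing-site.html HTTP/1.1\r\nHost: foo.bar\r\n\r\n"
PLAIN_GET = b"GET http://foo.bar/a.html HTTP/1.1\r\nHost: foo.bar\r\n\r\n"


def parse_head(raw):
    """Split a request head into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def url_seen_by_proxy(raw, inside_tls_tunnel=False):
    """Rebuild the most complete URL the proxy can know from one request."""
    method, target, headers = parse_head(raw)
    if method == "CONNECT":
        # authority-form: host:port only; the path is never sent here.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("malformed CONNECT target")
        return "https://" + (host if port == "443" else target)
    if target.startswith(("http://", "https://")):
        return target  # absolute-form, plain HTTP through the proxy
    if target.startswith("/") and "host" in headers:
        # origin-form, read after the proxy terminated TLS with the client
        scheme = "https" if inside_tls_tunnel else "http"
        return scheme + "://" + headers["host"] + target
    raise ValueError("unsupported request target")


def redirect_response(url):
    """Build the 307 with the suffixed scheme; no upstream contact needed."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL without scheme")
    location = scheme + SUFFIX + "://" + rest
    return ("HTTP/1.1 307 Temporary Redirect\r\n"
            "Location: " + location + "\r\n"
            "Content-Length: 0\r\n\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    for raw, tls in ((CONNECT, False), (TUNNEL_GET, True), (PLAIN_GET, False)):
        print(redirect_response(url_seen_by_proxy(raw, tls)).decode())
```
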

2 Replies
asabban
McAfee Employee
Message 2 of 3

Re: Modify URL parameters and redirect https requests

Hi,

Should this work for ALL URLs someone wants to access, or is it a limited subset of internal URLs?

Andre

cho
Level 7
Message 3 of 3

Re: Modify URL parameters and redirect https requests

Essentially this should work for all URLs (from the perspective of these rules).

But we already filter in earlier stages via proxy pac file, which proxy handles which URL. So in the end only a subset of certain URLs get to this specific proxy / rule set.
