16 Replies. Latest reply on Sep 25, 2012 11:00 AM by feeeds

    Cloak http responses as https

      Hi,

       

      I understand that Web Gateway has the following option under the "Set Client Context without CA" setting:

       

      SSL-Scanner functionality applies only to client connection. I reckon that an SSL tunnel will be created only between Client and webwasher, whereas the Webwasher to Web Server connection will be Standard HTTP. Note: We are operating in Reverse Proxy Configuration.

       

      setup.JPG

      Essentially, we want the client to have a secure tunnel up to the Webwasher. We have the SSL certificates available at the Webwasher. But our web server is totally HTTP based; it won't entertain any HTTPS request.

      Therefore our requirements are:

      1. If the client types http://www.webserver.com, Webwasher should redirect the user to HTTPS. Simultaneously, it should send an SSL certificate that corresponds to the web server.

      2. Although the Webwasher will send a certificate to the client, it will reconvert the URL to HTTP before passing it on to the web server (as it can handle HTTP requests only).

      3. The web server will send an HTTP response to the appliance. Here we want a rule that would cloak the HTTP response as HTTPS before passing it on to the client.

       

      Does anyone have such a setup implemented? My main issue is step 3: how to change the HTTP responses received by the appliance into HTTPS.

        • 1. Re: Cloak http responses as https

          You need experienced geek for that. Good luck.

          • 2. Re: Cloak http responses as https
            asabban

            Hello,

             

            Actually this is not really complicated. I created an example rule set for two web servers called

             

            www.reverse.securelabs.local

            mail.reverse.securelabs.local

             

            When the Client looks up these host names they will point to MWG. MWG has an entry in the /etc/hosts file, so that DNS resolution on the MWG points to the original web server.

             

            On MWG I have a port 80 and a port 443 to receive HTTP and HTTPS requests:

             

            Auswahl_275.png

             

            First of all I created a rule which redirects HTTP to HTTPS:

             

            Auswahl_276.png

             

            The rule is only triggered when an HTTP request comes in on Port 80 (see the criteria of the rule set and the rule). In the Event I take the original URL and replace http:// by https://. The result is written into "Redirect.URL". Then I call the redirect action, which redirects to the content of Redirect.URL.

             

            So when I go to http://www.reverse.securelabs.local, MWG sends a 302 and redirects me to https://www.reverse.securelabs.local.

             

            Now I create a rule set to intercept SSL traffic. As you mentioned using the "Enable Client Context without CA" and especially the "Client connection only" flag are what we need. The flag causes MWG to do the SSL handshake completely without verification/talking to the remote server. This means we establish a tunnel between the client and MWG. Once done, the client can talk HTTP in the tunnel as usual. My setting looks like this:

             

            Auswahl_277.png

            The corresponding rule set looks like this:

             

            Auswahl_278.png

            I trigger the SSL rule set only for requests on port 443. Please note that I also enabled Content Inspection, which is required for MWG to perform the handshake.

             

            Now so far there is probably nothing new to you. At this point MWG would already work as a reverse proxy, but talk HTTPS to the remote server. You can change this behaviour:

             

            Auswahl_279.png

            That Event causes MWG to talk plain HTTP to the web server.

             

            This is what happens:

             

            - Client establishes a connection to MWG on port 443

            - MWG performs the handshake with the client, without talking to the server

            - SSL tunnel is set up

            - Client sends GET / HTTP/1.1 within the tunnel to MWG

            - MWG takes that request and forwards it to the web server via HTTP

            - Web server answers with an HTTP response

            - MWG sends this response to the client within the tunnel

            - Client displays the data

             

            That should do the trick.

             

            Please note that the rules/rule set may not be perfect or may need to be changed to match your environment. I created them in a couple of minutes for my lab here.

             

            Best,

            Andre

            • 3. Re: Cloak http responses as https

              Thanks for your reply Andre. This is the response I am getting.

               

              redirection.JPG

              I guess there's something about the redirection rule that I am not getting. Could you please take a look at my rule set? Also, can you explain how "String.ReplaceFirstMatch" works?

              • 4. Re: Cloak http responses as https
                asabban

                Hello,

                 

                Please look at the redirect rule again. In the event you need to rewrite the property "URL", not a string "URL". The string "URL" does not match the regular expression, so MWG tries to redirect you to "URL", which is not a valid destination :-)

                 

                I admit this can hardly be seen from the screenshot. The only difference is that the string URL is in quotes, while the property is not. I should have added a more detailed screenshot here.

                 

                If you modify your redirect rule as follows it should work:

                 

                 

                Property Parameters_283.png

                Additionally, I found that you call the Redirect event only for the Response and Embedded cycles. I would recommend calling it in the Request cycle only, as shown in my screenshot above (look at the enabled/disabled cycles).

                 

                String.ReplaceFirstMatch applies a regular expression and rewrites something in a string. In this case I look for ^http://(.*), so I check if a string starts with (^) http://. The (.*) "remembers" everything that follows the http:// string. I replace this by https://\1. \1 will be filled with the content I remembered before. So when I have

                 

                http://www.ranbaxy.com/index.htm

                 

                the "\1" contains "www.ranbaxy.com/index.htm". With the replace string the rule redirects to

                 

                https://www.ranbaxy.com/index.htm

                 

                That's the idea behind it. The String.ReplaceFirstMatch ensures that MWG does not try to rewrite more occurrences of "http://". It will only replace the very first match and then stop.

                 

                Note: I found somewhere that you plan to switch to a transparent environment. I am not sure if this rule will work for transparent setups.

                 

                Best,

                Andre

                 

                Message edited by asabban on 30.01.12 02:33:28 CST
                • 5. Re: Cloak http responses as https

                  Hi Andre,

                   

                  Thanks for the update. With the correction, the rule works like a charm. Currently I am exploring if transparent mode can help me in serving reverse proxy connections in a better manner. Will give it a shot. If it works, fine; otherwise we have more or less completed it in the explicit proxy scenario. We will stick to that.

                  Thanks again for all the help you have given us in carrying forward this implementation, you have been immensely helpful.

                   

                  Best Regards,

                  Ankit

                  • 6. Re: Cloak http responses as https

                    One more question. If my web server receives HTTP requests at a non-standard port (say 3311) and we want to cloak these as HTTPS as discussed initially:

                     

                    Client sends an HTTP request on port 3311.

                    This request is turned into HTTPS by virtue of the HTTP to HTTPS redirection rule.

                    MWG sees that the request is HTTPS, and will send the appropriate certificate based on the host name. As the SSL Scanner functionality applies to the client connection only, an HTTP connection will be established with the web server (will this connection be established on standard port 80 or port 3311?). For safety's sake, I trigger an action to set URL.Port=3311 when URL.Host matches that of the web server.

                     

                    However, this configuration doesn't seem to work. Could this be due to the port settings in the proxy? Will using * in "ports treated as SSL" for 3311 make any difference?

                    config.jpg

                    • 7. Re: Cloak http responses as https
                      asabban

                      Hello,

                       

                      If there is HTTP traffic coming in on port 3311 you should not tell MWG to treat traffic on this port as SSL. I would assume that you would enter port 443 as the ports treated as SSL for port 3311 as well.

                       

                      I would assume MWG tries to talk to port 80 in the backend. Setting the URL.Port should work (I didn't test this so far). Can you try setting 443 as the ports treated as SSL and see what the result is? Maybe you can share some more details about the error(s) you see.

                       

                      Best,

                      Andre

                      • 8. Re: Cloak http responses as https

                        Hi,

                         

                        Using port 443 gives a "server unreachable" error. When I change it to * (ports treated as SSL for port 3311), the following output appears.

                         

                        error.png

                        • 9. Re: Cloak http responses as https
                          asabban

                          Hello,

                           

                          If you add 3311 or * to the ports treated as SSL, MWG will expect HTTPS communication on this port. Since you are talking HTTP to this port, you do not want to set this. Please change it back to 443. Then we should look at the "server unreachable" error.

                           

                          Did I understand it correctly that you want to redirect a client coming in on port 3311 to HTTPS (443)? Is this already working with the existing rules? Can you find out which port MWG is trying to talk to?

                           

                          I believe MWG is probably talking to the web server on the wrong port.

                           

                          Best,

                          Andre
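The following is an added worked example, not part of the thread and not MWG's own code. It models in Python what Andre's two rule sets do for a single request: the redirect rule from reply #2 (String.ReplaceFirstMatch with ^http://(.*) and https://\1, explained in reply #4), the "talk plain HTTP to the web server" event, and the explicit backend port (URL.Port=3311) that replies #6 to #9 turn on. It assumes that MWG's String.ReplaceFirstMatch behaves like Python's re.sub with count=1, uses the lab host name www.reverse.securelabs.local from the thread, and adds one thing the thread's regex does not do: an optional https_port argument that strips a non-standard port from the redirect target, because a client arriving on http://host:3311/ would otherwise be sent to https://host:3311/, i.e. back at the plain-HTTP listener. The function and constant names are the example's own.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Regex and replacement quoted in the thread:  ^http://(.*)  ->  https://\1
# Assumption: MWG's String.ReplaceFirstMatch behaves like re.sub(count=1).
HTTP_PREFIX = re.compile(r"^http://(.*)")

HTTP_LISTENER = 80    # proxy port that only issues the 302 (as in the thread)
SSL_LISTENER = 443    # proxy port where MWG terminates TLS (client context only)


def redirect_target(url: str, https_port: Optional[int] = None) -> Optional[str]:
    """Return the https:// URL the redirect rule should send the client to.

    Returns None when the URL does not start with http://. This is exactly
    why the literal string "URL" from reply #4 was never rewritten: the regex
    does not match it, so MWG redirected to the text "URL" itself.
    Only the first match is replaced, so an http:// inside the query string
    survives untouched (ReplaceFirstMatch semantics).
    https_port is an extension beyond the thread's rule: a client that came
    in on a non-standard HTTP port (3311 in the thread) would otherwise be
    redirected to https://host:3311/, straight back at the HTTP listener.
    """
    if not HTTP_PREFIX.match(url):
        return None
    target = HTTP_PREFIX.sub(r"https://\1", url, count=1)
    if https_port is None:
        return target
    parts = urlsplit(target)
    host = parts.hostname or ""
    netloc = host if https_port == 443 else f"{host}:{https_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def backend_url(client_url: str, backend_port: int = 80) -> str:
    """Rewrite the client-facing https:// URL into the plain-HTTP URL the proxy
    sends to the backend web server (the 'talk plain HTTP' event), setting the
    backend port explicitly (URL.Port=3311 in the thread) instead of letting
    the proxy fall back to port 80."""
    parts = urlsplit(client_url)
    if parts.scheme != "https":
        raise ValueError("expected the client-facing https:// URL")
    host = parts.hostname or ""
    netloc = host if backend_port == 80 else f"{host}:{backend_port}"
    return urlunsplit(("http", netloc, parts.path or "/", parts.query, parts.fragment))


def proxy_decision(listener_port: int, url: str, backend_port: int = 80) -> Tuple[str, str]:
    """Simulate the two rule sets from the thread for one request:
    HTTP listener -> ('302', redirect URL); SSL listener -> ('forward', backend URL)."""
    if listener_port == HTTP_LISTENER:
        target = redirect_target(url, https_port=SSL_LISTENER)
        if target is None:
            return ("block", url)   # not an http:// URL: nothing sensible to redirect to
        return ("302", target)
    if listener_port == SSL_LISTENER:
        return ("forward", backend_url(url, backend_port))
    raise ValueError(f"no rule set for listener port {listener_port}")


if __name__ == "__main__":
    # Constructed walk-through using the host name from Andre's lab.
    for port, url in [(80, "http://www.reverse.securelabs.local/index.htm"),
                      (443, "https://www.reverse.securelabs.local/index.htm")]:
        print(port, url, "->", proxy_decision(port, url, backend_port=3311))
```

Running the block prints the 302 target for the port-80 request and the plain-HTTP backend URL with port 3311 for the port-443 request. The "server unreachable" symptom from reply #8 is what you get when backend_url is called with the default port 80 against a backend that only listens on 3311, which is why the port has to be set explicitly in the rule.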
