On Thu, 2004-01-08 at 17:12, Michael D. (Mick) Bauer wrote:
> Hi, all.
> I've been looking in vain for sample policy.py code for proxy stacking. Can someone please show me what this should look like for a general-HTTPS-browsing scenario, e.g., intranet users need to reach various ecommerce sites on the Internet? I've seen code for doing this with PlugProxy, but I'd much rather do it with PsslProxy and HttpProxy (i.e., with some intelligence ;-).
> (I hope I'm not assuming too much in thinking this isn't an X.509 nightmare...)
At first I create an HttpProxy, with a file matcher to enable and disable URLs, like denying "sex" but allowing "dosexpert":

    from Zorp.Core import *
    from Zorp.Http import *
    from Zorp.Pssl import *
    from Zorp.Matcher import *

    class MyHttpProxy(HttpProxyURIFilter):
        # one regexp per line; a URL is denied when it matches
        # blacklist-http unless it also matches blacklist-http.ignore
        matcher = RegexpFileMatcher("/etc/zorp/blacklist-http",
                                    "/etc/zorp/blacklist-http.ignore")

"sex" is in /etc/zorp/blacklist-http, "dosexpert" is in /etc/zorp/blacklist-http.ignore.

Then I create an HTTPS proxy, derived from the Pssl proxy:

    class MyHttpsProxy(PsslProxy):
        def config(self):
            # both sides need SSL
            self.server_need_ssl = TRUE
            self.client_need_ssl = TRUE
            # client-side secret key and cert, generated by openssl
            self.client_cert = '/etc/zorp/myhttps.crt'
            self.client_key = '/etc/zorp/myhttps.key'
            # do not check clients' certificates (no mutual auth)
            self.client_verify_type = SSL_VERIFY_NONE
            # strict check of HTTPS server certs
            self.server_verify_type = SSL_VERIFY_REQUIRED_TRUSTED
            # put the allowed CAs' certs into this directory, so
            # only the good servers will be allowed; for instance,
            # if you only put the VeriSign CA cert here, only those
            # servers will be allowed which own VeriSign certs
            # WARNING: never allow self-signed certs ;-))))
            # you can get CA certs from the apache-ssl deb package
            self.server_ca_directory = '/etc/zorp/ca.d/'
            # you want to shut down each way (Read and Write)
            # separately
            self.shutdown_soft = TRUE
            # now I stack the HttpProxy with the previous
            # URI filtering into the SSL proxy, so sex.com
            # cannot be visited via either HTTP or HTTPS...
            self.stack_proxy = MyHttpProxy

That is all.
> P.S. I've made an incredible amount of progress this morning thanks to this List. You guys rock!
very welcome!

-- 
HÖLTZL Péter, BalaBit IT Kft | Tel: +36 1 371-0540   | GnuPG Fingerprint:
holtzl.peter@balabit.hu      | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/       | Fax: +36 1 208-0875    | 4D1F 5320 28E3 9A1B 3FC6
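An added illustration of the blacklist/ignore-list rule that the stacked HttpProxy applies to every URL, whether it came in as plain HTTP or inside the HTTPS tunnel the Pssl proxy terminated. This is example code written for this page, not Zorp's RegexpFileMatcher and not from the post above; it assumes the matcher semantics "denied when some blacklist regexp is found in the URL and no ignore-list regexp is found", reads the two lists from inline strings instead of /etc/zorp/blacklist-http and /etc/zorp/blacklist-http.ignore, and the sample URLs are constructed.

```python
import re

# Constructed sample contents of the two matcher files from the post; in Zorp
# they would be /etc/zorp/blacklist-http and /etc/zorp/blacklist-http.ignore,
# here they are inline strings so the example runs offline.
BLACKLIST_TEXT = """\
# one regexp per line, '#' starts a comment
sex
casino
"""
IGNORE_TEXT = """\
dosexpert
"""


def load_patterns(text):
    """Parse a regexp-per-line file: skip blank lines and '#' comments."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


class RegexpListMatcher:
    """Stand-in for Zorp's RegexpFileMatcher (assumed semantics, not Zorp's
    code): a URL matches, i.e. is denied, when some blacklist regexp is found
    in it and none of the ignore-list regexps is found in it."""

    def __init__(self, match_text, ignore_text):
        self.match = load_patterns(match_text)
        self.ignore = load_patterns(ignore_text)

    def matches(self, url):
        # the ignore list wins: "dosexpert" contains "sex" but is allowed
        if any(p.search(url) for p in self.ignore):
            return False
        return any(p.search(url) for p in self.match)


def decide(matcher, url):
    """'DENY' or 'ALLOW' for one URL. With proxy stacking the same decision
    is made for http:// and https:// requests alike, because the Pssl proxy
    hands the decrypted stream to the HttpProxy that holds the matcher."""
    return 'DENY' if matcher.matches(url) else 'ALLOW'


def audit(matcher, urls):
    """Return {url: decision} for a batch of URLs; useful for checking a
    blacklist against known-good sites before deploying it."""
    return {u: decide(matcher, u) for u in urls}


if __name__ == '__main__':
    m = RegexpListMatcher(BLACKLIST_TEXT, IGNORE_TEXT)
    for url, verdict in audit(m, [
        'http://www.sex.com/',
        'https://www.dosexpert.com/',
        'https://shop.example.com/checkout',
        'https://www.essex.gov.uk/',  # collateral match on the substring "sex"
    ]).items():
        print(verdict, url)
```

The last sample URL shows the check worth running before a list goes live: an unanchored regexp such as `sex` also denies essex.gov.uk, so either anchor the patterns to the host (for example `^https?://([^/]*\.)?sex\.com/`) or add the false positives to the ignore file, the same mechanism the post uses for dosexpert.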