[zorp] HTTPS proxy-stacking example
Peter HOLTZL
zorp@lists.balabit.hu
Thu, 08 Jan 2004 17:39:12 +0100
On Thu, 2004-01-08 at 17:12, Michael D. (Mick) Bauer wrote:
> Hi, all.
>
> I've been looking in vain for sample policy.py code for proxy
> stacking. Can someone please show me what this should look like for
> a general-HTTPS-browsing scenario, e.g., intranet users need to
> reach various ecommerce sites on the Internet? I've seen code for
> doing this with PlugProxy, but I'd much rather do it with PsslProxy
> and HttpProxy (i.e., with some intelligence ;-).
>
> (I hope I'm not assuming too much in thinking this isn't an X.509
> nightmare...)
At first I create an HttpProxy, with a file matcher to enable and disable
URLs, like denying sex, but allowing dosexpert:
# Zorp policy.py imports (Core, Http and Pssl are needed for the classes below)
from Zorp.Core import *
from Zorp.Http import *
from Zorp.Pssl import *

class MyHttpProxy(HttpProxyURIFilter):
    # first file: regexps to deny; second file: regexps to exempt from denial
    matcher = RegexpFileMatcher("/etc/zorp/blacklist-http",
                                "/etc/zorp/blacklist-http.ignore")
"sex" is in /etc/zorp/blacklist-http; "dosexpert" is in
/etc/zorp/blacklist-http.ignore.
Then I create an HTTPS proxy, derived from PsslProxy:
class MyHttpsProxy(PsslProxy):
    def config(self):
        # both sides need SSL
        self.server_need_ssl = TRUE
        self.client_need_ssl = TRUE
        # client secret key and cert generated by openssl
        self.client_cert = '/etc/zorp/myhttps.crt'
        self.client_key = '/etc/zorp/myhttps.key'
        # do not check clients' certificates (no mutual auth)
        self.client_verify_type = NONE
        # strict check of HTTPS server certs
        self.server_verify_type = SSL_VERIFY_REQUIRED_TRUSTED
        # put the allowed CAs' certs into this directory, so
        # only the good servers will be allowed; for instance,
        # if you only put the VeriSign CA cert here, only those
        # servers will be allowed which own VeriSign certs
        # WARNING: never allow self-signed certs ;-))))
        # you can get CA certs from the apache-ssl deb package
        self.server_ca_directory = '/etc/zorp/ca.d/'
        # you want to shut down each way (Read and Write)
        # separately.
        self.shutdown_soft = TRUE
        # now I stack the HttpProxy with the previous
        # URI filtering into the SSL proxy, so sex.com
        # cannot be visited via HTTP or HTTPS...
        self.stack_proxy = MyHttpProxy
That is all.
> P.S. I've made an incredible amount of progress this morning thanks
> to this List. You guys rock!
Very welcome!
--
HÖLTZL Péter
BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/ | Fax: +36 1 208-0875 | 4D1F 5320 28E3 9A1B 3FC6
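As an added illustration (not Zorp's code and not part of the mail above), the following re-implements the decision that the RegexpFileMatcher configuration in the reply is assumed to make: a URL matching any pattern in the ignore file passes, otherwise a URL matching any blacklist pattern is denied. The file contents, the one-regexp-per-line format and the class and function names are constructed for this example.

```python
import re

# Constructed stand-ins for /etc/zorp/blacklist-http and
# /etc/zorp/blacklist-http.ignore: one regular expression per line,
# blank lines and '#' comments skipped (assumed file format).
BLACKLIST_TEXT = """
# deny anything mentioning sex
sex
"""
IGNORE_TEXT = """
# ...but the DOS expert site is fine
dosexpert
"""


def load_patterns(text):
    """Compile one case-insensitive regexp per non-empty, non-comment line."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


class UriFilter:
    """Assumed decision order: ignore list first, then blacklist."""

    def __init__(self, blacklist_text, ignore_text):
        self.blacklist = load_patterns(blacklist_text)
        self.ignore = load_patterns(ignore_text)

    def is_denied(self, url):
        if any(p.search(url) for p in self.ignore):
            return False  # explicitly exempted, even if blacklisted too
        return any(p.search(url) for p in self.blacklist)


def check(urls):
    """Return {url: denied?} using the constructed list contents above."""
    f = UriFilter(BLACKLIST_TEXT, IGNORE_TEXT)
    return {u: f.is_denied(u) for u in urls}


if __name__ == "__main__":
    sample = ["http://www.sex.com/", "http://www.dosexpert.com/sex-ed.html",
              "http://www.sussex.ac.uk/", "http://www.example.com/"]
    for url, denied in check(sample).items():
        print("DENY " if denied else "ALLOW", url)
```

The sussex.ac.uk case shows why an unanchored `sex` pattern is wider than intended: it matches any host or path containing the substring, so patterns should be anchored or written against the host part rather than the whole URL.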