[zorp] HTTPS proxy-stacking example

Peter HOLTZL zorp@lists.balabit.hu
Thu, 08 Jan 2004 17:39:12 +0100


On Thu, 2004-01-08 at 17:12, Michael D. (Mick) Bauer wrote:
> Hi, all.
> 
> I've been looking in vain for sample policy.py code for proxy
> stacking. Can someone please show me what this should look like for
> a general-HTTPS-browsing scenario, e.g., intranet users need to
> reach various ecommerce sites on the Internet? I've seen code for
> doing this with PlugProxy, but I'd much rather do it with PsslProxy
> and HttpProxy (i.e., with some intelligence ;-).
> 
> (I hope I'm not assuming too much in thinking this isn't an X.509
> nightmare...)

At first I create an HttpProxy with a file matcher to enable and disable
URLs, like denying sex but allowing dosexpert:


# Usual policy.py imports (assumed here; the original message omits them)
from Zorp.Core import *
from Zorp.Http import *
from Zorp.Pssl import *
from Zorp.Matcher import *

class MyHttpProxy(HttpProxyURIFilter):
    # deny URIs matching a pattern in the first file, unless they also
    # match a pattern in the second (ignore) file
    matcher = RegexpFileMatcher("/etc/zorp/blacklist-http",
                                "/etc/zorp/blacklist-http.ignore")

"sex" is in /etc/zorp/blacklist-http; "dosexpert" is in
/etc/zorp/blacklist-http.ignore.

Then I create an HTTPS proxy, derived from PsslProxy:

class MyHttpsProxy(PsslProxy):

    def config(self):
        # both sides need SSL
        self.server_need_ssl = TRUE
        self.client_need_ssl = TRUE

        # client secret key and cert generated by openssl
        self.client_cert = '/etc/zorp/myhttps.crt'
        self.client_key = '/etc/zorp/myhttps.key'

        # do not check clients' certificates (no mutual auth)
        self.client_verify_type = NONE

        # strict check of HTTPS server certs
        self.server_verify_type = SSL_VERIFY_REQUIRED_TRUSTED

        # put the allowed CAs' certs into this directory, so
        # only the good servers will be allowed; for instance,
        # if you only put the VeriSign CA cert here, only those
        # servers will be allowed which own VeriSign certs.
        # WARNING: never allow self-signed certs ;-))))
        # you can get CA certs from the apache-ssl deb package
        self.server_ca_directory = '/etc/zorp/ca.d/'

        # you want to shut down each way (Read and Write)
        # separately.
        self.shutdown_soft = TRUE

        # now I stack the HttpProxy with the previous
        # URI filtering into the SSL proxy, so sex.com
        # cannot be visited via HTTP nor via HTTPS...
        self.stack_proxy = MyHttpProxy


That is all.

> P.S. I've made an incredible amount of progress this morning thanks
> to this List. You guys rock!

Very welcome!

-- 
HÖLTZL Péter

BalaBit IT Kft          | Tel:   +36  1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/  | Fax:   +36  1 208-0875 | 4D1F 5320 28E3 9A1B 3FC6
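An added illustration, not code from the post or from Zorp itself, of the deny/ignore semantics the blacklist pair in the post relies on: a URI is denied when it matches a pattern in the blacklist file and no pattern in the ignore file, which is why "dosexpert" passes although it contains "sex". The file contents are constructed stand-ins for /etc/zorp/blacklist-http and /etc/zorp/blacklist-http.ignore, and the one-regex-per-line format with '#' comments is an assumption about the real files.

```python
import re

# Constructed stand-ins for the two pattern files (assumption:
# one regular expression per line, blank lines and '#' comments ignored).
BLACKLIST_HTTP = r"""
# deny anything matching these
sex
gambling\.example
"""
BLACKLIST_HTTP_IGNORE = r"""
# ...except these, which would otherwise be false positives
dosexpert
"""

def load_patterns(text):
    """Compile the non-empty, non-comment lines of a pattern file."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns

class UriFilter:
    """Emulates the matcher logic described in the post (illustration
    only, not Zorp's RegexpFileMatcher): ignore patterns win over
    blacklist patterns, everything else is allowed."""
    def __init__(self, blacklist_text, ignore_text):
        self.deny = load_patterns(blacklist_text)
        self.ignore = load_patterns(ignore_text)

    def decide(self, uri):
        """Return ('allow'|'deny', pattern that decided it or None)."""
        for pat in self.ignore:
            if pat.search(uri):
                return ("allow", pat.pattern)  # ignore file overrides
        for pat in self.deny:
            if pat.search(uri):
                return ("deny", pat.pattern)
        return ("allow", None)

FILTER = UriFilter(BLACKLIST_HTTP, BLACKLIST_HTTP_IGNORE)

def check(uri):
    """Verdict only; the same filter applies to http:// and https:// URIs
    because the post stacks MyHttpProxy inside the SSL proxy."""
    return FILTER.decide(uri)[0]

if __name__ == "__main__":
    for uri in ("http://www.sex.com/", "https://www.sex.com/",
                "http://dosexpert.example/", "http://www.example.com/"):
        print(uri, "->", FILTER.decide(uri))
```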