[zorp] HTTPS proxy-stacking example

Peter HOLTZL zorp@lists.balabit.hu
Fri, 09 Jan 2004 11:12:02 +0100

On Thu, 2004-01-08 at 18:08, Michael D. (Mick) Bauer wrote:

> If I skip the file matcher (at this point I'm not worried about
> content filtering), am I right in thinking that plain old HttpProxy
> still leverages significant intelligence against my connections?
> What sort of attacks does it defend against? (Cross-site scripting?
> Really-long URL (GET) requests?)

Zorp strictly enforces the correct usage of the given protocol, which
means RFC-compliant usage of commands (requests and responses), correct
order and attributes (lengths, character sets, etc.). I think the
developers can give us more details.

So if an exploit, a worm or a valid utility ;-) keeps to the RFC, it will
get through the proxy. Fortunately the majority of worms, attacks and
other bad things do not comply with the protocol (like Code Red or Nimda).
If something complies with the protocol, it is an nIDS, content vectoring
or virus detection issue, not a protocol proxy's task!

Zorp's architecture has many layers, but the two main layers are the
proxy itself, which is written in C (it is a "stupid" protocol parser),
and the Python layer, which gives a very powerful tool to implement your
policy, and an administrator can create the narrowest channel between the

If you look at the package, the Zorp modules (binaries) are in
/usr/lib/zorp/ and the Python code is in /usr/share/zorp/pylib/Zorp/*.py.
Every .py file begins with a long documentation block, which describes
how the given proxy works and what kind of attributes it has. The
defaults of these attributes have been set to the strictest possible
state. That is strong enough to block many attacks. In addition, all the
proxies parse the protocol and the result is handed to the Python layer.
From the policy you can accept, reject or even change the given request
or response. For example, in an Http proxy you can change the user agent
to hide your internal architecture (MUAs, browsers, etc.):

# policy.py: the Http module provides HttpProxy and the HTTP_* constants
from Zorp.Http import *

class MyHttpProxy(HttpProxy):
	def config(self):
		# keep the strict defaults of the parent, then override one header
		HttpProxy.config(self)
		# rewrite the client's User-Agent before the request leaves the proxy
		self.request_headers["User-Agent"] = [HTTP_CHANGE_VALUE, "Lynx 2.4.1"]

There is always an AbstractProxy, which contains the basic settings of
the proxy (many of the protocol commands are handled here - please have a
look, but don't be afraid ;-) and there are many predefined proxy sets
derived from AbstractProxy, which are the most commonly used proxy sets.
FTP is a good example:

class FtpProxy(AbstractFtpProxy):
class FtpProxyAnonRO(AbstractFtpProxy):
class FtpProxyRO(AbstractFtpProxy):
class FtpProxyAnonRW(AbstractFtpProxy):
class FtpProxyRW(AbstractFtpProxy):
class FtpProxyMinimal(FtpProxyRO):

If you want to change something, it is enough to derive your own proxy
from the most suitable predefined one and change what you need.




BalaBit IT Kft          | Tel:   +36  1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/  | Fax:   +36  1 208-0875 | 4D1F 5320 28E3 9A1B 3FC6
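The two-layer design the mail describes (a strict, "stupid" protocol parser in front, a policy layer behind it that can accept, reject or change what the parser hands up) is illustrated below as a self-contained Python toy. This is an added example, not Zorp code and not Zorp's API: the class and constant names (HttpPolicy, HDR_CHANGE_VALUE, decide), the 1024-byte URL limit and the sample requests are all invented here. It shows why a protocol-compliant request passes while an oversized URL or a malformed request line never reaches policy at all, and how a derived class rewrites User-Agent in the spirit of the MyHttpProxy snippet above.

```python
import re

# Added illustration of the two layers described in the mail: a strict
# "stupid" parser (Zorp's C layer) that refuses anything not well-formed,
# and a policy layer (Zorp's Python layer) that accepts, rejects or
# changes what the parser hands up. NOT Zorp code or Zorp's API; every
# name and limit below is invented for this example.

MAX_URL_LENGTH = 1024                      # assumed limit, not Zorp's default
HTTP_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 2616 'token'
REQUEST_LINE = re.compile(r"^([^ ]+) ([^ ]+) (HTTP/\d\.\d)$")

HDR_ACCEPT, HDR_DROP, HDR_CHANGE_VALUE = range(3)     # header actions


class ProtocolViolation(Exception):
    """Raised by the parser; such traffic never reaches the policy layer."""


def parse_request(raw):
    """Strict parser: returns (method, url, version, [(name, value), ...])
    or raises ProtocolViolation. Only the request head is handled."""
    if not raw.endswith(b"\r\n\r\n"):
        raise ProtocolViolation("request head not terminated by CRLF CRLF")
    try:
        text = raw[:-4].decode("ascii")
    except UnicodeDecodeError:
        raise ProtocolViolation("non-ASCII byte in request head")
    lines = text.split("\r\n")
    for line in lines:
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
            raise ProtocolViolation("control character in request head")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ProtocolViolation("malformed request line: %r" % lines[0])
    method, url, version = m.groups()
    if not TOKEN.fullmatch(method):
        raise ProtocolViolation("method %r is not a token" % method)
    if version not in HTTP_VERSIONS:
        raise ProtocolViolation("unsupported version %s" % version)
    if len(url) > MAX_URL_LENGTH:
        raise ProtocolViolation("URL longer than %d bytes" % MAX_URL_LENGTH)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.fullmatch(name):
            raise ProtocolViolation("malformed header line: %r" % line)
        headers.append((name, value.strip()))
    return method, url, version, headers


class HttpPolicy:
    """Policy layer. Subclass and override config(), in the spirit of the
    mail's MyHttpProxy; the parser has already enforced the protocol."""

    def __init__(self):
        self.allowed_methods = {"GET", "HEAD", "POST"}
        self.request_headers = {}          # header name -> (action, arg...)
        self.config()

    def config(self):
        pass

    def decide(self, raw):
        """Returns ('reject', reason) or ('accept', rewritten request bytes)."""
        try:
            method, url, version, headers = parse_request(raw)
        except ProtocolViolation as e:
            return ("reject", "protocol: %s" % e)
        if method not in self.allowed_methods:
            return ("reject", "policy: method %s not allowed" % method)
        table = {k.lower(): v for k, v in self.request_headers.items()}
        out = ["%s %s %s" % (method, url, version)]
        for name, value in headers:
            action, *arg = table.get(name.lower(), (HDR_ACCEPT,))
            if action == HDR_DROP:
                continue                    # header never reaches the server
            if action == HDR_CHANGE_VALUE:
                value = arg[0]              # rewrite, as the mail's example does
            out.append("%s: %s" % (name, value))
        return ("accept", ("\r\n".join(out) + "\r\n\r\n").encode("ascii"))


class MyHttpPolicy(HttpPolicy):
    def config(self):
        # Hide the internal browser population behind one fixed User-Agent
        # and strip a header that leaks internal addressing.
        self.request_headers["User-Agent"] = (HDR_CHANGE_VALUE, "Lynx 2.4.1")
        self.request_headers["X-Forwarded-For"] = (HDR_DROP,)


# Constructed sample traffic, not captured data.
GOOD = (b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
        b"X-Forwarded-For: 10.0.0.7\r\n\r\n")
OVERLONG = b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n"   # oversized URL
NO_VERSION = b"GET /index.html\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.0\r\n\r\n"      # well-formed, refused by policy

if __name__ == "__main__":
    for sample in (GOOD, OVERLONG, NO_VERSION, BAD_METHOD):
        print(MyHttpPolicy().decide(sample))
```

Note the division of labour: the oversized URL and the request line without a version are refused with a "protocol:" reason before any policy code runs, whereas TRACE is perfectly valid HTTP and is only refused because the policy layer chose not to allow it. A worm that keeps to the RFC, as the mail says, would pass the parser and has to be caught by policy or by content inspection.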