Problem (Abstract)

Beginning with Caching Proxy 4.0.2.32 (Edge Server V2), and Caching Proxy 5.0.2.11, 5.0.3, and 5.1.0.1 (Edge Component), the default behavior changes: the CONNECT method and the SSLTunneling directive are disabled. New options have also been added for the CONNECT method.
Cause

The default behavior was changed to protect a reverse proxy from attacks that abuse SSL tunneling, whether the default or a customized configuration is in use. New options have been added to the Enable CONNECT directive that give you finer security control over SSL tunneling when Caching Proxy is configured as a forward proxy.
Resolving the problem

When using reverse proxy, there is no need to change your current configuration file: SSL tunneling and the CONNECT method are disabled once the above fix packs or later releases are applied.

When using forward proxy, additional configuration is necessary to continue supporting SSL tunneling and the CONNECT method after applying the above fix packs.

To support SSL tunneling, set SSLTunneling on and enable the CONNECT method. Three new options (OutgoingPorts, OutgoingIPs, IncomingIPs) are provided for the Enable CONNECT directive for enhanced SSL tunneling security. We recommend that you specify a value for at least the OutgoingPorts option.
1. OutgoingPorts (limits SSL tunneling by the remote server's port)

      OutgoingPorts [all | [port1|port1-port2|port1-*],...]

   To allow clients to connect only to port 443 on the remote servers for SSL tunneling, set the following directives. Port 443 is normally used for HTTPS requests on the remote server.

      Enable CONNECT OutgoingPorts 443
      SSLTunneling on

   To allow clients to connect to any port on the remote servers for SSL tunneling, set the following directives:

      Enable CONNECT OutgoingPorts all
      SSLTunneling on

   To allow clients to connect to port 80, ports 8080 through 8088, and ports 9000 and above on the remote servers for SSL tunneling, set the following directives:

      Enable CONNECT OutgoingPorts 80,8080-8088,9000-*
      SSLTunneling on

   Notes:
   - For a forward proxy configuration, specify at least 443 or all with the OutgoingPorts option to enable normal SSL tunneling.
   - Ports and port ranges are separated by commas, with no spaces in the list.
2. OutgoingIPs (limits SSL tunneling by the remote server's IP address or host name)

      OutgoingIPs [[!]IP_pattern,...]

   For example, to allow clients to connect to any port on remote servers whose IP address or host name matches *.ibm.com and does not match 192.168.*.*, set the following directives:

      Enable CONNECT OutgoingPorts all OutgoingIPs *.ibm.com,!192.168.*.*
      SSLTunneling on

   Note: IP_patterns are separated by commas, with no spaces in the list.
3. IncomingIPs (limits SSL tunneling by the client's IP address)

      IncomingIPs [[!]IP_pattern,...]

   For example, to allow only clients coming from IP addresses matching 192.168.*.* to make a connection to any port on the remote servers for SSL tunneling, set the following directives:

      Enable CONNECT OutgoingPorts all IncomingIPs 192.168.*.*
      SSLTunneling on

   Notes:
   - Assuming 192.168.*.* is the internal LAN address range, the above option allows only internal users to use the CONNECT method and the SSL tunneling function.
   - IP_patterns are separated by commas, with no spaces in the list.
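The following checker is an added example, not IBM's code and not part of the Caching Proxy product. It models the three Enable CONNECT options described above (OutgoingPorts, OutgoingIPs, IncomingIPs) together with the SSLTunneling directive, so that a candidate configuration fragment can be tested offline against sample CONNECT requests before it is deployed to a forward proxy. The matching semantics are assumptions, not documented product behavior: an IP/host pattern is treated as a glob in which * matches any run of characters; a value must match at least one non-negated pattern and no !-negated pattern; an absent OutgoingIPs or IncomingIPs option imposes no restriction; and an absent OutgoingPorts option means no tunnel is permitted, mirroring the post-fix-pack default. The config fragment in the block is constructed for the example.

```python
"""Added example (not IBM's code): offline policy checker for the
Enable CONNECT / SSLTunneling directives described on this page.
Matching semantics below are assumptions, not documented behavior."""
import fnmatch
import re

MAX_PORT = 65535


def parse_ports(spec):
    """OutgoingPorts value -> list of (low, high) inclusive port ranges.
    'all' covers every port; 'N-*' runs from N up to 65535."""
    if spec == "all":
        return [(1, MAX_PORT)]
    ranges = []
    for item in spec.split(","):  # comma-separated, no spaces (per the page)
        m = re.fullmatch(r"(\d+)(?:-(\d+|\*))?", item)
        if not m:
            raise ValueError(f"bad OutgoingPorts item: {item!r}")
        low = int(m.group(1))
        high = MAX_PORT if m.group(2) == "*" else int(m.group(2) or low)
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError(f"port range out of order or out of range: {item!r}")
        ranges.append((low, high))
    return ranges


def parse_ip_patterns(spec):
    """OutgoingIPs / IncomingIPs value -> (allow_patterns, deny_patterns).
    A leading '!' marks a pattern that must NOT match (assumption)."""
    allow, deny = [], []
    for pattern in spec.split(","):
        if pattern.startswith("!"):
            deny.append(pattern[1:])
        else:
            allow.append(pattern)
    return allow, deny


def parse_connect_options(tokens):
    """Tokens following 'Enable CONNECT' -> dict of parsed option values."""
    keymap = {"OutgoingPorts": "ports", "OutgoingIPs": "out", "IncomingIPs": "in"}
    if len(tokens) % 2:
        raise ValueError("every Enable CONNECT option needs a value")
    opts = {}
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key not in keymap:
            raise ValueError(f"unknown Enable CONNECT option: {key!r}")
        opts[keymap[key]] = (parse_ports(value) if key == "OutgoingPorts"
                             else parse_ip_patterns(value))
    return opts


def load_policy(config_text):
    """Read the SSLTunneling and Enable CONNECT directives from a config fragment."""
    policy = {"ssl_tunneling": False, "ports": None, "out": None, "in": None}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):  # '#' comment lines (assumption)
            continue
        if tokens[0] == "SSLTunneling" and len(tokens) == 2:
            policy["ssl_tunneling"] = tokens[1].lower() == "on"
        elif tokens[:2] == ["Enable", "CONNECT"]:
            policy.update(parse_connect_options(tokens[2:]))
    return policy


def _matches(patterns, value):
    """Allowed unless a deny pattern matches, or allow patterns exist and none match."""
    if patterns is None:  # option absent: no restriction (assumption)
        return True
    allow, deny = patterns
    if any(fnmatch.fnmatchcase(value, d) for d in deny):
        return False
    return not allow or any(fnmatch.fnmatchcase(value, a) for a in allow)


def connect_allowed(policy, client_ip, target_host, target_port):
    """Decide whether 'CONNECT target_host:target_port' from client_ip passes the policy."""
    if not policy["ssl_tunneling"] or policy["ports"] is None:
        return False  # tunnelling off, or no OutgoingPorts given: nothing is permitted
    if not any(low <= target_port <= high for low, high in policy["ports"]):
        return False
    return _matches(policy["in"], client_ip) and _matches(policy["out"], target_host)


# Constructed config fragment: the page's OutgoingIPs example plus a
# hypothetical IncomingIPs restriction to a 10.*.*.* client range.
SAMPLE_CONFIG = """\
# constructed ibmproxy.conf fragment for the example
Enable CONNECT OutgoingPorts 443 OutgoingIPs *.ibm.com,!192.168.*.* IncomingIPs 10.*.*.*
SSLTunneling on
"""

if __name__ == "__main__":
    policy = load_policy(SAMPLE_CONFIG)
    for client, host, port in [("10.1.2.3", "www.ibm.com", 443),
                               ("10.1.2.3", "www.ibm.com", 8443),
                               ("10.1.2.3", "192.168.4.5", 443),
                               ("172.16.0.9", "www.ibm.com", 443)]:
        verdict = "allowed" if connect_allowed(policy, client, host, port) else "denied"
        print(f"{client} -> {host}:{port}: {verdict}")
```

Running the block prints one verdict per sample request; the useful part is feeding your own proposed directive and a list of the tunnels you expect to be allowed and denied, so a too-broad OutgoingPorts all or a mistyped pattern is caught in review rather than in production.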
Cross Reference information

Segment:   Application Servers
Product:   WebSphere Edge Server
Component: Caching Proxy
Platform:  AIX, Linux, Solaris, Windows 2000, Windows NT
Version:   Edge Server 2.0.x

Segment:   Application Servers
Product:   Runtimes for Java Technology
Component: Java SDK