Preventing clients from using SOCKS to bypass forward proxy
 Technote (troubleshooting)
 
Problem (Abstract)
It is possible for clients to use a SOCKS client, such as Aventail, to bypass the forward proxy. The problem arises even though requests to the proxy are configured to be authenticated before they are forwarded to the origin server. This document explains how to configure the forward proxy so that SOCKS clients cannot bypass that authentication.
 
Resolving the problem
SOCKS clients tunnel through the proxy by issuing an HTTP CONNECT request to the proxy server. Many caching proxy configurations do not account for CONNECT requests, so these requests are forwarded without the user being authenticated.

To prevent SOCKS clients from bypassing the authentication process, add a Protect directive that requires all traffic to supply a user ID and password before the request can be forwarded to the destination server.

For best results, configure the following directives, in this order, after the ADD NEW MAPPING RULES HERE area in the ibmproxy.conf file:

  • Configure the protection group (the Protection directive).

  • Configure the Protect directive as Protect * <groupID>, where <groupID> is the name of the protection group that you specified in the Protection directive. This configuration requires every request to the proxy to supply a user ID and password.

  • Configure the Pass directive.

The ibmproxy.conf file excerpt below shows a proxy that is configured to require a user ID and password for all incoming traffic.

Pass /pacfiles/* /opt/ibm/edge/cp/server_root/pub/pacfiles/*
# *** ADD NEW MAPPING RULES HERE ***
Protection abc {
  GroupFile /opt/ibm/edge/cp/server_root/protect/test.group
  PasswdFile /opt/ibm/edge/cp/server_root/protect/test.passwd
  PostMask All@(*)
  PutMask All@(*)
  GetMask All@(*)
  Mask All@(*)
  AuthType Basic
  ServerID abc
}

### The following forces the use of the abc protection method on all (*) requests
### (CONNECT, FTP, HTTP, etc.) before passing them to their desired location

Protect * abc
Pass /* /opt/ibm/edge/cp/server_root/pub/en_US/*

When the caching proxy is configured in this manner, the following occurs:

  1. When a user launches a browser configured to use the pacfile, the user is prompted once to authenticate against the protection group ID. The users in this group cannot access the pages protected by prot-admin.

  2. When a user attempts to access the GUI Administration pages, the user is forced to reauthenticate against "private_authorization" (the default protection group ID for the Configuration and Administration pages).
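As an added example (not from the technote or from IBM), the following Python check reads an ibmproxy.conf and confirms the ordering this document prescribes: a Protection block, then a Protect * directive that names that block, then the catch-all Pass /*. The embedded sample configuration is constructed from the listing above, and the function names are this example's own.

```python
"""Lint an ibmproxy.conf for the Protect * rule that stops CONNECT bypass."""
import re

# Constructed sample, reduced from the technote's listing (not a real deployment).
SAMPLE_CONF = """\
Pass /pacfiles/* /opt/ibm/edge/cp/server_root/pub/pacfiles/*
# *** ADD NEW MAPPING RULES HERE ***
Protection abc {
  GroupFile /opt/ibm/edge/cp/server_root/protect/test.group
  PasswdFile /opt/ibm/edge/cp/server_root/protect/test.passwd
  Mask All@(*)
  AuthType Basic
  ServerID abc
}
Protect * abc
Pass /* /opt/ibm/edge/cp/server_root/pub/en_US/*
"""

def parse_directives(text):
    """Return (protection names, ordered list of (directive, args) for Protect/Pass)."""
    protections, rules, in_block = set(), [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if in_block:                          # skip the body of a Protection block
            in_block = line != "}"
            continue
        m = re.match(r"Protection\s+(\S+)\s*\{", line)
        if m:
            protections.add(m.group(1))
            in_block = True
            continue
        parts = line.split()
        if parts[0] in ("Protect", "Pass"):
            rules.append((parts[0], parts[1:]))
    return protections, rules

def check_connect_protected(text):
    """Return findings; an empty list means Protect * is defined, named, and precedes Pass /*."""
    protections, rules = parse_directives(text)
    protect_idx = next((i for i, (d, a) in enumerate(rules) if d == "Protect" and a[:1] == ["*"]), None)
    if protect_idx is None:
        return ["no Protect * directive: CONNECT and other requests are forwarded unauthenticated"]
    findings = []
    args = rules[protect_idx][1]
    group = args[1] if len(args) > 1 else None
    if group not in protections:              # Protect * must name a defined Protection block
        findings.append(f"Protect * names undefined protection group {group!r}")
    pass_idx = next((i for i, (d, a) in enumerate(rules) if d == "Pass" and a[:1] == ["/*"]), None)
    if pass_idx is not None and pass_idx < protect_idx:  # Pass /* must come after Protect *
        findings.append("catch-all Pass /* precedes Protect *; move Protect * above it")
    return findings
```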
Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Edge Component
Operating system(s): Windows
Software version: 6.1
Software edition:
Reference #: 1167810
IBM Group: Software Group
Modified date: Nov 30, 2007