For Caching Proxy, default changed to disable SSL tunneling, and new options added to the CONNECT method
 Technote (troubleshooting)
 
Problem(Abstract)
Beginning with Caching Proxy 4.0.2.32 (Edge Server V2), Caching Proxy 5.0.2.11, 5.0.3, and 5.1.0.1 (Edge Component), the default behavior changes: the CONNECT method and the SSLTunneling directive are disabled unless you enable them explicitly. New options have also been added to the CONNECT method.
 
Cause
The default was changed to protect a reverse proxy from attacks that abuse SSL tunneling, whether it runs with the default or a customized configuration. A proxy that honors CONNECT lets any client open a raw TCP tunnel through it to an arbitrary host and port; a reverse proxy, which only needs to forward requests to its own back-end servers, has no reason to offer that. New options have been added to the Enable CONNECT directive that give you finer control over SSL tunneling when Caching Proxy is configured as a forward proxy.
 
Resolving the problem
When using reverse proxy, you do not need to change your current configuration file: after you apply the fix packs above (or a later release), SSL tunneling and the CONNECT method are disabled.
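A quick way to confirm the new default is to send a raw CONNECT request to the proxy and look at the status line. The script below is an added example, not IBM code: it builds the same CONNECT request a browser sends before a TLS handshake through a proxy, sends it to the proxy's listening port, and reports whether a tunnel was established. A 2xx reply means CONNECT is still being honored; any other reply, or a connection closed without a status line, means it is refused, which is what a reverse proxy should do after the fix pack. The same probe is useful after the forward-proxy configuration described below, to check that an allowed target gets a tunnel and a disallowed one does not. Host names and ports are placeholders, and the exact non-2xx code Caching Proxy returns is not stated in this technote.

```python
"""Probe whether a Caching Proxy instance still honors CONNECT.

Added example, not IBM code.  Only a 2xx status means the proxy opened a
tunnel; everything else (or no status line at all) counts as refused.
"""
import socket
import sys


def build_connect_request(target_host, target_port):
    """Raw HTTP/1.1 CONNECT request, as a client sends it to a proxy before
    starting a TLS handshake through the tunnel."""
    request = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (
        target_host, target_port, target_host, target_port)
    return request.encode("ascii")


def parse_status_code(response):
    """Return the integer status code from the first line of an HTTP
    response, or None if there is no well-formed status line."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def tunnel_refused(status_code):
    """Only a 2xx reply means the proxy established the tunnel; a dropped
    connection (None) is treated as a refusal."""
    return status_code is None or not 200 <= status_code < 300


def probe_connect(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Send one CONNECT through the proxy and return the status code (None if
    the proxy closed the connection without one).  This is the only function
    that touches the network."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_connect_request(target_host, target_port))
        response = b""
        # Read until the end of the response headers or until the proxy closes.
        while b"\r\n\r\n" not in response and len(response) < 8192:
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            response += chunk
    return parse_status_code(response)


if __name__ == "__main__":
    # Usage: python probe_connect.py <proxy_host> <proxy_port> <target_host>
    # (placeholder arguments; point it at the port the proxy listens on)
    proxy_host, proxy_port, target_host = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    code = probe_connect(proxy_host, proxy_port, target_host)
    verdict = "refused" if tunnel_refused(code) else "ESTABLISHED (tunneling is enabled)"
    print("CONNECT %s:443 via %s:%d -> status %s, tunnel %s" % (
        target_host, proxy_host, proxy_port, code, verdict))
```

Run it against the reverse proxy after applying the fix pack; a refused tunnel is the expected result. Against a forward proxy, probe once with a target that the Enable CONNECT options permit and once with one they do not, and the two verdicts should differ.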

When using forward proxy, additional configuration is necessary to keep supporting SSL tunneling and the CONNECT method after applying the above fix packs.
To support SSL tunneling, set SSLTunneling on and enable the CONNECT method. Three new options (OutgoingPorts, OutgoingIPs, IncomingIPs) are provided on the Enable CONNECT directive for tighter control of SSL tunneling. We recommend that you specify a value for at least the OutgoingPorts option.

1. OutgoingPorts (limits SSL tunneling by the remote server's port)

OutgoingPorts [all | [port1|port1-port2|port1-*],...]

To allow clients to connect only to port 443 on remote servers for SSL tunneling, set the following directives. Port 443 is normally the HTTPS port on the remote server.

Enable CONNECT OutgoingPorts 443
SSLTunneling on

To allow clients to connect to any port on the remote servers for SSL tunneling, set the following directives:

Enable CONNECT OutgoingPorts all
SSLTunneling on

To allow clients to connect to ports 80, 8080 through 8088, and 9000 and above on the remote servers for SSL tunneling, set the following directives:

Enable CONNECT OutgoingPorts 80,8080-8088,9000-*
SSLTunneling on

Notes:
  1. For a forward proxy configuration, specify at least 443 or all in the OutgoingPorts option to enable normal SSL tunneling.
  2. Ports and port ranges are separated by commas with no spaces in the list.

2. OutgoingIPs (limits SSL tunneling by the remote server's IP address or host name)

OutgoingIPs [[!]IP_pattern,...]

For example, to allow clients to connect to any port on remote servers whose IP address or host name matches *.ibm.com and does not match 192.168.*.*, set the following directives:

Enable CONNECT OutgoingPorts all OutgoingIPs *.ibm.com,!192.168.*.*
SSLTunneling on

Note: IP_patterns are separated by commas with no spaces in the list; a pattern prefixed with ! excludes whatever it matches.


3. IncomingIPs (limits SSL tunneling by the client's IP address)

IncomingIPs [[!]IP_Pattern,...]

For example, to allow only clients with addresses in 192.168.*.* to open SSL tunnels to any port on remote servers, set the following directives:

Enable CONNECT OutgoingPorts all IncomingIPs 192.168.*.*
SSLTunneling on

Notes:
  1. Assuming 192.168.*.* is the internal LAN address range, this option allows only internal users to use the CONNECT method and SSL tunneling. Combine it with a restrictive OutgoingPorts value (for example 443) unless those users genuinely need tunnels to other ports.
  2. IP_patterns are separated by commas with no spaces in the list.
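The three options combine into a single decision per CONNECT request: the client must pass IncomingIPs, the target must pass OutgoingIPs, and the target port must pass OutgoingPorts. The following model is an added example, not Caching Proxy code: it parses an Enable CONNECT line using the option names and value syntax documented above and evaluates sample requests against it. Where the technote does not say what happens (a list containing only ! patterns, or no OutgoingPorts option at all) the code states its assumption in a comment and fails closed.

```python
"""Model of the OutgoingPorts, OutgoingIPs and IncomingIPs options.

Added example, not Caching Proxy code.  Option names and value syntax follow
the technote; evaluation rules beyond it are marked as assumptions.
"""
import fnmatch

MAX_PORT = 65535


def parse_ports(spec):
    """Parse an OutgoingPorts value: 'all', or a comma-separated list (no
    spaces) of 'port', 'port1-port2' or 'port1-*' (port1 and above).
    Returns None for 'all', otherwise a list of (low, high) tuples."""
    if spec.lower() == "all":
        return None
    ranges = []
    for item in spec.split(","):
        low, sep, high = item.partition("-")
        if not low.isdigit() or (sep and not (high == "*" or high.isdigit())):
            raise ValueError("bad OutgoingPorts item %r in %r" % (item, spec))
        low_n = int(low)
        high_n = MAX_PORT if high == "*" else (int(high) if high else low_n)
        if not 1 <= low_n <= high_n <= MAX_PORT:
            raise ValueError("bad port range %r" % item)
        ranges.append((low_n, high_n))
    return ranges


def port_allowed(ranges, port):
    """None means 'all'; an empty list (no OutgoingPorts given) allows nothing."""
    return ranges is None or any(low <= port <= high for low, high in ranges)


def parse_patterns(spec):
    """Parse an OutgoingIPs/IncomingIPs value into (allow, deny) lists.  A
    leading '!' marks a pattern the address must NOT match."""
    allow, deny = [], []
    for item in spec.split(","):
        if not item or " " in item:
            raise ValueError("bad pattern list %r (comma-separated, no spaces)" % spec)
        if item.startswith("!"):
            deny.append(item[1:])
        else:
            allow.append(item)
    return allow, deny


def names_allowed(allow, deny, names):
    """True if none of `names` (IP address, host name) matches a deny pattern
    and, when positive patterns exist, at least one name matches one of them.
    Assumption: a list with only '!' patterns permits everything not denied."""
    def hit(pattern):
        return any(fnmatch.fnmatchcase(name.lower(), pattern.lower()) for name in names)
    if any(hit(p) for p in deny):
        return False
    return not allow or any(hit(p) for p in allow)


def parse_enable_connect(line):
    """Parse 'Enable CONNECT [OutgoingPorts v] [OutgoingIPs v] [IncomingIPs v]'."""
    tokens = line.split()
    if tokens[:2] != ["Enable", "CONNECT"] or len(tokens) % 2:
        raise ValueError("expected: Enable CONNECT [<option> <value>]...")
    values = {"OutgoingPorts": None, "OutgoingIPs": None, "IncomingIPs": None}
    for key, value in zip(tokens[2::2], tokens[3::2]):
        if key not in values:
            raise ValueError("unknown Enable CONNECT option %r" % key)
        values[key] = value
    return {
        # Assumption: with no OutgoingPorts the model allows no port at all,
        # in line with the note that 443 or all is needed for normal tunneling.
        "ports": [] if values["OutgoingPorts"] is None else parse_ports(values["OutgoingPorts"]),
        "outgoing": ([], []) if values["OutgoingIPs"] is None else parse_patterns(values["OutgoingIPs"]),
        "incoming": ([], []) if values["IncomingIPs"] is None else parse_patterns(values["IncomingIPs"]),
    }


def connect_allowed(policy, client_ip, target_host, target_ip, target_port):
    """Evaluate one CONNECT request against the policy.  Returns (bool, reason)."""
    if not names_allowed(*policy["incoming"], [client_ip]):
        return False, "client %s denied by IncomingIPs" % client_ip
    if not names_allowed(*policy["outgoing"], [target_ip, target_host]):
        return False, "target %s (%s) denied by OutgoingIPs" % (target_host, target_ip)
    if not port_allowed(policy["ports"], target_port):
        return False, "port %d denied by OutgoingPorts" % target_port
    return True, "tunnel permitted"


if __name__ == "__main__":
    # Constructed directive and requests for illustration; nothing here was
    # captured from a real proxy.
    policy = parse_enable_connect(
        "Enable CONNECT OutgoingPorts 443 OutgoingIPs *.ibm.com,!192.168.*.* IncomingIPs 192.168.*.*")
    for request in [
        ("192.168.1.5", "www.ibm.com", "203.0.113.10", 443),   # internal client, allowed host, 443
        ("192.168.1.5", "www.ibm.com", "203.0.113.10", 8443),  # port not in OutgoingPorts
        ("192.168.1.5", "host.ibm.com", "192.168.2.2", 443),   # target inside the excluded range
        ("10.0.0.1", "www.ibm.com", "203.0.113.10", 443),      # client outside IncomingIPs
    ]:
        print(request, connect_allowed(policy, *request))
```

The order of checks mirrors how you would reason about a tunnel request: who is asking, where they want to go, and on which port. Note that a ! pattern wins over a positive match, so a host name under *.ibm.com that resolves into 192.168.*.* is still refused.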
 
 
Cross Reference information
Segment              Product                       Component      Platform                                        Version            Edition
Application Servers  WebSphere Edge Server         Caching Proxy  AIX, Linux, Solaris, Windows 2000, Windows NT   Edge Server 2.0.x
Application Servers  Runtimes for Java Technology  Java SDK
 
Historical Number
186338

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Edge Component
Operating system(s): Windows
Software version: 5.1
Software edition:
Reference #: 1158667
IBM Group: Software Group
Modified date: Sep 3, 2007