How to configure the CacheFlow Appliance to allow CONNECT traffic
Last Updated May 13, 2017
The exploitation of open internet proxies is a source of significant concern and a security risk. One easy way to inadvertently create an Open Proxy is to allow use of the HTTP CONNECT method on a proxy device such as the CacheFlow 5000 without specifying proper restrictions on access. Any client that can open connections to such a proxy can then use the CONNECT method to tunnel arbitrary requests.
Therefore, by default, the CacheFlow appliance blocks use of the CONNECT method. This has the side effect of blocking all explicit proxy HTTPS requests. There are circumstances, however, in which it is desirable to use the appliance as an explicit proxy for HTTPS traffic, for example when testing filtering of HTTPS requests.
By default, a CONNECT request will be denied and the CacheFlow appliance’s access log will contain the following values for the request:
s-action -> TCP_DENIED
cs-method -> CONNECT
cs-uri-port -> explicit_proxy_port, usually 8080 or 80
NOTE: This solution is only available on CacheFlow software versions 184.108.40.206 and greater.
Policy can be specified on the CacheFlow appliance to allow selected CONNECT requests. This can be achieved via Local Policy or the Policy GUI. The following steps illustrate how to permit CONNECT traffic on port 443.
Using the Policy GUI
In the Policy GUI add a new Access Layer.
Display the context menu for Destination and select Set.
Create a new Request URL… object.
Enable the radio button Advanced Match and specify 443 in the Port field.
Click Add and then Close. Highlight the newly created object and click OK.
Display the context menu for Service and select Set.
Create a new Protocol Methods… object.
Check the CONNECT method.
Highlight the newly created object and click OK.
Display the context menu for Action and select Allow.
Click the Install Policy button. The policy should install successfully.
Using Local Policy
Add the following to the local policy file using the #inline policy local <eof marker> command:
ALLOW url.port=443 http.method=CONNECT
Explicit proxy HTTPS requests will then be allowed and the appliance’s access log will contain the following values for the requests:
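The point of restricting the rule to port 443 is that a CONNECT tunnel to any other port turns the appliance into an open proxy for that service. The following Python script is an added example, not part of the original article or of the CacheFlow product: it models the decision made by the `ALLOW url.port=443 http.method=CONNECT` rule on top of the default CONNECT deny, then audits constructed access-log records (using the `s-action`, `cs-method` and `cs-uri-port` field names from the article) for CONNECT requests that were not denied to a port the policy should not permit. The field order of the constructed log lines and the assumption that any `s-action` other than `TCP_DENIED` means the tunnel was established are this example's own, not taken from the article.

```python
"""Audit CacheFlow-style access log records for CONNECT handling.

Added example, not from the original article. The log format (field
order, the c-ip field, the TCP_TUNNELED value) is constructed for the
example; only the field names s-action, cs-method and cs-uri-port and
the port-443 rule come from the article.
"""
from dataclasses import dataclass
from typing import Iterable, List

# The only destination port the article's rule permits for CONNECT.
ALLOWED_CONNECT_PORTS = {443}


@dataclass
class LogRecord:
    c_ip: str
    s_action: str
    cs_method: str
    cs_uri_port: int


def policy_allows(method: str, port: int) -> bool:
    """Model of the installed policy: CONNECT is denied by default and
    allowed only to a permitted port; other methods are assumed to fall
    through to the appliance's normal handling."""
    if method.upper() == "CONNECT":
        return port in ALLOWED_CONNECT_PORTS
    return True


def parse_line(line: str) -> LogRecord:
    """Parse one constructed record: c-ip s-action cs-method cs-uri-port."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"unexpected field count in record: {line!r}")
    c_ip, s_action, cs_method, cs_uri_port = parts
    return LogRecord(c_ip, s_action, cs_method, int(cs_uri_port))


def find_unexpected_tunnels(lines: Iterable[str]) -> List[LogRecord]:
    """Return CONNECT records that were not denied although the modelled
    policy says they should have been. Any such record indicates the
    appliance is tunnelling to a port outside the intended allow-list."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.cs_method.upper() != "CONNECT":
            continue
        if rec.s_action == "TCP_DENIED":
            continue  # default deny worked as described in the article
        if not policy_allows(rec.cs_method, rec.cs_uri_port):
            findings.append(rec)
    return findings


# Constructed sample records, not real appliance output.
SAMPLE_LOG = [
    "10.0.0.5 TCP_DENIED CONNECT 25",       # denied by default policy
    "10.0.0.5 TCP_TUNNELED CONNECT 443",    # permitted by the 443 rule
    "10.0.0.7 TCP_TUNNELED CONNECT 25",     # tunnel to SMTP: unexpected
    "10.0.0.8 TCP_HIT GET 80",              # ordinary proxied request
    "10.0.0.9 TCP_TUNNELED CONNECT 8080",   # tunnel to 8080: unexpected
]


if __name__ == "__main__":
    for rec in find_unexpected_tunnels(SAMPLE_LOG):
        print(f"unexpected CONNECT tunnel from {rec.c_ip} "
              f"to port {rec.cs_uri_port} ({rec.s_action})")
```

Running the script against the constructed records reports the tunnels to ports 25 and 8080 and stays silent for the denied request, the port-443 tunnel and the plain GET. The same check, pointed at the appliance's real access log export, is a quick way to confirm after installing the policy that only port-443 CONNECT requests are being tunnelled.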