SSL Certificates in a Reverse HTTPS Proxy
A reverse HTTPS proxy configuration is usually set up to protect a limited number of web servers against the upload of unwanted data by clients. You need to import SSL certificates for these servers and add them to the appliance configuration.
In a reverse HTTPS proxy configuration, the appliance communicates in SSL-secured mode with its clients. However, the SSL certificates that the appliance sends to the clients during the SSL handshake cannot be issued by its SSL Scanner module. Therefore, the appliance uses the original certificates of the web servers that the clients request access to.
You can import these certificates when configuring the settings for the SSL Client Context without CA module.
The appliance uses several methods to find the appropriate certificates for sending to its clients.
Choosing certificates for sending to the clients
To find out which certificate should be sent to a client in a given situation, the appliance scans the list of imported certificates. On this list, certificates are mapped to the host names of the web servers they belong to. The appliance then sends the certificate that is mapped to the name of the host that a client requested access to.
In an explicit proxy setup, the host name is transmitted to the appliance in the header of the CONNECT request.
In a transparent setup, the appliance uses the following methods to detect the host names:
- If a client sends an SNI extension, the host name can be found in a way that is similar to detecting it in an explicit proxy configuration.
- If client requests are redirected to the appliance according to DNS entries, the host name is known by the IP address that you specified when configuring redirection.
In this case, you also need to create a rule set with rules that set the URL.Host property to the appropriate value for every IP address the appliance has been configured to listen to. This lets the appliance know where to forward a request after it has been filtered and allowed.
- If the transparent setup does not use redirection by DNS entries, the appliance sends a handshake message to the web server that a client requested, extracts the common name from the certificate it receives from the web server, and uses this common name to detect the appropriate host name.
This method requires that the appliance and the web server also communicate in SSL-secured mode. You can configure a setting on the appliance to ensure this mode is used.
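The host-name lookup order described above (CONNECT host in an explicit setup, then the SNI extension, then the IP address the appliance listens on), as an added Python example that is not part of the appliance's own code: it parses the server_name extension out of a TLS ClientHello and resolves the result against a host-to-certificate mapping. The ClientHello bytes, the mapping and the certificate labels are constructed here; the fourth method, reading the common name from the web server's own certificate, needs a live connection and is left out.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is SNI (sample input, not captured)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name                   # name_type 0 = host_name
    sni = struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                                          # client_version + random
            + b"\x00"                                                        # session_id length 0
            + b"\x00\x02\xc0\x2f"                                            # one cipher suite
            + b"\x01\x00"                                                    # null compression only
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                 # record type 0x16 = handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32 + 1 + body[34]                                          # skip version, random, session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]                 # skip cipher_suites
        pos += 1 + body[pos]                                                  # skip compression_methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                                            # server_name extension
                data, p = body[pos:pos + ext_len], 2                          # 2 = ServerNameList length
                while p + 3 <= len(data):
                    name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if data[p] == 0:                                          # host_name entry
                        return data[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                                           # truncated or not a ClientHello

def select_certificate(mapping, listen_ip, connect_host=None, client_hello=None):
    """Lookup order from the text: CONNECT host (explicit proxy), then SNI, then the listening IP."""
    # The fourth method (common name of the web server's own certificate) needs a live connection.
    for key in (connect_host, extract_sni(client_hello) if client_hello else None, listen_ip):
        if key and key in mapping:
            return mapping[key]
    return None
```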
Create settings for SSL certificates in a reverse HTTPS proxy configuration
You can create settings for the SSL certificates that are used for web servers in a reverse HTTPS proxy configuration and import the certificates when configuring these settings.
- Select Policies | Settings.
- On the settings tree, select Enable SSL Client Context without CA.
- Click Add above the settings tree.
The Add Settings window opens.
- In the Name field, enter a name for the settings you want to add, for example, Imported web server certificates.
- [Optional] In the Comments field, type a plain-text comment on the settings.
- [Optional] Select the Permissions tab and configure who is allowed to access the settings.
- In the Define SSL Client Context (Without Certificate Authority) section, configure the settings parameters.
  a. On the toolbar of the inline list Select server certificate by host or IP, click Add.
  The Add Host to Certificate Mapping window opens.
  b. Click Import and use the options of the Import Server Certificate window that opens to import an SSL certificate for a web server.
  c. Configure the other parameters in the Add Host to Certificate Mapping window as needed.
  d. Click OK.
  The window closes and a new entry for mapping an SSL certificate to the host name of a web server appears in the inline list.
  Repeat substeps a to d if you want to add more mapping entries to the inline list.
- Select or deselect SSL-Scanner functionality applies only to client connection, according to whether the connection to the web server should be SSL-secured or not.
If you choose to leave this connection unsecured, you need to create a rule that changes the network protocol from HTTPS to HTTP.
- Configure the other settings parameters for the SSL client context as needed.
- Click OK.
The Add Settings window closes and the new settings appear on the settings tree.
- Click Save Changes.
You can use these settings in the rule for setting the client context that is provided in the SSL Scanner rule set of the default rule set system.