Simple Connect Proxy
Ashish R Bhandari
Posted on January 3, 2021
Here we are talking about the control a proxy has, i.e. a proxy used in an internal network to apply restrictions.
Refer here: What All Things are Possible in a Proxy (Forward Proxy)
So a CONNECT proxy basically means a proxy that supports connecting to HTTPS websites, because there were proxies which did not support the CONNECT method, i.e. were not able to connect to HTTPS sites.
So we are talking about a proxy that handles the CONNECT method, opens a TCP socket to the remote server, and then there are two TCP sockets, as shown below:
CLIENT -----> Proxy ------> SERVER
TCP SOCKET =====> TCP SOCKET
The proxy sends any data received from the client as-is to the server socket, because after a successful TLS handshake the data is encrypted and the proxy cannot interpret it.
So what can a CONNECT proxy do? Let's look at the data it has.
All Possible Data
1) Client IP
2) Remote Server Domain, Port and the IP Address after resolution
3) User-Agent
4) Time [When The Request Came]
5) Authentication Details [If Proxy Requires Authentication to Identify User and Then Allows]
6) Web Category/URL Category [I will later Add a Link For Reference]
A small note on Web Category: in simple words, there is a database of websites, each of which is added to a category group.
Example, a simple table:
Domain Name | Category |
---|---|
google.com | SearchEngine |
facebook.com | Social Networking |
porn.com | Pornography, Adult Content |
A quick view of a request by a client for www.example.com via a corporate proxy.
Client [192.168.0.167] sends header:
CONNECT www.example.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.example.com:443
[WebCategory Check]: [Website:www.example.com] => [Category List: Test Driven Sites, Safe Sites]
Now let's look at the minimum data the proxy always has:
Minimum Data
1) Client IP
2) Remote Server Domain, Port and the IP Address after resolution
3) Time [When The Request Came]
Now coming to what can be done. The proxy can apply rules such as:
- Allow/Block the access if the request is from a certain client IP address
- Allow/Block the access if the request is to a certain remote server domain
- Allow/Block the access if the request is to a certain remote server port
- Allow/Block the access if the remote server domain resolved to a certain IP, IP list or CNAME
- Allow/Block the access if the User-Agent matches a certain regex
- Allow/Block the access if the User-Agent does NOT match a certain regex
- Allow/Block the access if the time when the request came is within a range
- Allow/Block the access if the time when the request came is NOT within a provided range
- Allow/Block the access if the request is authenticated
- Allow/Block the access if the request is authenticated and the user is Sam
- Allow/Block the access if the request is authenticated and the user is NOT Sam
There are a tremendous number of combinations that can be built to get what is required.
Let me give the condition pattern:
Fields | Values |
---|---|
Authentication | |
AND or OR | |
Client IP | |
AND or OR | |
Remote Server Domain | |
AND or OR | |
Remote Server Port | |
AND or OR | |
Remote Server IP | |
AND or OR | |
WebCategory | |
AND or OR | |
User-Agent | |
AND or OR | |
Time | |
Access | ALLOW/BLOCK |
The rows of the above table are joined by AND and OR conditions.
Let's take an example.
Example 1: Allow user Sam, via IP 192.168.0.156, to access google.com via modern browsers [Chrome, Firefox, Edge], only between office time [9 to 5].
The table below just shows allowing on a certain condition. The outcome also depends on whether the proxy has a default blocking rule, or another rule that first cuts off access and then an allow rule on top; many arrangements are possible.
Fields | Values |
---|---|
Authentication | Sam |
AND | |
Client IP | 192.168.0.156 |
AND | |
Remote Server Domain | Regex:google.com |
AND | |
Remote Server Port | 443,80 |
AND | |
Remote Server IP | ANY |
AND | |
WebCategory | ANY |
AND | |
User-Agent | Chrome, Firefox, Edge |
AND | |
Time | Office Time [9 To 5] |
Access | ALLOW |
*** Regardless of Web Category, i.e. even if google.com falls in some category, it does not affect the policy ***
Example 2: Block user ANY, via IP ANY, from accessing WebCategory SearchEngine via any browser [User-Agent ANY] between office time [9 to 5].
Fields | Values |
---|---|
Authentication | ANY |
AND | |
Client IP | ANY |
AND | |
Remote Server Domain | ANY |
AND | |
Remote Server Port | ANY |
AND | |
Remote Server IP | ANY |
AND | |
WebCategory | SearchEngine |
AND | |
User-Agent | ANY |
AND | |
Time | Office Time [9 To 5] |
Access | BLOCK |
This is where WebCategory helps you. Now here ANY user is NOT ALLOWED to access SearchEngine sites like Google, Yahoo, Bing etc. and many more.
Now the above rule table says to block all users. Depending on how the proxy works, a new policy like the one below can be added to allow access for a certain user or IP.
Quick example:
Fields | Values |
---|---|
Authentication | Bob |
AND | |
Client IP | ANY |
AND | |
Remote Server Domain | ANY |
AND | |
Remote Server Port | ANY |
AND | |
Remote Server IP | ANY |
AND | |
WebCategory | SearchEngine |
AND | |
User-Agent | ANY |
AND | |
Time | Office Time [9 To 5] |
Access | ALLOW |
Now here user Bob is allowed to access SearchEngine sites like Google, Yahoo, Bing etc. and many more.
Last, a quick one for the OR condition:
Fields | Values |
---|---|
Authentication | Annie |
AND | |
Client IP | ANY |
AND | |
Remote Server Domain | Regex:searchable.co.in, Regex:facetime.com |
OR | |
WebCategory | SearchEngine |
AND | |
Remote Server Port | ANY |
AND | |
Remote Server IP | ANY |
AND | |
User-Agent | ANY |
AND | |
Time | Office Time [9 To 5] |
Access | ALLOW |
This one was to show that you can create a rule to allow SearchEngine sites as well as two more websites, regardless of what WebCategory they fall in.
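The rule tables above as a small runnable policy evaluator, added here as an illustration and not code from the post: it parses the CONNECT line and headers the proxy sees before tunnelling, looks up the WebCategory in a constructed table, and evaluates rule dicts first-match-wins with a default of BLOCK. It assumes Authentication is an exact user match (None when unauthenticated), the OR row is a group of alternatives, and Office Time means hours 9 to 17; Example 1 (Sam) and the OR rule (Annie) are encoded in RULES.

```python
import re

# Constructed category database standing in for a vendor URL-category feed.
CATEGORY_DB = {"google.com": "SearchEngine", "bing.com": "SearchEngine",
               "facebook.com": "Social Networking"}
OFFICE = (9, 17)  # the post's "Office Time [9 To 5]", as hours of the day

def parse_connect(raw, client_ip, user, hour):
    """Fields the proxy knows before tunnelling (user is None when unauthenticated)."""
    first, *rest = raw.strip().splitlines()
    m = re.fullmatch(r"CONNECT\s+([^:\s]+):(\d+)\s+HTTP/1\.[01]", first.strip())
    if not m:
        raise ValueError("not a CONNECT request")
    hdrs = {k.strip().lower(): v.strip() for k, v in
            (line.split(":", 1) for line in rest if ":" in line)}
    host = m.group(1).lower()  # category by suffix, so www.google.com inherits google.com
    cat = next((c for d, c in CATEGORY_DB.items() if host == d or host.endswith("." + d)), "Uncategorized")
    return {"client_ip": client_ip, "user": user, "domain": host, "port": int(m.group(2)),
            "category": cat, "user_agent": hdrs.get("user-agent", ""), "time": hour}

def field_matches(name, want, req):
    """One row of the condition table: 'ANY' is a wildcard, 'or' is a group of alternatives."""
    if want == "ANY":
        return True
    if name == "or":
        return any(all(field_matches(k, v, req) for k, v in alt.items()) for alt in want)
    got = req[name]
    if name == "time":
        return want[0] <= got < want[1]
    if name == "port":
        return got in want
    if name in ("user", "client_ip"):
        return got == want  # exact, never a regex (dots in IPs; unauthenticated user is None)
    return re.search(want, got) is not None  # domain, category, user_agent are regexes

def decide(rules, req, default="BLOCK"):
    """First matching rule wins; anything unmatched gets the default (BLOCK on an allow-list proxy)."""
    for rule in rules:
        if all(field_matches(k, v, req) for k, v in rule.items() if k != "access"):
            return rule["access"]
    return default

# Example 1 (Sam) and the final OR rule (Annie) from the post, written as rule dicts.
RULES = [
    {"user": "Sam", "client_ip": "192.168.0.156", "domain": r"(^|\.)google\.com$",
     "port": {80, 443}, "user_agent": r"Chrome|Firefox|Edg", "time": OFFICE, "access": "ALLOW"},
    {"user": "Annie", "or": [{"domain": r"(^|\.)(searchable\.co\.in|facetime\.com)$"},
                             {"category": "SearchEngine"}], "time": OFFICE, "access": "ALLOW"},
]
```

Note that an unauthenticated request from Sam's IP is still blocked, because the user row is an exact match and the default is BLOCK.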
*The above was a glimpse, a use case and an illustration of how proxy restrictions can work. Feel free to interrupt and correct me.