aashishrbhandari

Ashish R Bhandari

Posted on January 3, 2021

Simple Connect Proxy

Over Here, we are Talking about Control that a Proxy Have (i.e Proxy used in a Internal Network to APPLY RESTRICTIONS)

Refer Here : What All Things are Possible in a Proxy(Forward Proxy)

So A Connect Proxy basically means that yes it supports connecting to HTTPS Website, Because there were Proxies which did not Support CONNECT Method i.e were not able to connect to HTTPS site.

So we are talking about a Proxy that handles CONNECT Method and then basically creates a TCP Socket to the Remove Server and then their are 2 TCP SOCKETS as shown below

CLIENT -----> Proxy ------> SERVER
TCP SOCKET =====> TCP SOCKET

The Proxy is going to send any data received from client as it is to server socket. because after Successful TLS Connection it is encrypted, the Proxy cannot interpret the data.

SO then What all things a CONNECT PROXY can do

Let's look at the Data that it Has

All Possible Data
1) Client IP
2) Remote Server Domain, Port and After Resolution IP Address
3) User-Agent
4) Time [When The Request Came]
5) Authentication Details [If Proxy Requires Authentication to Identify User and Then Allows]
6) Web Category/URL Category [I will later Add a Link For Reference]


A Small Note on Web Category :
But in Simple Words, There is a Database of Websites which are Added to a Group of Category
Example:

A Simple Table

Domain Name Category
google.com SearchEngine
facebook.com Social Networking
porn.com Pornography, Adult Content

A Quick View at Request By Client for www.example.com via a Corporate Proxy

Client[192.168.0.167] Sends Header:

CONNECT www.example.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.example.com:443

[WebCategory Check]: [Website:www.example.com] => [Category List: Test Driven Sites, Safe Sites]

Enter fullscreen mode Exit fullscreen mode

Now Let's Look at the Data that the Proxy Has or May or can Have

Minimum Data

1) Client IP
2) Remote Server Domain, Port and After Resolution IP Address
3) Time [When The Request Came]

Now Coming to What Can be done

The Proxy Can Apply Rule as

  • Allow/Block The Access If Request is From Certain Client IP Address
  • Allow/Block The Access If Request is To Certain Remote Server Domain
  • Allow/Block The Access If Request is To Certain Remote Server Port
  • Allow/Block The Access If Remote Server Domain Resolved To a Certain IP or IP List or to a CNAME
  • Allow/Block The Access If User-Agent is of a Certain Regex String
  • Allow/Block The Access If User-Agent is NOT of a Certain Regex String
  • Allow/Block The Access If The Time When the Request Came is Between a Range
  • Allow/Block The Access If The Time When the Request Came is NOT in Between a Range Provided.
  • Allow/Block The Access If Request is Authenticated
  • Allow/Block The Access If Request is Authenticated and the User is Sam
  • Allow/Block The Access If Request is Authenticated and the User is NOT Sam

Their are Tremendous Amount Of Combination that can be done to Get what is Required

Let me Give the Condition Pattern

Fields Values
Authentication
AND or OR
Client IP
AND or OR
Remote Server Domain
AND or OR
Remote Server Port
AND or OR
Remote Server IP
AND or OR
WebCategory
AND or OR
User-Agent
AND or OR
Time
AND or OR
Access ALLOW/BLOCK

The Above Table Follows a AND and OR Condition
Lets Take a Example

Example 1: Allow User: Sam via IP : 192.168.0.156 to access Google.com via Modern Browsers [Chrome, Firefox, Edge] only between Office Time [9 To 5]

Well Now the Below Just Shows Allowing on Certain Condition, But it Also Depends if the Proxy has a Default Blocking Rule has another Rule to Just Cut off Access and then Create a Allow Rule, A Lot of Possibility Possible .

Fields Values
Authentication Sam
AND
Client IP 192.168.0.156
AND
Remote Server Domain Regex:google.com
AND
Remote Server Port 443,80
AND
Remote Server IP ANY
AND
WebCategory ANY
AND
User-Agent Chrome, Firefox, Edge
AND
Time Office Time [9 To 5]
AND
Access ALLOW

*** Regardless of Web Category i.e even if google.com falls in any Category it is not effects the Policy ***

Example 2: Block User: ANY via IP : ANY to access WebCategory SearchEngine via Modern Browsers [ANY] between Office Time [9 To 5]

Fields Values
Authentication ANY
AND
Client IP ANY
AND
Remote Server Domain ANY
AND
Remote Server Port ANY
AND
Remote Server IP ANY
AND
WebCategory SearchEngine
AND
User-Agent ANY
AND
Time Office Time [9 To 5]
AND
Access BLOCK

This is Where WebCategory Help you,
Now Here ANY User is NOT ALLOWED to access SearchEngine Sites like Google, Yahoo, Bing etc and many More.

Now The Allow Rule Table Says To Block All Users, Depending on the Proxy Working NEW Policy can be below to allow Access to Certain IP

Quick Example:

Fields Values
Authentication Bob
AND
Client IP ANY
AND
Remote Server Domain ANY
AND
Remote Server Port ANY
AND
Remote Server IP ANY
AND
WebCategory SearchEngine
AND
User-Agent ANY
AND
Time Office Time [9 To 5]
AND
Access ALLOW

Now Here User Bob is allowed to access SearchEngine Sites like Google, Yahoo, Bing etc and many More.

Last and a Quick One For OR Condition

Fields Values
Authentication Annie
AND
Client IP ANY
AND
Remote Server Domain Regex:searchable.co.in, Regex:facetime.com
OR
WebCategory SearchEngine
AND
Remote Server Port ANY
AND
Remote Server IP ANY
AND
User-Agent ANY
AND
Time Office Time [9 To 5]
AND
Access ALLOW

This one was to show that you can create a Rule to allow SearchEngine as well as two more Websites Regardless in What WebCategory they fall in.

*The Above Was a Glimpse and a Use Case and Illustration of How a Proxy Restriction Working can be. Feel Free to Interrupt and Correct me

💖 💪 🙅 🚩
aashishrbhandari
Ashish R Bhandari

Posted on January 3, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Simple Connect Proxy
connectproxy Simple Connect Proxy

January 3, 2021