Here we are talking about the control a proxy has, i.e. a proxy used in an internal network to apply restrictions.
Refer here: What all things are possible in a proxy (forward proxy)
A CONNECT proxy basically means that it supports connecting to HTTPS websites; there were proxies that did not support the CONNECT method and so could not connect to HTTPS sites at all.
So we are talking about a proxy that handles the CONNECT method, creates a TCP socket to the remote server, and then holds two TCP sockets, as shown below:
CLIENT -----> Proxy ------> SERVER
TCP SOCKET =====> TCP SOCKET
The proxy forwards any data received from the client as-is to the server socket; once the TLS handshake succeeds the data is encrypted, so the proxy cannot interpret it.
So what can a CONNECT proxy do?
Let's look at the data it has.
All possible data:
1) Client IP
2) Remote server domain, port, and the IP address after resolution
3) User-Agent
4) Time [When The Request Came]
5) Authentication Details [If Proxy Requires Authentication to Identify User and Then Allows]
6) Web Category/URL Category [I will later Add a Link For Reference]
A small note on web category: in simple words, there is a database of websites, each assigned to a category group.
Example, a simple table:
| Domain Name | Category |
|---|---|
| google.com | SearchEngine |
| facebook.com | Social Networking |
| porn.com | Pornography, Adult Content |
A quick view of a request by a client for www.example.com via a corporate proxy.
Client [192.168.0.167] sends the header:
```http
CONNECT www.example.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.example.com:443
```
[WebCategory check]: [Website: www.example.com] => [Category list: Test Driven Sites, Safe Sites]
Now let's look at the minimum data the proxy always has, even without authentication or a category database:
Minimum data
1) Client IP
2) Remote server domain, port, and the IP address after resolution
3) Time [when the request came]
Now coming to what can be done.
The proxy can apply rules such as:
- Allow/Block The Access If Request is From Certain Client IP Address
- Allow/Block The Access If Request is To Certain Remote Server Domain
- Allow/Block The Access If Request is To Certain Remote Server Port
- Allow/Block The Access If Remote Server Domain Resolves To a Certain IP, an IP List, or a CNAME
- Allow/Block The Access If User-Agent is of a Certain Regex String
- Allow/Block The Access If User-Agent is NOT of a Certain Regex String
- Allow/Block The Access If The Time When the Request Came is Between a Range
- Allow/Block The Access If The Time When the Request Came is NOT in Between a Range Provided.
- Allow/Block The Access If Request is Authenticated
- Allow/Block The Access If Request is Authenticated and the User is Sam
- Allow/Block The Access If Request is Authenticated and the User is NOT Sam
There is a tremendous number of combinations that can be made to get what is required.
Let me give the condition pattern:
| Fields | Values |
|---|---|
| Authentication | |
| AND or OR | |
| Client IP | |
| AND or OR | |
| Remote Server Domain | |
| AND or OR | |
| Remote Server Port | |
| AND or OR | |
| Remote Server IP | |
| AND or OR | |
| WebCategory | |
| AND or OR | |
| User-Agent | |
| AND or OR | |
| Time | |
| AND or OR | |
| Access | ALLOW/BLOCK |
The above table chains the rows with AND and OR conditions.
Let's take an example.
Example 1: Allow user Sam via IP 192.168.0.156 to access google.com via modern browsers [Chrome, Firefox, Edge] only during office time [9 to 5].
The table below only shows allowing on certain conditions; the outcome also depends on whether the proxy has a default blocking rule, or another rule that cuts off access first, after which an allow rule is created. Many arrangements are possible.
| Fields | Values |
|---|---|
| Authentication | Sam |
| AND | |
| Client IP | 192.168.0.156 |
| AND | |
| Remote Server Domain | Regex:google.com |
| AND | |
| Remote Server Port | 443,80 |
| AND | |
| Remote Server IP | ANY |
| AND | |
| WebCategory | ANY |
| AND | |
| User-Agent | Chrome, Firefox, Edge |
| AND | |
| Time | Office Time [9 To 5] |
| AND | |
| Access | ALLOW |
*** Regardless of web category, i.e. even if google.com falls in some category, it does not affect this policy ***
Example 2: Block user ANY via IP ANY from accessing WebCategory SearchEngine via modern browsers [ANY] during office time [9 to 5].
| Fields | Values |
|---|---|
| Authentication | ANY |
| AND | |
| Client IP | ANY |
| AND | |
| Remote Server Domain | ANY |
| AND | |
| Remote Server Port | ANY |
| AND | |
| Remote Server IP | ANY |
| AND | |
| WebCategory | SearchEngine |
| AND | |
| User-Agent | ANY |
| AND | |
| Time | Office Time [9 To 5] |
| AND | |
| Access | BLOCK |
This is where WebCategory helps you: now ANY user is NOT allowed to access SearchEngine sites like Google, Yahoo, Bing etc. and many more.
The rule table above says to block all users; depending on how the proxy evaluates rules, a new policy like the one below can allow access to a certain user or IP.
Quick example:
| Fields | Values |
|---|---|
| Authentication | Bob |
| AND | |
| Client IP | ANY |
| AND | |
| Remote Server Domain | ANY |
| AND | |
| Remote Server Port | ANY |
| AND | |
| Remote Server IP | ANY |
| AND | |
| WebCategory | SearchEngine |
| AND | |
| User-Agent | ANY |
| AND | |
| Time | Office Time [9 To 5] |
| AND | |
| Access | ALLOW |
Now user Bob is allowed to access SearchEngine sites like Google, Yahoo, Bing etc. and many more.
Last, a quick one for the OR condition:
| Fields | Values |
|---|---|
| Authentication | Annie |
| AND | |
| Client IP | ANY |
| AND | |
| Remote Server Domain | Regex:searchable.co.in, Regex:facetime.com |
| OR | |
| WebCategory | SearchEngine |
| AND | |
| Remote Server Port | ANY |
| AND | |
| Remote Server IP | ANY |
| AND | |
| User-Agent | ANY |
| AND | |
| Time | Office Time [9 To 5] |
| AND | |
| Access | ALLOW |
This one shows that you can create a rule to allow SearchEngine sites as well as two more websites, regardless of which WebCategory they fall in.
*The above was a glimpse, a use case and an illustration of how proxy restrictions can work. Feel free to interrupt and correct me.*
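As an added example (not code from the original post), the fields a CONNECT proxy extracts from the request header shown earlier and the rule tables above can be put together in a small first-match policy evaluator. The category database, the sample request, the rule order and the `any_of` list (used to express the OR row of the last table) are constructed assumptions.

```python
import re
from datetime import time

WEB_CATEGORY = {"google.com": "SearchEngine", "facebook.com": "Social Networking"}  # constructed
OFFICE = (time(9, 0), time(17, 0))  # the post's "Office Time [9 To 5]"

def parse_connect(raw, client_ip, user=None, when=time(10, 0)):
    """Collect the fields a CONNECT proxy can see before the TLS tunnel is opened."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, port = target.rsplit(":", 1)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines[1:])}
    return {"user": user, "client_ip": client_ip, "domain": host, "port": int(port),
            "category": WEB_CATEGORY.get(host.removeprefix("www."), "Uncategorized"),
            "user_agent": headers.get("user-agent", ""), "time": when}

def matches(cond, value):
    """ANY matches all; 'Regex:' conditions are searched; a (start, end) pair is a time range."""
    if cond == "ANY":
        return True
    if isinstance(cond, str) and cond.startswith("Regex:"):
        return re.search(cond[6:], value) is not None
    if isinstance(value, time):
        return cond[0] <= value <= cond[1]
    return value in cond if isinstance(cond, (list, tuple, set)) else cond == value

def rule_matches(rule, req):
    """Rows in all_of are ANDed; any_of holds ANDed groups that are ORed (the OR table)."""
    if not all(matches(c, req[f]) for f, c in rule.get("all_of", {}).items()):
        return False
    groups = rule.get("any_of", [])
    return not groups or any(all(matches(c, req[f]) for f, c in g.items()) for g in groups)

def decide(rules, req, default="BLOCK"):  # first match wins; unmatched -> proxy default
    for rule in rules:
        if rule_matches(rule, req):
            return rule["access"]
    return default
RULES = [  # order matters: the narrow allows sit above the broad SearchEngine block
    {"access": "ALLOW", "all_of": {"user": "Sam", "client_ip": "192.168.0.156",  # Example 1
     "domain": r"Regex:google\.com$", "port": (443, 80), "time": OFFICE,
     "user_agent": "Regex:Chrome|Firefox|Edg"}},
    {"access": "ALLOW", "all_of": {"user": "Bob", "category": "SearchEngine", "time": OFFICE}},
    {"access": "ALLOW", "all_of": {"user": "Annie", "time": OFFICE}, "any_of": [  # OR example
     {"domain": r"Regex:searchable\.co\.in$|facetime\.com$"}, {"category": "SearchEngine"}]},
    {"access": "BLOCK", "all_of": {"category": "SearchEngine", "time": OFFICE}},  # Example 2
]
# Constructed CONNECT request in the shape shown in the post, aimed at google.com
REQUEST = ("CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0")
```

Because evaluation is first-match, moving the broad SearchEngine block above Bob's allow would silently cancel his exception; the default of BLOCK is what catches anything no rule mentions.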