Dears,
I am trying to filter traversal access to my LAN via the HTTP CONNECT method.
And I tried to use an acl with url_ip based on private IP range constants.
Apparently this method works for HTTP GET, but isn't working for HTTP
CONNECT.
Is there any other way to inspect the HTTP CONNECT destination?
My config:
acl forbidden_dst url_ip 192.168.0.0/24
acl forbidden_dst url_ip 172.16.0.0/12
acl forbidden_dst url_ip 10.0.0.0/8
http-request deny if forbidden_dst
Log for HTTP GET, request blocked:
Oct 1 11:08:37 ip-10-2-170-57 haproxy[2227]: x.x.x.x:35963 [01/Oct/2015:11:08:37.182] proxy-in proxy-in/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 0/0/0/0/0 0/0 "GET http://10.1.1.1:22/ HTTP/1.1"
Log for HTTP CONNECT, request bypassed (responded as HTTP/403 by backend
service):
Oct 1 11:08:55 ip-10-2-170-57 haproxy[2227]: x.x.x.x:35966 [01/Oct/2015:11:08:55.101] proxy-in proxy/i-4c333482 0/0/1/2/3 403 423 - - ---- 1/1/0/0/0 0/0 "CONNECT 10.1.1.1:22 HTTP/1.1"
--
BR,
Pavlo Zhuk
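The two log lines above show the underlying difference: a proxied GET carries an absolute-form URL (http://host:port/path), while CONNECT carries only an authority-form host:port, so a check written for one form does not automatically see the other. The script below is an added example, not code from the post or from the HAProxy project; it parses HAProxy httplog-style lines, extracts the destination for both request forms, checks it against the RFC 1918 ranges, and flags private-range requests that reached a real backend server instead of being denied at the frontend. The sample lines are constructed from the ones in the post (client address replaced with a documentation address, and a third line for a non-private CONNECT added); the field layout assumed is HAProxy's default httplog format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the post's log excerpts. The client
# address 198.51.100.7 stands in for the redacted x.x.x.x; the third line
# (a CONNECT to a public host) is invented to show the non-matching case.
SAMPLE_LOG = """\
Oct 1 11:08:37 ip-10-2-170-57 haproxy[2227]: 198.51.100.7:35963 [01/Oct/2015:11:08:37.182] proxy-in proxy-in/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 0/0/0/0/0 0/0 "GET http://10.1.1.1:22/ HTTP/1.1"
Oct 1 11:08:55 ip-10-2-170-57 haproxy[2227]: 198.51.100.7:35966 [01/Oct/2015:11:08:55.101] proxy-in proxy/i-4c333482 0/0/1/2/3 403 423 - - ---- 1/1/0/0/0 0/0 "CONNECT 10.1.1.1:22 HTTP/1.1"
Oct 1 11:09:10 ip-10-2-170-57 haproxy[2227]: 198.51.100.7:35970 [01/Oct/2015:11:09:10.004] proxy-in proxy/i-4c333482 0/0/1/2/3 200 423 - - ---- 1/1/0/0/0 0/0 "CONNECT example.org:443 HTTP/1.1"
"""

# RFC 1918 private address blocks (assumption: these are the ranges the
# proxy is meant to protect; adjust to your own LAN).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default HAProxy httplog layout: client, accept date, frontend,
# backend/server, timers, status, ... and finally the quoted request line.
# "<NOSRV>" as the server means no backend server was ever selected,
# i.e. the request was answered (here: denied) by the frontend itself.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) \S+ (?P<status>\d{3}) .* '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[\d.]+)"'
)


def request_destination(method, target):
    """Return (host, port) that a proxied request is aimed at.

    CONNECT uses the authority form "host:port"; other methods sent to a
    forward proxy use the absolute form "scheme://host[:port]/path".
    """
    if method == "CONNECT":
        host, _, port = target.rpartition(":")   # rpartition keeps "[::1]" intact
        return host, int(port)
    parts = urlsplit(target)
    default_port = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default_port


def is_private_destination(host):
    """True if host is an IP literal inside one of PRIVATE_NETS."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # A DNS name, not a literal: deciding needs resolution, which this
        # offline example does not do.
        return False
    return any(addr in net for net in PRIVATE_NETS)


def parse_log(text):
    """Parse httplog lines into dicts, flagging private-range destinations
    that reached a backend server (the deny rule did not fire for them)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, port = request_destination(m["method"], m["target"])
        private = is_private_destination(host)
        events.append({
            "client": m["client"],
            "method": m["method"],
            "host": host,
            "port": port,
            "status": int(m["status"]),
            "server": m["server"],
            "private": private,
            "bypassed": private and m["server"] != "<NOSRV>",
        })
    return events


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        verdict = "BYPASSED deny rule" if ev["bypassed"] else (
            "denied at frontend" if ev["private"] else "public destination")
        print(f'{ev["method"]:7} {ev["host"]}:{ev["port"]} -> {verdict}')
```

Run against a real access log, the "bypassed" flag isolates exactly the case in the post: a CONNECT to an internal address that was forwarded to a backend and only refused there. That is a useful detection signal while the frontend rule is being fixed, since it identifies which clients are probing internal hosts through the proxy.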