What Is SSL Proxy Server

SSL Proxy | Application Security User Guide for Security Devices

SSL proxy is supported on SRX Series devices only.
Secure Sockets Layer (SSL) is an application-level protocol
that provides encryption technology for the Internet. SSL, also called
Transport Layer Security (TLS), ensures the secure transmission of
data between a client and a server through a combination of privacy,
authentication, confidentiality, and data integrity. SSL relies on
certificates and private-public key exchange pairs for this level
of security.
SSL proxy is a transparent proxy that performs SSL encryption
and decryption between the client and the server.
How Does SSL Proxy Work?
SSL proxy provides secure transmission of data between a client
and a server through a combination of the following:
- Authentication: Server authentication guards against fraudulent
  transmissions by enabling a web browser to validate the identity of
  a web server.
- Confidentiality: SSL enforces confidentiality by encrypting
  data to prevent unauthorized users from eavesdropping on electronic
  communications, thus ensuring privacy of communications.
- Integrity: Message integrity ensures that the contents
  of a communication are not tampered with.
An SRX Series device acting as SSL proxy manages SSL connections
between the client at one end and the server at the other end and
performs the following actions:
- SSL session between client and SRX Series: Terminates
  an SSL connection from a client, when the SSL sessions are initiated
  from the client to the server. The SRX Series device decrypts the
  traffic, inspects it for attacks (both directions), and initiates the
  connection on the client's behalf out to the server.
- SSL session between server and SRX Series: Terminates
  an SSL connection from a server, when the SSL sessions are initiated
  from the external server to the local server. The SRX Series device receives
  clear text from the client, and encrypts and transmits the data as
  ciphertext to the SSL server. On the other side, the SRX Series device decrypts
  the traffic from the SSL server, inspects it for attacks, and sends
  the data to the client as clear text.
Allows inspection of encrypted traffic.
SSL proxy server ensures secure transmission of data with encryption
technology. SSL relies on certificates and private-public key exchange
pairs to provide the secure communication. For more information, see
SSL Certificates.
To establish and maintain an SSL session between the SRX Series
device and its client/server, the SRX Series device applies security
policy to the traffic that it receives. When the traffic matches the
security policy criteria, SSL proxy is enabled as an application service
within a security policy.
SSL Proxy with Application Security Services
Figure 1 shows how SSL proxy
works on an encrypted payload.
Figure 1: SSL Proxy on an Encrypted Payload
When advanced security services such as application firewall
(AppFW), Intrusion Detection and Prevention (IDP), application tracking
(AppTrack), UTM, and SkyATP are configured, the SSL proxy acts as an
SSL server by terminating the SSL session from the client and establishing
a new SSL session to the server. The SRX Series device decrypts and
then reencrypts all SSL proxy traffic.
IDP, AppFW, AppTracking, advanced policy-based routing (APBR),
UTM, SkyATP, and ICAP service redirect can use the decrypted content
from SSL proxy. If none of these services are configured, then SSL
proxy services are bypassed even if an SSL proxy profile is attached
to a firewall policy.
Types of SSL Proxy
SSL proxy is a transparent proxy that performs SSL encryption
and decryption between the client and the server. SRX acts as the
server from the client’s perspective and it acts as the client
from the server’s perspective. On SRX Series devices, client
protection (forward proxy) and server protection (reverse proxy) are
supported using the same ecosystem (SSL-T-SSL [terminator on the client
side] and SSL-I-SSL [initiator on the server side]).
SRX Series devices support the following types of SSL proxy:
- Client-protection SSL proxy, also known as forward proxy: The
  SRX Series device resides between the internal client and the outside
  server. It proxies outbound sessions, that is, locally initiated SSL
  sessions to the Internet. It decrypts and inspects traffic from internal
  users to the web.
- Server-protection SSL proxy, also known as reverse proxy: The
  SRX Series device resides between the internal server and the outside
  client. It proxies inbound sessions, that is, externally initiated SSL
  sessions from the Internet to the local server.
For more information on SSL forward proxy and reverse proxy,
see Configuring SSL Proxy.
Supported SSL Protocols
The following SSL protocols are supported on SRX Series devices
for SSL initiation and termination service:
- TLS version 1.0: Provides authentication and secure
  communications between communicating applications.
- TLS version 1.1: This enhanced version of TLS provides
  protection against cipher block chaining (CBC) attacks.
- TLS version 1.2: This enhanced version of TLS provides
  improved flexibility for negotiation of cryptographic algorithms.
- TLS version 1.3: This enhanced version of TLS provides improved security and better
  performance.
Starting with Junos OS Release 15.1X49-D30 and Junos OS Release
17.3R1, TLS version 1.1 and TLS version 1.2 protocols are supported
on SRX Series devices along with TLS version 1.0. Starting with Junos
OS Release 15.1X49-D20 and Junos OS Release 17.3R1, the SSL protocol
3.0 (SSLv3) support is deprecated.
Starting in Junos OS Release 21.2R1, on SRX Series devices, SSL proxy supports TLS
version 1.3 and it provides improved security and better
Benefits of SSL Proxy
- Decrypts SSL traffic to obtain granular application information
  and enables you to apply advanced security services protection and
  detect threats.
- Enforces the use of strong protocols and ciphers by the
  client and the server.
- Provides visibility and protection against threats embedded
  in SSL encrypted traffic.
- Controls what needs to be decrypted by using Selective
  SSL Proxy.
Logical Systems Support
It is possible to enable SSL proxy on firewall policies that
are configured using logical systems; however, note the following
limitations:
- The “services” category is currently not supported
  in logical systems configuration. Because SSL proxy is under “services,”
  you cannot configure SSL proxy profiles on a per-logical-system basis.
- Because proxy profiles configured at a global level (within
  “services ssl proxy”) are visible across logical system
  configurations, it is possible to configure proxy profiles at a global
  level and then attach them to the firewall policies of one or more
  logical systems.
Limitations
On all SRX Series devices, the current SSL proxy implementation
has the following connectivity limitations:
- The SSLv3.0 protocol support is deprecated.
- The SSLv2 protocol is not supported. SSL sessions using
  SSLv2 are dropped.
- Only X.509v3 certificates are supported.
- Client authentication of SSL handshake is not supported.
- SSL sessions where client certificate authentication is
  mandatory are dropped.
- SSL sessions where renegotiation is requested are dropped.
On SRX Series devices, for a particular session, the SSL proxy
is only enabled if a relevant feature related to SSL traffic is also
enabled. Features that are related to SSL traffic are IDP, application
identification, application firewall, application tracking, advanced
policy-based routing, UTM, SkyATP, and ICAP redirect service. If none
of these features are active on a session, the SSL proxy bypasses
the session and logs are not generated in this scenario.
Tunneling SSL Through the Proxy Server

When you are running a Proxy Server (proxy) in the forward direction
and a client requests an SSL connection to a secure server through the proxy,
the proxy opens a connection to the secure server and copies data in both
directions without intervening in the secure transaction. This process is
known as SSL tunneling, and is illustrated in the following figure.
Figure 5–1 SSL Connection
To use SSL tunneling with HTTPS
URLs, the client must support both SSL and HTTPS. HTTPS is implemented using
SSL with normal HTTP. Clients without HTTPS support can still access HTTPS
documents using the Proxy Server’s HTTPS proxying capability.
SSL tunneling is a lower-level activity that does not affect the application
level (HTTPS). SSL tunneling is just as secure as SSL without proxying. The
existence of the proxy in between does not in any way compromise security
or reduce the functionality of SSL.
With SSL, the data stream is encrypted, so the proxy has no access to
the actual transaction. Consequently, the access log cannot list the status
code or the header length received from the remote server. This process also
prevents the proxy, or any other third party, from eavesdropping on the transactions.
Because the proxy never sees the data, it cannot verify that the protocol used between
the client and the remote server is SSL. Therefore the proxy also cannot prevent
other protocols from being passed through. You should restrict SSL connections
to only well-known SSL ports, namely port 443 for HTTPS and 563 for SNEWS,
as assigned by the Internet Assigned Numbers Authority (IANA). If sites run
the secure server on some other port, you can make explicit exceptions to
allow connections to other ports on certain hosts by using the connect://.* resource.
The SSL tunneling capability is actually a general, SOCKS-like capability
that is protocol independent, so you can also use this feature for other services.
Proxy Server can handle SSL tunneling for any application with SSL support,
not just the HTTPS and SNEWS protocols.
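The port restriction recommended above, sketched as an added example (not code from the original page or from Proxy Server itself): a check that parses the target of an HTTP CONNECT request and permits a blind tunnel only to ports 443 and 563, plus explicit per-host exceptions. The EXCEPTIONS table, the function names and all host names are constructed assumptions.

```python
import re

# Default policy from the text: only the IANA-assigned SSL ports.
DEFAULT_PORTS = {443, 563}                      # HTTPS and SNEWS
# Hypothetical per-host exceptions (constructed sample values).
EXCEPTIONS = {"secure.example.com": {8443}}
_REQ = re.compile(r"^CONNECT\s+(\S+)\s+HTTP/1\.[01]$")


def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = _REQ.match(request_line.strip())
    if not m:
        return None
    target = m.group(1)
    if target.startswith("["):                  # IPv6 literal: [addr]:port
        host, sep, port = target[1:].partition("]:")
    else:
        host, sep, port = target.rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return None                             # an explicit numeric port is required
    port = int(port)
    if not 1 <= port <= 65535:
        return None
    return host.lower().rstrip("."), port       # normalise case and trailing dot


def allow_tunnel(request_line, default_ports=DEFAULT_PORTS, exceptions=EXCEPTIONS):
    """Decide whether the proxy should open a blind tunnel for this request."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return False                            # fail closed on anything unparseable
    host, port = parsed
    return port in default_ports or port in exceptions.get(host, set())


if __name__ == "__main__":
    samples = [  # constructed request lines
        "CONNECT www.example.com:443 HTTP/1.1",
        "CONNECT news.example.com:563 HTTP/1.0",
        "CONNECT mail.example.com:25 HTTP/1.1",
        "CONNECT Secure.Example.com:8443 HTTP/1.1",
        "CONNECT www.example.com:8443 HTTP/1.1",
        "CONNECT [2001:db8::1]:443 HTTP/1.1",
    ]
    for line in samples:
        print(f"{'ALLOW' if allow_tunnel(line) else 'DENY':5}  {line}")
```

Because the proxy cannot see inside the tunnel, the port and host in the CONNECT line are the only inputs such a policy can act on.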
How to set up an HTTPS proxy server - GoDaddy

Your digital middleman
Privacy is a perennial hot topic online. Many internet users have no idea how to safeguard their information, but savvy web professionals can implement an HTTPS proxy server to do the job.
An HTTPS proxy server allows you to maintain your privacy while still being able to browse the internet unrestricted. This alone is a major selling point. Plus, connecting to HTTPS through proxy can bring even more benefits, and can easily become a vital part of your development workflow.
In this piece, we’ll first answer the question: What is a proxy server? We’ll then discuss what you’ll need to get one up and running, before showing you how to set up a proxy server of your own. Let’s get started!
What is a proxy server (and why you need one)
In layman’s terms, a proxy server acts as a “middleman” between your browser and the website you’re visiting. It can get complex under the hood, but you don’t need to know too much about how it works to carry out day-to-day tasks. You should know that, much like with any other website, the data a proxy server passes along can also be encrypted by HTTPS.
There are definite benefits to using HTTPS through proxy, starting with the privacy and anonymous browsing it offers. However, an HTTPS proxy server can help you with many more things, including security and ad blocking functions, geolocation testing, and even caching.
Rather than seeing it simply as a way to obfuscate your online identity, you can view your HTTPS proxy server as a valuable development tool.
With that in mind, let’s take a look at what you’ll need to get started.
The essential elements you’ll need to set up an HTTPS proxy server
GoDaddy provides all manner of SSL certificates to help secure and encrypt your data.
While on the surface setting up an HTTPS proxy server might seem costly, it can actually be quite cheap to implement one. The first element you’ll need is a suitable web host with the following traits:
An Apache server with at least PHP 5 installed, along with cURL support.
Write access to public_html.
The ability to set up a proxy.
(Fortunately, GoDaddy’s Business Hosting, VPS, and Dedicated Server hosting plans meet these requirements.)
Moving on, you’ll need a way to encrypt the data that passes through your proxy. Much like with a standard website, you’ll need to employ a suitable SSL certificate. There are many options and vendors available, and you can find a plethora of different certificates at competitive prices.
Finally, you’ll need a suitable proxy script. They’re usually coded with PHP, and a quick Google search will uncover a wealth of choices. However, beware: free scripts are sometimes released by developers with ulterior motives, so you should carefully consider your options. That said, both Glype and Squid are suitable free proxy scripts, and the latter is also a stellar proxy caching solution.
Squid is one of the top free caching proxies available.
Five steps to set up an HTTPS proxy server
Once you’ve gathered what you’ll need to create your HTTPS proxy server (and made sure your server is suitably prepared), the final step is performing the actual setup. Fortunately, this process should be simple for most web professionals.
1. Set up a subdomain with SSL
Set up a subdomain, and make sure your SSL certificate is up and running for that particular URL.
2. Download your proxy script
Download your chosen proxy script and unpack the compressed archive file if necessary.
3. Upload files to subdomain’s folder
Upload the files via File Transfer Protocol (FTP) to the subdomain’s folder. If you have no preferred FTP manager, we recommend FileZilla.
4. Tweak subdomain admin settings
Browse to the proxy subdomain’s administration screen (usually by appending your URL with), and tweak the settings as appropriate based on your requirements and chosen proxy script.
5. Check for security signals
Finally, check that you can see the indicators of a secure website: the green padlock and the designation in the browser bar.
That’s all it takes. All being well, you should have a working, secure HTTPS proxy server up and running in around 15 minutes!
Conclusion
While online privacy continues to be a pressing issue, there’s no quick and easy way to protect your online movements while not restricting your options. However, for the skilled web professional, connecting to HTTPS through proxy is probably your best bet.
In this article, we’ve discussed what an HTTPS proxy server is, and explained why you’d want one. We then walked you through the elements you’ll need (including proper hosting and a suitable PHP script) before finally showing you how to set up a proxy server. By following our advice, you should be up and running in minutes.

Frequently Asked Questions about What Is SSL Proxy Server

How does SSL work with proxy servers?

When you are running a Proxy Server (proxy) in the forward direction and a client requests an SSL connection to a secure server through the proxy, the proxy opens a connection to the secure server and copies data in both directions without intervening in the secure transaction.

How do I set up an SSL proxy server?

Five steps to set up an HTTPS proxy server: Set up a subdomain with SSL. Set up a subdomain, and make sure your SSL certificate is up and running for that particular URL. Download your proxy script. … Upload files to subdomain’s folder. … Tweak subdomain admin settings. … Check for security signals. (Aug 21, 2017)

Why do I need a proxy certificate?

An SSL proxy server not only increases trust in the website and shows that an Internet presence is really what it claims to be; an SSL certificate also helps to close security gaps. A certificate, for example, makes it possible to transmit data encrypted between the server and the user. (Apr 2, 2020)
