1

Consider a firewalled network with the high-level requirement that normal web browsing should work, but nothing else (e.g. ssh and skype are forbidden). (Incoming connections are denied as a matter of course.)

What should be done to HTTP CONNECT traffic? At one extreme, it could allow everything through, which would make the firewall ineffective. At the other extreme, it could be blocked: would this completely block HTTPS? (Assume the firewall is not going to play man-in-the-middle hoping that clients wouldn't notice the fake certificates.)

In other words, what is the practical “normal” use of CONNECT, and what is a good approximation of restricting its use to the “normal” cases?

Gilles 'SO- stop being evil'
  • 9,391
  • 1
  • 33
  • 48

1 Answers1

1

HTTP CONNECT is intended for tunnelling and is not required. Blocking CONNECT has no impact on normal sites which generally handle GET, HEAD, and POST requests. Blocking of this sort would assume deep inspection of packets. A web proxy might be a more appropriate tool for this than a firewall.

HTTPS will not be blocked by blocking CONNECT. The encryption wraps the connection and the requests passes over the encrypted channel. As a result you won't be able to block CONNECT requests within HTTPS connections.

BillThor
  • 27,737
  • 3
  • 37
  • 69
  • Thanks, you've answered the question I asked. Which I now realize is not at all the [question I meant to ask](http://serverfault.com/questions/185523/impact-of-http-connect-on-a-mandatory-web-proxy-policy). – Gilles 'SO- stop being evil' Sep 28 '10 at 18:40