Enabling SSL Tunneling through a Proxy Server
If your proxy service connects to a back-end server through a proxy server, you can enable secure socket layer (SSL) tunneling through the proxy server to prevent any intermediate proxy services from interfering with the communication. SSL tunneling is available when your proxy service uses either the HTTP PassThrough transport or the HTTP-NIO transport .
The following section walks you through the steps to enable SSL tunneling through a proxy server. Here we will use Squid as the caching and forwarding HTTP web proxy.
Setting up Squid
Follow the steps below to set up Squid:
- Install Squid as described here.
Add the following lines in the
<SQUID_HOME>/etc/squid3/squid.conf
file:acl SSL_ports port 443 8443 8448 8248 8280 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025–65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/basic_pw auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off acl ncsa_users proxy_auth REQUIRED http_access allow ncsa_users http_port 3128
Configuring SSL tunneling
Follow the steps below to configure SSL tunneling through the proxy server:
In theÂ
<ESB_HOME>/repository/conf/axis2/axis2.xml
file, add the following parameters to thetransportSender
configuration forÂPassThroughHttpSender
,PassThroughHttpSSLSender
,HttpCoreNIOSender
, andHttpCoreNIOSSLSender
:<parameter name="http.proxyHost" locked="false">hostName</parameter>
whereÂ<parameter name="http.proxyPort" locked="false">portNumber</parameter>
hostName
 andÂportNumber
specify the host name and port number of the proxy server.
- Uncomment the following parameter in the
PassThroughHttpSSLSender
andHttpCoreNIOSSLSender
configurations and change the value toAllowAll
.<parameter name="HostnameVerifier">AllowAll</parameter>
Note that changing theÂ
HostnameVerifier
parameter as mentioned above causes security vulnerabilities such as "network poisoning".
For example, if the host name and port number of proxy server is localhost:8080
, your transportSender
configurations for PassThroughHttPSender
and PassThroughHttpSSLSender
would be as follows:
<transportSender name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpSender"> <parameter name="non-blocking" locked="false">true</parameter> <parameter name="http.proxyHost" locked="false">localhost</parameter> <parameter name="http.proxyPort" locked="false">8080</parameter> </transportSender>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender"> <parameter name="non-blocking" locked="false">true</parameter> <parameter name="keystore" locked="false"> <KeyStore> <Location>repository/resources/security/wso2carbon.jks</Location> <Type>JKS</Type> <Password>wso2carbon</Password> <KeyPassword>wso2carbon</KeyPassword> </KeyStore> </parameter> <parameter name="truststore" locked="false"> <TrustStore> <Location>repository/resources/security/client-truststore.jks</Location> <Type>JKS</Type> <Password>wso2carbon</Password> </TrustStore> </parameter> <parameter name="http.proxyHost" locked="false">localhost</parameter> <parameter name="http.proxyPort" locked="false">8080</parameter> <parameter name="HostnameVerifier">AllowAll</parameter> </transportSender>