FireWall-1 as a reverse HTTP proxy

[BarryStiefel]

FireWall-1 as a reverse HTTP proxy



You can sort of do this, though it's not as extensive as Netscape's Proxy server and will require you to use Authentication. HTTPS is not supported until FireWall-1 4.0. If you go to Policy Properties and go to the "Security Servers" tab, you will see "HTTP Servers". Users will specify the firewall as the "host" part of the URL and, depending on what "logical server" they reference as the "path" part of the URL, they will be automagically be redirected to another internal server. To the user, it looks like one big site requiring authentication.



Let's say my firewall has the DNS name firewall.foo.com and I create three "logical server" definitions: Logical Server URL Port main(N) http://internal.foo.com 80 graphics http://graphics.foo.com 80 cgi http://cgi.foo.com 8000



The (N) here siginifies that I've checked the checkbox entitled "Server for Null Requests" in the Logical Server definition.

This means the following:

1. http://firewall.foo.com/index.html will be fetched from http://internal.foo.com/index.html ("Internal" is the server for Null Requests and will take everything that is not under /graphics or /cgi).
2. http://firewall.foo.com/graphics/dots/red-blinker.gif will be fetched from http://graphics.foo.com/dots/red-blinker.gif
3. http://firewall.foo.com/cgi/process-form.pl will be fetched from http://cgi.foo.com:8000/process-form.pl

Assuming your web pages use relative links, it should all be transparent to the end user and look like one, big, happy site.

The rule to enable this access is:

Source Destination Service Action Users@Any InternalHTTPServers HTTP User Auth

In the properties for User Auth, you should specify "allow pre-defined servers only" and also insure that the HTTP Security Server is enabled in $FWDIR/conf/fwauthd.conf.

-- GuyR - 18 Jan 2004

FAQForm FAQs.Class: ServicesFAQs FAQs.OS: FAQs.Version: