I am trying to get approval for a firewall rule from an external Windows system into our company network to access a proxy to get back out to the Internet. My needs will involve use of a web browser, for example to provide username/password. My company requires all firewall rules have only encrypted traffic passing through them. While the transport to the proxy is itself unencrypted, the approvers have clarified that as long as the packets going through the firewall are themselves encrypted (e.g. accessing TLS-based (HTTPS) websites) it is acceptable.
My question is, how can I ensure that when browsing, only requests with HTTPS traffic are permitted?
The drastic solution is to only use curl and/or wget, parsing the HTML manually and sending requests manually based on the responses, ensuring each time that HTTPS is used. Beside the obvious amount of time this would take, it would also mean that javascript-enabled pages etc would not work as expected.
I am open to a range of solutions such as:
- Firefox/Chrome plugins
- Running a local proxy (such as CNTLM) on the external machine which only forwards to the remote proxy if the URL matches a pattern (I had a look at the CNTLM manual but I can't find it lists any command-line or configuration option to only allow certain URL patterns)
- Using a special browser which would provide this kind of option
- Is there a way to configure a proxy tunnel (bearing in mind it would have to be available on Windows) which encrypts the traffic on one side and decrypts it on the other side, then none of this would be necessary
Note that I don't need to worry about traffic sent by other applications than my web browser, as this is only applicable where I have specifically configured the proxy in that application
01 Answer
Is there a way to configure a proxy tunnel (bearing in mind it would have to be available on Windows) which encrypts the traffic on one side and decrypts it on the other side, then none of this would be necessary
Yes – most commonly you would use a VPN for this (such as IKEv2, OpenVPN, or some proprietary product) as it encrypts all IP traffic and isn't limited to just HTTP. It is very common for people on external networks to connect back to their company's LAN using VPN software.
There are also software which tunnel individual TCP connections over TLS, such as stunnel.
I would suggest that requiring a VPN or another secure transport is the best method because it enforces the policy on the company's side and avoids accidents such as the client losing/"forgetting" its configuration.
On the other hand, VPN'ing into the company network only secures traffic between you and the proxy, but does nothing to enforce that requests forwarded out by the proxy are secure. (I don't know if your policy is about incoming connections only or outgoing ones as well.) If that is a requirement, it should be implemented on the proxy itself.
Firefox/Chrome plugins
For manual configuration, Firefox supports separate proxy server addresses for HTTP and HTTPS ("SSL"); it used to have extensions for configuring this per-site.
Many browsers support a PAC file which can have custom logic for proxy selection based on URL.
3