The HTTP protocol supports a number of different access methods, such as GET, POST, and CONNECT.
The CONNECT method is normally used to establish a tunneled connection through which encrypted SSL traffic can be sent.
When proxy servers receive CONNECT requests, they are expected to establish a tunneled connection to a specified DNS host or IP address on a specified port. This allows the tunneled connection to be set up to any address and port.
It is not safe to assume that all CONNECT requests received by proxy servers are actually for SSL traffic. Outsiders frequently scan the Internet for proxies on port 8080 and other commonly used proxy ports to discover proxy servers that are accessible to them.
If a proxy server that supports the CONNECT method is inside a firewall and the proxy server is accessible from outside the firewall, outsiders can request a tunneled connection to any address and port inside the firewall.
The proxy will set up the connection, thus allowing the outsider to have access to machines inside the firewall which would normally be inaccessible.
To the machines inside the firewall, it appears that the connection is originating from the proxy server address inside the firewall rather than from outside the firewall.
Outsiders are known to have used this capability to break through the protection normally provided by firewalls.
Attackers can use the CONNECT method to request that a publicly accessible proxy server set up a tunneled connection which passes through the proxy. This hides the real address of the attacker.
Attackers can then chain through several proxies by having the first proxy connect to the second, the second connect to the third, and so on, making it very difficult for law enforcement to discover where the attack is actually originating.
By default, Excelerator enables the CONNECT method for forward proxy services and disables it for transparent proxy services because:
For proxy services that require CONNECT method support, Excelerator monitors the data flowing through the tunneled connection. If the data is not SSL-related, Excelerator immediately tears down the tunneled connection and doesn't forward the data requests. This prevents outsiders from gaining access through firewalls and attackers from establishing chains to hide their identity.
As explained in How Excelerator Protects Your Network, Excelerator is configured by default to use the CONNECT method only when necessary and to verify CONNECT method requests to protect your network against security risks.
We recommend you use the default CONNECT method settings whenever possible.
If you have special configuration requirements and are considering a non-default CONNECT method configuration, consider the following points:
For most installations, only forward proxies need to support the CONNECT method. However, if you configure your transparent proxy to intercept traffic normally intended for a forward proxy (such as port 8080), then the transparent proxy might also need to allow the CONNECT method.
This protects your appliance and network against the establishment of tunneled connections that are not SSL-related. Not using this protection makes your installation vulnerable to the risks described in An Unverified CONNECT Connection Is a Security Risk.