Managing HTTP CONNECT Method Support

The HTTP protocol supports a number of different access methods, such as GET, POST, and CONNECT.

The CONNECT method is normally used to establish a tunneled connection through which encrypted SSL traffic can be sent.


How the CONNECT Method Works

When proxy servers receive CONNECT requests, they are expected to establish a tunneled connection to a specified DNS host or IP address on a specified port. This allows the tunneled connection to be set up to any address and port.


An Unverified CONNECT Connection Is a Security Risk

It is not safe to assume that all CONNECT requests received by proxy servers are actually for SSL traffic. Outsiders frequently scan the Internet for proxies on port 8080 and other commonly used proxy ports to discover proxy servers that are accessible to them.


Outsiders Can Use Proxies to Attack Other Machines Inside a Firewall

If a proxy server that supports the CONNECT method is inside a firewall and the proxy server is accessible from outside the firewall, outsiders can request a tunneled connection to any address and port inside the firewall.

The proxy will set up the connection, thus allowing the outsider to have access to machines inside the firewall which would normally be inaccessible.

To the machines inside the firewall, it appears that the connection is originating from the proxy server address inside the firewall rather than from outside the firewall.

Outsiders are known to have used this capability to break through the protection normally provided by firewalls.


Attackers Can Hide Their Location

Attackers can use the CONNECT method to request that a publicly accessible proxy server set up a tunneled connection which passes through the proxy. This hides the real address of the attacker.

Attackers can then chain through several proxies by having the first proxy connect to the second, the second connect to the third, and so on, making it very difficult for law enforcement to discover where the attack is actually originating.


How Excelerator Protects Your Network

By default, Excelerator enables the CONNECT method for forward proxy services and disables it for transparent proxy services because:

For proxy services that require CONNECT method support, Excelerator monitors the data flowing through the tunneled connection. If the data is not SSL-related, Excelerator immediately tears down the tunneled connection and does not forward the data. This prevents outsiders from gaining access through firewalls and attackers from establishing proxy chains to hide their identity.
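The two checks described on this page, refusing tunnels to addresses behind the firewall and tearing down a tunnel whose first bytes are not SSL/TLS, as an added illustration that is not Excelerator's own code. The request line, the tunnel bytes and the addresses are constructed samples; the policy check inspects literal IP addresses only, and a deployed proxy would have to resolve each hostname and apply the same check to every address it resolves to.

```python
import ipaddress

# Constructed sample inputs (not from the page): a CONNECT request line and
# the first bytes a client might send once the tunnel is open.
CONNECT_LINE = b"CONNECT example.com:443 HTTP/1.1"
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00c8 01 0000c4 0303")  # TLS record + ClientHello header
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"          # not SSL/TLS


def parse_connect(request_line: bytes):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not port.isdigit():
        return None
    port = int(port)
    if not 0 < port < 65536:
        return None
    return host.decode("ascii", "replace").strip("[]"), port


def destination_allowed(host: str, port: int, allowed_ports=(443,)) -> bool:
    """Policy check: refuse tunnels to non-TLS ports and to private, loopback or
    link-local addresses, so the proxy cannot be used to reach machines inside
    the firewall. Assumption: only literal IPs are checked here; hostnames pass
    and must be resolved and re-checked by the caller."""
    if port not in allowed_ports:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname: resolve every address and re-run this check
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the tunnel's first bytes form a TLS handshake record carrying a
    ClientHello: record type 0x16, record version 0x03 0x0X, handshake type 0x01.
    Anything else is a sign the tunnel is not carrying SSL/TLS and should be torn down."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04 and first_bytes[5] == 0x01)
```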


Configuring Excelerator to Meet Your CONNECT Method Requirements

As explained in How Excelerator Protects Your Network, Excelerator is configured by default to use the CONNECT method only when necessary and to verify CONNECT method requests to protect your network against security risks.

We recommend you use the default CONNECT method settings whenever possible.

If you have special configuration requirements and are considering a non-default CONNECT method configuration, consider the following points: