Proxy

This scenario shows how to configure service traffic-proxy to intercept and proxy SSL traffic.

../../../_images/proxy.svg

Test Traffic-Proxy Interception

Description

This example demonstrates how to configure the device to intercept and proxy SSL traffic. For this purpose, the service traffic-proxy is bound to the port 3128, where the SSL traffic is being diverted by a traffic policy.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 vif 100 address 192.168.1.1/24
set interfaces ethernet eth0 vif 100 traffic policy in TPROXY
set interfaces ethernet eth1 vif 200 address 10.0.0.1/24
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set traffic selector TCP_TRAFFIC rule 1 protocol tcp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 200 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1
Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.566 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.566/0.566/0.566/0.000 ms

Step 5: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.401 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms

Note

The traffic-proxy server is configured to only intercept WAN traffic if the destination port is one of these values: 80,443,8080,4430; otherwise, traffic should only be forwarded. We can execute the command service traffic-proxy TRAFFIC_PROXY show stats to check that stats remain at 0.

Step 6: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 1234 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 1234 ssl source-port 1234

Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output matches the following regular expressions:

intercepted\s+0\s+0
Show output
Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted          0      0
error                0      0

Note

Now, traffic will be generated using one of the aforementioned values as the destination port. Stats should be incremented.

Step 8: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234

Step 9: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:

intercepted\s+0\s+0
Show output
Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted         13   1237
error                0      0

Test Traffic-Proxy Interception From Bridged Network

Description

This example demonstrates how to configure the device to intercept traffic coming from multiple bridged interfaces.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces bridge br0 vif 100 address 192.168.1.1/24
set interfaces bridge br0 vif 100 traffic policy in TPROXY
set interfaces bridge br0 vlan 100
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth0 bridge-group vlan 100
set interfaces ethernet eth1 vif 200 address 10.0.0.1/24
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set traffic selector TCP_TRAFFIC rule 1 protocol tcp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 200 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1
Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.766 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.766/0.766/0.766/0.000 ms

Step 5: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.327 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.327/0.327/0.327/0.000 ms

Step 6: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234

Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:

intercepted\s+0\s+0
Show output
Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted         14   1277
error                0      0