topic Https traffic to http in General Topics

Https traffic to http

Venkatesan_radhakrishnan — Tue, 10 Dec 2019 14:43:57 GMT

Hi Guys,

I have a webserver hosted for public access using http. Now I want to know is it possible to NAT traffic entering to palo alto as https from outside to http as inside.

So user will try to connect server using public IP on port 443 their port would get transalated to port 80 and go to internal destination server using destination NAT.

IN Nat rule, I need to specify the public IP with port 443 and destination translation will local IP with port 80 right.

In access rule, I need to all https only to that public IP right.

Will this work?

Regards

Venky

Re: Https traffic to http

fjwcash — Tue, 10 Dec 2019 17:04:09 GMT

Yes, you can do this, but not the way you think. You don't NAT the traffic (well, you do, to translate IPs, but not to convert between HTTP and HTTPS). You proxy it.

You need to configure SSL Decryption on the firewall, using an SSL certificate for the server. That way, incoming HTTPS connections on port 443 are intercepted by the firewall, the SSL connectection is terminated, the packets are decrypted, then forwarded through to the server as normal HTTP.

Re: Https traffic to http

Venkatesan_radhakrishnan — Tue, 10 Dec 2019 17:51:40 GMT

The destination server is webserver only having service http not https. So it’s not possible to ssl inbound inspection I think.

correct me if I’m wrong

Re: Https traffic to http

fjwcash — Tue, 10 Dec 2019 18:17:38 GMT

Oh, wait, you're right, I'm confusing things. The firewall intercepts the SSL traffic from the client and becomes the end-point for the SSL connection, but it also opens an SSL connection to the web server to forward the re-encrypted traffic along to the web server. If the web server doesn't support HTTPS, the the SSL Decryption setup on the firewall wouldn't work.

You'll need to configure an actual proxy server (like Nginx or even Apache) in a reverse proxy setup. That will allow SSL traffic in to the proxy server, and the proxy will use normal HTTP traffic to the actual web server.

But, once that is setup, you could enable SSL Decryption for the traffic going through to the proxy server. 🙂 And get the best of all worlds.

Re: Https traffic to http

Venkatesan_radhakrishnan — Tue, 10 Dec 2019 18:21:58 GMT

this is for traffic coming from outside to inside . How can I make the traffic coming from outside to inside to go as http

Re: Https traffic to http

fjwcash — Tue, 10 Dec 2019 18:32:47 GMT

You install Nginx onto a server. You configure it as a reverse proxy, add all your SSL certificates to it, and configure it to accept incoming SSL connections for servername.mydomain.com (the domain of your actual webserver). Then you configure it to use standard HTTP to connect to your real webserver.

On the firewall, you allow SSL traffic through to the Nginx server. You NAT the public IP of the webserver to the private IP of the Nginx server.

Client connects to https://servername.mydomain.com which sends SSL traffic to the public IP. The firewall NAT's that to the Nginx private IP. Nginx is the end-point for the SSL connection, using the SSL certificates for servername.mydomain.com. Then it opens an HTTP connection to the private IP of the actual webserver. As far as the client knows, it's connected to the webserver using encrypted HTTPS. As far as the webserver knows, it's connected to the client using plain HTTP. And everyone is happy and gets the data they want. 🙂

Re: Https traffic to http

Venkatesan_radhakrishnan — Tue, 10 Dec 2019 18:37:36 GMT

I can install nginix in same web server or I need to setup different server for Nginx

Re: Https traffic to http

Mick_Ball — Wed, 11 Dec 2019 12:54:39 GMT

as per @fjwcash

we use Apache on CentOS-7 to reverse proxy HTTPS to HTTP.

we have the reverse proxy on a seperate server in a DMZ, this prevents direct access to our web servers on the private network.

this can also be achieved on some load balancers.