I have a webserver hosted for public access using HTTP. Now I want to know: is it possible to NAT traffic entering the Palo Alto as HTTPS from outside to HTTP on the inside?
So the user will try to connect to the server using the public IP on port 443; their port would get translated to port 80 and go to the internal destination server using destination NAT.
In the NAT rule, I need to specify the public IP with port 443, and the destination translation will be the local IP with port 80, right?
In the access rule, I need to allow HTTPS only to that public IP, right?
Will this work?
Yes, you can do this, but not the way you think. You don't NAT the traffic (well, you do, to translate IPs, but not to convert between HTTP and HTTPS). You proxy it.
You need to configure SSL Decryption on the firewall, using an SSL certificate for the server. That way, incoming HTTPS connections on port 443 are intercepted by the firewall, the SSL connection is terminated, the packets are decrypted, then forwarded through to the server as normal HTTP.
The destination server is a webserver only having the service HTTP, not HTTPS. So it's not possible to do SSL inbound inspection, I think.
Correct me if I'm wrong.
Oh, wait, you're right, I'm confusing things. The firewall intercepts the SSL traffic from the client and becomes the end-point for the SSL connection, but it also opens an SSL connection to the web server to forward the re-encrypted traffic along to the web server. If the web server doesn't support HTTPS, the SSL Decryption setup on the firewall wouldn't work.
You'll need to configure an actual proxy server (like Nginx or even Apache) in a reverse proxy setup. That will allow SSL traffic in to the proxy server, and the proxy will use normal HTTP traffic to the actual web server.
But, once that is set up, you could enable SSL Decryption for the traffic going through to the proxy server.
You install Nginx onto a server. You configure it as a reverse proxy, add all your SSL certificates to it, and configure it to accept incoming SSL connections for servername.mydomain.com (the domain of your actual webserver). Then you configure it to use standard HTTP to connect to your real webserver.
On the firewall, you allow SSL traffic through to the Nginx server. You NAT the public IP of the webserver to the private IP of the Nginx server.
The client connects to https://servername.mydomain.com, which sends SSL traffic to the public IP. The firewall NATs that to the Nginx private IP. Nginx is the end-point for the SSL connection, using the SSL certificates for servername.mydomain.com. Then it opens an HTTP connection to the private IP of the actual webserver. As far as the client knows, it's connected to the webserver using encrypted HTTPS. As far as the webserver knows, it's connected to the client using plain HTTP. And everyone is happy and gets the data they want.
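The Nginx side of the setup described above, as an added example that is not from the original reply: TLS is terminated on the proxy and plain HTTP is sent to the internal webserver. The certificate paths and the backend address 10.0.0.10 are assumptions for illustration.

```nginx
# Added example: Nginx reverse proxy terminating TLS on 443 and
# forwarding plain HTTP to an internal web server.
# Certificate paths and the backend address are assumed values.

# Send any plain-HTTP request for the public name to HTTPS,
# so the only unencrypted hop is proxy -> backend on the private network.
server {
    listen 80;
    server_name servername.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name servername.mydomain.com;

    # Certificate and key issued for servername.mydomain.com (paths assumed)
    ssl_certificate     /etc/nginx/certs/servername.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/certs/servername.mydomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Real webserver on the private network, HTTP only (address assumed)
        proxy_pass http://10.0.0.10:80;

        # Pass the original host and client address so the backend's
        # logs and any redirects still reflect the real client and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The firewall's NAT rule then maps the public IP on 443 to the Nginx host's private IP on 443, and the security policy allows only that service to the Nginx host; the backend on port 80 is reached only from the proxy.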
As per @fjwcash:
We use Apache on CentOS-7 to reverse proxy HTTPS to HTTP.
We have the reverse proxy on a separate server in a DMZ; this prevents direct access to our web servers on the private network.
This can also be achieved on some load balancers.