Https traffic to http

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Https traffic to http

Hi Guys,

 

I have a webserver hosted for public access using http. Now I want to know is it possible to NAT traffic entering to palo alto as https from outside to http as inside.

 

So user will try to connect server using public IP on port 443 their port would get transalated to port 80 and go to internal destination server using destination NAT.

 

IN Nat rule, I need to specify the public IP with port 443 and destination translation will local IP with port 80 right.

 

In access rule, I need to all https only to that public IP right.

 

Will this work?

 

Regards

Venky

 

 

7 REPLIES 7

L4 Transporter

Yes, you can do this, but not the way you think.  You don't NAT the traffic (well, you do, to translate IPs, but not to convert between HTTP and HTTPS).  You proxy it.

 

You need to configure SSL Decryption on the firewall, using an SSL certificate for the server.  That way, incoming HTTPS connections on port 443 are intercepted by the firewall, the SSL connectection is terminated, the packets are decrypted, then forwarded through to the server as normal HTTP.

The destination server is webserver only having service http not https. So it’s not possible to ssl inbound inspection I think.

 

correct me if I’m wrong

 

 

Oh, wait, you're right, I'm confusing things.  The firewall intercepts the SSL traffic from the client and becomes the end-point for the SSL connection, but it also opens an SSL connection to the web server to forward the re-encrypted traffic along to the web server.  If the web server doesn't support HTTPS, the the SSL Decryption setup on the firewall wouldn't work.

 

You'll need to configure an actual proxy server (like Nginx or even Apache) in a reverse proxy setup.  That will allow SSL traffic in to the proxy server, and the proxy will use normal HTTP traffic to the actual web server.

 

But, once that is setup, you could enable SSL Decryption for the traffic going through to the proxy server.  🙂  And get the best of all worlds.

this is for traffic coming from outside to inside . How can I make the traffic coming from outside to inside to go as http

 

 

You install Nginx onto a server.  You configure it as a reverse proxy, add all your SSL certificates to it, and configure it to accept incoming SSL connections for servername.mydomain.com (the domain of your actual webserver).  Then you configure it to use standard HTTP to connect to your real webserver.

 

On the firewall, you allow SSL traffic through to the Nginx server.  You NAT the public IP of the webserver to the private IP of the Nginx server.

 

Client connects to https://servername.mydomain.com which sends SSL traffic to the public IP.  The firewall NAT's that to the Nginx private IP.  Nginx is the end-point for the SSL connection, using the SSL certificates for servername.mydomain.com.  Then it opens an HTTP connection to the private IP of the actual webserver.  As far as the client knows, it's connected to the webserver using encrypted HTTPS.  As far as the webserver knows, it's connected to the client using plain HTTP.  And everyone is happy and gets the data they want.  🙂

I can install nginix in same web server or I need to setup different server for Nginx 

as per @fjwcash 

 

we use Apache on CentOS-7 to reverse proxy HTTPS to HTTP.

 

we have the reverse proxy on a seperate server in a DMZ, this prevents direct access to our web servers on the private network.

this can also be achieved on some load balancers. 

 

 

  • 9301 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!