IBM Security Verify

  • 1.  Configuring an outbound HTTP Proxy and its exceptions

    IBM Champion
    Posted Fri November 20, 2020 04:12 AM
    Hello all,
    We are giving internet access to our ISAMs so we can make use of OCSP endpoints as well as OIDC metadata/JWKS endpoints.

    For that we are configuring an outgoing Http Proxy via the "Runtime parameters" HTTP(S) PROXY attributes.
    We also added an exception list in the "Advanced Tuning parameters" with the following value: -Dhttp.nonProxyHosts="*.myinternal.domain.lu|*.mydomain.lu|*.myotherdomain.post.lu|localhost^|127.0.0.1^"

    It seems the calls to DSess ignore this configuration, because we are encountering the following calls every 30 seconds at our internet proxy:
    - "http://127.0.0.1:2026/DSess/services/DSess" with user agent "Apache CXF 2.6.2"


    Does anyone have any idea on what is wrong in our configuration? Has someone configured an outgoing http proxy and run into similar issues?


    Thank you


    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Configuring an outbound HTTP Proxy and its exceptions

    Posted Fri November 20, 2020 06:56 AM
    Hi André,

    You probably know this area better than me but I'm intrigued by the use of ^ in your patterns (especially since it's related to the 127.0.0.1 address you're having trouble with). I can't find any indication of what this symbol does.

    Also, do you have other Java components communicating successfully with 127.0.0.1 (or localhost) without using the proxy? It's a bit odd because I thought that by default Java always bypassed the proxy for localhost and 127.0.0.1.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Configuring an outbound HTTP Proxy and its exceptions

    IBM Champion
    Posted Fri November 20, 2020 08:25 AM
    Hi Jon,

    As a matter of fact, while investigating on this java option, I found some posts that used the "127.0.0.1^" notation (regex style), so I also tested it. The same behavior is observed from the calls to DSess either with or without the ^.

    But while writing this answer, I thought of one additional possibility to test, even if it doesn't make sense: adding the port (127.0.0.1:2026).
    And surprise: no more requests to 127.0.0.1 going through our internet proxy.

    I then replaced the entry 127.0.0.1:2026 by 127.0.0.1*, and the behavior is still correct.


    So for anyone wanting to configure an http(s) outgoing proxy, pay attention to the syntax used for the exceptions and do not forget to add "localhost*" and "127.0.0.1*" to cover all the loopback cases.


    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: Configuring an outbound HTTP Proxy and its exceptions

    IBM Champion
    Posted Fri November 20, 2020 08:34 AM
    Unfortunately it was a false victory :(

    For some reason ISAM stopped sending that particular request to the DSess during 20 minutes. It just started again, and the traffic still goes through our internet proxy.
    I'm going to test additional combinations for the "exception" option to try to find one that will keep all requests to 127.0.0.1 local to ISAM.

    ------------------------------
    André Leruitte
    ------------------------------



  • 5.  RE: Configuring an outbound HTTP Proxy and its exceptions

    IBM Champion
    Posted Fri November 20, 2020 09:39 AM
    It seems that the "exception" option now has the correct format:
    -Dhttp.nonProxyHosts="*.mydomain.xyz.lu|*.xyz.lu|*.xyz.post.lu|localhost^|127.0.0.1*|127.0.0.1:2026"

    For the last 60 minutes, no 127.0.0.1 request from ISAM was sent through the internet proxy. We will continue monitoring in the next days to make sure no unwanted request is sent through the internet proxy.

    ------------------------------
    André Leruitte
    ------------------------------
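The exception lists discussed in posts 1, 3 and 5 are evaluated by the JDK's default ProxySelector, and that selector can be queried directly, which makes it possible to check an http.nonProxyHosts value offline before putting it on an appliance. The following program is an added example and is not code from the thread, from ISAM or from IBM; the proxy host name, the proxy port and the target URLs are constructed placeholders. It sets the proxy system properties the same way the "Runtime parameters" and "Advanced Tuning parameters" do and asks the selector which route it would choose for each URL.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

public class NonProxyHostsCheck {

    // Ask the JDK's default ProxySelector how it would route this URL under the
    // http.proxyHost / http.proxyPort / http.nonProxyHosts properties currently set.
    static String route(String url) {
        List<Proxy> proxies = ProxySelector.getDefault().select(URI.create(url));
        Proxy p = proxies.get(0);
        return p.type() == Proxy.Type.DIRECT ? "DIRECT" : p.type() + " via " + p.address();
    }

    public static void main(String[] args) {
        // Placeholder proxy endpoint (constructed for this example, not a real host).
        System.setProperty("http.proxyHost", "proxy.example.internal");
        System.setProperty("http.proxyPort", "3128");

        // Candidate exception lists, modelled on the ones in the thread.
        String[] exceptionLists = {
            // the ^ form from the first post
            "*.myinternal.domain.lu|localhost^|127.0.0.1^",
            // the trailing-wildcard form from the final post
            "*.myinternal.domain.lu|localhost*|127.0.0.1*|127.0.0.1:2026",
        };

        // Constructed target URLs: the DSess call seen in the proxy log, a local
        // HTTPS port, an internal host and an external OCSP responder.
        String[] targets = {
            "http://127.0.0.1:2026/DSess/services/DSess",
            "https://localhost:9443/",
            "http://sp.myinternal.domain.lu/",
            "http://ocsp.example.com/",
        };

        for (String list : exceptionLists) {
            // DefaultProxySelector re-reads the property on every select() call,
            // so the list can be switched without restarting the JVM.
            System.setProperty("http.nonProxyHosts", list);
            System.out.println("http.nonProxyHosts=" + list);
            for (String t : targets) {
                System.out.printf("  %-46s -> %s%n", t, route(t));
            }
        }
    }
}
```

Two properties of the JDK matcher are worth keeping in mind when reading the output. First, a `*` is treated as a wildcard only at the start or end of an entry; every other character, including `^`, is compared literally, so an entry such as `127.0.0.1^` can only match a host literally named that way. Second, only the host part of the URI is compared, never the port, which is why a trailing wildcard (`127.0.0.1*`) or a plain `127.0.0.1` entry is the reliable way to keep loopback traffic direct. Setting http.nonProxyHosts explicitly also replaces the JDK's built-in default list (which already covers localhost and 127.*), so a custom list must carry those entries itself. A JDK-level check like this does not cover a library that reads its own proxy settings instead of consulting the ProxySelector; if such traffic still reaches the proxy, that component's own configuration is the next place to look.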