The Forum Sentry API Gateway is often used as a secure replacement for Apache reverse proxies.
Sentry administrators may already be familiar with building policies for Web Services traffic (SOAP, XML, REST, JSON, etc..) but encounter some issues when trying to pass web browser traffic through Sentry.
I. Content Policies and Message Type Filters - Use an HTML Policy for Web Browser Based Traffic
There are different Content Policies in Sentry designed to handle different types of traffic. For instance, XML policies are built for XML traffic, REST policies for RESTful web services, and HTML policies for HTML or other web browser based traffic.
Technically any supported data types can be passed through any of the Content Policies. So for example, you can pass HTML traffic over an XML policy. However, each Content Policy has default configuration options for specific types of data and message flows. Specifically, each Content Policy has unique Message Type Filters enabled (associated to the virtual directory) which specify the Content-Type and HTTP Methods expected for each type of traffic flow. If data hits a virtual directory and the wrong Content-Type or Method is used, no Message Type Filter will be matched an a default IDP rule will trigger and block the message.
With web browser traffic, there may be multiple Content-Types and HTTP methods in use and the filtering of these may not be important. Therefore the Message Type filters for HTML policies are more open. Contrast this to a WSDL policy, where the HTTP method should always be a POST and the Content-Types are known entities.
If you see the Invalid HTTP Message failure, see: FAQ: Triggering the "Invalid HTTP Message" IDP Rule in Forum Sentry -https://helpdesk.forumsys.com/entries/39885696
II. Configuring the Virtual Directories for the HTML Policy - Using a root directory and modifying the Filter Expression
Note that when Sentry is simply acting as an HTTP proxy for browser based traffic, there are often many more requests/responses (transactions) than with web service calls. All of the calls for images, and other files needed by the browser to render the page correctly are potentially Sentry transactions.
If all of these requests and responses will go through Sentry they need to be explicitly allowed. These many request messages may use different URIs, specifically different paths. Therefore using a root virtual directory with just / for the virtual path will process all requests that come into a directory that are not explicitly defined.
In many form post / cookie based SSO use cases, there may be multiple virtual directories in a single HTML policy. For example:
/login/login.html - a public directory used to proxy the browser request to the login page behind Sentry
/login - where the form post credentials are submitted to and consumed by Sentry, which then generates a cookie, then redirects to /
/ - the root directory that is requiring a cookie authentication then proxying all requests to the remote web servers. If auth fails, redirect to /login/login.html
/ logout - where the cookie can be logged out and the session terminated
In addition to the path, the characters allowed at the end of the URL are also filtered by default with Sentry policies. This is the Filter Expression field on the virtual directory page and you may need to adjust the from the default of (/.*)? to just .* which is a wild card. Leave the Replace Expression as $0 if you want Sentry to keep all characters that the browser sends in the URL.
III. Redirects - Ensuring traffic is not bypassing Sentry
Many times the back-end web servers will issue redirects which could force the browser to bypass Sentry. If the use case calls for ALL traffic to be processed by Sentry, the redirects that are returned to the browser must redirect the browser to a Sentry policy.
Additionally, if the taffic between Sentry and the remote server is HTTP, the location header set by the server may list an HTTP endpoint. However, the Sentry listener may be using HTTPS.
If the redirects set by the web server do not redirect to a valid Sentry virtual directory, there are 2 options.
Option 1: Configure Sentry to modify the Location Header set by the web server with a Task List.
Option 2: Reconfigure the web server to use the correct host name in the Location Header returned with the redirect
For option 1 see: https://helpdesk.forumsys.com/entries/80539993-How-To-Modify-the-HTTP-Location-Header-on-Redirect-Issued-by-Remote-Server
IV. SSL Policies and Security - A Primary Benefit of using Sentry for Browser Based Traffic
Forum Sentry does not use OpenSSL and therefore is not vulnerable to the many and widespread OpenSSL vulnerabilities such as Heartbleed. Many Sentry customers have replaced older unsecured Apache reverse proxies with Sentry. Forum Systems always recommends doing SSL Termination at Sentry rather than at the upstream load balancer. Many popular load balancers use OpenSSL are impacted by all known and future OpenSSL vulnerabilities.
The SSL policies in Sentry can be configured with or without client/server cert validation, with or without cert mapping to a user. You can also control which versions of TLS / SSL protocol to be used and which cipher suites are allowed.
SSL Policies are associated to the Network Policies. SSL Termination to HTTP Listener policies, and SSL Initiation to HTTP Remote policies.
At the layer 7 level, Sentry can protect against many other types of attacks. WAF rules are built for the OWASP top ten vulnerabilities and are used to protect against things like SQL injections and cross site scripting attacks. Sentry task lists can do query parameter filtering. URL rewriting, custom HTTP header processing, full pattern matching on request and response documents, target or general AV scanning, attachment processing or stripping, and much more.
To seamlessly redirect browser requests that come in via HTTP to HTTP, see:
V. Authentication Options - Sentry enables Single Sign-On for Browser Based Traffic Flows
In addition to securely proxying the browser based traffic, Sentry can be used to enable SSO through a variety of technologies. While there are many options for this, the most common for browser based traffic are:
- Form Post Authentication with FSSESSION Cookies
- OAuth 2.0
- SAML SSO Web Browser Profile
VI. Load Balancing - Routing Considerations for Browser Based Traffic Flows
Most Sentry deployments consist of multiple active instances where the load balancer routes the traffic to based on a specific load balancing strategy (ie: failover, round robin, etc.).
When there are multiple remote web servers behind Sentry, the Group Remote Policies in Sentry allow for load balancing to these servers. There are a variety of load balancing strategies available as well as the ability to set server affinity (stickiness).
Sentry also supports content based routing, so that a specific request can be routed to a specific server based on variety of criteria.. including the client IP, a header value, a query parameter value, a user attribute, etc.
VII. Using the Same HTTP/S Listener with Multiple Virtual Directories
The use case may call for securing multiple web sites using the same IP:Port combination (HTTP/S Listener Policy) with Forum Sentry. The HTTP/S Listener policies can be reused across multiple virtual directories, with the caveat that each virtual directory has some unique criteria. When Sentry receives a request it has to match the request to a defined virtual directory. If it cannot match, it will issue the "Server Error 404 The requested virtual directory was not found" error.
Sentry uses 3 criteria to match the incoming request URL to a virtual directory. One of these 3 has to be unique for each virtual directory:
Using the Request URL below as an example:
- Protocol://IP_Address:Port combination - the HTTP/S Listener. In the example above this is https://192.168.82.24:443.
- Virtual Path - everything following the Port number in the URL. In the example above, this is /login.
- Incoming Host Header - set by the client using the value of the hostname, DNS name, or IP entered to access the Sentry virtual directory. In the example above, this is 192.168.82.28.
When you want to have multiple virtual directories using the same IP:Port/VirtualPath, use the Virtual Host option on the virtual directory, specifying what the incoming Host header value will be. Sentry will now use this 3rd criteria to match the Request URL to the virtual directory. Note that the Sentry log at DEBUG level will show the full Request URL and which virtual directory it was matched to.
VIII. Summary - Essentials for Passing Browser Based Traffic through Sentry
- Use an HTML policy for browser based traffic flows
- Create the appropriate virtual directories correctly for the traffic flow and modify the Filter Expression on each
- Ensure that redirects don't allow the browsers to bypass Sentry
- Use SSL and other Sentry features for security
- Enable SSO with Sentry
- Use Sentry load balancing and dynamic routing options with multiple back-end web servers
- Use the Virtual Host option on the virtual directory to allow for using the same HTTP/S listener policy for multiple sites
If you have any questions or need assistance with configuration please open a new Helpdesk ticket here.