How to allow or deny HTTPS requests based on the Server Certificate hostname or the domain name

Article ID: 165956


Products

ProxySG Software - SGOS

Issue/Introduction

Without SSL interception, existing Web Access policy rules cannot be applied to HTTPS requests because the transactions are encrypted and tunneled, so the appliance never sees the requested URL.

Resolution

For HTTPS requests that are not SSL intercepted, the ProxySG appliance cannot test URLs against Web Access policy rules because the transactions are encrypted and tunneled: the appliance never sees the requested URL or any other HTTP request header.

However, the server's SSL certificate is exchanged during the TLS handshake, so its hostname is visible to the appliance even without interception, and you can Allow or Deny the HTTPS request based on it. This depends on the server sending its certificate in the clear, which is the case up to TLS 1.2; in TLS 1.3 the server certificate is sent encrypted, so a tunneled TLS 1.3 connection does not expose it to the appliance.

Visual Policy Manager Rule Configuration

  1. Add a new rule in a SSL Access Layer.
  2. Right-click on Destination > Set > New > Server Certificate > and enter the hostname in the Hostname field.
  3. Select the matching option (for example, Exact Match, Domain, or Contains) > OK > OK.
  4. Right-click and select:  Action > Set > select Allow or Deny > OK.
  5. Install policy.

Content Policy Language

If you want to use CPL instead of the VPM, use the following CPL as a starting point, develop your own rule, and add it to your local policy file or to a VPM CPL layer. Rules within a layer are evaluated in order and the first rule that matches is applied, so put the most specific rules first. Each of the three lines below is a separate example of one match option:

<SSL>
server.certificate.hostname.exact="www.example.com" ALLOW   ; Exact Match: the whole certificate hostname
server.certificate.hostname=".example.com" DENY             ; Domain: example.com and the hosts under it
server.certificate.hostname.substring="example.com" ALLOW   ; Contains: the string anywhere in the hostname (also matches notexample.com)
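To make the difference between the three match options and the first-match rule ordering concrete, here is an added Python model that applies the layer above to a few constructed certificate hostnames. It is not ProxySG or SGOS code: it assumes the match semantics described above (exact match of the whole hostname, domain match of the domain and the hosts under it, substring match anywhere) and case-insensitive hostname comparison, and its DENY default is an assumption standing in for the appliance's configured default policy.

```python
"""Model of the three server-certificate hostname match options and of
first-match rule evaluation within one CPL layer.

Added illustration only: this is not ProxySG/SGOS code. It assumes the match
semantics described in the article (exact, domain, substring) and compares
hostnames case-insensitively, as DNS names are.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def match_exact(pattern: str, host: str) -> bool:
    """server.certificate.hostname.exact= (VPM "Exact Match")."""
    return host.lower() == pattern.lower()


def match_domain(pattern: str, host: str) -> bool:
    """server.certificate.hostname= (VPM "Domain"): the domain itself or any
    host under it. A leading dot in the pattern, as in ".example.com", is
    accepted and ignored (assumption of this model)."""
    domain = pattern.lower().lstrip(".")
    h = host.lower()
    return h == domain or h.endswith("." + domain)


def match_substring(pattern: str, host: str) -> bool:
    """server.certificate.hostname.substring= (VPM "Contains")."""
    return pattern.lower() in host.lower()


@dataclass(frozen=True)
class Rule:
    matcher: Callable[[str, str], bool]
    pattern: str
    action: str  # "ALLOW" or "DENY"


# The same three rules as the <SSL> layer in the article, in the same order.
EXAMPLE_LAYER: List[Rule] = [
    Rule(match_exact, "www.example.com", "ALLOW"),
    Rule(match_domain, ".example.com", "DENY"),
    Rule(match_substring, "example.com", "ALLOW"),
]


def evaluate(layer: List[Rule], cert_hostname: str,
             default: str = "DENY") -> Tuple[str, Optional[Rule]]:
    """The first matching rule in the layer wins; otherwise the default applies.
    (DENY is this model's assumption; the appliance applies its own configured
    default policy.)"""
    for rule in layer:
        if rule.matcher(rule.pattern, cert_hostname):
            return rule.action, rule
    return default, None


def decide(cert_hostname: str) -> str:
    """Return only the action the example layer produces for a hostname."""
    action, _ = evaluate(EXAMPLE_LAYER, cert_hostname)
    return action


# Constructed certificate hostnames, chosen to exercise each rule and to show
# how a "Contains" ALLOW over-matches hostnames that merely embed the string.
SAMPLE_CERT_HOSTNAMES = [
    "www.example.com",            # exact -> ALLOW
    "mail.example.com",           # domain -> DENY
    "notexample.com",             # only substring matches -> ALLOW (over-match)
    "example.com.attacker.test",  # only substring matches -> ALLOW (over-match)
    "unrelated.test",             # nothing matches -> default DENY
]

if __name__ == "__main__":
    for host in SAMPLE_CERT_HOSTNAMES:
        action, rule = evaluate(EXAMPLE_LAYER, host)
        via = f"{rule.matcher.__name__}({rule.pattern!r})" if rule else "default"
        print(f"{host:28} {action:5} via {via}")
```

The two over-matches are the point to take away: a server presenting a certificate for example.com.attacker.test is allowed by the Contains rule even though it has nothing to do with example.com. Use Exact Match or Domain for Allow rules and keep Contains for Deny rules or for strings that cannot appear in an unrelated hostname.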

Similarly, you can write a rule based on the content-filtering category of the server certificate hostname (Server Certificate Category).

VPM Rule Configuration

  1. Add a new rule in a SSL Access Layer.
  2. Right-click on Destination > Set > New > Server Certificate Category.
  3. Select and check categories > OK > OK.
  4. Right-click and select:  Action > Set > select Allow or Deny > OK.
  5. Install policy.

CPL

If you want to use CPL instead of the VPM, use the following CPL as a starting point, develop your own rule, and add it to your local policy file or to a VPM CPL layer. Quote category names, which is required when the name contains spaces or punctuation:

<SSL>
server.certificate.hostname.category="Adult/Mature Content" DENY   ; deny if the certificate hostname is categorized as Adult/Mature Content
server.certificate.hostname.category="Education" ALLOW             ; allow if the certificate hostname is categorized as Education