HTTPS request being allowed/denied incorrectly after implementing SSL Intercept in Explicit Proxy Deployment

book

Article ID: 166541

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

In Explicit Proxy Deployment with SSL Intercept implemented, HTTPS request is not matching the policy rule with conditions that should be matched; for example, the following rules are configured to match request "https://ssl.gstatic.com/gb/images/b_8d5afc09.png":

define condition gstatic
url.host=ssl.gstatic.com url.path.exact=/gb/images/b_8d5afc09.png
end

<ssl-intercept>
ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(SSLCertificate)

<Proxy>
ALLOW condition=gstatic

<Proxy>
client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)


The request would be denied and the policy trace would indicate two things:

1. The HTTPS request would not be evaluated against the Web Access Layer rule that should match the request itself.
2. Trace of the CONNECT request would come AFTER the HTTPS request, which also would not match the rule because the request has not been SSL intercepted yet.

start transaction -------------------
  CPL Evaluation Trace: transaction ID=37002
           <Proxy>
    MATCH:     client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)
  connection: service.name=Explicit HTTP client.address=10.10.10.10 proxy.port=80
  time: 2014-02-08 00:00:01 UTC
  GET https://ssl.gstatic.com/gb/images/b_8d5afc09.png
  user: unauthenticated
  DENIED: Default secure policy mode
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65

stop transaction --------------------
start transaction -------------------
  CPL Evaluation Trace: transaction ID=37000
           <Proxy>
    miss :     condition=gstatic
           <Proxy>
    MATCH:     client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)
  connection: service.name=Explicit HTTP client.address=10.10.10.10 proxy.port=80
  time: 2014-02-08 00:00:00 UTC
  CONNECT tcp://ssl.gstatic.com:443/
  user: unauthenticated
  DENIED: Default secure policy mode
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65

stop transaction --------------------

Resolution

In Explicit deployement of ProxySG, the HTTP CONNECT request is send to ProxySG before SSL Interception, that is before the ProxySG can see the HTTP payload. Therefor the ProxySG cannot perform access control base on the content. To work around this, the customer can add policy rule to allow only the CONNECT request in a layer separate from the existing layers of rules to ensure its execution. Below is a sample policy.

define condition gstatic
url.host=ssl.gstatic.com url.path.exact=/gb/images/b_8d5afc09.png
end

define condition CONNECT
http.method=CONNECT
end

<ssl-intercept>
ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(SSLCertificate)

<Proxy>
ALLOW condition=gstatic

<Proxy>
ALLOW http.method=CONNECT

<Proxy>
client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)


now the HTTPS request would match the specific rule's condition:

start transaction -------------------
  CPL Evaluation Trace: transaction ID=37381
           <Proxy>
    miss :     condition=Google_HTTP
    miss :     condition=gstatic
           <Proxy>
    MATCH:     ALLOW http.method=CONNECT
           <Proxy>
    MATCH:     client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)
  connection: service.name=Explicit HTTP client.address=10.10.10.10 proxy.port=80
  time: 2014-02-08 00:10:00 UTC
  CONNECT tcp://ssl.gstatic.com:443/
  user: unauthenticated
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65

stop transaction --------------------
start transaction -------------------
  CPL Evaluation Trace: transaction ID=37383
           <Proxy>
    miss :     condition=Google_HTTP
    MATCH:     ALLOW condition=gstatic
           <Proxy>
    miss :     http.method=CONNECT
           <Proxy>
    MATCH:     client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)
  connection: service.name=Explicit HTTP client.address=10.10.10.10 proxy.port=80
  time: 2014-02-08 00:10:00 UTC
  GET https://ssl.gstatic.com/gb/images/b_8d5afc09.png
  user: unauthenticated
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65

stop transaction --------------------


in addition, request that doesn't have the specific HTTP content would not be matched:

start transaction -------------------
  CPL Evaluation Trace: transaction ID=37384
           <Proxy>
    miss :     condition=Google_HTTP
    miss :     condition=gstatic
           <Proxy>
    miss :     http.method=CONNECT
           <Proxy>
    MATCH:     client.address=10.10.10.10 trace.request(yes) trace.rules(all) trace.destination(Trace)
  connection: service.name=Explicit HTTP client.address=10.10.10.10 proxy.port=80
  time: 2014-02-08 00:10:01 UTC
  GET https://ssl.gstatic.com/favicon.ico
  user: unauthenticated
  DENIED: Default secure policy mode
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65

stop transaction --------------------


customer may choose to enforce the rule to allow CONNECT method by specifying domains as destination condition if needed.