Why is only HTTP in your logs when the ProxySG intercepts the calls and changes them to HTTPS?

Article ID: 167591

Products

Reporter

Issue/Introduction

Why do I only see HTTP recorded in my logs when the Blue Coat ProxySG intercepts the calls and changes them to HTTPS?
Are HTTP redirects to HTTPS sites in the access log?
You want to know why you only see HTTP in your logs when the ProxySG intercepts the calls and changes them to HTTPS.

Resolution

When the HTTP Proxy application on the SG appliance receives an HTTP CONNECT, it runs protocol detection on the request (if enabled) to see whether the CONNECT request contains SSL traffic. If it does, the HTTP proxy hands the connection off to the SSL Proxy. At that point the HTTP proxy's job is done, so it records TCP in the access log. That entry is correct at that point, because the HTTP proxy only knew about the TCP characteristics of the request. Once the request has been handed to the SSL Proxy application on the SG appliance, one of two things can happen:

  • If a policy tells it to tunnel this connection, the SSL proxy will use the URL scheme ssl://
  • If a policy tells it to intercept this request, the URL scheme will be https://

Once the SSL proxy is done with the request, it logs it to the SSL access log. If you feed the SSL access log to Reporter, you will see a better classification of that traffic: SSL when it was tunneled by the SSL Proxy, or HTTPS when it was intercepted by the SSL Proxy.
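
The following is an added example, not part of the original article or of any Blue Coat tooling: it pairs each TCP entry in a main access log with the matching SSL access log entry to show whether the connection was tunneled or intercepted. The log lines are constructed, the field list is an illustrative subset of ELFF fields, and pairing entries by client, host and port is an assumption made for this sample.

```python
import csv

# How the article above says each URL scheme should be read.
SCHEME_MEANING = {
    "tcp": "CONNECT handed off by the HTTP proxy",
    "ssl": "tunneled by the SSL proxy",
    "https": "intercepted by the SSL proxy",
}

# Constructed samples: the field subset and every value are illustrative.
FIELDS = "#Fields: date time c-ip cs-method cs-uri-scheme cs-host cs-uri-port cs(User-Agent)\n"
MAIN_LOG = FIELDS + (
    '2024-01-01 10:00:00 192.0.2.10 CONNECT tcp bank.example.com 443 "Agent A (constructed)"\n'
    '2024-01-01 10:00:05 192.0.2.11 CONNECT tcp news.example.org 443 "Agent B (constructed)"\n'
    '2024-01-01 10:00:09 192.0.2.11 GET http plain.example.net 80 "Agent B (constructed)"\n'
)
SSL_LOG = FIELDS + (
    '2024-01-01 10:00:00 192.0.2.10 CONNECT ssl bank.example.com 443 "Agent A (constructed)"\n'
    '2024-01-01 10:00:05 192.0.2.11 GET https news.example.org 443 "Agent B (constructed)"\n'
)

def parse_elff(text):
    """Yield one dict per record, using the #Fields: directive as the header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = next(csv.reader([line], delimiter=" ", quotechar='"'))
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def flow_key(rec):
    # Assumption: client, host and port are enough to pair entries in this sample.
    return rec["c-ip"], rec["cs-host"], rec["cs-uri-port"]

def resolve_tcp_entries(main_text, ssl_text):
    """Map each 'tcp' entry in the main log to what the SSL log says about it."""
    ssl_view = {flow_key(r): r["cs-uri-scheme"].lower() for r in parse_elff(ssl_text)}
    resolved = {}
    for rec in parse_elff(main_text):
        if rec["cs-uri-scheme"].lower() == "tcp":
            scheme = ssl_view.get(flow_key(rec))
            resolved[rec["cs-host"]] = SCHEME_MEANING.get(scheme, "no SSL log entry found")
    return resolved

if __name__ == "__main__":
    for host, meaning in resolve_tcp_entries(MAIN_LOG, SSL_LOG).items():
        print(f"{host}: {meaning}")
```

Hosts reported as tunneled were not decrypted by the appliance, so the SSL access log is the only place that distinction shows up.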

There are three types of optimized log formats for Reporter.

  • bcreportermain_v1, for general HTTP traffic.
  • bcreporterssl_v1, for HTTPS traffic.
  • bcreportercifs_v1, for CIFS traffic.

Blue Coat recommends you upload all log formats and create profiles for each.