How to allow HTTPS-only sites while denying HTTP sites in explicit mode

Article ID: 168292

Products

ProxySG Software - SGOS

Issue/Introduction

In explicit mode, all traffic from the client to the ProxySG appliance initially arrives as HTTP on port 80 or 8080. When an HTTPS website is accessed, the initial CONNECT request arrives as HTTP, and only then is the HTTPS request made through the resulting tunnel. For example, launching a browser with the home page set to https://www.google.ca produces the following messages (the first is HTTP; the second is HTTPS):

CONNECT tcp://www.google.ca:443/     
GET https://www.google.ca/favicon.ico   

If the appliance has a default policy of deny but allows HTTPS traffic in the Visual Policy Manager (Rule > Service = All HTTPS, Same Rule > Action = Allow), and assuming there are no other rules to allow HTTP traffic, the HTTPS GET is allowed but the HTTP CONNECT is denied. Overall, the connection is denied and an exception page is displayed saying Policy Denied. The only way to remedy this may be to allow HTTP by adding a new layer with a rule to do so (New Layer > Rule > Service = All HTTP, Action = Allow), but then you cannot allow HTTPS sites while denying HTTP sites, since in explicit mode every HTTPS site has an HTTP element in it. If you deny access to HTTP, then HTTPS is denied as well because it involves HTTP elements.

In transparent mode, this may be easier: when the client accesses an HTTPS website, the traffic arrives at the proxy as HTTPS on port 443, and there may be no HTTP traffic involved at all. In explicit mode, HTTP traffic is always involved.

Resolution

Look at the destination ports in policy.

If an attempt to access an HTTPS website is made by the client, even though it may have HTTP elements in it in the beginning, these HTTP elements will request a connection on port 443, as in the previous example:

CONNECT tcp://www.google.ca:443/     
GET https://www.google.ca/favicon.ico    

If you allow traffic on destination port 443, then the TCP or HTTP CONNECT is allowed, and the HTTPS GET that follows is allowed as well. Overall, the connection is allowed and the HTTPS site can be accessed. If a request comes in for a pure HTTP website, it requests port 80 rather than port 443, and that is denied by the default policy.

Add the following rule in the Visual Policy Manager:

Web Access Layer > Rule > Destination > Destination Host/Port, Port = 443

The content policy language (CPL) is as follows:

<Proxy>
; Allow the CONNECT (and the tunnelled request) addressed to destination port 443;
; requests to any other port, such as plain HTTP on port 80, fall through to the default deny.
ALLOW url.port=443
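To make the difference between the two rules concrete, here is an added Python model (not ProxySG code and not part of the article) that parses the request lines an explicit proxy sees and evaluates them against both the service-based rule and the port-based rule; the request sample, the example.com and intranet.example hosts and the 8443 port are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of the request lines an explicit proxy sees: the page's
# CONNECT/GET pair for an HTTPS site, plus a plain HTTP site and an HTTPS site
# on a non-standard port (both extra hosts are made up).
EXPLICIT_REQUESTS = [
    "CONNECT tcp://www.google.ca:443/",        # tunnel set-up, arrives as HTTP
    "GET https://www.google.ca/favicon.ico",   # request inside the tunnel
    "GET http://example.com/",                 # plain HTTP site (port 80)
    "CONNECT tcp://intranet.example:8443/",    # HTTPS on a non-standard port
]

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_request(line):
    """Return (method, scheme, host, port) for one request line.

    CONNECT targets are shown as tcp://host:port/ in the article; the bare
    host:port form used on the wire is accepted too.
    """
    method, target = line.split(None, 1)
    if method == "CONNECT" and "://" not in target:
        target = "tcp://" + target
    u = urlsplit(target)
    return method, u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme)

def service_policy(req):
    """VPM rule 'Service = All HTTPS -> Allow' with default deny: only the
    tunnelled HTTPS request matches, so the HTTP CONNECT that has to come
    first is denied and the site is unreachable."""
    return "ALLOW" if req[1] == "https" else "DENY"

def port_policy(req):
    """CPL 'ALLOW url.port=443' with default deny: matches on the destination
    port, so the CONNECT to :443 and the request inside the tunnel are both
    allowed, while plain HTTP to port 80 is not."""
    return "ALLOW" if req[3] == 443 else "DENY"

def evaluate(lines, policy):
    """Map each request line to the verdict the given policy returns."""
    return {line: policy(parse_request(line)) for line in lines}

if __name__ == "__main__":
    for name, policy in (("service", service_policy), ("port", port_policy)):
        print(f"{name} policy")
        for line, verdict in evaluate(EXPLICIT_REQUESTS, policy).items():
            print(f"  {verdict:<5} {line}")
```

The last request shows the caveat of the port-based rule: an HTTPS site on a port other than 443 is denied by url.port=443 and needs its own port allowed explicitly.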