Reflect IP doesn't work for HTTPS web sites when protocol detection is enabled
Article ID: 168491
Products
ProxySG Software - SGOS
Issue/Introduction
When protocol detection hands a connection on the explicit HTTP service to the SSL proxy, the SSL proxy makes its upstream connection without evaluating <proxy> policy layers, so a reflect_ip() rule written in a <proxy> layer never applies to that connection. Many policy actions can be moved into an <ssl> layer, but reflect_ip() is not supported there.
Cause
This is a behavioral trait specific to the SSL forward proxy.
Resolution
Workaround
To work around this limitation, you can use a rule in a <forward> layer to perform the IP reflection.
Note: This applies only to explicit forward proxy deployments; it does not apply to the HTTPS reverse proxy or to any other application proxy.
Example: You have a virtual IP address (VIP) 10.105.1.29 and have enabled protocol detection for the explicit HTTP service. For HTTP requests, your policy includes a <proxy> layer rule to reflect the VIP address that appears as follows:
<proxy>
    reflect_ip(10.105.1.29)
As described in the Issue section above, plain HTTP requests match this rule, but an HTTPS request that protocol detection hands to the SSL proxy does not, so its upstream connection is not sourced from the VIP.
To work around this limitation, create a <forward> layer as follows:
<forward>
    reflect_ip(10.105.1.29)
Because <forward> layer policy is evaluated when the proxy makes its upstream connection, including connections made by the SSL proxy, this rule produces the desired result: all traffic, HTTP and HTTPS, is subject to IP reflection.
Troubleshooting: To confirm the behavior, point the browser explicitly at the proxy VIP and browse to an HTTPS site (e.g. https://www.verisign.com). A packet capture taken on the proxy's upstream (server-side) interface will show that the source address of the HTTPS connection is not reflected to the virtual IP until the <forward> layer rule is in place; HTTP connections to port 80 already show the VIP because the <proxy> layer rule matches them.
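The following Python script is an added example, not part of this article and not a ProxySG/SGOS tool. It performs the troubleshooting check above offline: it parses a classic (libpcap) capture of the proxy's upstream side with the standard library only and lists every outbound TCP SYN to port 80 or 443 whose source address is not the VIP. The VIP 10.105.1.29 is taken from the article; the proxy interface address 10.105.1.10, the origin server 198.51.100.10 and the embedded capture itself are constructed for the example.

```python
"""
Offline check for the troubleshooting step above: parse a classic (libpcap) capture
taken on the proxy's upstream side and list outbound TCP SYNs to port 80/443 whose
source address is not the VIP. Standard library only (no scapy, no tshark).
Added example; not a ProxySG/SGOS tool.
"""
import struct
from socket import inet_aton

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # same format written big-endian
DLT_EN10MB = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10

VIP = "10.105.1.29"          # VIP from the article
PROXY_IF = "10.105.1.10"     # assumed (hypothetical) physical interface address of the proxy
SERVER = "198.51.100.10"     # constructed origin server address (TEST-NET-2)


def iter_frames(pcap_bytes):
    """Yield raw Ethernet frames from a classic pcap file (pcapng is not handled)."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", pcap_bytes, 4)[5]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are supported")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        off += 16                              # per-packet record header
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def tcp_syn(frame):
    """Return (src, dst, dport) if the frame is an IPv4 TCP SYN (not SYN/ACK), else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 14:
        return None
    tcp = ip[ihl:]
    dport = struct.unpack_from("!H", tcp, 2)[0]
    flags = tcp[13]
    if flags & TCP_SYN and not flags & TCP_ACK:
        return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), dport)
    return None


def find_unreflected(pcap_bytes, vip=VIP, ports=(80, 443)):
    """Upstream connection attempts to `ports` whose source address is not the VIP."""
    return [s for s in map(tcp_syn, iter_frames(pcap_bytes))
            if s and s[2] in ports and s[0] != vip]


# --- constructed sample capture (not a real PCAP; built here for the example) -----------
def _frame(src, dst, sport, dport, flags=TCP_SYN):
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     inet_aton(src), inet_aton(dst))
    return eth + ip + tcp


def _pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = _pcap([
    _frame(VIP, SERVER, 40001, 80),                          # HTTP: <proxy> rule applied
    _frame(PROXY_IF, SERVER, 40002, 443),                    # HTTPS before the <forward> rule
    _frame(SERVER, PROXY_IF, 443, 40002, TCP_SYN | TCP_ACK), # server reply, ignored
    _frame(VIP, SERVER, 40003, 443),                         # HTTPS after the <forward> rule
])

if __name__ == "__main__":
    for src, dst, dport in find_unreflected(SAMPLE_PCAP):
        print(f"not reflected: {src} -> {dst}:{dport} (expected source {VIP})")
```

Against a real capture, call find_unreflected(open("upstream.pcap", "rb").read()). Port 443 hits while port 80 connections show the VIP is the signature of this article's issue. Capture on the upstream side of the proxy; a capture on the client side shows client addresses and says nothing about reflection.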