Reflect IP doesn't work for HTTPS web sites when protocol detection is enabled


Article ID: 168491




ProxySG Software - SGOS


When the SSL proxy makes an upstream connection, <proxy> policy layers are not evaluated. Although many policy actions can be set in an <ssl> layer, reflect_ip cannot.


This is a behavioral trait specific to the SSL Forward Proxy only.



To work around this limitation, you can use a rule in a <forward> layer to perform the IP reflection. 

Note: This applies only to explicit forward proxy deployments; it does not apply to the HTTPS Reverse Proxy or to any other application proxy.

You have a virtual IP address (VIP) and have enabled protocol detection for the explicit HTTP service. For HTTP requests, your policy includes a <proxy> layer rule to reflect the VIP address that appears as follows:


As mentioned in the overview for this article, while HTTP requests will match the above rule, an SSL request will not.

To work around this limitation, create a forward layer as follows:


This will produce the desired result, and all traffic will be subjected to IP Reflection. 
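The following CPL fragment is an added illustration of the two rules described above; it is not the article's own policy, and the reflect_ip(vip) value and layer placement are assumed from the ProxySG CPL syntax:

```cpl
; Added example, not taken from the article.
; Rule in a <proxy> layer: matched by plain HTTP requests, but not by HTTPS
; requests handled by the SSL Forward Proxy, because <proxy> layers are not
; evaluated when the SSL proxy makes its upstream connection.
<proxy>
    reflect_ip(vip)

; Rule in a <forward> layer: evaluated for the upstream connection of both
; HTTP and intercepted HTTPS traffic, so the source address of every
; upstream connection is reflected as the VIP on which the request arrived.
<forward>
    reflect_ip(vip)
```

To confirm the behaviour, capture the upstream traffic (for example with a PCAP on the server side) before and after installing the <forward> rule: only with the rule in place should the HTTPS connections show the VIP as their source address.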

If you explicitly point the browser to the proxy VIP and then browse to a secure website (e.g., a PCAP will show that the IP is not reflected to the virtual IP until the forward layer rule is in place.