Reflect IP doesn't work for HTTPS web sites when protocol detection is enabled

Article ID: 168491

Products

ProxySG Software - SGOS

Issue/Introduction

For HTTPS traffic, when the SSL proxy makes its upstream connection, <proxy> policy layers are not evaluated. Many policy actions can be performed in an <ssl> layer instead, but reflect_ip is not one of them.

Cause

This is a behavioral trait specific to the SSL Forward Proxy only.

Resolution

Workaround

To work around this limitation, you can use a rule in a <forward> layer to perform the IP reflection. 

Note: This applies only to explicit forward proxy deployments; it does not apply to the HTTPS Reverse proxy or to any other application proxy.


Example:
You have a virtual IP address (VIP) 10.105.1.29 and have enabled protocol detection for the explicit HTTP service. For HTTP requests, your policy includes the following <proxy> layer rule to reflect the VIP address:

<proxy>
reflect_ip(10.105.1.29)


As mentioned in the overview for this article, while HTTP requests will match the above rule, an SSL request will not.

To work around this limitation, create a forward layer as follows:

<forward>
reflect_ip(10.105.1.29)


This produces the desired result: both HTTP and HTTPS traffic are subjected to IP reflection.
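As an added illustration (not part of this article or of SGOS), the following Python script checks a CPL policy for exactly this gap: it parses the <proxy>, <ssl> and <forward> layers and reports a reflect_ip that would not apply to HTTPS. The minimal layer parser and the two constructed policies are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed policies: the <proxy>-only rule from the article, and the same
# policy with the <forward> layer workaround added.
POLICY_BEFORE = "<proxy>\n    reflect_ip(10.105.1.29)\n"
POLICY_AFTER = POLICY_BEFORE + "<forward>\n    reflect_ip(10.105.1.29)\n"

LAYER_RE = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")   # <proxy>, <ssl>, <forward> ...
REFLECT_RE = re.compile(r"\breflect_ip\(\s*([^)\s]+)\s*\)")

def parse_layers(cpl_text):
    """Map layer name -> rule lines. A '<name>' header opens a layer and the
    following non-empty, non-comment lines belong to it; ';' starts a comment.
    Repeated layers of the same name are merged, which suffices here."""
    layers = defaultdict(list)
    current = None
    for raw in cpl_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = LAYER_RE.match(line)
        if header:
            current = header.group(1).lower()
            layers[current]  # register the layer even if it has no rules
        elif current is not None:
            layers[current].append(line)
    return dict(layers)

def reflect_ip_values(rules):
    """Arguments of every reflect_ip(...) property found in the rule lines."""
    return sorted({m.group(1) for rule in rules for m in REFLECT_RE.finditer(rule)})

def check_reflect_ip(cpl_text):
    """Return (https_reflected, findings). <proxy> rules are skipped for SSL
    forward-proxy upstream connections and <ssl> cannot carry reflect_ip, so
    HTTPS is reflected only when a <forward> layer sets it."""
    layers = parse_layers(cpl_text)
    in_proxy = reflect_ip_values(layers.get("proxy", []))
    in_forward = reflect_ip_values(layers.get("forward", []))
    in_ssl = reflect_ip_values(layers.get("ssl", []))
    findings = []
    if in_ssl:
        findings.append("reflect_ip is not supported in <ssl>: " + ", ".join(in_ssl))
    if in_proxy and not in_forward:
        findings.append("reflect_ip(%s) only in <proxy>: HTTPS is not reflected; add "
                        "the same reflect_ip to a <forward> layer" % ", ".join(in_proxy))
    elif in_proxy and in_proxy != in_forward:
        findings.append("<proxy> reflects %s but <forward> reflects %s" % (in_proxy, in_forward))
    return bool(in_forward), findings
```

Running check_reflect_ip on POLICY_BEFORE flags the <proxy>-only rule, while POLICY_AFTER returns no findings.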


Troubleshooting:
If you point the browser explicitly at the proxy VIP and then browse to a secure website (e.g. https://www.verisign.com), a packet capture (PCAP) will show that the source IP of the upstream connection is not reflected to the virtual IP until the <forward> layer rule is in place.