HTTP CONNECT method on the ProxySG appliance changed

Article ID: 168532

Products

Asset Management Solution ProxySG Software - SGOS

Issue/Introduction

In SGOS 6.5.5.x and later, the appliance handles HTTP CONNECT requests on port 80 differently: the proxy now allows them.
Prior to SGOS 6.5.5.x, a CONNECT request to any port other than 443 with detect protocol disabled is denied.

See the following for examples:

CONNECT request behavior on port 80 in SGOS 6.5.4.4:

CONNECT tcp://www.google.de:80/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
EXCEPTION(connect_method_denied): CONNECT to a port other then 443 (the default HTTPS port) are not permitted
url.category: Search Engines/[email protected] Coat


CONNECT request behavior on port 80 in SGOS 6.5.5.7:

connection: service.name=Explicit HTTP client.address=10.167.7.233 proxy.port=8080
time: 2015-02-24 20:04:18 UTC
CONNECT tcp://www.google.de:80/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
url.category: Search Engines/[email protected] Coat
total categorization time: 0
static categorization time: 0
server.response.code: 0
client.response.code: 200


This behavior was changed in SGOS 6.5.5.2 to support WebSocket (to prevent plain WebSocket connections from failing).
In explicit mode, the HTTP proxy would receive an HTTP CONNECT on the HTTP port (port 80) for a plain WebSocket.
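
To check from captured traces which of the two behaviors an appliance shows, the excerpts above can be parsed and each CONNECT classified as denied or tunneled. This is an added example, not code from the article or the vendor; the function names are hypothetical, the sample is constructed from the two excerpts on this page (category lines omitted), and it assumes transactions are separated by blank lines.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two excerpts from this page, minus the category line.
SAMPLE = """\
CONNECT tcp://www.google.de:80/
user: unauthenticated
EXCEPTION(connect_method_denied): CONNECT to a port other then 443 (the default HTTPS port) are not permitted

connection: service.name=Explicit HTTP client.address=10.167.7.233 proxy.port=8080
time: 2015-02-24 20:04:18 UTC
CONNECT tcp://www.google.de:80/
user: unauthenticated
server.response.code: 0
client.response.code: 200
"""

CONNECT_RE = re.compile(r"^CONNECT\s+(\S+)", re.M)
EXCEPTION_RE = re.compile(r"^EXCEPTION\((\w+)\)", re.M)
CLIENT_CODE_RE = re.compile(r"^client\.response\.code:\s*(\d+)", re.M)

def classify_connects(trace_text):
    """Return one record per CONNECT transaction found in the trace text."""
    records = []
    # Assumption: a blank line ends each transaction, as in the excerpts.
    for block in re.split(r"\n\s*\n", trace_text):
        m = CONNECT_RE.search(block)
        if not m:
            continue
        target = urlsplit(m.group(1))          # e.g. tcp://www.google.de:80/
        exc = EXCEPTION_RE.search(block)
        code = CLIENT_CODE_RE.search(block)
        if exc:
            verdict = "denied:" + exc.group(1)  # pre-6.5.5.x result for port 80
        elif code and code.group(1) == "200":
            verdict = "tunneled"                # 6.5.5.x and later for port 80
        else:
            verdict = "unknown"
        records.append({"host": target.hostname, "port": target.port,
                        "verdict": verdict})
    return records

def non_443_tunnels(records):
    """CONNECT tunnels the proxy established to a port other than 443."""
    return [r for r in records if r["verdict"] == "tunneled" and r["port"] != 443]

if __name__ == "__main__":
    for rec in classify_connects(SAMPLE):
        print(rec)
```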