Forwarding the client to authenticate on the parent proxy for the HTTPS traffic is not working

Article ID: 168548

Products

ProxySG Software - SGOS

Issue/Introduction

Forwarding the client to authenticate on the parent proxy for HTTPS traffic does not work in an explicit-mode proxy chain. The client sends a CONNECT request, including its authentication credentials, to the child proxy. The child proxy forwards the CONNECT request to the upstream (parent) proxy, but the parent proxy responds with 407 Proxy Authentication Required. The same configuration works for HTTP traffic but not for HTTPS.

Cause

When the client sends the CONNECT request, the child proxy immediately returns 200 OK to the client. This is because early interception is always enabled for the explicit HTTP service and cannot be disabled. The child proxy then sends its own CONNECT to the parent proxy, expecting a 200 OK in return. Instead, the parent proxy answers with 407 because it requires authentication on the CONNECT method, and the CONNECT fails at that point: the client has already received 200 OK, so there is no longer a way to relay the parent's 407 challenge back to the client.

Resolution

The resolution is:

1. Enable the SSL interception on the parent proxy. 

2. Disable authentication for the CONNECT method on the parent proxy. This ensures that the parent proxy returns 200 OK for the CONNECT request, and authentication then takes place on the HTTPS requests inside the tunnel (which the parent can see because of step 1). To do that, apply the following CPL in the local policy file:

; Parent proxy local policy: do not challenge the CONNECT itself,
; authentication is applied to the intercepted HTTPS requests instead.
<Proxy>
    http.method=CONNECT authenticate(no)


An authentication pop-up may still appear on the client side if the parent proxy is not using an IP surrogate authentication mode and the child proxy is not reflecting the client IP address. This is a separate issue: the parent proxy needs the proxyIP (or another IP surrogate) authentication mode, and the child proxy needs to reflect the client IP address toward the parent.
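The following script is an added diagnostic, not part of this article or of SGOS, for checking how a parent proxy answers a plain CONNECT request before and after applying the policy above. It sends a CONNECT without credentials (the same request the child proxy issues in this scenario) and reports whether the parent establishes the tunnel (200) or challenges the CONNECT itself (407, the failure mode described in the Cause section), along with the authentication schemes offered. The proxy host, port and target name are parameters you supply; the two sample responses embedded below are constructed for the offline check and are not captured from a real ProxySG.

```python
import socket

# Constructed sample responses used for the offline self-check (not real captures).
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="parent"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"


def build_connect(target_host, target_port=443):
    """Build the CONNECT request a child proxy sends upstream, without credentials."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        f"\r\n"
    ).encode("ascii")


def classify_connect_response(raw):
    """Parse the parent proxy's reply to CONNECT and classify the outcome.

    Returns a dict with the numeric status, a verdict string and the list of
    authentication schemes advertised in Proxy-Authenticate headers (if any).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(parts[1])

    # Collect the scheme token of every Proxy-Authenticate header (NTLM, Basic, ...).
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])

    if status == 200:
        verdict = "tunnel-established"          # parent will let HTTPS auth happen inside the tunnel
    elif status == 407:
        verdict = "auth-required-on-connect"    # the failure mode: child already sent 200 to the client
    else:
        verdict = "other"
    return {"status": status, "verdict": verdict, "schemes": schemes}


def probe_parent(proxy_host, proxy_port, target_host, timeout=5.0):
    """Send an unauthenticated CONNECT to the parent proxy and classify its answer.

    proxy_host/proxy_port/target_host are supplied by the operator; nothing here
    is specific to a particular deployment.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect(target_host))
        buf = b""
        # Read until the end of the response headers; the tunnel body is never used.
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_connect_response(buf)


if __name__ == "__main__":
    # Offline self-check on the constructed samples.
    print(classify_connect_response(SAMPLE_407))
    print(classify_connect_response(SAMPLE_200))
    # Live check (replace with your parent proxy and a reachable HTTPS host):
    # print(probe_parent("parent-proxy.example", 8080, "www.example.com"))
```

Before the CPL change a parent that authenticates CONNECT reports `auth-required-on-connect`; after `http.method=CONNECT authenticate(no)` is installed the same probe should report `tunnel-established`, confirming that the 407 has moved from the CONNECT to the HTTPS requests inside the tunnel, where the child proxy can relay it to the client.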