When the "Enable SSL interception with automatic protocol detection" SSL interception option is selected in SGOS 6, why is a URL with a path like https://www.bluecoat.com/support-services denied?


Article ID: 168702


Updated On:


ProxySG Software - SGOS


When performing SSL interception, two of the available options are:

  • Enable HTTPS interception

  • Enable SSL interception with automatic protocol detection

If you would like to allow https://www.bluecoat.com/support-services, and at the same time deny https://www.bluecoat.com, select the second option above, and use the following policy:
    ssl.forward_proxy(yes) detect_protocol(all) ssl.forward_proxy.issuer_keyring(default)

    ALLOW server_url.domain=//www.bluecoat.com/support-services
    DENY url.domain=//www.bluecoat.com/

The URL https://www.bluecoat.com/support-services will be denied.

However, if you select the first option ("Enable HTTPS interception") and use the policy above, browsing to https://www.bluecoat.com/support-services will be allowed, which is expected.


The reason is that when you select the second option, the ProxySG appliance will use this URL:

first to evaluate against the policy, before sending the actual URL: https://www.bluecoat.com/support-services.
When you select the first option ("Enable HTTPS interception"), the actual URL request, https://www.bluecoat.com/support-services, is sent first to evaluate against the policy.