HTTPS Interception Causes Issues with Some Amazon CloudFront Service Sites

Article Id: 168855

Status: Published

Updated On: 13-05-2017 12:05

Legacy Id: TECH245591

Products:

Asset Management Solution Data Center Security Monitoring Edition ProxySG Software - SGOS

Issue/Introduction:

When the ProxySG appliance intercepts HTTPS, sites hosted by Amazon CloudFront service may not be accessible.

Cause:

The ProxySG adds the "Cache-Control: max-stale=0" header when accessing URLs. When HTTPS traffic is intercepted, this header is added to that traffic. Some of the sites hosted by Amazon's CloudFront service return s 504 Gateway Time-out response, if the request contains "Cache-Control: max-stale=0".

Resolution:

Workaround

Add policy to suppress cache control header.

sample policy
.....
<Proxy>
   url.domain="<URL_domain_name>" action.SuppressHeaders1(yes)   ; Rule 1


define action SuppressHeaders1
   delete(request.header.Cache-Control)
end action SuppressHeaders1
.....