HTTPS Interception Causes Issues with Some Amazon CloudFront Service Sites


Article ID: 168855


Products

Asset Management Solution, Data Center Security Monitoring Edition, ProxySG Software - SGOS

Issue/Introduction

When the ProxySG appliance intercepts HTTPS, sites hosted by Amazon CloudFront service may not be accessible.

Cause

The ProxySG adds the "Cache-Control: max-stale=0" header when accessing URLs. When HTTPS traffic is intercepted, this header is added to that traffic as well. Some of the sites hosted by Amazon's CloudFront service return a 504 Gateway Time-out response if the request contains "Cache-Control: max-stale=0".
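To confirm that a given site is affected before changing policy, the check below sends the same GET request with and without "Cache-Control: max-stale=0" and compares the status codes. It is an added example, not code from this article or the product; the function names are illustrative, and `_StubOrigin` is a constructed local stand-in for an affected origin so the script runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER = {"Cache-Control": "max-stale=0"}  # header the article says ProxySG adds


def status(host, port, path="/", headers=None, tls=False, timeout=10):
    """Return the HTTP status code of one GET request."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        return conn.getresponse().status
    finally:
        conn.close()


def check_origin(host, port, path="/", tls=False):
    """Compare a plain request with one carrying max-stale=0."""
    plain = status(host, port, path, tls=tls)
    with_header = status(host, port, path, HEADER, tls=tls)
    # Affected: only the request with the header gets 504 Gateway Time-out.
    affected = plain != 504 and with_header == 504
    return {"plain": plain, "with_header": with_header, "affected": affected}


class _StubOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for an affected origin (not a real CloudFront site)."""

    def do_GET(self):
        cc = self.headers.get("Cache-Control", "")
        self.send_response(504 if "max-stale=0" in cc else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the stub on a free local port and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), _StubOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_origin("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

For a real site, call `check_origin("<URL_domain_name>", 443, tls=True)` from a host whose traffic does not pass through the ProxySG, so that the plain request actually leaves without the header.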

 

Resolution



 

Workaround

Add policy to suppress the Cache-Control header for the affected domain.

Sample policy:

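.....
<Proxy>
    ; Apply the header-suppression action to requests for the affected domain
    url.domain="<URL_domain_name>" action.SuppressHeaders1(yes)    ; Rule 1

; Remove the Cache-Control request header before the request is forwarded
define action SuppressHeaders1
    delete(request.header.Cache-Control)
end action SuppressHeaders1
.....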