Allow specific HTTPS URL yet block access to its domain in an Explicit environment.

Article ID: 173829

Products

ProxySG Software - SGOS

Issue/Introduction

ProxySG

The purpose of this article is to provide a way to allow traffic to a specific URL while at the same time blocking access to the domain the URL is part of. This only applies to Explicit scenarios, as the CONNECT method is only present in this kind of deployment.

This article assumes you are performing SSL Interception on the domain in question.

Resolution

Two rules will be needed, and one way of doing it is as follows:

  • Create a rule in a Web Access layer to allow the specific site when using the CONNECT method.
  • Create a rule in a separate Web Access layer to allow traffic for a specific URL within that domain.
  • Create another rule below the one just created that matches the domain you want to block, with the action set to Deny (this time without setting the CONNECT method).

Expected result:

The proxy will receive a CONNECT request from the client. That request will be evaluated against policy and allowed.

Then one of the following will happen:

  • If the encrypted request is example.com/path.html, the request will be allowed.
  • If the encrypted request is anything other than the above on that domain, the request will be denied.
     

In CPL it would look as follows:

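; Layer 1: allow the CONNECT request for the domain (explicit deployments only)
<proxy>
url.domain="example.com" http.method=CONNECT Allow

; Layer 2: allow the specific URL, then deny everything else on the domain
; (rule order matters: the Allow must sit above the Deny)
<proxy>
url.domain="example.com/path.html" Allow
url.domain="example.com" Deny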
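
To confirm the expected result from a client, the script below sends requests through the explicit proxy and reports whether each was stopped at the CONNECT stage or after interception. It is an added example, not part of the original article or vendor tooling. It assumes `PROXY` (the explicit proxy URL) and `CA` (the interception issuer certificate) are set by the operator, that a policy denial returns HTTP 403 (`DENY_CODE`), and that `other.html` is a constructed path standing in for any other URL on the domain.

```shell
#!/bin/sh
# Added example: client-side check of the policy's expected result.
# Assumptions: PROXY, CA and DENY_CODE are operator-supplied; 403 is an
# assumed status for a policy denial; other.html is a constructed path.
DENY_CODE=${DENY_CODE:-403}

# verdict CONNECT_CODE HTTP_CODE
# Separates the decision made on the CONNECT request from the decision
# made on the decrypted request inside the tunnel.
verdict() {
    connect=$1
    http=$2
    case "$connect" in
        2??) ;;                                          # tunnel established
        "$DENY_CODE") echo "denied-at-connect"; return ;;
        *) echo "error"; return ;;
    esac
    case "$http" in
        ""|000) echo "error" ;;                          # no HTTP response seen
        "$DENY_CODE") echo "denied-after-intercept" ;;
        *) echo "allowed" ;;                             # proxy passed the request
    esac
}

# probe URL: fetch through the proxy and classify both status codes.
probe() {
    codes=$(curl -s -o /dev/null --proxy "$PROXY" --cacert "$CA" \
        -w '%{http_connect} %{http_code}' "$1")
    set -- $codes
    verdict "$1" "$2"
}

# check URL EXPECTED: compare the observed verdict with the expected one.
check() {
    got=$(probe "$1")
    if [ "$got" = "$2" ]; then
        echo "PASS $1 ($got)"
    else
        echo "FAIL $1: got $got, want $2"
        return 1
    fi
}

# Only touch the network when the operator has supplied proxy details.
if [ -n "${PROXY:-}" ] && [ -n "${CA:-}" ]; then
    check "https://example.com/path.html" allowed
    check "https://example.com/other.html" denied-after-intercept
fi
```

A `denied-at-connect` result for either URL means the CONNECT request itself was denied, so the inner request was never evaluated.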