Web Security Service block for Websocket traffic

Article ID: 201849

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A number of internal users should be allowed to access WebSocket-based applications, while most should be blocked.

A policy can be defined that blocks access to each domain, but a more generic rule was wanted to block all WebSocket-based applications.

Every policy change made allowed all users to access WebSocket applications instead of blocking them.

Environment

WSS access via WSSA and Explicit

Management Center is used for configuration, and VPE is used for creating rules.

Resolution

1. Make sure that SSL interception is enabled for all WebSocket sites.

2. Modify the CPL to add force_deny to the http.websocket check, as shown below.

<Proxy>
http.websocket=yes force_deny

Additional Information

From the Content Policy Language reference guide: the following http.websocket check can be used to determine whether a WebSocket upgrade is being requested in an existing request.

http.websocket=

The WebSocket protocol provides simultaneous two-way communications channels over a single TCP connection by detecting the presence of a proxy server and tunneling communications through the proxy. To upgrade an HTTP connection to a newer HTTP version or use another protocol such as WebSocket, a client sends a request with Upgrade, Connection, and other relevant headers. Previous versions of SGOS did not allow WebSocket handshakes to complete, but supported versions allow the handshake to complete successfully. Supported versions also detect WebSocket traffic and allow you to perform specific policy actions.
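The upgrade request described above can be recognised from its headers. The following added example (not from this article or the CPL reference, and not how SGOS implements http.websocket=) classifies constructed requests using the RFC 6455 handshake rules, and shows that an un-intercepted wss:// CONNECT tunnel exposes no upgrade headers to a proxy, which is why SSL interception is a prerequisite for the rule. Function names and sample requests are assumptions.

```python
# Added illustration: RFC 6455 opening-handshake recognition on constructed requests.
# Not Cloud SWG / SGOS code; all function names here are hypothetical.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated header fields are combined into one comma-separated list.
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return method, target, headers

def tokens(value: str):
    """Lower-cased set of comma-separated header tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def is_websocket_upgrade(raw: bytes) -> bool:
    """True when the request is a WebSocket opening handshake per RFC 6455."""
    method, _target, h = parse_request(raw)
    return (
        method == "GET"
        and "websocket" in tokens(h.get("upgrade", ""))
        and "upgrade" in tokens(h.get("connection", ""))
        and "sec-websocket-key" in h
        and h.get("sec-websocket-version", "") == "13"
    )

# Constructed samples; testsite.com is the domain used in the article's example.
WS_PLAIN = (b"GET /chat HTTP/1.1\r\nHost: testsite.com\r\n"
            b"Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
            b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"  # RFC 6455 sample nonce
            b"Sec-WebSocket-Version: 13\r\n\r\n")
# All an explicit proxy sees for wss:// when the TLS tunnel is not intercepted.
WSS_TUNNEL = b"CONNECT testsite.com:443 HTTP/1.1\r\nHost: testsite.com:443\r\n\r\n"
# An HTTP/2 cleartext upgrade carries Upgrade/Connection but is not WebSocket.
H2C = (b"GET / HTTP/1.1\r\nHost: testsite.com\r\nUpgrade: h2c\r\n"
       b"Connection: Upgrade, HTTP2-Settings\r\nHTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("ws://", WS_PLAIN), ("wss:// tunnel", WSS_TUNNEL), ("h2c", H2C)]:
        print(f"{label:14} websocket_upgrade={is_websocket_upgrade(raw)}")
```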

Syntax

http.websocket=yes|no

Layer and Transaction Notes

• Use in , , and layers.
• Applies to HTTP and HTTPS transactions.

See Also
• Conditions: client.protocol=

Example

The following example blocks all WebSocket traffic to testsite.com.

<proxy>
url.domain=testsite.com http.websocket=yes DENY