Security Best Practices

Article ID: 253059

Products

ProxySG Software - SGOS
Issue/Introduction

Explicit Proxy Best Practices

Resolution

In an explicit HTTP proxy service, protocol detection may be disabled by default, depending on the SGOS version. Make sure protocol detection is enabled: without it, SSL traffic tunneled through the explicit HTTP proxy (CONNECT requests) is not identified as SSL, so the policy from the SSL Proxy Best Practices is never evaluated for that traffic in explicit HTTP proxy mode.

To enable protocol detection through the CLI, enter configuration mode and run the following commands. Replace explicit_HTTP_service_name with the name of your explicit HTTP proxy service; the proxy answers ok when the attribute has been set:
#(config) proxy-services
#(config proxy-service) edit explicit_HTTP_service_name
#(config explicit_HTTP_service_name) attribute detect-protocol enable
ok

The following example combines protocol detection with SSL policy. The <ssl> layers deny connections that negotiate a weak cipher with the client or an old SSL/TLS version with the server; the <proxy> layer turns on protocol detection so that the CONNECT tunnels of an explicit proxy are recognized as SSL and those <ssl> layers are actually evaluated. Two variants are shown: detect_protocol(all) detects every protocol the proxy supports, detect_protocol(ssl) limits detection to SSL/TLS.

Variant 1, detect all protocols:

<ssl>
  client.connection.negotiated_cipher.strength=(medium || low) FORCE_DENY

<ssl>
  server.connection.negotiated_ssl_version=(SSLV3, SSLV2, TLSV1, TLSV1.2) FORCE_DENY

<proxy>
  detect_protocol(all)

Variant 2, detect SSL/TLS only:

<ssl>
  client.connection.negotiated_cipher.strength=(medium || low) FORCE_DENY

<ssl>
  server.connection.negotiated_ssl_version=(SSLV3, SSLV2, TLSV1, TLSV1.2) FORCE_DENY

<proxy>
  detect_protocol(ssl)

Choose the version list to match the oldest SSL/TLS version you are willing to accept from servers, and review it before deploying: as written, the list denies TLSV1.2 but does not list TLSV1.1, so a server that negotiates TLSV1.1 would still be allowed while one that negotiates TLSV1.2 would be denied.
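As an added example (not SGOS code and not part of the original article), the following Python models what the policy above is meant to enforce so it can be sanity-checked offline before it is pushed to a proxy: it flags holes in a negotiated_ssl_version deny list (a version newer than a denied one that is itself still allowed), derives a hole-free deny list from a minimum acceptable version, and shows why the <ssl> rules only take effect on explicit CONNECT tunnels once protocol detection is on. It does not parse CPL and is a deliberately simplified model of SGOS policy evaluation. The version tokens SSLV2, SSLV3, TLSV1 and TLSV1.2 come from the page; TLSV1.1 and TLSV1.3, and their ordering, are assumptions.

```python
"""Offline model of the SSL/TLS policy above. Added example, not SGOS code.

Assumption: SGOS accepts the version tokens below, oldest first. SSLV2,
SSLV3, TLSV1 and TLSV1.2 are used on the page; TLSV1.1 and TLSV1.3 are
assumed here.
"""

SSL_VERSIONS = ["SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"]
CIPHER_STRENGTHS = ("low", "medium", "high")


def deny_list_holes(denied):
    """Return versions older than the newest denied version that are NOT denied.

    A non-empty result means the list blocks a newer version while letting an
    older (weaker) one through, which is almost never what was intended.
    """
    denied = set(denied)
    unknown = denied - set(SSL_VERSIONS)
    if unknown:
        raise ValueError("unknown version token(s): %s" % sorted(unknown))
    newest = max(SSL_VERSIONS.index(v) for v in denied)
    return [v for v in SSL_VERSIONS[:newest] if v not in denied]


def deny_list_for_minimum(min_allowed):
    """Every version older than min_allowed, i.e. a deny list without holes."""
    return SSL_VERSIONS[: SSL_VERSIONS.index(min_allowed)]


def version_deny_rule(min_allowed):
    """Render the deny list in the rule form used in the <ssl> layer above."""
    versions = ", ".join(deny_list_for_minimum(min_allowed))
    return "server.connection.negotiated_ssl_version=(%s) FORCE_DENY" % versions


def evaluate(conn, detect_protocol, denied_versions, denied_strengths):
    """Simplified verdict ("ALLOW" or "DENY") for one connection.

    conn keys:
      explicit            True if the client sent an explicit CONNECT tunnel
      negotiated_version  SSL/TLS version negotiated with the server
      cipher_strength     strength of the cipher negotiated with the client
    detect_protocol: True if the <proxy> layer sets detect_protocol(ssl|all).

    Model: in explicit mode without protocol detection the CONNECT tunnel is
    treated as opaque TCP, so no <ssl> layer is evaluated and the connection
    passes no matter what was negotiated inside it.
    """
    if conn["cipher_strength"] not in CIPHER_STRENGTHS:
        raise ValueError("unknown cipher strength: %r" % conn["cipher_strength"])
    if conn["explicit"] and not detect_protocol:
        return "ALLOW"  # tunnel never identified as SSL: <ssl> layers do not run
    if conn["negotiated_version"] in denied_versions:
        return "DENY"
    if conn["cipher_strength"] in denied_strengths:
        return "DENY"
    return "ALLOW"


# Constructed inputs mirroring the rules on the page.
PAGE_DENIED_VERSIONS = ["SSLV3", "SSLV2", "TLSV1", "TLSV1.2"]
PAGE_DENIED_STRENGTHS = ["medium", "low"]

if __name__ == "__main__":
    print("holes in the page's deny list:", deny_list_holes(PAGE_DENIED_VERSIONS))
    print("hole-free rule for a TLSV1.2 minimum:", version_deny_rule("TLSV1.2"))
    weak = {"explicit": True, "negotiated_version": "TLSV1", "cipher_strength": "high"}
    for detect in (False, True):
        verdict = evaluate(weak, detect, PAGE_DENIED_VERSIONS, PAGE_DENIED_STRENGTHS)
        print("explicit CONNECT, TLSV1 upstream, detect_protocol=%s -> %s" % (detect, verdict))
```

Running the script against the page's own version list reports TLSV1.1 as a hole and prints a rule that denies SSLV2, SSLV3, TLSV1 and TLSV1.1 instead; the last two lines show the same weak upstream connection passing when protocol detection is off and being denied when it is on.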

Additional Information

See also the article Functionality and expected behavior of the detect protocol feature.

Note: In SGOS 7.3.2, protocol detection is enabled by default for newly created HTTP proxy services.