Explicit Proxy Best Practices
For explicit HTTP proxies, protocol detection may be disabled by default, depending on the version. Make sure that protocol detection is enabled so that SSL Proxy Best Practices are applied correctly to SSL traffic in explicit HTTP proxy mode.
To enable protocol detection through the CLI, enter configuration mode and type the following commands:
#(config) proxy-services
#(config proxy-service) edit explicit_HTTP_service_name
#(config explicit_HTTP_service_name) attribute detect-protocol enable
ok
The following example uses protocol detection with SSL policy:
<ssl>
client.connection.negotiated_cipher.strength=(medium || low) FORCE_DENY
<ssl>
server.connection.negotiated_ssl_version=(SSLV3, SSLV2, TLSV1, TLSV1.2) FORCE_DENY
<proxy>
detect_protocol(all)
<ssl>
client.connection.negotiated_cipher.strength=(medium || low) FORCE_DENY
<ssl>
server.connection.negotiated_ssl_version=(SSLV3, SSLV2, TLSV1, TLSV1.2) FORCE_DENY
<proxy>
detect_protocol(ssl)
Functionality and expected behavior of the detect protocol feature.
Note: In version 7.3.2, protocol detection is enabled by default for newly created HTTP proxy services.
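The dependency described above can be checked before policy is installed. The following Python lint is an added example, not vendor code: it flags policy text that contains <ssl> rules but no detect_protocol(all) or detect_protocol(ssl) rule in a <proxy> layer. The function names are hypothetical, and it assumes only the CPL subset shown on this page (unquoted layer headers, one rule per line, ';' comments).

```python
import re

# Constructed sample: the page's two <ssl> rules with no detect_protocol rule.
POLICY_WITHOUT_DETECTION = """\
<ssl>
client.connection.negotiated_cipher.strength=(medium || low) FORCE_DENY
<ssl>
server.connection.negotiated_ssl_version=(SSLV3, SSLV2, TLSV1, TLSV1.2) FORCE_DENY
"""
# The page's first example: the same rules plus detect_protocol(all).
POLICY_WITH_DETECTION = POLICY_WITHOUT_DETECTION + "<proxy>\ndetect_protocol(all)\n"

LAYER_RE = re.compile(r"^<\s*([A-Za-z][\w-]*)[^>]*>")
DETECT_RE = re.compile(r"\bdetect_protocol\(([^)]*)\)", re.IGNORECASE)


def parse_layers(cpl_text):
    """Split policy text into (layer_type, [rules]); ';' starts a CPL comment."""
    layers = []
    for raw in cpl_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = LAYER_RE.match(line)
        if header:
            layers.append((header.group(1).lower(), []))
            line = line[header.end():].strip()
        if line and layers:
            layers[-1][1].append(line)
    return layers


def ssl_detection_enabled(layers):
    """True if a <proxy> layer sets detect_protocol to a list with all or ssl."""
    for kind, rules in layers:
        for rule in rules if kind == "proxy" else []:
            match = DETECT_RE.search(rule)
            if match and {v.strip().lower() for v in match.group(1).split(",")} & {"all", "ssl"}:
                return True
    return False


def lint(cpl_text):
    """Return findings for <ssl> rules that policy alone does not back with detection."""
    layers = parse_layers(cpl_text)
    ssl_rules = [r for kind, rules in layers if kind == "ssl" for r in rules]
    if ssl_rules and not ssl_detection_enabled(layers):
        return ["%d <ssl> rule(s), but no <proxy> layer sets detect_protocol(all) or (ssl)"
                % len(ssl_rules)]
    return []
```

The lint reads policy text only. A service whose detect-protocol attribute was enabled through the CLI is not visible to it, so a finding means the policy relies on that service setting.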