Browser doesn't display CAPTCHA validation form in explicit proxy deployment


Article ID: 169031



Data Center Security Monitoring Edition, ProxySG Software - SGOS


When the ProxySG appliance is in an explicit proxy deployment and CAPTCHA validation policy is installed, the browser does not present the CAPTCHA validation form to users. In some cases, the browser displays an error message.

Note: CAPTCHA policy was introduced in SGOS 6.6.4. Refer to the SGOS Administration Guide and the Content Policy Language Reference for details.


When opening HTTPS connections, browsers configured for explicit proxy send a CONNECT message to the proxy. The message contains the origin content server (OCS) hostname and informs the proxy that the client is about to open a tunnel to that host. What happens next depends on the authentication mode specified in policy:
  • If form-cookie mode is in use (or when no authentication mode is specified), the proxy does not return a redirect. The browser does not present the CAPTCHA form, and users cannot complete validation. 
  • If form-cookie-redirect is in use, the proxy returns a redirect; however, browsers do not follow redirects sent in response to a CONNECT message. The browser displays an error message, and users cannot complete validation.
Note: Because CONNECT messages are meant for the proxy and not the OCS, they do not contain cookies.


Intercept SSL connections and bypass CAPTCHA validation for HTTP CONNECT messages. Validation is thus performed on the first HTTP request that is sent inside the tunnel. Refer to the following example:
; intercept SSL traffic using the HTTPS forward proxy
<ssl-intercept>
  ssl.forward_proxy(https)

; if request is not HTTP CONNECT tunneled and URL category is shopping,
; connect using the specified validator
<proxy>
  http.connect=no category=("shopping") validate(captcha_1)
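
To review an installed policy for the two conditions described above (SSL interception present, and every validate() rule guarded by http.connect=no), the following check can be run over the policy text. It is an added example, not part of the original article or the product. It assumes a simplified layout in which each rule sits on one line with its guard on that same line, and the function name and sample policies are constructed for illustration.

```python
import re

def check_captcha_policy(cpl_text):
    """Scan CPL text line by line and return a list of findings (simplified check)."""
    findings = []
    intercepts_ssl = False
    uses_validate = False
    for lineno, raw in enumerate(cpl_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()      # ';' starts a CPL comment
        if not line or line.startswith("<"):      # skip blanks and layer headers
            continue
        if "ssl.forward_proxy(https)" in line.replace(" ", ""):
            intercepts_ssl = True
        if re.search(r"\bvalidate\(", line):      # validate(...) action only
            uses_validate = True
            if not re.search(r"\bhttp\.connect\s*=\s*no\b", line):
                findings.append(
                    f"line {lineno}: validate() rule also matches CONNECT; "
                    "add http.connect=no")
    if uses_validate and not intercepts_ssl:
        findings.append(
            "policy: validate() is used but no ssl.forward_proxy(https) "
            "rule intercepts SSL")
    return findings

# Constructed sample: validation applied to every request, no SSL interception.
BROKEN = """\
<proxy>
  category=("shopping") validate(captcha_1)
"""

# Constructed sample following the workaround in this article.
FIXED = """\
; intercept SSL traffic using the HTTPS forward proxy
<ssl-intercept>
  ssl.forward_proxy(https)

<proxy>
  http.connect=no category=("shopping") validate(captcha_1)
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_captcha_policy(text) or "ok")
```

Guards placed in layer headers, definitions, or included policy files are outside what this line-based scan sees, so a finding is a prompt to read the rule, not a verdict.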