Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 1653 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scan HTTPS (SSL) Traffic

jreverman
Before updating to 7.504, Enabling this setting on our filter profiles allowed us to specify filter actions for HTTPS sites.

Example: We want to block https://mail.google.com, but want to allow Https://mail.google.com/gpi.us.

By enabling the Scan HTTPs for the profile, the web proxy would enumerate the full URL and Pass or block depending on the white list.

After the update, the proxy stops enumerating at Https://mail.google.com, completely ignoring anything after the .com. 

We are running two proxies, one at 7.503 and the other at 7.504, and the older version still works as intended.

Was there a change? 

Thanks,


This thread was automatically locked due to age.
  • 0
    I don't know if it was changed or not but until you find out I would suggest you separate this into 2 filter actions/assignments and add them both to the profile but making sure the longer url is on top of the other one.
    Don't know if that works though it might be worth a try.
    Anyone with more information?
  • 0 in reply to Krycek
    Yes, this was my initial thought also. The proxy simply will not enumerate beyond the .com when in SSL.

    This setup works fine when doing regular HTTP, but that wont work for us.

    Thanks for the response.
  • 0
    just a thought: does adding a "/" at the end change anything?

    I'm still guessing here... sorry [;)]
  • 0 in reply to Krycek
    Makes no difference. Something must have changed in the latest update.

    I am seeing other posts saying to create a packet filter and an exception, but I cant imagine that is how astaro meant for this to work.

    Or am I just doing it wrong?
  • 0
    I don't believe there's a way in 7.5 or before to put the allowance for the /gpi.us URL in the same profile with the .com/ URL block.  The only way you can do what you want is to put https://mail.google.com/ in 'Always Block' in the profile, and create an 'Exception' for the 'URL Filter' for https://mail.google.com/gpi.us.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Actually, in our 7.503 proxy setup it works perfectly using only the proxy Block and Allow settings:

    Block these URLs/sites
    mail.google.com


    Always allow these URLs/sites

    google.com/a/c/gpi.us

    mail.google.com/a/gpi.us

    google.com/calendar/hosted/gpi.us

    google.com/contacts/a/gpi.us

    google.com/support

    gpi.us
  • 0
    Interesting.  That's definitely worth submitting a ticket to see if it's 7.503 or 7.504 that's not working as intended.  I thought the blacklist check happened before the whitelist check, but maybe I just assumed that because the "Block" section is positioned above the "Allow" section.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA