Why can't I access HTTPS URLs that contain an IP address?

Article #:

Product

Castle

1818

All

All

Summary

You have an application that is attempting to access HTTPS URLs containing an IP address, and these requests are missing their SNI header.

You may be seeing HTTP code 0 in the Smoothwall logs.

Problem

You have created a transparent web proxy authentication policy with either "Allow Transparent HTTPS incompatible sites" or "Allow Transparent HTTPS incompatible sites and filter other using name from certificate" as the selected Behavior, but users are still unable to browse to HTTPS sites that have an IP address in the URL.

Because the URL lacks an SNI header, Guardian cannot verify the request and, by default, will not send it upstream.

Solution

It is possible to add these URLs to the inbuilt SNI bypass category.

1. Run a WHOIS query for the IP address and note the CIDR block that it is in — see https://help.smoothwall.net/Latest/Content/cgi-bin/admin/whois.htm.
2. Use a CIDR calculator such as the CIDR utility tool to generate a regular expression for the IP address in question.

For example: 132\.245(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}

3. From the Smoothwall administrative user interface, go to Guardian > Policy objects > Categories.
4. Edit the Transparent HTTPS Incompatible Sites category (under Standard Categories).
5. Add the calculated regular expression to URL patterns.
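
The CIDR-to-regex conversion in step 2 can also be scripted, which lets you check the pattern against addresses just inside and just outside the block before adding it to the category. This is an added example, not Smoothwall's code or the CIDR utility tool: the function names are hypothetical, it handles IPv4 only, and it tests the pattern against a bare dotted-quad address.

```python
import ipaddress
import re

# Any octet 0-255: the same sub-pattern used in the article's example regex.
ANY_OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

def octet_range(lo, hi):
    """Regex for the decimal integers lo..hi (0 <= lo <= hi <= 255)."""
    if lo == hi:
        return str(lo)
    parts = []
    for tens in range(lo // 10, hi // 10 + 1):  # one alternative per block of ten
        first = max(lo, tens * 10) % 10
        last = min(hi, tens * 10 + 9) % 10
        digits = str(first) if first == last else f"[{first}-{last}]"
        parts.append((str(tens) if tens else "") + digits)
    return "(" + "|".join(parts) + ")"

def cidr_to_regex(cidr):
    """Regex matching every dotted-quad address in an IPv4 CIDR block."""
    # strict=True rejects input with host bits set, e.g. 132.245.1.1/16
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("refusing to build a pattern for 0.0.0.0/0")
    first, last = net.network_address.packed, net.broadcast_address.packed
    full, rest = divmod(net.prefixlen, 8)
    octets = [str(b) for b in first[:full]]       # octets fixed by the prefix
    if rest:                                      # octet split by the prefix
        octets.append(octet_range(first[full], last[full]))
    pattern = r"\.".join(octets)
    trailing = 4 - len(octets)                    # octets left free (0-255)
    if trailing:
        pattern += rf"(\.{ANY_OCTET}){{{trailing}}}"
    return pattern

def check_boundaries(cidr):
    """True if the regex accepts the block's first and last address and
    rejects the addresses immediately below and above it."""
    net = ipaddress.IPv4Network(cidr)
    rx = re.compile(cidr_to_regex(cidr))
    inside = [net.network_address, net.broadcast_address]
    outside = []
    if int(net.network_address) > 0:
        outside.append(net.network_address - 1)
    if int(net.broadcast_address) < 2**32 - 1:
        outside.append(net.broadcast_address + 1)
    return (all(rx.fullmatch(str(a)) for a in inside)
            and not any(rx.fullmatch(str(a)) for a in outside))

if __name__ == "__main__":
    print(cidr_to_regex("132.245.0.0/16"))  # reproduces the regex shown in step 2
```

Use the narrowest CIDR block that covers the addresses the application needs, since every address the pattern matches is placed in the bypass category.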

Attribution:

Last updated:

Author:

Contributions by:

23 August 2016

 

DMT

 

Copyright © 2000-2016 Smoothwall All rights reserved.