You have an application which is attempting to access HTTPS URLs that contain an IP address and are missing their SNI header.
You may be seeing HTTP code 0 in the Smoothwall logs.
You have created a transparent web proxy authentication policy, with either Allow Transparent HTTPS incompatible sites or Allow Transparent HTTPS incompatible sites and filter other using name from certificate as the selected Behavior. But users are still unable to browse to HTTPS sites that have an IP address in the URL.
As the URL lacks an SNI header, by default, Guardian will not send the request upstream because it cannot be verified.
It is possible to add these URLs to the inbuilt SNI bypass category.
- Run a WHOIS query for the IP address and note the CIDR block that it is in. See https://help.smoothwall.net/Latest/Content/cgi-bin/admin/whois.htm.
- Use a CIDR calculator such as the CIDR utility tool to generate a regular expression for the IP address in question. For example:
- From the Smoothwall administrative user interface, go to Guardian > Policy objects > Categories.
- Edit the Transparent HTTPS Incompatible Sites category (under Standard Categories).
- Add the calculated regular expression to URL patterns.
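
An added example, not Smoothwall's tooling or the CIDR utility tool's output: one way to generate the regular expression for a CIDR block in Python, with boundaries so the pattern does not also match longer addresses or hostnames that merely begin with an address in the block. The function names and sample addresses (documentation ranges) are constructed, and the lookaround syntax assumes a PCRE-style engine, which the page does not confirm for Guardian URL patterns.

```python
import ipaddress
import re

# Matches any single IPv4 octet, 0-255, without leading zeros.
ANY_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

def octet_range(lo, hi):
    """Regex fragment matching the decimal integers lo..hi (0 <= lo <= hi <= 255)."""
    if (lo, hi) == (0, 255):
        return ANY_OCTET
    by_tens = {}
    for n in range(lo, hi + 1):
        by_tens.setdefault(n // 10, []).append(n % 10)
    parts = []
    for tens, units in sorted(by_tens.items(), reverse=True):
        head = str(tens) if tens else ""
        tail = str(units[0]) if len(units) == 1 else f"[{units[0]}-{units[-1]}]"
        parts.append(head + tail)
    return "(?:" + "|".join(parts) + ")"

def cidr_to_regex(cidr):
    """Regex matching exactly the dotted-quad addresses inside an IPv4 CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)  # accepts a host address plus prefix
    if net.version != 4:
        raise ValueError("IPv4 only")
    first, last = net.network_address.packed, net.broadcast_address.packed
    # A CIDR block is aligned, so it is the product of one range per octet.
    octets = [str(a) if a == b else octet_range(a, b) for a, b in zip(first, last)]
    # Boundaries (assumption: PCRE-style lookarounds) stop 198.51.100.64 from
    # matching inside 1198.51.100.64, 198.51.100.640 or 198.51.100.64.example.
    return r"(?<![0-9.])" + r"\.".join(octets) + r"(?![0-9A-Za-z.-])"

def url_matches(cidr, url):
    """True if the URL contains an address from the CIDR block (hypothetical helper)."""
    return re.search(cidr_to_regex(cidr), url) is not None

if __name__ == "__main__":
    # Constructed sample: a documentation range, not a real site.
    print(cidr_to_regex("198.51.100.77/26"))
```

Check the generated pattern against addresses just outside the block before adding it to the category, since anything it matches is sent upstream without SNI verification.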
|Last updated:||Author:||Contributions by:|
|23 August 2016||DMT|