Unable to browse specific HTTPS site through proxy


Postby SpaceJelly » Mar 31 16 12:49 am

Hi There,

We have a problem accessing https://www.stsprofitlink.co.uk/ via the proxy. It'll sit there and eventually time out with an EMPTY_RESPONSE error. Adding this site to the proxy bypass list for testing, it loads fine; however, this is not an option for production as all machines are routed via the proxy.

SSL Inspection is on and the certificate used is installed as a trusted root cert on all client machines. This works great and there are no problems with any other HTTPS site (so far!).

Any ideas on where to look? Can't see anything obvious in the logs other than the GET entry.

Thanks!
SpaceJelly
 
Posts: 11
Joined: Dec 02 15 6:52 am

Re: Unable to browse specific HTTPS site through proxy

Postby adrien » Mar 31 16 1:43 am

Hi

I've been able to replicate this issue. The site seems to behave completely differently when WinGate makes the SSL connection to it, rather than the client.

It could be something like what TLS options or version are used.

You can whitelist specific sites for SSL inspection, so that you don't need to turn it off altogether. It's done with script in a policy on the WWW Proxy: ConnectRequest event

Code:
Session.EnableSSLInspection = false


Will turn off inspection for the connection. So you can check the site, if it's in a list of sites you don't want to inspect, you hit this item (e.g. expression evaluator)
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
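The whitelist check Adrien describes, as an added example that is not WinGate's code and not from any poster in this thread. It is JavaScript written in the ES3 style that WinGate's JScript policy engine accepts. `Session.EnableSSLInspection` is the property named in the post above; how the requested host is read from the session (`Session.Request.Host` here) is an assumption and must be checked against the WinGate scripting reference. The entries are matched as exact hosts or as dot-anchored domain suffixes rather than as substrings, so a hostname such as `www.stsprofitlink.co.uk.evil.test` does not inherit the bypass granted to `www.stsprofitlink.co.uk`.

```javascript
// Added example: SSL-inspection bypass list for a WinGate WWW Proxy
// ConnectRequest policy script. Session.EnableSSLInspection is the
// property named in the thread; reading the requested host via
// Session.Request.Host is an ASSUMPTION, not a documented accessor.
// Written in ES3-compatible style so it also runs under JScript.

// Hosts (or whole domains, when written with a leading dot) whose TLS
// should be passed through uninspected. Illustrative entries.
var NO_INSPECT = [
  "www.stsprofitlink.co.uk",
  ".update.microsoft.com",
  ".windowsupdate.com",
  ".apple.com"
];

// Normalise what a CONNECT request carries: "Host:443" -> "host", drop a
// trailing dot, lower-case. An IPv6 literal in brackets never matches a
// name-based list, so it yields "" and stays inspected.
function normalizeHost(raw) {
  if (typeof raw !== "string") return "";
  var h = raw.replace(/^\s+|\s+$/g, "").toLowerCase();
  if (h.charAt(0) === "[") return "";
  var colon = h.indexOf(":");
  if (colon !== -1) h = h.substring(0, colon);
  if (h.charAt(h.length - 1) === ".") h = h.substring(0, h.length - 1);
  return h;
}

// Exact-host or dot-anchored suffix match. A substring test such as
// host.indexOf(entry) would let attacker-controlled names like
// "bank.example.evil.test" escape inspection; anchoring on the dot
// boundary prevents that.
function isBypassed(rawHost, list) {
  var host = normalizeHost(rawHost);
  if (host === "") return false;
  for (var i = 0; i < list.length; i++) {
    var entry = list[i].toLowerCase();
    if (entry.charAt(0) === ".") {
      if (host === entry.substring(1)) return true;
      if (host.length > entry.length &&
          host.substring(host.length - entry.length) === entry) return true;
    } else if (host === entry) {
      return true;
    }
  }
  return false;
}

// Policy entry point for the ConnectRequest event. Takes the session
// object as a parameter so it can be exercised outside WinGate.
// Returns true when the connection stays inspected, false when bypassed.
function applyInspectionPolicy(session) {
  var host = session.Request.Host;            // ASSUMED accessor
  if (isBypassed(host, NO_INSPECT)) {
    session.EnableSSLInspection = false;      // pass TLS through untouched
    return false;
  }
  session.EnableSSLInspection = true;
  return true;
}

// In the WinGate script body the call would be:
//   applyInspectionPolicy(Session);
```

If the WWW Proxy policy is built from the expression evaluator item instead of a script, the same rule applies: compare the host against the list with an anchored match, never with a bare "contains" test.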

Re: Unable to browse specific HTTPS site through proxy

Postby SpaceJelly » Mar 31 16 2:23 am

Hi Adrien,

Thank you for the tips. I'm still learning how the policies work and we are just using the standard SSL connect handler script.

A little advice: do I create a new one or insert into the existing one? Also, there are Java and Lua scripting options; I'm familiar with both, Lua more than Java!

Thanks again,

Neil

Re: Unable to browse specific HTTPS site through proxy

Postby adrien » Mar 31 16 3:13 am

Hi

You can insert into an existing one, or create a new one (and maybe then even just call it from the main one), whichever you prefer.

Probably the most performant option is the expression evaluator, with the box checked to not resolve it to a true/false result. After that, the JScript one I think is quicker than the Lua one, as I'm not sure the Lua runtime precompiles the code, whereas the JScript one does.

Adrien

Re: Unable to browse specific HTTPS site through proxy

Postby SpaceJelly » Mar 31 16 4:43 am

Hi Adrien,

Fantastic, it works!

As the SSL connect handler wasn't being used, I modified that. I inserted a "Check Whitelist" item immediately after the connect request. "Yes" goes to the new expression handler that you advised on, with an Allow out of that. "No" goes to the rest of the script unmodified. It's working nicely!

Thanks again for your help.

Neil

Re: Unable to browse specific HTTPS site through proxy

Postby adrien » Mar 31 16 9:27 am

Great

It's handy to have a list for that, since then you can add banking sites etc.

You'll probably need to whitelist Windows Update and iTunes. We find those things don't work with SSL inspection either (I think they use client certs, or cert pinning).

Regards

Adrien de Croy

Re: Unable to browse specific HTTPS site through proxy

Postby adrien » Mar 31 16 2:20 pm

Hi

I did some packet capturing on this site. It's pretty badly behaved.

Wireshark is reporting that the server is using SPDY regardless of the fact that this wasn't negotiated.

When WinGate is doing SSL inspection, there's no NPN or ALPN option in the client hello message. That means the client is not advertising any support for any protocols other than http/1.1 over TLS.
When WinGate is not doing SSL inspection, the client sends an ALPN option indicating support for http/2.0 and spdy/3.1; however, even in this case the server doesn't respond with an ALPN option in its ServerHello message (which it should have) and uses SPDY anyway.

When using an IE8 client, which doesn't advertise ALPN either, it works, but in this case it's doing TLS 1.0, whereas in the prior cases it's TLS 1.2.

So it looks like the server is quite buggy, and is switching to SPDY or not based purely on TLS version rather than ALPN. I wonder whether the site has an accelerator in front of it, since it's advertising itself as IIS/7 which is Windows 2k8 I believe, and I don't even know if that supports SPDY.

Adrien

Re: Unable to browse specific HTTPS site through proxy

Postby adrien » Mar 31 16 2:55 pm

Maybe ignore that.

Wireshark appears to be exhibiting some parsing issues. I updated it and it's no longer showing the client sending SPDY requests.

Adrien

Re: Unable to browse specific HTTPS site through proxy

Postby royjm22 » Apr 23 17 8:26 pm

Dear Adrien,

I have a WinGate server with a 100-user licence. So far it has been working fine, but I am still not even 1% familiar with the policies, like how to create policies and how they work. Now I need your support to create a policy to bypass the Lync server, because the users are not able to share their desktop, and the issue is because of SSL/TLS. In your previous post I saw that if we bypass a specific website or IP then it will not use the proxy server, so please guide me or create a policy for me to bypass this issue.
royjm22
 
Posts: 21
Joined: Feb 08 16 1:08 am

Re: Unable to browse specific HTTPS site through proxy

Postby royjm22 » Apr 27 17 7:35 pm

Hi Adrien,

Can you please support me? I made a query but you did not give any reply.

Re: Unable to browse specific HTTPS site through proxy

Postby adrien » Apr 27 17 11:01 pm

Hi

Sorry for the delay in responding.

To get a client to not use a proxy for a site is beyond the control of the proxy. It's a client decision whether it uses a proxy or not to access a site.

To get a client to decide whether to use a proxy or not on a site-by-site basis, you can do one of two things.

1. You can specify that the site is local, and to not use the proxy for local sites. This is in the connection settings in the browser.
2. You can use a proxy config file, which implements a function (FindProxyForURL) which you can use to specify different proxies, or direct connections on a per-site or per-protocol basis.

You can find more information about the 2nd option at http://findproxyforurl.com/. This may be your better option if there are several clients involved, since the PAC file can be centrally disseminated.

Regards

Adrien de Croy
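The second option above, a proxy config (PAC) file implementing FindProxyForURL, as an added example that is not from the thread or from Qbik. The proxy address `wingate.corp.example:80` and the host list are placeholders chosen for this example. It deliberately uses its own anchored domain matcher instead of the PAC built-in `dnsDomainIs()`, because that built-in is a bare suffix test (in it, `notbank.example` matches `bank.example`); this also lets the file run stand-alone under Node for testing.

```javascript
// Added example: a PAC file whose FindProxyForURL() sends a short list of
// hosts DIRECT and everything else through WinGate. The proxy address and
// the DIRECT_HOSTS entries are placeholders, not values from the thread.
// No PAC built-ins (dnsDomainIs, shExpMatch, ...) are used, so the file
// behaves identically in every browser and under Node.

var PROXY = "PROXY wingate.corp.example:80";

// Hosts reached without the proxy. A leading dot means the whole domain.
var DIRECT_HOSTS = [
  "www.stsprofitlink.co.uk",
  ".lync.corp.example",
  ".windowsupdate.com"
];

// Lower-case and strip a trailing dot. PAC engines pass the bare host
// without a port, so no port handling is needed here.
function canon(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") h = h.substring(0, h.length - 1);
  return h;
}

// Anchored match: exact host, or a label boundary before the domain
// suffix. Unlike dnsDomainIs(), "notwindowsupdate.com" does not match
// ".windowsupdate.com".
function inDomain(host, entry) {
  var h = canon(host), e = entry.toLowerCase();
  if (e.charAt(0) !== ".") return h === e;
  if (h === e.substring(1)) return true;
  return h.length > e.length && h.substring(h.length - e.length) === e;
}

function isDirectHost(host) {
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (inDomain(host, DIRECT_HOSTS[i])) return true;
  }
  return false;
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  // IPv6 literals contain ":"; they are not "plain" names and go via
  // the proxy like any other address.
  if (host.indexOf(":") !== -1) return PROXY;
  // Unqualified names ("intranet") are local: no proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (isDirectHost(host)) return "DIRECT";
  // Everything else via WinGate. Deliberately no "; DIRECT" fallback:
  // with one, a client that cannot reach the proxy silently goes direct,
  // which defeats the "all machines via the proxy" requirement from the
  // first post.
  return PROXY;
}
```

Serve the file from a web server (or via WPAD) and point the clients' automatic configuration URL at it; the list of DIRECT hosts is then changed in one place rather than on every machine.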

