HTTP CONNECT method on the Edge SWG (ProxySG) appliance changed

Article ID: 168532

Products

ProxySG Software - SGOS

Issue/Introduction

In SGOS 6.5.5.x and later, the appliance handles HTTP CONNECT requests on port 80 differently: the proxy now allows them.
Before SGOS 6.5.5.x, a CONNECT request to any port other than 443 is denied when protocol detection is disabled.

Note: This issue is applicable only if protocol detection is disabled. When protocol detection is enabled, we allow HTTP CONNECT on an arbitrary port, as long as the protocol detected inside is SSL. 

See the following for examples:

CONNECT request behavior on port 80 in SGOS 6.5.4.4:

CONNECT tcp://www.example.com:80/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
EXCEPTION(connect_method_denied): CONNECT to a port other then 443 (the default HTTPS port) are not permitted
url.category: Search Engines/Portals@Blue Coat


CONNECT request behavior on port 80 in SGOS 6.5.5.7:

connection: service.name=Explicit HTTP client.address=x.x.x.x proxy.port=8080
time: 2015-02-24 20:04:18 UTC
CONNECT tcp://www.example.com:80/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
url.category: Search Engines/Portals@Blue Coat
total categorization time: 0
static categorization time: 0
server.response.code: 0
client.response.code: 200


This behavior was updated for WebSocket support in SGOS 6.5.5.2, to prevent plain WebSocket connections from failing.
In explicit mode, the HTTP proxy receives an HTTP CONNECT on the HTTP port (port 80) for a plain WebSocket.
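
Because CONNECT to port 80 is no longer rejected after the upgrade, it can be useful to review which non-443 tunnels the proxy actually opened. The following is an added example, not Broadcom's code: it parses entries in the policy-trace layout shown above and flags allowed CONNECT requests to ports outside an expected set. It assumes entries are separated by blank lines; `audit_connects`, `expected_ports` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: three entries in the policy-trace layout shown above,
# separated by blank lines. The port-443 entry is invented for contrast.
SAMPLE_TRACE = """\
CONNECT tcp://www.example.com:80/
EXCEPTION(connect_method_denied): CONNECT to a port other then 443 (the default HTTPS port) are not permitted

connection: service.name=Explicit HTTP client.address=x.x.x.x proxy.port=8080
CONNECT tcp://www.example.com:80/
server.response.code: 0
client.response.code: 200

CONNECT tcp://www.example.com:443/
client.response.code: 200
"""

CONNECT_RE = re.compile(r"^CONNECT tcp://(?P<host>[^:/\s]+):(?P<port>\d+)/", re.M)
EXCEPTION_RE = re.compile(r"^EXCEPTION\((?P<name>[\w-]+)\)", re.M)
CLIENT_CODE_RE = re.compile(r"^client\.response\.code: (?P<code>\d+)", re.M)


def audit_connects(trace, expected_ports=(443,)):
    """Return one finding per CONNECT entry: host, port, verdict, review flag."""
    findings = []
    for entry in re.split(r"\n\s*\n", trace.strip()):
        m = CONNECT_RE.search(entry)
        if not m:
            continue  # not a CONNECT transaction
        exc = EXCEPTION_RE.search(entry)
        code = CLIENT_CODE_RE.search(entry)
        if exc:
            verdict = "denied:" + exc["name"]
        elif code and code["code"] == "200":
            verdict = "allowed"
        else:
            verdict = "unknown"
        port = int(m["port"])
        findings.append({
            "host": m["host"], "port": port, "verdict": verdict,
            # Tunnel opened to a port outside the expected set: worth a look.
            "review": verdict == "allowed" and port not in expected_ports,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_connects(SAMPLE_TRACE):
        print(finding)
```

Passing `expected_ports=(80, 443)` treats plain WebSocket tunnels on port 80 as expected and leaves only other ports flagged.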

Resolution

If you need to use a port other than 80 or 443 for CONNECT (with protocol detection disabled), use the workaround in the KB article below.

Error: "CONNECT to a port other than 443 (the default HTTPS port) is not permitted"