After upgrading to a version of SGOS 6.7.4 with ssl.forward_proxy(https) configured in policy, some sites that users were allowed to access before the upgrade are now denied.
In 6.7.4, when ssl.forward_proxy(https) is configured in policy, some force_deny and force_exception policy rules might deny requests that were allowed in earlier versions of SGOS.
These requests are denied because the following happens when the ProxySG appliance evaluates policy:
force_deny or force_exception rule. In previous versions, the policy condition was not evaluated during SSL.
The following is an example of policy that allows requests from Chrome in SGOS 6.7.3 and earlier, but denies them in SGOS 6.7.4.
<ssl-intercept>
ssl.forward_proxy(https)
<proxy>
request.header.User-Agent.substring="Chrome" allow
force_deny
To prevent HTTP requests from being denied unintentionally, add a guard to policy layers that have force_deny or force_exception rules for HTTP request conditions. The guard ensures the layer is not evaluated during SSL interception. The following is an example of a guard:
<ssl-intercept>
ssl.forward_proxy(https)
<proxy> client.protocol=!ssl
request.header.User-Agent.substring="Chrome" allow
force_deny
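
The following is an added example, not part of the original article or any vendor tooling: a pre-upgrade check in Python that scans CPL text for layers combining force_deny or force_exception with an HTTP request condition but lacking the client.protocol=!ssl guard. It assumes layer headers have the form <name> followed by an optional guard, that full-line comments start with ";", and that "HTTP request conditions" means triggers beginning with request.header. as in the example above; all function and constant names are hypothetical.

```python
import re

# Assumptions (not vendor-documented here): simplified CPL layout with one
# rule per line, "<name> [guard]" layer headers and ";" full-line comments.
LAYER = re.compile(r"^<([^>]+)>\s*(.*)$")
FORCE = re.compile(r"\bforce_(deny|exception)\b")
GUARD = "client.protocol=!ssl"
INTERCEPT = "ssl.forward_proxy(https)"
HTTP_CONDITION = "request.header."  # assumed marker of an HTTP request condition


def unguarded_layers(cpl_text):
    """Return [(line_no, layer_name)] for layers that still need the guard."""
    layers = []
    for no, raw in enumerate(cpl_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = LAYER.match(line)
        if m:  # new layer header, optional guard after the closing ">"
            layers.append({"line": no, "name": m.group(1),
                           "guard": m.group(2), "rules": []})
        elif layers:
            layers[-1]["rules"].append(line)
    # The behaviour change only applies when SSL interception is configured.
    if not any(INTERCEPT in r for l in layers for r in l["rules"]):
        return []
    hits = []
    for l in layers:
        has_force = any(FORCE.search(r) for r in l["rules"])
        has_http = any(HTTP_CONDITION in r for r in l["rules"])
        if has_force and has_http and GUARD not in l["guard"]:
            hits.append((l["line"], l["name"]))
    return hits


# Sample policies taken from the two examples in the article.
UNGUARDED = """<ssl-intercept>
ssl.forward_proxy(https)
<proxy>
request.header.User-Agent.substring="Chrome" allow
force_deny
"""
GUARDED = UNGUARDED.replace("<proxy>", "<proxy> " + GUARD)

if __name__ == "__main__":
    print("unguarded:", unguarded_layers(UNGUARDED))
    print("guarded:  ", unguarded_layers(GUARDED))
```

Each reported tuple gives the line of the layer header to which the guard should be added.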