HTTPS sites not working anymore, nothing changed in conf

Hi, I have a small situation; it seems to be for one website, but it possibly impacts others.

I'm using a community forum in HTTPS.
For a long time it worked fine, but for no reason, for the last 2 days it doesn't work anymore; I got a connection reset from the firewall.

The main website works in HTTPS, but not the forum.
The forum works in HTTP but with a weird appearance.

Here's the traffic monitor:
From the main website in HTTPS, the website works fine:
2023-03-28 08:57:23 Member1 Allow 10.0.3.123 188.166.203.108 https/tcp 59459 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="NLD" rule_name="Default" sni="www.canardpc.com" ipaddress="188.166.203.108"

From the HTTPS forum, I got a connection reset:

2023-03-28 08:57:51 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59468 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
2023-03-28 08:57:51 Member1 Deny 10.0.3.123 163.172.102.71 https/tcp 59468 443 Reseau local FO-SFR HTTPS Request (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="HTTPS-TEST.1" action="drop" geo_dst="FRA" sent_bytes="517" rcvd_bytes="4756" tls_version="TLS_V12" tls_profile="TLS-Viry" sni="forum.canardpc.com" cn="forum.canardpc.com" cert_issuer="CN=R3,O=Let's Encrypt,C=US" cert_subject="CN=forum.canardpc.com" sig_vers="18.256"
2023-03-28 08:57:51 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59469 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
2023-03-28 08:57:51 Member1 Deny 10.0.3.123 163.172.102.71 https/tcp 59469 443 Reseau local FO-SFR HTTPS Request (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="HTTPS-TEST.1" action="drop" geo_dst="FRA" sent_bytes="517" rcvd_bytes="4756" tls_version="TLS_V12" tls_profile="TLS-Viry" sni="forum.canardpc.com" cn="forum.canardpc.com" cert_issuer="CN=R3,O=Let's Encrypt,C=US" cert_subject="CN=forum.canardpc.com" sig_vers="18.256"

From the HTTP forum, it works with a weird appearance:

2023-03-28 08:58:20 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59474 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
2023-03-28 08:58:20 Member1 Deny 10.0.3.123 163.172.102.71 https/tcp 59474 443 Reseau local FO-SFR HTTPS Request (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="HTTPS-TEST.1" action="drop" geo_dst="FRA" sent_bytes="517" rcvd_bytes="4756" tls_version="TLS_V12" tls_profile="TLS-Viry" sni="forum.canardpc.com" cn="forum.canardpc.com" cert_issuer="CN=R3,O=Let's Encrypt,C=US" cert_subject="CN=forum.canardpc.com" sig_vers="18.256"
2023-03-28 08:58:20 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59475 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
2023-03-28 08:58:20 Member1 Deny 10.0.3.123 163.172.102.71 https/tcp 59475 443 Reseau local FO-SFR HTTPS Request (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="HTTPS-TEST.1" action="drop" geo_dst="FRA" sent_bytes="517" rcvd_bytes="4756" tls_version="TLS_V12" tls_profile="TLS-Viry" sni="forum.canardpc.com" cn="forum.canardpc.com" cert_issuer="CN=R3,O=Let's Encrypt,C=US" cert_subject="CN=forum.canardpc.com" sig_vers="18.256"
2023-03-28 08:58:20 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59478 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
2023-03-28 08:58:20 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59477 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
2023-03-28 08:58:20 Member1 Allow 10.0.3.123 163.172.102.71 https/tcp 59480 443 Reseau local FO-SFR ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-TEST.1" geo_dst="FRA" rule_name="Default" sni="forum.canardpc.com" ipaddress="163.172.102.71"
+ multiple lines saying the same

I can't understand why it is behaving like that and what could possibly have changed :/

  • The weird thing is the rule HTTPS-Inspect-TEST is supposed to inspect only HTTPS on 443, not HTTP on 80.

Best Answer

  • Another option is to add an Allow exception on your HTTPS proxy action for forum.canardpc.com

Answers

  • The forum works for me on HTTPS & HTTP using Firefox, Chrome & Opera.
    I'm running Fireware V12.9.2.

    Note that the logs posted for HTTP above show HTTPS TCP port 443 log entries.

    Can you access the forum using an HTTPS packet filter correctly?
    If so, are you blocking some Content Types etc. and not logging it?
    The Deny log record suggests that something is being denied.

  • The logs came from traffic monitor, filtered on canardpc.
    I don't understand why HTTP also has HTTPS traffic :/

    The thing is, the old admins left; when I came to this job they had already left, and I'm trying to get my hands on this firewall.
    It's not easy to understand the web policy; there are several rules for web traffic, but the http-inspect-test is on top, so all web traffic goes through this rule.

    I'm still trying to figure out how the proxy, web blocking, etc. work.

    If I put in a classic HTTPS rule with proxy and no WebBlocker, the site works fine on HTTPS, but I can also access porn or dangerous sites, so not cool :/
    Something might be messing with WebBlocker, or TLS; I can't find what.

  • In this new HTTPS policy - set the To: to the IP addr or FQDN of the forum site - forum.canardpc.com

    Make sure that this policy ends up above the HTTPS-Inspect-TEST policy.

    When a web site is Inspected, the HTTP proxy action specified on the HTTPS proxy action is used to process the packet contents, such as Content Types, URL Paths, etc.

  • With an exception it works fine.
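
To list which hostnames are accepted at the HTTPS domain-name match and then dropped by the inspecting proxy on the same connection, as in the logs posted in this thread, the following added example (not part of any post) pairs Allow and Deny records by flow. The sample lines, hostnames, destination addresses and interface names are constructed, and the function names are hypothetical; the layout and field names follow the Traffic Monitor lines shown above.

```python
import re

# Constructed sample lines in the Traffic Monitor layout shown in the thread;
# hostnames, destination addresses and interface names are placeholders.
SAMPLE = """\
2023-03-28 08:57:23 Member1 Allow 10.0.3.123 192.0.2.10 https/tcp 59459 443 LAN WAN ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" sni="www.example.test"
2023-03-28 08:57:51 Member1 Allow 10.0.3.123 192.0.2.20 https/tcp 59468 443 LAN WAN ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" sni="forum.example.test"
2023-03-28 08:57:51 Member1 Deny 10.0.3.123 192.0.2.20 https/tcp 59468 443 LAN WAN HTTPS Request (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" action="drop" tls_version="TLS_V12" sni="forum.example.test" cert_issuer="CN=R3,O=Let's Encrypt,C=US"
2023-03-28 08:57:51 Member1 Allow 10.0.3.123 192.0.2.20 https/tcp 59469 443 LAN WAN ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" sni="forum.example.test"
2023-03-28 08:57:51 Member1 Deny 10.0.3.123 192.0.2.20 https/tcp 59469 443 LAN WAN HTTPS Request (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" action="drop" tls_version="TLS_V12" sni="forum.example.test"
2023-03-28 08:58:20 Member1 Allow 10.0.3.123 192.0.2.20 https/tcp 59478 443 LAN WAN ProxyAllow: HTTPS domain name match (HTTPS-Inspect-TEST-00) proc_id="https-proxy" rc="590" msg_id="2CFF-0003" sni="forum.example.test"
"""

# date time, cluster member, disposition, src IP, dst IP, protocol, src port, dst port
HEAD = re.compile(r'^(\S+ \S+) (\S+) (Allow|Deny) (\S+) (\S+) (\S+) (\d+) (\d+) ')
KV = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs at the end of the line


def parse(line):
    """Parse one log line into a dict, or return None if it is not a traffic record."""
    m = HEAD.match(line)
    if not m:
        return None
    ts, _member, disp, src, dst, _proto, sport, dport = m.groups()
    rec = dict(KV.findall(line))
    rec.update(ts=ts, disp=disp, flow=(src, sport, dst, dport))
    return rec


def dropped_after_inspection(text):
    """Map each SNI to the (source port, action) of flows allowed, then denied."""
    allowed, result = set(), {}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["disp"] == "Allow":
            allowed.add(rec["flow"])          # passed the domain-name match
        elif rec["flow"] in allowed:          # same connection denied later
            hit = (rec["flow"][1], rec.get("action", "?"))
            result.setdefault(rec.get("sni", "?"), []).append(hit)
    return result


if __name__ == "__main__":
    for sni, hits in dropped_after_inspection(SAMPLE).items():
        print(sni, hits)
```

A hostname that shows up in this output is one the proxy accepted by name and then dropped during content inspection, which is the pattern the Deny records in the thread show for the forum.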
