Increasing number of secure websites are inaccessible

edited August 2021 in Firebox - Proxies

M270, Fireware 12.7
Here's another website I'm having problem accessing. Can anyone access this site with HTTPS proxy rule? https://drink.sparkletts.com/

I have no problem accessing it on my smartphone. It redirects me to https://login.water.com to sign in. On the PC, I got a blank page. It takes me nowhere and I see no errors in the log. I have added *.sparkletts.com and login.water.com in the exception list but I still get a blank page.

What should I do now?

additional info
I notice login.water.com uses TLS 1.3. Could this be the problem? Does my WG and Fireware support TLS 1.3?

Comments

  • I enabled Firefox Developer Tools (F12). It turns out the source of the problem is cdn.contentful.com domain.

    Here's one of the errors:

    OPTIONS /spaces/x1vbd41hpla5/environments/production/entries?content_type=marketingPromotions&fields.title%5Bin%5D=All%20Brands%2Csparkletts&fields.selfServe=true&include=10 HTTP/1.1
    Host: cdn.contentful.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: /
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: authorization,x-contentful-user-agent
    Referer: https://drink.sparkletts.com/
    Origin: https://drink.sparkletts.com
    DNT: 1
    Connection: keep-alive
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site

    So I added cdn.contentful.com in the Allow list and page now redirects to water.com sign in page.

  • no problem for me

  • No problem for me behind my T20-W running 12.7.1 firmware.

    Gregg Hill

  • me too M370 12.7.1

  • That is strange. I upgraded to 12.7.1 but that did not fix the problem. Adding cdn.contentful.com (to bypass inspection) fixes it. I don't get it.

  • flush dns on the PC

  • Shouldn't matter because I can access it now. I'm starting to have problem accessing quite a handful of secure websites. I keep adding them to the no inspection list to be able to access them.

  • It is and always will be a continual need of adding sites unless they come up with some new way of handling HTTPS DPI.

    Gregg Hill

  • edited August 2021

    I spoke too soon. Adding cdn.contentful.com only gets me to the sign in page at https://login.water.com but after signing in, I get a blank page. The site keeps redirecting/refreshing every second and takes me nowhere.

    I don't understand why you both don't have a problem using HTTPS Proxy to access drink.sparkletts.com but I can't access it without making some exceptions. Do you both enable everything in the Predefined Content Inspection Exceptions? I have a few that I don't enable such as Dropbox, Okta, Odrive, Adobe, KakaoTalk, CloudWiFi, Asana, Puffin Web Browser, Zoom, Discord, Logmein, Slack Browser*.

  • @Ron I think your problem is not the HTTPS-Proxy action, but the HTTP-proxy action you are using to do inspect.

    Within the HTTPS-Proxy action, you configure what websites are going to be inspected and what websites are not inspected.

    In the HTTP-Proxy action, you then configure what kind of inspecting is done to the websites.

    You are probably using and “old HTTP-Proxy action” that has many outdated configurations that aren’t really working anymore with modern websites.
    You could change to the new “HTTPS-Client.Standard” action, or copy these settings to your HTTP-Proxy action.
    See: https://www.screencast.com/t/FVp88gqu

  • Thanks for bringing that up, Kimmo. I do use HTTP-Client.Standard.1 which is a copy of HTTP-Client.Standard action. What is this old HTTP-Proxy action you're talking about?

    I'm using a TLS Profile with TLS 1.2 minimum protocol version. That shouldn't matter though.

  • edited August 2021

    I changed my Proxy action from HTTP-Client.Standard.1 to HTTP-Client.Standard (predefined action) and I can access the site. I must have changed something in the cloned action (HTTP-Client.Standard.1) that breaks it. I'm comparing the settings on predefined action and cloned action now.

  • I found the offending setting:

    HTTP-Client.Standard (predefined)
    HTTP Response - Header Fields - If matched: Allow, None matched: Allow

    HTTP-Client.Standard.1 (cloned - currently in use)
    HTTP Response - Header Fields - If matched: Allow, None matched: Strip

    When I change it to None matched: Allow, I can access the site.

    Is this safe? I'm wondering why that setting is there if both actions allow access to the site.

  • Nowadays, many modern websites use custom HTTP “X-” headers and if these custom headers are stripped these websites aren’t working correct anymore.

    So, I would use these new updated “Allowed” HTTP-Proxy actions 😊

    I would also increase the “Set the maximum URL path length to” 16384 from the default 4096 value, both in HTTP Request and HTTP Response General Settings.

    The idea is more to use the Firebox devices UTM security services to protect your networks and users from attacks and harmful data.

  • Yeah, stripping HTTP response headers which are not on the list seems to be the issue here. So allowing all headers is not a security issue? If stripping headers causes more pain, I'll allow all of them.

    Now, about HTTP Response - General Settings, which limits are you referring to, Max line length or Max total length? There are 2 settings there.

  • WG updated in 11.11.1 version (July 2016) default HTTP Proxy Actions to allow all HTTP Request and Response headers.
    I recommend reading all the What’s New in Fireware PPT guides… 😊
    https://www.watchguard.com/wgrd-help/documentation/xtm

    Security is achieved with the UTM security services, not by denying some HTTP headers.

    Proxy actions are powerful tools and better suited to example control web traffic by denying *.exe file downloads
    or denying with example on-line media content (w. headers), etc...

    For normal daily web browsing, I would use the default HTTP-Client.Standard action + UTM Security services!

    HTTP Request / General Settings / Set the maximum URL path length to 16384
    HTTP Response / General Settings / Set the maximum line length to 16384

  • Got it. Thanks again.

Sign In to comment.