ProxySG & Advanced Secure Gateway


SSL interception based on url category returned by icap request

  • 1.  SSL interception based on url category returned by icap request

    Posted Mar 07, 2019 03:58 AM

    Hi,

    I have a Blue Coat ASG used as an explicit proxy. URL filtering is done by way of ICAP requests to an external Olféo solution.

    I wrote a CPL script to intercept a category:

    <ssl-intercept>
    icap_reqmod.header.X-Olfeo-Category="Autres" ssl.forward_proxy(yes)

    But this error occurs:

    Error: Late condition guards early action

    Why is this condition not possible in this layer? Is it possible to intercept SSL or not based on categories returned by ICAP requests?

     

    Best regards



  • 2.  RE: SSL interception based on url category returned by icap request

    Posted Mar 09, 2019 01:07 AM
    Hi Pierre,

    The variation in trigger and property timings implies that within a policy rule a conflict is possible between a condition that can only be tested relatively late in the evaluation sequence and a property that must be set relatively early in the evaluation sequence. Such a rule results in a compile-time error. The error you got is a compile-time error.

    Icap_method.header.header_name=

    1. Can only be used in <proxy>, <cache>, and <exception> layers.
    2. Applies to all HTTP transactions.

    If you are filtering the URL based on Olfeo-category, then you can intercept the connection based on category. You can also use client hostname, IP address, etc. for SSL interception. You can't intercept any connection based on its headers.

    I hope this has been informative for you.

    BR,
    Raunak Tiwari
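
    An added illustration of the reply above, not policy from either poster or from the vendor: the rejected rule, commented out, next to rules keyed on the kinds of condition the reply names (category, client IP address). The category name and the subnet are constructed placeholders, and the sketch assumes the category is one the proxy can resolve itself rather than one returned over ICAP.

```cpl
<ssl-intercept>
    ; Rejected at compile time with "Late condition guards early action":
    ; the ICAP REQMOD header is a late condition, while the interception
    ; property has to be set early.
    ; icap_reqmod.header.X-Olfeo-Category="Autres" ssl.forward_proxy(yes)

    ; Category resolved by the proxy itself (placeholder name, assumption).
    category="Placeholder_Category" ssl.forward_proxy(yes)

    ; Client source address (constructed documentation subnet).
    client.address=192.0.2.0/24 ssl.forward_proxy(yes)
```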