Summary
You have an application which is attempting to access HTTPS URLs containing an IP address which are missing their SNI header. You may be seeing HTTP code 0
in the Smoothwall logs.
Problem
You have created a transparent web proxy authentication policy, with either Allow Transparent HTTPS incompatible sites or Allow Transparent HTTPS incompatible sites and filter other using name from certificate as selected Behavior. But users are still unable to browse to HTTPS sites that have an IP address in the URL.
As the URL lacks an SNI header, by default, the Smoothwall Filter will not send the request upstream because it cannot be verified.
Solution
It is possible to add these URLs to the inbuilt SNI bypass category.
- Run a
WHOIS
query for the IP address and note the CIDR block that it is in see our help topic, Identifying malicious hosts. - Use a CIDR calculator such as the CIDR utility tool to generate a regular expression for the IP address in question. For example:
132\.245(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}
- Edit the Transparent HTTPS Incompatible Sites category (under Standard Categories).
- Add the calculated regular expression to URL patterns.