We recently had an issue where a few of our Blue Coat ProxySG appliances were failing to connect to a specific URL. We would continually get the “TCP Error” banner from the Blue Coat proxy servers when trying to reach this website. We had no issues connecting directly (outside of the ProxySG appliances), so the proxy servers were the immediate suspect.
Thankfully there’s a way to quickly and easily test access to a specific URL from the CLI of the Blue Coat ProxySG appliances.
SG800#test http get ? <url>
So I performed a quick test from the CLI:
SG800#test http get http://someurlsomewhere.com
Type escape sequence to abort.
Executing HTTP get test
* HTTP request header sent:
GET http://someurlsomewhere.com HTTP/1.0
Host: someurlsomewhere.com
User-Agent: HTTP_TEST_CLIENT

* HTTP response header recv'd:
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1329

Measured throughput rate is 0.03 Kbytes/sec
HTTP get test passed
It was easy to see immediately that the web server was returning a 503 error to the proxy server, something that was impossible to see from the client browser and difficult to locate in the log files. Note that the test still reports “HTTP get test passed”: the test only confirms that the HTTP exchange completed, so you have to read the response status yourself.
The hosting company for the server in question eventually resolved the issue when they removed the automatic blacklisting of the proxy server’s public IP address. The blacklist had been triggered after too many people failed to authenticate properly (the website in question was password protected), and because every user behind the proxy shares its public IP, those failures all counted against one address.
Here’s the test when it worked properly, returning a 401 error requiring the user to authenticate:
SG800#test http get http://someurlsomewhere.com
Type escape sequence to abort.
Executing HTTP get test
* HTTP request header sent:
GET http://someurlsomewhere.com HTTP/1.0
Host: someurlsomewhere.com
User-Agent: HTTP_TEST_CLIENT

* HTTP response header recv'd:
HTTP/1.1 401 Authorization Required
Date: Wed, 11 Aug 2010 15:40:31 GMT
Server: Apache/2.2.3 (CentOS)
WWW-Authenticate: Basic realm="For Acme Health only..."
Content-Type: text/html; charset=iso-8859-1
Cache-Control: proxy-revalidate
Content-Length: 479
Connection: close
Proxy-support: Session-based-authentication

Measured throughput rate is 4.50 Kbytes/sec
HTTP get test passed
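The two transcripts above are easy to misread because the last line always says “passed”. Here is an added example (not from the original post, and not Blue Coat code) that pulls the origin’s status line out of a `test http get` transcript and turns it into the diagnosis made by eye above; the transcript is constructed to mirror the 503 run, and the function names are my own.

```python
import re

# Constructed transcript mirroring the 503 run shown above (not captured
# from a real appliance); the 401 run has the same shape.
TRANSCRIPT_503 = """SG800#test http get http://someurlsomewhere.com
Type escape sequence to abort.
Executing HTTP get test
* HTTP request header sent:
GET http://someurlsomewhere.com HTTP/1.0
Host: someurlsomewhere.com
User-Agent: HTTP_TEST_CLIENT
* HTTP response header recv'd:
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Length: 1329
Measured throughput rate is 0.03 Kbytes/sec
HTTP get test passed
"""

def response_block(transcript: str) -> str:
    """Return only the response header lines from a `test http get` transcript."""
    start = transcript.index("* HTTP response header recv'd:")
    end = transcript.index("Measured throughput", start)
    return transcript[start:end].split("\n", 1)[1]

def parse_status(block: str):
    """Split a response header block into (code, reason, {name: value})."""
    lines = block.strip().splitlines()
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})\s*(.*)", lines[0])
    if not m:
        raise ValueError("no HTTP status line in: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2).strip(), headers

def diagnose(transcript: str) -> str:
    """One-line reading of what the origin told the proxy; 'test passed' only
    means the HTTP exchange completed, not that the site is usable."""
    code, reason, headers = parse_status(response_block(transcript))
    if code == 401:
        realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
        return "auth required" + (" (realm %r)" % realm.group(1) if realm else "")
    if code == 503:
        return "origin refusing the proxy: 503 %s" % reason
    if 200 <= code < 300:
        return "ok"
    return "unexpected %d %s" % (code, reason)
```

Paste a real transcript in place of the constructed one; a 503 with `Proxy-Connection: close` and no `Server` header, as in the first run, is the pattern that pointed at a block in front of the origin rather than the proxy itself.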
Cheers!
Yannick says
Hi, Michael!
I have a question for you; maybe you have the answer…
We have a problem with our bluecoats with a simple reverse proxy with SSL configuration.
Just to explain, we have a server in our production network with a web server running on port 8080 in plain HTTP.
This server needs to be available from the Internet but with SSL.
But the problem is, when we connect to the site in HTTPS and we authenticate, the web site just does nothing (as if we refreshed the page). Weird…
I followed the standard configuration provided by Blue Coat; at the end of the document they talk about two-way URL rewriting but I don’t understand it.
Can you explain this to me? Did you have this problem too?
Thanks for your help and sorry for my poor English (I’m French, BTW).
Regards.
Michael McNamara says
Hi Yannick,
Your English is quite good so no worries there. The Blue Coat ProxySG appliance can act as a reverse proxy and even terminate SSL sessions allowing you to offload the SSL encryption from the web server.
You’re probably referring to this document from Blue Coat: Reverse Proxy with SSL – ProxySG Technical Brief
You need to rewrite the URLs returned by the web server so the client will be able to communicate with the proxy server. In the technical note they provide you a basic example of how to rewrite the URL https://www.example.com to http://www.examplewebserver.com. This will work but only for the very basic of web servers / web applications. If you have a complex web application and/or content you’ll need to investigate other solutions that allow you to publish “internal” web applications to Internet clients.
We currently use the Juniper SSL VPN appliance in core rewriter mode as a reverse proxy on steroids. The Juniper SSL VPN appliance takes care of all the URL rewriting and everything else involved in publishing internal applications.
Cheers!
Ronaldo Gonzales says
Hi Michael,
I want to upgrade my Blue Coat 800 and 400 series models but I can’t do it because my license has already expired. Can you provide me the URL of the SGOS 5.4.5.1, 5.5.4.1 and 6.2.2.1 images (both 400 and 800)? Thanks in advance. Ronaldo
Michael McNamara says
Hi Ronaldo,
I don’t provide any software for any of the equipment I work with. You’ll need to take up your issue with your Blue Coat sales team.
Sorry!
Tim Siegel says
Can Blue Coat appliance do HTTPS / SSL caching?
I would like to cache large files and images on the Blue Coat at remote locations for event hosting. The files are served over HTTPS. Is there any way to cache the files for local user access?
Regards,
Tim
Michael McNamara says
Hi Tim,
I don’t believe it can perform caching of HTTPS/SSL traffic. I believe this is also true of the actual web browsers – there’s no caching of encrypted objects. The Blue Coat ProxySG appliances do support SSL intercept, where they can proxy the HTTPS/SSL connection and provide “filtering”.
Cheers!
Pascal Tolenaar says
You will get caching within HTTPS if you do SSL offloading or termination on the SG. The S part of HTTPS is just there to secure the communication channel. It won’t influence the way caching is performed by either the browser or the proxy. They will just follow the cache directives as described in the HTTP RFCs for 0.9/1.0 and 1.1.
Elisvan Ferreira says
I’m sorry, my English is not very good.
I have a problem with my network.
My infrastructure: (NAT) -> firewall (rules) -> reverse proxy -> load balancer (web application).
Many of the connections get the HTTP/1.1 400 Bad Request error.
I’m seeing in the proxy logs that there are malformed packages, but I’m not getting to the solution. Has anyone had this problem?
Michael McNamara says
Very difficult to say without seeing some real data… what are you using as the reverse proxy, Blue Coat?
Cheers!