The Sophos Web Appliance is breaking up HTTPS connections even though HTTPS scanning is disabled.
This article describes the behavior of the Sophos Web Appliance (SWA) with HTTPS connections if a website/path is configured in the local site list (LSL).
Applies to the following Sophos products and versions: Sophos Web Appliance
A customer complains that the SWA is breaking up HTTPS connections even though HTTPS scanning is disabled. The customer is aware that URIs blocked by the SWA will have SWA-signed certificates. However, there are websites with SWA-signed certificates that are allowed according to the policy.
When accessing https://ads.google.com/jsapi, a categorization lookup of the host (ads.google.com) will show Advertisements & Pop-ups as the category. As expected, the default policy finds that it is a category block.
In either of these cases, the SSL connection is broken because we either need to serve a block page or continue to serve the rest of the page because of the LSL exception.
If the website that is being accessed includes a path/query parameter, and the website is otherwise blocked for any reason, the appliance may need to decrypt the HTTPS traffic even if HTTPS scanning is turned off in order to apply the correct policy.
If this decryption is not done, path/query URLs will not work. You cannot do LSL exceptions that have a path/query for HTTPS connections.
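The decision flow described above can be modeled as follows. This is an added example, not Sophos code: the policy tables, the prefix matching of LSL paths and the function names are assumptions made for illustration, and the LSL entry for ads.google.com/jsapi is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample policy data (not taken from a real appliance).
HOST_CATEGORY = {
    "ads.google.com": "Advertisements & Pop-ups",
    "www.example.org": "General Interest",
}
BLOCKED_CATEGORIES = {"Advertisements & Pop-ups"}
# LSL allow entries as (host, path prefix). Prefix matching is an assumption.
LSL_ALLOW = [("ads.google.com", "/jsapi")]


def connect_stage(host):
    """Decision available from 'CONNECT host:443' alone: the path is not visible yet."""
    category = HOST_CATEGORY.get(host, "Uncategorized")
    if category not in BLOCKED_CATEGORIES:
        return "tunnel"      # passed through, client sees the origin certificate
    # Host is blocked: serving a block page or honouring a path exception
    # both require the proxy to terminate TLS itself.
    return "intercept"


def evaluate(url):
    """Return (certificate the client sees, final verdict) for an HTTPS URL."""
    parts = urlsplit(url)
    host = parts.hostname
    if connect_stage(host) == "tunnel":
        return ("origin", "allow")
    # Only after decryption can the path be compared with the LSL entries.
    path = parts.path or "/"
    for lsl_host, prefix in LSL_ALLOW:
        if host == lsl_host and path.startswith(prefix):
            return ("appliance-signed", "allow (LSL exception)")
    return ("appliance-signed", "block page")


if __name__ == "__main__":
    for u in ("https://ads.google.com/jsapi",
              "https://ads.google.com/other",
              "https://www.example.org/index.html"):
        print(u, "->", evaluate(u))
```

The first URL is the case the customer reports: the request is allowed by policy, yet the client sees an appliance-signed certificate because the path exception could only be evaluated after decryption.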