Enabling HTTPS web proxy
HTTPS web proxy allows caching of SSL-encrypted content. HTTPS web proxy is required for YouTube caching. This topic includes:
•  Prerequisites
•  YouTube caching
•  In-path pass-through rule
•  Adding domains to the whitelist for HTTPS
•  Viewing push status
Server certificates are automatically generated and renewed based on the domain whitelist on the SCC. The decryption key and certificate are stored in the secure store on the client-side SteelHead.
Prerequisites
These prerequisites are required for HTTPS web proxy:
•  Certificate Authority (CA) service must be configured on the SCC.
•  CA certificate must be trusted by the clients and browsers.
•  CA certificate has a default validity of 365 days.
•  CA certificates are automatically renewed when within two days of expiration.
•  CA certificate validity checks occur every 24 hours.
•  If a CA certificate can’t be renewed, the default behavior is to no longer serve the expired certificate.
•  If renewal fails, an error is logged, and traffic isn’t decrypted for that domain.
YouTube caching
YouTube caching is enabled by default. Caching for YouTube uses a heuristic algorithm based on observed traffic flow that automatically learns the key to cache YouTube traffic. Because YouTube traffic is typically encrypted, HTTPS web proxy optimization must be enabled. You must add these domains to the HTTPS domain whitelist:
•  *.googlevideo.com
•  *.youtube.com
In SCC 9.8, you can view YouTube cache usage statistics. For more information, see Viewing web proxy reports.
YouTube caching is not supported on Firefox and mobile browsers.
In-path pass-through rule
A default pass-through rule for all secure-ports traffic sits above the default in-path rule and prevents all traffic to port 443 from being intercepted.
If HTTPS proxying is required, a pass-through rule must be added above the secure-ports rule to direct SSL traffic to the web proxy, with these options:
•  Type: Pass Through
•  Web Proxy: Force
•  Port: Any port or port-label specified is proxied. This value results in plain TCP proxying without optimizations if the traffic isn’t detected to be HTTP or HTTPS.
To enable HTTPS decryption and caching
1. Make sure the client-side SteelHead has the ability to access Internet traffic from the in-path interface. For details, see To configure web proxy on the client-side SteelHead.
2. Configure the CA on the SCC. For details, see To configure the CAAS on the SCC.
3. Make sure that the CA is configured on the client browser for all domains defined in the web proxy whitelist.
4. Choose Manage > Optimization: Web Proxy to display the Web Proxy page.
5. Select Enable HTTPS Optimization to enable HTTPS caching.
6. Click Save to save your setting permanently.
7. If necessary, define a pass-through rule for port 443 traffic and push it to appliances.
Adding domains to the whitelist for HTTPS
You add a list of domains that you want to decrypt for HTTPS caching. The domain names can either be hostnames (for example, myhost.riverbed.com) or wildcard domain names (for example, *.riverbed.com).
To add domains to the global HTTPS whitelist
1. Choose Manage > Optimization: Web Proxy to display the Web Proxy page.
2. Under Global HTTP Whitelist, click + Add Domain to display the pop-up window.
3. Specify the domain name and click Add Domain. The domain appears in the global HTTPS whitelist table.
Important: For HTTPS web proxy, before adding domains, make sure that the SCC CA is trusted by all client browsers defined in the domain whitelist.
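Because every whitelisted domain is decrypted on the client-side SteelHead, it helps to check a proposed whitelist against the hostnames you actually see before entering it. The following is an added example, not Riverbed code: the function names are hypothetical, and it assumes that a wildcard entry such as *.riverbed.com covers any subdomain but not the bare domain, which may differ from the appliance's own matching.

```python
# Added example: audit a proposed HTTPS whitelist before entering it on the SCC.
# Assumption: "*.example.com" covers any subdomain but not the bare "example.com".
import re

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(entry):
    """Return a canonical lowercase entry, or raise ValueError if malformed."""
    e = entry.strip().lower().rstrip(".")
    wildcard = e.startswith("*.")
    base = e[2:] if wildcard else e
    labels = base.split(".")
    if "*" in base or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a hostname or leading-wildcard domain: {entry!r}")
    if wildcard and len(labels) < 2:
        raise ValueError(f"wildcard too broad (covers a whole TLD): {entry!r}")
    return e

def matching_entry(host, whitelist):
    """Return the whitelist entry that puts `host` in decryption scope, else None."""
    h = host.strip().lower().rstrip(".")
    for e in map(normalize, whitelist):
        if e.startswith("*."):
            if h.endswith(e[1:]):      # e[1:] is ".example.com"
                return e
        elif h == e:
            return e
    return None

def audit(whitelist, observed_hosts):
    """Map each observed host to the entry that covers it (None = not decrypted)."""
    return {h: matching_entry(h, whitelist) for h in observed_hosts}

if __name__ == "__main__":
    # Constructed sample data: the entries named on this page plus test hosts.
    wl = ["*.googlevideo.com", "*.youtube.com", "myhost.riverbed.com"]
    hosts = ["www.youtube.com", "youtube.com", "r3.sn-abc.googlevideo.com",
             "myhost.riverbed.com", "other.riverbed.com"]
    for host, entry in audit(wl, hosts).items():
        print(f"{host:28} {'decrypt via ' + entry if entry else 'not whitelisted'}")
```

Hosts reported as not whitelisted are the ones that would not be decrypted and cached; an entry rejected by normalize() should be corrected before it is added.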
What happens to whitelist exceptions in 9.5 or later?
In SCC 9.5 or later, you can no longer configure exceptions to the whitelist. After an upgrade to 9.5 or later, all exceptions to the whitelist are treated as a separate profile.
Before you upgrade, the whitelist exceptions are listed in the Exceptions list.
Figure: Before upgrade exceptions list
After you upgrade to 9.5, all your whitelist exceptions are listed as such in the Site and Site Type Profiles list.
Figure: After upgrade exceptions listed under profiles