Stay organized with collections
Save and categorize content based on your preferences.
Rule evaluation determines whether a web request should be allowed or denied by
using the rules that you set in your policy. It considers the following attributes
to make its decisions:
Priority of a rule: Lower integers indicate higher priorities.
SessionMatcher: Matches against the following session level attributes:
IP address of the source machine
Service account of the source machine
Secure Tag of the source machine
Hostname of the target machine
ApplicationMatcher: Matches against the following HTTP request attributes:
The highest priority rule that matches the SessionMatcher and
ApplicationMatcher attributes determines the action to be taken on
the traffic.
If the request does not match the SessionMatcher and ApplicationMatcher
attributes of that rule, the next rule with the highest priority is evaluated.
This process continues until a rule is found that matches the request, or all
the rules have been evaluated. If no match is found, the request is denied.
Before you configure TLS inspection
You must understand the following rule-evaluation scenarios before
you configure TLS inspection:
A client can send an HTTP request to the proxy server. The request
is then evaluated by using all the available data, including the hostname,
source identity, HTTP headers, and path.
If the request is allowed, the HTTP traffic is sent to the destination.
However, if the request is denied, the HTTP traffic is not allowed to pass.
A client can send the proxy an HTTP CONNECT request to establish a TCP
tunnel to the destination. This is done when the client wants to send
arbitrary TCP traffic or establish an end-to-end TLS connection with
the destination through the proxy, as with HTTPS.
If a rule has a matching SessionMatcher attribute and does not contain
an ApplicationMatcher attribute, and the rule evaluation results in
allowing the traffic, then a tunnel to the destination is established
and the traffic is TCP-proxied. This applies to HTTPS and TCP traffic.
If higher priority rules are unable to determine the action to be taken
on a request, then the rule evaluation continues. If the evaluation
proceeds to a rule with an ApplicationMatcher attribute, then the
tunneled traffic is interpreted as HTTP or HTTPS.
If the underlying data is not HTTP or HTTPS, then the connection fails.
If the underlying data is HTTP, then the requests are evaluated, including
the hostname, source identity, HTTP headers, and path. Based on the
evaluation result, the traffic is either allowed or denied.
For HTTPS traffic, a rule is evaluated only if it has the TLS inspection
flag enabled; otherwise, that rule is skipped.
For HTTPS traffic, a rule is inspected only if the following conditions are true:
The TLS inspection flag is enabled.
Traffic matches the SessionMatcher attributes.
Recommendations for configuring TLS inspection rules
If you want to allow TCP traffic, then the rule that allows TCP traffic
must have a higher priority than the rules that allow HTTP traffic.
Rules with the ApplicationMatcher attribute should be tightly scoped
by using the SessionMatcher attribute to minimize the interpretation
of unrelated flows as HTTP.
Rules that allow TLS (including HTTPS) traffic but do not perform TLS
inspection can be interpreted as TCP proxy rules.
To avoid unnecessary TLS inspection of traffic, TLS inspection rules
should be lower in priority than non-TLS inspection rules. Alternatively,
to fail fast for non-matching traffic, TLS inspection rules should be
tightly scoped by using the SessionMatcher attribute.
Examples of TLS inspection rule configurations
Consider the two rules in the following examples.
Example 1
In this example, we assume the presence of other lower priority rules.
Consider the following two rules:
In this example, Secure Web Proxy interprets the two rules as follows:
Allowing TCP traffic but disallowing a specific type of HTTP request
is mutually exclusive because the TCP traffic can contain a POST request.
Traffic in rule 2 is never allowed. It is denied because the traffic
from tag 12345 to example.com is intercepted and interpreted as HTTP
to evaluate the HTTP method.
For rule 2 to take effect, you can use either of the following solutions:
Recommended: Increase the priority of rule 2 to a higher level (priority: 5).
Scope rule 1 to avoid overlapping the allowed traffic with its SessionMatcher
attribute:
In this example, Secure Web Proxy interprets the two rules as follows:
All traffic, including that destined for bankofamerica.com, is
inspected for TLS to match the request.url() of the high priority rule 1.
To avoid TLS inspection in rule 2, you can use either of the following
solutions:
Increase the priority of rule 2 to a higher level (priority: 5).
As a result, rule 2 is applied before evaluating rule 1, and
traffic from bankofamerica.com is allowed without being TLS inspected.
Recommended: Narrow the scope of rule 1 to allow TLS inspection
specifically for the github.com domain. To narrow the scope,
add a targeted sessionMatcher attribute:
sessionMatcher: host() == 'github.com'
Limitations
You must consider these limitations before configuring TLS inspection:
Servers are only verified by using public root certificates. The root
certificate authority (CA) set is based on the
Mozilla Root Program.
The behavior of certificate verification is subject to change and
corresponds to how web browsers verify certificates.
Because backend verification is not possible at this time,
traffic to servers with private or self-signed certificates cannot be
intercepted.
Secure Web Proxy does not run certificate revocation list (CRL) checks.
For TLS inspection to work, clients must currently send Server Name
Indication (SNI). SNI is a TLS specification extension that is optional,
but most clients enable it by default.
TLS inspection does not work if the client requires
Encrypted Client Hello (ECH)
(formerly known as Encrypted SNI).
ECH is a draft IETF standard that allows clients to encrypt the beginning
of the TLS handshake by using a pre-established server key. Because TLS
inspection is acting as an intercepting proxy, it does not have access
to that pre-established server key. As a result, ECH does not function.
Clients must be configured to trust your private root certificate.
If you remove CAs from your private CA pool, you are served cached
certificates signed by that CA for up to 28 hours. To prevent using
the cached certificates, you can update your TLS inspection policy to
point to a new CA pool. As a result, Secure Web Proxy is forced to
generate new certificates.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Rule evaluation order\n\nRule evaluation determines whether a web request should be allowed or denied by\nusing the rules that you set in your policy. It considers the following attributes\nto make its decisions:\n\n- **Priority of a rule:** Lower integers indicate higher priorities.\n- **SessionMatcher:** Matches against the following session level attributes:\n - IP address of the source machine\n - Service account of the source machine\n - Secure Tag of the source machine\n - Hostname of the target machine\n- **ApplicationMatcher:** Matches against the following HTTP request attributes:\n - URL\n - Path\n - Request headers\n\nFor a list of all the `SessionMatcher` and `ApplicationMatcher` attributes, see\n[Available attributes in `SessionMatcher` and `ApplicationMatcher`](/secure-web-proxy/docs/cel-matcher-language-reference?cloudshell=false#available-attributes-in-sessionmatcher-and-applicationmatcher).\n\nHow rule evaluation works\n-------------------------\n\nThe rules are evaluated in the following order:\n\n1. High-priority rules are evaluated first.\n2. The highest priority rule that matches the `SessionMatcher` and `ApplicationMatcher` attributes determines the action to be taken on the traffic.\n3. If the request does not match the `SessionMatcher` and `ApplicationMatcher` attributes of that rule, the next rule with the highest priority is evaluated.\n4. This process continues until a rule is found that matches the request, or all the rules have been evaluated. If no match is found, the request is denied.\n\nBefore you configure TLS inspection\n-----------------------------------\n\nYou must understand the following rule-evaluation scenarios *before*\nyou configure TLS inspection:\n\n- A client can send an HTTP request to the proxy server. The request\n is then evaluated by using all the available data, including the hostname,\n source identity, HTTP headers, and path.\n\n If the request is allowed, the HTTP traffic is sent to the destination.\n However, if the request is denied, the HTTP traffic is not allowed to pass.\n- A client can send the proxy an HTTP CONNECT request to establish a TCP\n tunnel to the destination. This is done when the client wants to send\n arbitrary TCP traffic or establish an end-to-end TLS connection with\n the destination through the proxy, as with HTTPS.\n\n- If a rule has a matching `SessionMatcher` attribute and does not contain\n an `ApplicationMatcher` attribute, and the rule evaluation results in\n allowing the traffic, then a tunnel to the destination is established\n and the traffic is TCP-proxied. This applies to HTTPS and TCP traffic.\n\n- If higher priority rules are unable to determine the action to be taken\n on a request, then the rule evaluation continues. If the evaluation\n proceeds to a rule with an `ApplicationMatcher` attribute, then the\n tunneled traffic is interpreted as HTTP or HTTPS.\n\n If the underlying data is not HTTP or HTTPS, then the connection fails.\n\n If the underlying data is HTTP, then the requests are evaluated, including\n the hostname, source identity, HTTP headers, and path. Based on the\n evaluation result, the traffic is either allowed or denied.\n- For HTTPS traffic, a rule is evaluated only if it has the TLS inspection\n flag enabled; otherwise, that rule is skipped.\n\n- For HTTPS traffic, a rule is inspected only if the following conditions are true:\n\n - The TLS inspection flag is enabled.\n - Traffic matches the `SessionMatcher` attributes.\n\nRecommendations for configuring TLS inspection rules\n----------------------------------------------------\n\n- If you want to allow TCP traffic, then the rule that allows TCP traffic must have a higher priority than the rules that allow HTTP traffic.\n- Rules with the `ApplicationMatcher` attribute should be tightly scoped by using the `SessionMatcher` attribute to minimize the interpretation of unrelated flows as HTTP.\n- Rules that allow TLS (including HTTPS) traffic but do not perform TLS inspection can be interpreted as TCP proxy rules.\n- To avoid unnecessary TLS inspection of traffic, TLS inspection rules should be lower in priority than non-TLS inspection rules. Alternatively, to *fail fast* for non-matching traffic, TLS inspection rules should be tightly scoped by using the `SessionMatcher` attribute.\n\nExamples of TLS inspection rule configurations\n----------------------------------------------\n\nConsider the two rules in the following examples.\n\n### Example 1\n\nIn this example, we assume the presence of other lower priority rules.\nConsider the following two rules:\n\n- Rule 1\n\n description: do not allow POST requests\n priority: 10\n basicProfile: DENY\n sessionMatcher: true\n tlsInspectionEnabled: true\n applicationMatcher: request.method == 'POST'\n\n- Rule 2\n\n description: allow TCP proxying from tag 12345 to example.com\n priority: 20\n basicProfile: ALLOW\n sessionMatcher: source.matchTag('tagValues/12345') && host() == 'example.com'\n\nIn this example, Secure Web Proxy interprets the two rules as follows:\n\n- Allowing TCP traffic but disallowing a specific type of HTTP request is mutually exclusive because the TCP traffic can contain a POST request.\n- Traffic in rule 2 is never allowed. It is denied because the traffic from tag 12345 to example.com is intercepted and interpreted as HTTP to evaluate the HTTP method.\n- For rule 2 to take effect, you can use either of the following solutions:\n\n - Recommended: Increase the priority of rule 2 to a higher level (priority: 5).\n - Scope rule 1 to avoid overlapping the allowed traffic with its `SessionMatcher`\n attribute:\n\n `sessionMatcher: !(source.matchTag('tagValues/12345') && host() == 'example.com')`\n\n We do not recommend this solution because it becomes difficult to\n maintain many overlapping rules.\n\n### Example 2\n\nConsider the following two rules:\n\n- Rule 1\n\n description: allow to specific GitHub repository (TLS inspect to match specific path)\n priority: 10\n basicProfile: ALLOW\n sessionMatcher: true\n tlsInspectionEnabled: true\n applicationMatcher: request.url().startsWith('github.com/grpc/grpc')\n\n- Rule 2\n\n description: allow TCP proxying from tag 12345 to example.com\n priority: 20\n basicProfile: ALLOW\n sessionMatcher: host() == 'bankofamerica.com'\n\nIn this example, Secure Web Proxy interprets the two rules as follows:\n\n- All traffic, including that destined for `bankofamerica.com`, is inspected for TLS to match the `request.url()` of the high priority rule 1.\n- To avoid TLS inspection in rule 2, you can use either of the following\n solutions:\n\n - Increase the priority of rule 2 to a higher level (priority: 5). As a result, rule 2 is applied before evaluating rule 1, and traffic from `bankofamerica.com` is allowed without being TLS inspected.\n - Recommended: Narrow the scope of rule 1 to allow TLS inspection\n specifically for the `github.com` domain. To narrow the scope,\n add a targeted `sessionMatcher` attribute:\n\n `sessionMatcher: host() == 'github.com'`\n\nLimitations\n-----------\n\nYou must consider these limitations *before* configuring TLS inspection:\n\n- Servers are only verified by using public root certificates. The root\n certificate authority (CA) set is based on the\n [Mozilla Root Program](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/).\n The behavior of certificate verification is subject to change and\n corresponds to how web browsers verify certificates.\n\n Because backend verification is not possible at this time,\n traffic to servers with private or self-signed certificates cannot be\n intercepted.\n- Secure Web Proxy does not run certificate revocation list (CRL) checks.\n\n- For TLS inspection to work, clients must currently send Server Name\n Indication (SNI). SNI is a TLS specification extension that is optional,\n but most clients enable it by default.\n\n- TLS inspection does not work if the client requires\n [Encrypted Client Hello (ECH)](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/)\n (formerly known as Encrypted SNI).\n\n ECH is a draft IETF standard that allows clients to encrypt the beginning\n of the TLS handshake by using a pre-established server key. Because TLS\n inspection is acting as an intercepting proxy, it does not have access\n to that pre-established server key. As a result, ECH does not function.\n- Clients must be configured to trust your private root certificate.\n\n- If you remove CAs from your private CA pool, you are served cached\n certificates signed by that CA for up to 28 hours. To prevent using\n the cached certificates, you can update your TLS inspection policy to\n point to a new CA pool. As a result, Secure Web Proxy is forced to\n generate new certificates."]]
