
HTTPS Decryption and WebSockets

Question: If we enable HTTPS decryption, WebSocket connections start to fail. Why? Is it possible to automatically exclude all WebSocket connections from decryption?

Answer: The WebSocket connection is established after the tunnel from the browser to the proxy server has already been set up, so it is not possible to automatically prevent such tunnels from being decrypted.

After a tunnel is decrypted, the proxy inspects the incoming request and processes it. Only after processing the origin server's response to that request does the proxy know that this was indeed a WebSocket connection, but by then the tunnel has already been decrypted.

So it is not possible to automatically exclude all WebSocket connections from decryption while HTTPS decryption is in place. It is still possible to automatically exclude WebSocket connections for specific origin servers: just add the server to the global exclusions.
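
The ordering described above, as an added Python illustration (not the proxy's own code): the decrypt-or-bypass decision is made on the cleartext CONNECT request, which carries only the host, while the Upgrade header and the 101 response exist only inside the tunnel. The function names, the sample messages for chat.example.com and the plain hostname list standing in for the global exclusions are all assumptions.

```python
# Added illustration; message bytes and the exclusion list are constructed samples.

# What the proxy receives in cleartext when the browser opens the tunnel.
CONNECT_REQUEST = (b"CONNECT chat.example.com:443 HTTP/1.1\r\n"
                   b"Host: chat.example.com:443\r\n\r\n")

# What travels inside the TLS tunnel; readable only after decryption.
INNER_REQUEST = (b"GET /socket HTTP/1.1\r\n"
                 b"Host: chat.example.com\r\n"
                 b"Connection: Upgrade\r\n"
                 b"Upgrade: websocket\r\n\r\n")
INNER_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\n"
                  b"Connection: Upgrade\r\n"
                  b"Upgrade: websocket\r\n\r\n")

def parse_headers(raw):
    """Return (start_line, {lowercased header name: value}) for one HTTP message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def connect_host(raw):
    """Host from a CONNECT start line: the only target data visible pre-decryption."""
    start, _ = parse_headers(raw)
    method, authority, _version = start.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    return authority.rsplit(":", 1)[0].lower()

def should_decrypt(connect_raw, exclusions):
    """Tunnel-time decision: can depend on the host, never on the Upgrade header."""
    return connect_host(connect_raw) not in {h.lower() for h in exclusions}

def is_websocket(request_raw, response_raw):
    """Needs the decrypted request and the origin's 101 response to answer."""
    _, req = parse_headers(request_raw)
    status, resp = parse_headers(response_raw)
    return (req.get("upgrade", "").lower() == "websocket"
            and status.split(" ")[1] == "101"
            and resp.get("upgrade", "").lower() == "websocket")

if __name__ == "__main__":
    print("decrypt, no exclusion:", should_decrypt(CONNECT_REQUEST, []))
    print("decrypt, host excluded:", should_decrypt(CONNECT_REQUEST, ["chat.example.com"]))
    print("websocket (known only after decryption):", is_websocket(INNER_REQUEST, INNER_RESPONSE))
```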