Scanning HTTPS (SSL) traffic - F-Secure Community
<main> <article class="userContent">
Scanning HTTPS (SSL) traffic
<p>This article describes how F-Secure Internet Gatekeeper for Linux handles HTTPS (SSL) traffic, and how to deploy it so that the content of HTTPS transactions can be scanned.</p>
<p>Because HTTPS (SSL) traffic is encrypted end to end, F-Secure Internet Gatekeeper for Linux cannot scan the contents of a file carried over it. The product can still pass HTTPS transactions through, and with the reverse-proxy setup described below it can scan them after the SSL connection has been terminated.</p>
<p><strong>To protect internal clients</strong></p>
<p>When the product protects internal clients, HTTPS transfers are passed through, but because the data is still encrypted when it reaches the proxy, its contents cannot be scanned. The client opens a tunnel through the HTTP proxy with the CONNECT method (RFC 2817); the product learns only the destination host and port and relays the encrypted bytes unchanged:</p>
<pre class="code codeBlock" spellcheck="false">Client
  | (SSL (HTTPS) over HTTP proxy, port 9080)
This product
  | (HTTPS, port 443)
Internet
  | (HTTPS, port 443)
Web server</pre>
<p><strong>To protect a web site</strong></p>
<p>If you use the product to scan connections to specific web servers, scanning must happen after SSL decryption. Place the product between an SSL proxy/SSL accelerator and the web server, and run the product as a reverse proxy. The connection flow is then the following:</p>
<pre class="code codeBlock" spellcheck="false">Client
  | (HTTPS, port 443)
Internet
  | (HTTPS, port 443)
SSL proxy/SSL accelerator
  | (HTTP, port 80)
This product
  | (HTTP, port 80)
Web server</pre>
<p>For example, Apache can act as the SSL proxy. With the product placed on the plain HTTP leg of the connection, the decrypted content can be scanned for malware:</p>
<pre class="code codeBlock" spellcheck="false">Client
  | (HTTPS)
Internet
  | (HTTPS)
Apache-SSL proxy
  | (HTTP)
This product
  | (HTTP)
Web server</pre>
<p>The Apache-SSL proxy, the product, and the web server can also run on separate servers. Note that the hops between Apache, the product, and the web server then carry plain HTTP, so keep them on the loopback interface or on a network segment you trust.</p>
<p>If you use Apache as the SSL proxy, the following example configuration can be added to the Apache configuration file. It assumes that the product and Apache-SSL are installed on the same server, so Apache forwards decrypted requests to the product on 127.0.0.1:9080; mod_ssl, mod_proxy and mod_proxy_http must be loaded for these directives to work:</p>
<pre class="code codeBlock" spellcheck="false">[Example "httpd.conf" to run Apache as an SSL proxy]
# https access
Listen 443
AddDefaultCharset Off
ProxyPass / http://127.0.0.1:9080/
ProxyPassReverse / http://127.0.0.1:9080/
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown</pre>
<p>To forward the scanned requests on to the web server, set the parent server in the product's Web UI as follows (the example assumes that the product and the web server are installed on the same server):</p>
<pre class="code codeBlock" spellcheck="false">[Proxy settings] = [HTTP] = [Parent server]: Enabled
Hostname: Web server's address (e.g. 127.0.0.1)
Port: Web server's port (e.g. 80)</pre>
</article> </main>
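The following Python is an added example, not code from the F-Secure article or from Internet Gatekeeper. It contrasts the two deployments described above from the scanner's point of view: in the forward-proxy case the product receives a CONNECT request, learns only the destination host and port, and then relays TLS records whose payload it cannot read; in the reverse-proxy case the TLS terminator (Apache in the article) has already decrypted the request, so the scanner sees a plain HTTP body it can match against content signatures. All messages, the host names and ports, and the "Malware-Test-Marker" signature are constructed for this example.

```python
"""Added example: what a proxy can inspect with and without TLS termination.

Forward proxy (CONNECT tunnel, RFC 2817): only the CONNECT head is readable;
the bytes relayed afterwards are TLS records, of which only the 5-byte record
header is structured. Reverse proxy behind an SSL terminator: plain HTTP, so
the request body is available for scanning.

Sample traffic below is constructed for this example.
"""
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_http_message(data: bytes):
    """Split an HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased; the body is everything after the blank line.
    Raises ValueError if the head is incomplete or a line is malformed.
    """
    head, found, body = data.partition(b"\r\n\r\n")
    if not found:
        raise ValueError("incomplete HTTP head: no CRLFCRLF terminator")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        raise ValueError("malformed request line %r" % lines[0]) from None
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError("malformed header line %r" % line)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def handle_connect(request: bytes):
    """Forward-proxy side of CONNECT: returns (host, port, reply_to_client).

    The authority (host:port) is the only thing the proxy learns; after the
    200 reply it must relay the client's bytes without interpreting them.
    """
    method, target, _headers, _body = parse_http_message(request)
    if method != "CONNECT":
        raise ValueError("expected CONNECT, got %s" % method)
    host, colon, port = target.rpartition(":")  # rpartition keeps [v6]:port intact
    if not colon or not port.isdigit():
        raise ValueError("CONNECT target must be host:port, got %r" % target)
    return host, int(port), b"HTTP/1.1 200 Connection Established\r\n\r\n"


def describe_tunnel_bytes(data: bytes):
    """Parse the TLS record headers inside a CONNECT tunnel.

    Returns [(content_type_name, length), ...]. The record payloads stay
    opaque: application_data is encrypted end to end, so no HTTP body exists
    for the proxy to scan. Raises ValueError if the bytes are not TLS records.
    """
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, _minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in TLS_CONTENT_TYPES or major != 3:
            raise ValueError("not a TLS record at offset %d" % offset)
        if offset + 5 + length > len(data):
            raise ValueError("truncated TLS record body")
        records.append((TLS_CONTENT_TYPES[ctype], length))
        offset += 5 + length
    return records


def scan_plain_http(request: bytes, signatures: dict):
    """Reverse-proxy side: match the decrypted request body against signatures.

    Returns the names of matching signatures. Checks Content-Length against the
    body actually received so a truncated upload is not passed as clean.
    """
    _method, _target, headers, body = parse_http_message(request)
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError("Content-Length %d but %d body bytes" % (declared, len(body)))
    return [name for name, pattern in signatures.items() if pattern in body]


# --- constructed sample traffic -------------------------------------------
CONNECT_REQUEST = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                   b"Host: www.example.com:443\r\n"
                   b"Proxy-Connection: keep-alive\r\n\r\n")

# Two records as relayed after the 200 reply: a handshake record (body cut to
# 8 illustrative bytes) and an application_data record of 16 ciphertext bytes.
TUNNEL_BYTES = (b"\x16\x03\x01" + struct.pack("!H", 8) + b"\x01\x00\x00\x04\x03\x03\x00\x00"
                + b"\x17\x03\x03" + struct.pack("!H", 16) + bytes(range(16)))

# A decrypted upload as the product sees it behind Apache-SSL. The marker is a
# stand-in for a real detection; in a live chain you would upload the EICAR
# test file to confirm the scanner is actually in the path.
MARKER = b"Malware-Test-Marker"
PLAIN_UPLOAD = (b"PUT /upload/sample.bin HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Content-Type: application/octet-stream\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(MARKER) + MARKER)
SIGNATURES = {"Malware-Test-Marker": MARKER}


def demo():
    """Return both views side by side."""
    host, port, reply = handle_connect(CONNECT_REQUEST)
    return {"connect_target": (host, port), "connect_reply": reply,
            "tunnel_records": describe_tunnel_bytes(TUNNEL_BYTES),
            "reverse_proxy_hits": scan_plain_http(PLAIN_UPLOAD, SIGNATURES)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the asymmetry the article relies on: the CONNECT path yields a host, a port and a list of record types with lengths, while the reverse-proxy path yields a signature hit on the body. Feeding `TUNNEL_BYTES` to `parse_http_message` raises, which is the practical meaning of "cannot scan its contents".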