Scanning HTTPS (SSL) traffic

This article provides information about scanning HTTPS (SSL) traffic by using F-Secure Internet Gatekeeper for Linux.

Because HTTPS (SSL) traffic is encrypted, F-Secure Internet Gatekeeper for Linux cannot scan the contents of files carried inside it. However, with the setups described in this article, HTTPS (SSL) transactions can still be handled, and in the reverse-proxy setup they can be scanned after decryption.

To protect internal clients

If you use this product to protect internal clients, HTTPS transfers can be passed through. Because the data is still encrypted when it passes the product, its contents cannot be scanned. In this setup, the traffic between the client and the product is SSL over HTTP proxy, using the CONNECT method of RFC 2817:

Client
      |(SSL(HTTPS) over HTTP-proxy, Port 9080)
   This product
      | (HTTPS, Port 443)
   Internet
      | (HTTPS, Port 443)
   Web server
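The CONNECT exchange described above, as an added example that is not part of the F-Secure article: the client asks the proxy on port 9080 (the product's assumed listener port, as in the diagram) to open a tunnel to the web server, the proxy answers with a 200 status, and from then on it only relays opaque TLS records. The helper functions show what the proxy can parse (the target host and port from the CONNECT line, the TLS record type) and what it cannot (the HTTP request inside the tunnel), which is why contents are not scannable in this mode. The sample TLS bytes are constructed.

```python
"""Added example: the RFC 2817 CONNECT exchange between a browser and an
HTTP proxy, and the limited view the proxy has of a tunnelled connection."""
import re

PROXY_PORT = 9080  # assumed product listener port, taken from the diagram


def build_connect_request(host: str, port: int = 443) -> bytes:
    """Client side: the CONNECT request a browser sends to the proxy."""
    authority = f"{host}:{port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_request(data: bytes) -> tuple:
    """Proxy side: extract host and port from the CONNECT request line.

    This is all the proxy learns about the destination; it can apply
    host-based policy here but never sees the URL path or the body."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = re.fullmatch(r"CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]", line)
    if not m:
        raise ValueError(f"not a CONNECT request: {line!r}")
    return m.group(1), int(m.group(2))


def build_connect_response(ok: bool = True) -> bytes:
    """Proxy side: 200 opens the tunnel, 403 refuses it."""
    if ok:
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    return b"HTTP/1.1 403 Forbidden\r\n\r\n"


def parse_connect_response(data: bytes) -> int:
    """Client side: status code of the proxy's reply to CONNECT."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = re.match(r"HTTP/1\.[01] (\d{3})", line)
    if not m:
        raise ValueError(f"malformed proxy reply: {line!r}")
    return int(m.group(1))


def tunnel_visibility(request: bytes, tunneled: bytes) -> dict:
    """What a scanning proxy can and cannot see once the tunnel is up.

    After the 200 reply the proxy copies bytes in both directions. It can
    still recognise the outer TLS record header (content type 0x16 for a
    handshake), but the HTTP request and any file inside are encrypted."""
    host, port = parse_connect_request(request)
    return {
        "host": host,
        "port": port,
        "tls_record": tunneled[:1] == b"\x16",
        "plaintext_visible": b"GET " in tunneled or b"POST " in tunneled,
    }


if __name__ == "__main__":
    req = build_connect_request("www.example.com")
    print(req.decode())
    print("proxy sees:", parse_connect_request(req))
    print("proxy reply:", parse_connect_response(build_connect_response()))
    # Constructed stand-in for the first bytes of a TLS ClientHello.
    client_hello = b"\x16\x03\x01\x00\x05hello"
    print(tunnel_visibility(req, client_hello))
```

The `tunnel_visibility` result is the practical point of this section: host-level filtering is possible from the CONNECT line alone, but file scanning needs the decrypted HTTP stream, which only the reverse-proxy setup below provides.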

To protect a web site

If you use this product to scan connections to specific web servers, scanning must take place after SSL decryption. Place the product between the SSL proxy/SSL accelerator and the web server, and run the product as a reverse proxy. In this case, the connection flow is the following:

Client
      | (HTTPS, Port 443)
   Internet
      | (HTTPS, Port 443)
   SSL proxy/SSL accelerator
      | (HTTP, Port 80)
   This product
      | (HTTP, Port 80)
   Web server

For example, by using Apache as the SSL proxy as shown below and placing the product on the plain HTTP leg of the connection, the traffic can be scanned for viruses:

Client
      | (HTTPS)
   Internet
      | (HTTPS)
   Apache-SSL proxy
      | (HTTP)
   This product
      | (HTTP)
   Web server

The Apache-SSL proxy, this product, and the web server can also be placed on separate servers. If you use Apache as the SSL proxy, the following configuration (given as an example) can be written in the Apache configuration file:

[Example "httpd.conf" to run Apache as SSL proxy]
(This is the case if the product and Apache-SSL are installed on the same server.)
===================================================================
# https access
Listen 443

# SSL virtual host (the enclosing <VirtualHost> wrapper is assumed; the
# indented directives below require one)
<VirtualHost _default_:443>
        AddDefaultCharset Off
        # Forward the decrypted HTTP traffic to the product on port 9080
        ProxyPass / http://127.0.0.1:9080/
        ProxyPassReverse / http://127.0.0.1:9080/
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        SSLOptions +StdEnvVars
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
===================================================================

If the product and the web server are installed on the same server, you need to set the product in the Web UI as follows:

[Proxy settings]=[HTTP]=[Parent server]: Enabled
    Hostname: Web server's address (Ex: 127.0.0.1)
    Port: Web server's port (Ex: 80)
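A sanity check for the chain just configured, as an added example that is not part of the F-Secure article: `check_proxy_conf` verifies that an Apache configuration file carries the directives the reverse-proxy setup depends on (TLS termination on 443 and forwarding to the product on 127.0.0.1:9080), and `check_hop` probes one hop of the chain with curl when run with `--live` on the actual host. The sample configuration written by `write_sample_conf` is a constructed copy of the fragment above; the paths and ports are the article's defaults, and the hop URLs assume all three components sit on the same server as the article's example does.

```bash
#!/bin/sh
# Added example (not from the article): sanity checks for the chain
# Apache SSL proxy (443) -> product (9080) -> web server (80).

# check_proxy_conf FILE: return 0 when every directive the chain needs is
# present in FILE, 1 otherwise, naming the missing ones on stderr.
check_proxy_conf() {
    conf="$1"
    missing=0
    for pattern in '^[[:space:]]*Listen[[:space:]]+443' \
                   '^[[:space:]]*SSLEngine[[:space:]]+on' \
                   '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+http://127\.0\.0\.1:9080/' \
                   '^[[:space:]]*ProxyPassReverse[[:space:]]+/[[:space:]]+http://127\.0\.0\.1:9080/' \
                   '^[[:space:]]*SSLCertificateFile[[:space:]]+' \
                   '^[[:space:]]*SSLCertificateKeyFile[[:space:]]+'; do
        if ! grep -Eq "$pattern" "$conf"; then
            echo "missing directive matching: $pattern" >&2
            missing=1
        fi
    done
    return $missing
}

# check_hop URL EXPECTED_CODE: fetch URL and compare the HTTP status.
# -k is used because the Apache certificate may be self-signed on a test host.
check_hop() {
    code=$(curl -sk -o /dev/null -w '%{http_code}' "$1") || return 1
    [ "$code" = "$2" ]
}

# write_sample_conf FILE: constructed copy of the article's fragment, used
# so the configuration check can be exercised offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 443
<VirtualHost _default_:443>
        AddDefaultCharset Off
        ProxyPass / http://127.0.0.1:9080/
        ProxyPassReverse / http://127.0.0.1:9080/
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
EOF
}

# Live mode: run on the host that carries all three components.
if [ "${1:-}" = "--live" ]; then
    check_proxy_conf /etc/httpd/conf/httpd.conf || exit 1
    check_hop http://127.0.0.1:80/ 200   || { echo "web server not answering" >&2; exit 1; }
    check_hop http://127.0.0.1:9080/ 200 || { echo "product not forwarding to parent" >&2; exit 1; }
    check_hop https://127.0.0.1:443/ 200 || { echo "Apache SSL proxy not answering" >&2; exit 1; }
    echo "chain OK"
fi
```

Run the hops in the order given: if the web server fails, the later two will fail as a consequence, and if only the 443 probe fails the problem is in the Apache SSL proxy rather than in the product or its parent-server setting.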