Scanning HTTPS (SSL) traffic

This article provides information about scanning HTTPS (SSL) traffic by using F-Secure Internet Gatekeeper for Linux.

Because HTTPS (SSL) traffic is encrypted, F-Secure Internet Gatekeeper for Linux cannot scan the contents of files transferred over it. However, with the setups described in this article, HTTPS (SSL) transactions can still be handled.
To protect internal clients
If you use this product to protect internal clients, HTTPS transfers can be handled, but because the data is transferred in encrypted form, its contents cannot be scanned. In this case, the traffic between the product and the client is SSL over HTTP proxy, using the CONNECT method of RFC 2817:

Client
  | (SSL (HTTPS) over HTTP proxy, port 9080)
This product
  | (HTTPS, port 443)
Internet
  | (HTTPS, port 443)
Web server
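The CONNECT exchange described above, shown as an added example (this is not F-Secure's code, and the gateway host name, the sample proxy reply and the sample tunnel bytes are constructed for illustration). It builds the request a client sends to the proxy on port 9080, parses the proxy's reply, and shows that the only thing the proxy can determine about the bytes it relays afterwards is that they are TLS records, which is why their contents cannot be scanned in this setup.

```python
"""Added example (not F-Secure's code): the RFC 2817 CONNECT exchange a client
performs through an HTTP proxy listening on port 9080, and what the proxy can
observe of the tunnelled traffic. Host names and captured bytes are constructed."""
import socket
import ssl

PROXY_HOST, PROXY_PORT = "gateway.example.internal", 9080  # assumed gateway address


def build_connect_request(host: str, port: int = 443) -> bytes:
    """The only plaintext the proxy sees: the tunnel target, never a URL path."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply header block."""
    head, _sep, _rest = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    version, code, *reason = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(code), (reason[0] if reason else "")


def describe_tunnel_bytes(data: bytes) -> str:
    """What a proxy can tell about bytes relayed after the 200 reply: at most that
    they are TLS records (content type 0x16 = handshake), not what is inside them."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return f"TLS handshake record, version bytes 0x03{data[2]:02x}: opaque to the proxy"
    return "not a TLS record"


def open_tunnel(target_host: str, target_port: int = 443) -> ssl.SSLSocket:
    """Connect through the proxy, then start TLS end-to-end with the web server.
    The certificate is verified against the real site, not the proxy (needs network)."""
    sock = socket.create_connection((PROXY_HOST, PROXY_PORT))
    sock.sendall(build_connect_request(target_host, target_port))
    reply = b""
    while b"\r\n\r\n" not in reply:          # read the proxy's header block only
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    code, reason = parse_connect_response(reply)
    if code != 200:
        sock.close()
        raise ConnectionError(f"proxy refused tunnel: {code} {reason}")
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=target_host)


# Constructed samples of what the proxy observes on the wire.
SAMPLE_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_CLIENT_HELLO_PREFIX = bytes.fromhex("160301")  # start of a TLS record header

if __name__ == "__main__":
    print(build_connect_request("www.example.com").decode())
    print(parse_connect_response(SAMPLE_REPLY))
    print(describe_tunnel_bytes(SAMPLE_CLIENT_HELLO_PREFIX))
```

Running the module prints the request line the gateway logs, the parsed reply, and the classification of the first relayed bytes; open_tunnel is the full client-side flow for when a real gateway is reachable.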
To protect a web site
If you use this product to scan connections to specific web servers, the scan must take place after SSL decryption. Place the product between the web server and an SSL proxy/SSL accelerator, and run the product as a reverse proxy to do the scanning. In this case, the connection flow is as follows:

Client
  | (HTTPS, port 443)
Internet
  | (HTTPS, port 443)
SSL proxy/SSL accelerator
  | (HTTP, port 80)
This product
  | (HTTP, port 80)
Web server
For example, by running Apache as an SSL proxy as shown below and placing the product on the HTTP part of the connection, viruses can be scanned:

Client
  | (HTTPS)
Internet
  | (HTTPS)
Apache SSL proxy
  | (HTTP)
This product
  | (HTTP)
Web server

The Apache SSL proxy, this product, and the web server can also each be placed on a different server. If you use Apache as the SSL proxy, the following configuration (as an example) can be written in the Apache configuration file:

[Example "httpd.conf" to run Apache as an SSL proxy]
(This is the case where the product and Apache-SSL are installed on the same server.)
===================================================================
# https access
Listen 443
AddDefaultCharset Off
ProxyPass / http://127.0.0.1:9080/
ProxyPassReverse / http://127.0.0.1:9080/
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
===================================================================
If the product and the web server are installed on the same server, you need to configure the product in the Web UI as follows:

[Proxy settings]=[HTTP]=[Parent server]:
  Enabled
  Hostname: Web server's address (e.g. 127.0.0.1)
  Port: Web server's port (e.g. 80)
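The chain only scans traffic if every hop forwards to the next one: Apache must send decrypted requests to the product on port 9080 (not straight to the web server, which would bypass scanning), and the product's parent server must be the web server (not port 9080 again, which would loop). The following added check (not F-Secure's code; the endpoints are the ones used in this article, and the two sample configurations are constructed, the second deliberately misconfigured) parses an httpd.conf fragment together with the product's parent-server settings and reports deviations from the chain above.

```python
"""Added example (not F-Secure's code): consistency check for the reverse-proxy
chain Apache (443) -> Internet Gatekeeper (9080) -> web server (80). The
endpoints are those used in the article; the sample configurations are constructed."""
from urllib.parse import urlsplit

PRODUCT_ENDPOINT = ("127.0.0.1", 9080)   # where the product listens, per the article
WEB_SERVER = ("127.0.0.1", 80)           # origin web server, same host as in the article


def parse_httpd_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive name to the argument lists of all its occurrences.
    Line-based and whitespace-split; enough for the directives checked here."""
    directives: dict[str, list[list[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def _endpoint(url: str) -> tuple[str, int]:
    """(host, port) of a ProxyPass target URL, defaulting the port by scheme."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)


def check_chain(httpd_conf: str, parent_host: str, parent_port: int) -> list[str]:
    """Return findings; an empty list means all traffic is forced through the scanner."""
    d = parse_httpd_conf(httpd_conf)
    findings: list[str] = []
    if ["on"] not in [[a.lower() for a in args] for args in d.get("SSLEngine", [])]:
        findings.append("SSLEngine is not 'on': Apache would not terminate TLS")
    if not any(args and args[0].rsplit(":", 1)[-1] == "443" for args in d.get("Listen", [])):
        findings.append("no 'Listen 443': clients cannot reach the SSL proxy")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            findings.append(f"{key} missing")
    pp = {args[0]: args[1] for args in d.get("ProxyPass", []) if len(args) >= 2}
    ppr = {args[0]: args[1] for args in d.get("ProxyPassReverse", []) if len(args) >= 2}
    if "/" not in pp:
        findings.append("no 'ProxyPass /': nothing is forwarded to the product")
    else:
        if pp["/"] != ppr.get("/"):
            findings.append("ProxyPass and ProxyPassReverse targets differ: "
                            "redirects would expose the backend address")
        if _endpoint(pp["/"]) != PRODUCT_ENDPOINT:
            findings.append(f"ProxyPass / sends traffic to {pp['/']}, bypassing the product "
                            f"on {PRODUCT_ENDPOINT[0]}:{PRODUCT_ENDPOINT[1]}")
    parent = (parent_host, parent_port)
    if parent == PRODUCT_ENDPOINT:
        findings.append("parent server points at the product itself: request loop")
    elif parent != WEB_SERVER:
        findings.append(f"parent server {parent_host}:{parent_port} is not the web server")
    return findings


# Constructed sample 1: the article's configuration.
GOOD_CONF = """
# https access
Listen 443
AddDefaultCharset Off
ProxyPass / http://127.0.0.1:9080/
ProxyPassReverse / http://127.0.0.1:9080/
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
"""

# Constructed sample 2: Apache forwards straight to the web server, skipping the scanner.
BAD_CONF = GOOD_CONF.replace("http://127.0.0.1:9080/", "http://127.0.0.1:80/")

if __name__ == "__main__":
    print("article config:", check_chain(GOOD_CONF, "127.0.0.1", 80) or "OK")
    print("bypass config:", check_chain(BAD_CONF, "127.0.0.1", 80))
    print("looping parent:", check_chain(GOOD_CONF, "127.0.0.1", 9080))
```

The parser is deliberately minimal (no VirtualHost or Include handling), so run it on the fragment that holds these directives rather than on a whole server configuration.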