F-Secure Internet Gatekeeper for Linux/Administrator’s Guide
10.5.3 Implementing an HTTPS (SSL) Server
F-Secure Internet Gatekeeper for Linux cannot scan HTTPS (SSL) data because the data is encrypted.
To scan a connection from a specific HTTPS (SSL) server, decrypt the data with an SSL proxy or SSL accelerator first, and then scan the decrypted data with the product.
For example, if you use Apache, configure Apache to function as an SSL proxy and place F-Secure Internet Gatekeeper for Linux in the plain HTTP section of the communication path.
The Apache-SSL proxy, Internet Gatekeeper, and the web server can run on separate computers or on the same computer.
The following diagram illustrates the setup described by the Apache configuration file below, in which the product is used between an SSL proxy and a web server.
[Diagram: Internet -> Apache-SSL proxy (port 443) -> Internet Gatekeeper server running Internet Gatekeeper (port 9080) -> Web server (port 80)]
Apache-SSL settings
In the following example, Apache listens for HTTPS connections on port 443, decrypts the data, and relays it as plain HTTP to port 9080, where Internet Gatekeeper listens.
Settings
# https access
Listen 443
<VirtualHost _default_:443>
    AddDefaultCharset Off
    # Relay the decrypted requests as plain HTTP to Internet Gatekeeper on port 9080
    ProxyPass / http://127.0.0.1:9080/
    ProxyPassReverse / http://127.0.0.1:9080/
    # Terminate SSL on this virtual host with the server certificate and private key
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    # SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    # SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
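The hop after SSL termination is plain HTTP, so when the proxy, Internet Gatekeeper and the web server sit on separate computers the decrypted traffic crosses the network in cleartext. The following script is an added example, not part of the F-Secure guide or of Apache: it parses a VirtualHost block like the one above and reports the settings an administrator should verify before relying on the proxy (SSLEngine on, both certificate files present, a ProxyPass present, and a ProxyPass target on the loopback interface, so a non-loopback target is flagged as a cleartext hop). The function names, the sample configuration and the finding messages are this example's own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse
# Constructed sample: the guide's VirtualHost, with its commented-out lines omitted.
SAMPLE_CONFIG = """\
Listen 443
<VirtualHost _default_:443>
    ProxyPass / http://127.0.0.1:9080/
    ProxyPassReverse / http://127.0.0.1:9080/
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

def parse_vhost(text):
    """Map each directive in the first <VirtualHost> block to its list of argument lists."""
    m = re.search(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S)
    if not m:
        raise ValueError("no <VirtualHost> block found")
    directives = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#' comments (naive: no '#' in quoted values)
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def check_ssl_proxy(text):
    """Return findings to fix before relying on the proxy to feed Internet Gatekeeper."""
    d = parse_vhost(text)
    findings = []
    engine = d.get("SSLEngine", [[]])[0]
    if not engine or engine[0].lower() != "on":
        findings.append("SSLEngine is not 'on': port 443 would serve plaintext")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            findings.append(f"{key} missing: mod_ssl cannot bring up the 443 listener")
    proxy = d.get("ProxyPass", [[]])[0]
    if len(proxy) < 2:
        findings.append("ProxyPass missing: nothing is relayed to Internet Gatekeeper")
        return findings
    host = urlparse(proxy[1]).hostname
    try:
        loopback = ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP address
        loopback = host == "localhost"
    if not loopback:  # the hop after SSL termination is plain HTTP
        findings.append(f"decrypted traffic leaves this host in cleartext towards {host}")
    return findings
```

Running `check_ssl_proxy(SAMPLE_CONFIG)` on the guide's settings returns an empty list; pointing ProxyPass at another machine returns the cleartext-hop finding.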