Implementing A Https (Ssl) Server - F-SECURE INTERNET GATEKEEPER FOR LINUX 4.01 Administrator's Manual


10.5.3 Implementing an HTTPS (SSL) Server

F-Secure Internet Gatekeeper for Linux cannot scan HTTPS (SSL) data because it is encrypted.
To scan traffic for a specific HTTPS (SSL) server, first decrypt the data with an SSL proxy or SSL
accelerator, and then scan the decrypted data with the product.
For example, if you use Apache, configure Apache to function as an SSL proxy and place F-Secure Internet
Gatekeeper for Linux in the plain HTTP segment of the path, between the SSL proxy and the web server.
The Apache-SSL proxy, Internet Gatekeeper, and the web server can be used on separate computers
or on the same computer.
The diagram and the Apache configuration file below illustrate the setup when the product is used
with an SSL proxy and a web server.
Apache-SSL settings
In the following example, Apache listens on port 443 and decrypts the incoming data. It then relays
the decrypted HTTP data to port 9080.
Settings
# https access
Listen 443
<VirtualHost _default_:443>
    AddDefaultCharset Off
    ProxyPass / http://127.0.0.1:9080/
    ProxyPassReverse / http://127.0.0.1:9080/
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    # SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    # SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
[Diagram: Internet Gatekeeper server. Internet -> port 443 -> Apache-SSL proxy -> port 9080 -> Internet Gatekeeper -> port 80 -> Web server]
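The SSL virtual host in this section can be checked mechanically before Apache is reloaded. The following Python sketch is an added example, not part of the F-Secure manual: it confirms that port 443 decrypts, that both proxy directives name the same backend, and that the decrypted hop stays on the loopback interface. The function names, the sample input and the finding texts are constructed for illustration, and it assumes a file holding a single virtual host with ProxyPass written as "path url".

```python
from urllib.parse import urlparse

# Constructed sample: the port-443 virtual host from this section.
SAMPLE = """\
Listen 443
<VirtualHost _default_:443>
    ProxyPass / http://127.0.0.1:9080/
    ProxyPassReverse / http://127.0.0.1:9080/
    SSLEngine on
    # SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def directives(conf):
    """Map lowercase directive name -> list of argument strings (active lines only)."""
    found = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue  # skip blanks, comments and section tags
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def backend(args):
    """Second token of 'path url [key=value ...]', or None if absent."""
    tokens = args.split()
    return tokens[1] if len(tokens) > 1 else None

def audit_ssl_vhost(conf):
    """Return findings for an SSL-terminating proxy virtual host (empty list = clean)."""
    d, findings = directives(conf), []
    if [v.lower() for v in d.get("sslengine", [])] != ["on"]:
        findings.append("SSLEngine is not 'on': port 443 would not decrypt")
    # Apache accepts several certificate pairs; this section's layout uses one.
    for key in ("sslcertificatefile", "sslcertificatekeyfile"):
        n = len(d.get(key, []))
        if n != 1:
            findings.append(f"{key}: {n} active directives, this layout expects one")
    fwd = [backend(a) for a in d.get("proxypass", [])]
    rev = [backend(a) for a in d.get("proxypassreverse", [])]
    if not fwd or None in fwd or fwd != rev:
        findings.append("ProxyPass and ProxyPassReverse backends differ or are missing")
    for url in filter(None, fwd):
        u = urlparse(url)
        if u.scheme == "http" and u.hostname not in LOOPBACK:
            findings.append(f"decrypted traffic leaves this host in cleartext: {url}")
    return findings
```

When the proxy and Internet Gatekeeper run on separate computers, the last finding is expected; it marks the network segment that carries the decrypted data.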
