HTTPS Inspection

From Secure Web Gateway
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Overview

This section allows you to configure the overall operation to handle scanning of connections under HTTPS (HTTP over SSL).

SSL (Secure Sockets Layer), is the standard security technology for encrypting a connection between a web server and a browser.

Once established, this connection will encrypt all traffic and ensure that all data passed between the web server and browser remains private

You must set this carefully, depending on the usage of web applications handling HTTPS requests, particularly web 2.0 applications.

All HTTPS requests are matched with the rules defined under the HTTPS scanning policies and actions taken based on the matching entry.

Prerequisites

Generate SSL certificates from self service portal

First you have to generate SSL certificates from self-service portal  before configuring HTTPS inspection. 

Setup your SSL certificates from self-service portal

Download SSL Certificate from SafeSquid User Interface

Enabling HTTPS inspection on SafeSquid User Interface

Access the SafeSquid interface

Go to Configure Page

Goto configure.png
 

Go to Real time content security

Go to real time content security.png
 
 

Go to HTTPS Inspection

HTTPS Inspection4.png

 

 

 

 

Global

Enabled

Enable or Disable this section.

  • TRUE : Enable HTTPS inspection section.
  • FALSE : Disable HTTPS inspection section.
HTTPS Inspection5.png
 
HTTPS Inspection6.png
 
HTTPS Inspection7.png
 
HTTPS Inspection8.png
 

Inspection Policies

Each CONNECT request is testedonly once for the applicability of the following entries. The first matching entry is applied, and the rest are ignored.

If the matching entry deems that a DeepScan should not be performed, the CONNECT request is handled WITHOUT inspecting the subsequent requests.

If, however the matching entry deems a DeepScan should be performed, the connection to the remote webserver is security checked for SSL properties as per the rule in the matched entry.

If the remote webserver fails to meet the desired standards, connection to that webserver is terminated.

Note: DeepScan should only be performed on encrypted connections, if the underlying application protocol is HTTP. Applications like Google drive, Subversion Client, WinScp etc., do not work if you attempt a DeepScan on them.

HTTPS Inspection9.png
 
HTTPS Inspection10.png
 

SafeSquid comes with some default Inspection policies as follows

  • Disable SSL scanning for specific websites. Add websites under BYPASS HTTPS category to bypass SSL inspection
  • Allow specific websites to be accessed with exceptions. SafeSquid may not have complete trusted CA certificates, in those cases websites can be accessed with exceptions.
  • Enforce SSL scanning for all websites.

Enable or Disable above policies as per the requirement or add new policy for new requirement

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry.
  • FALSE : Disable this entry.

Comment

For documentation, and future references, explain the relevance of this entry with your policies.

That is, by reading the policies, a future user can understand the purpose of that entry.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

DeepScan

Decide if you want to enable scanning within encrypted SSL connections matching this entry.

  • TRUE : Select this option to enable Deep Scanning.
  • FALSE : Select this option to disable Deep Scanning.

Block Access to Sites which do not have an SSL Certificate

Decide whether Sites that do not have SSL Certificate should be blocked or not.

  • TRUE : This is the default and safe option.
  • FALSE : Select this option only if you want to allow SSL access to web-sites without SSL certificates.

Acceptable Errors in SSL Verification

SafeSquid verifies the SSL certificate to remote SSL web-servers.

You can specify here, the acceptable level of error.

Only in specific or exceptional cases choose anything besides X509_V_OK.

Block domain mismatch in the web-site SSL certificate

Decide whether domain name mismatch is to be allowed or not.

SafeSquid validates the DNS and Common Name in the SSL certificates supplied by the remote web-server.

Only in exceptional cases set this as FALSE.

  • TRUE : This is the default and safe option.
  • FALSE : Select this option only if you want to allow SSL access to web-sites that are using certificates issued to domains other than the web-site.
 

Example

Rule#1

I want to allow websites which are self-hosted with self-signed certificates

Connection with profile “ALLOW SELF SIGNED CERT WEBSITES” will bypass SSL error ERR_SELF_SIGNED_CERT_IN_CHAIN

Slide1-HttpsInspection.png

Save Configuration 

Save config final.png
 

No configuration required in Setup tab

Note : In new versions of SafeSquid released after June-2017, setup tab is removed. You will see only three subsections in HTTPS inspection section.

Setup

List of Security Passphrase(s) or Server Policies required to generate or load an existing ROOT CA SSL Certificate (RCSC).

The first matching entry below is used and the remaining is ignored.

RCSC is automatically created if none exists already.

If an RCSC exists, passphrase in the applicable entry is used to load it.

The Private key of the generated RCSC can be used only with the passphrase used to generate it.

The passphrase prevents the private key of your RCSC from being stolen or fraudulent use.

After the RCSC has been successfully generated, the public key of your RCSC can be downloaded from http://safesquid.cfg/safesquid.cer

The public key must be installed on all the Web-Clients and browsers that are subjected to Deep Scan.

Click on Add below, to add a new entry.

Ssl-setup.jpg

 

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry.
  • FALSE : Disable this entry.

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Proxy Host

Please enter the host name of the proxy server as specified in the Startup Parameters.

Encrypted Password

Please enter the Encrypted password for disk based caching of SSL certificates.

 

Generate SSL certificates from self service portal

First you have to generate SSL certificates from self-service portal  before configuring HTTPS inspection. 

 

Setup your SSL certificates from self-service portal

 

SSL Certs/Cache

Download SSL Certificate from SafeSquid User Interface

Download : Download the SafeSquid certificate.

Upload : Upload the SafeSquid Certificate.

Cache Refresh : Refresh the cache.

 

Importing SafeSquid SSL certificate into your browser

Install SafeSquid SSL certificates into the browsers. If you did not install certificate into the browser and HTTPS inspection is enabled, then you will get an error while accessing the HTTPS websites.

 

Importing into  Mozilla Firefox

Importing into Internet Explorer Or Chrome Browser

Having HTTPS inspection feature some interesting things that you can do with this SafeSquid SWG

  • Block access to consumer Google accounts
  • Give Read only access to the Facebook, Twitter sites. Users can able to login into their accounts but they cannot able to do post or comment or like or chat.
  • Enforce safe search or safety mode based searches in Google, Bing and Yahoo search engines and also, we can enforce in any websites that are offering safety mode based search.
  • Block images over Google  
  • Filter text, Images over HTTP and HTTPS sites
  • Allow specified users to access or to login into specified HTTP and HTTPS sites and block others
  • Can use Virus scanning for both HTTP and HTTPS sites?
  • Blocking attachments to Gmail and Block Gmail Chat