CacheGuard-OS
User's Guide - Version UF-2.2.2
SSL Mediation
The CacheGuard appliance can decrypt HTTPS (encrypted) traffic in order to inspect its content. After inspection, the Web traffic can be cached, or blocked if malware is detected in it. In this way, bandwidth-consuming content such as video chunks can be cached and malware blocked even when it is transported in encrypted form. Without SSL mediation, such traffic handling would simply not be possible, as encrypted traffic can neither be cached nor inspected. The purified and/or cached traffic is then re-encrypted by CacheGuard-OS before being sent to Web clients. On a CacheGuard appliance, this feature is called SSL mediation.
Please note that as decrypting and re-encrypting HTTPS traffic can be considered as a MITM (Man in the Middle) attack, you should ensure that activating the SSL mediation complies with laws in your country and/or organisation. Also be aware that activating the SSL mediation is fully under your responsibility. You are invited to read the CacheGuard-OS License Agreement for further information.
When the SSL mediation is activated, decrypted traffic is re-encrypted before being sent to Web clients. To transmit re-encrypted traffic to Web clients, the Web proxy uses dynamically generated SSL certificates that are signed by a private CA (Certificate Authority) certificate. As Web clients have to deal with HTTPS traffic that relies on this private CA certificate (called the system CA certificate), they must trust that CA certificate. That's why, prior to activating the SSL mediation, you must import the CacheGuard CA certificate into your browsers; otherwise, HTTPS communications will fail. You can decide whether or not to transparently intercept HTTPS traffic using the sslmediate command. To activate the SSL mediation and configure it to transparently intercept HTTPS traffic, use the following commands:
- mode transparent on
- mode sslmediate on
- sslmediate transparent on
- apply
The System CA
The CacheGuard CA certificate is called the system CA certificate and it's available at http://<cacheguard-internal-ip>/ where <cacheguard-internal-ip> is the internal IP address of your CacheGuard appliance. A default system CA certificate is generated the first time you turn on your CacheGuard appliance. It is recommended that you regenerate that CA certificate or import your own CA certificate into your CacheGuard appliance and set it as the system CA. You can use the following commands to generate the system CA certificate and its associated private RSA key:
- tls ca system generate
- apply
To import a CA certificate and its associated private RSA key into your CacheGuard appliance and set it as the system CA certificate, you must first put them on a trusted file server. A trusted file server is a file server allowed to exchange files with the CacheGuard appliance (refer to the access command to get help on how to declare a file server as trusted). The next step is then to load them into your CacheGuard appliance from that trusted file server. Assuming that your CA certificate and its associated private key are respectively named cg-ca.certificate and cg-ca.key and are placed on a trusted SFTP file server having the 172.18.2.1 IP address, you can use the following commands to import them into your CacheGuard appliance:
- password file add sftp 172.18.2.1 john
- tls ca system load certificate sftp 172.18.2.1 cg-ca.certificate
- tls ca system load key sftp 172.18.2.1 cg-ca.key
- apply
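Before loading a CA certificate and key this way, it is worth checking on the file server (or an administrator workstation) that the key really belongs to the certificate, that the certificate is a CA certificate (the appliance signs per-site certificates with it, which a leaf certificate cannot do) and that it has not expired. The following script is an added example, not part of CacheGuard-OS; it assumes openssl is installed, uses the file names from the guide, and the CA it builds in make_test_ca is a constructed throw-away one for demonstration only.

```shell
#!/bin/sh
# Added example (not CacheGuard-OS tooling): sanity-check a CA certificate
# and private key before loading them with "tls ca system load ...".
# Assumes a POSIX shell and openssl 1.1.1 or later on the PATH.
set -e

# Build a constructed test CA in $1: RSA key + self-signed cert with CA:TRUE.
make_test_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example CacheGuard CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$1/cg-ca.key" -out "$1/cg-ca.certificate" >/dev/null 2>&1
}

# Return 0 when the public key inside certificate $1 equals the public
# part of private key $2 (both compared in PEM SubjectPublicKeyInfo form).
ca_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $1 carries basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 "Basic Constraints" | grep -q "CA:TRUE"
}

# Return 0 when certificate $1 is still valid right now.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run every check on certificate $1 and key $2, print one verdict per
# check and return non-zero if any check fails.
check_system_ca() {
  rc=0
  ca_key_matches "$1" "$2" && echo "key matches certificate" \
    || { echo "KEY MISMATCH: key does not belong to certificate"; rc=1; }
  cert_is_ca "$1" && echo "certificate is a CA certificate" \
    || { echo "NOT A CA: certificate lacks basicConstraints CA:TRUE"; rc=1; }
  cert_not_expired "$1" && echo "certificate is not expired" \
    || { echo "EXPIRED: certificate validity period is over"; rc=1; }
  return $rc
}
```

Run check_system_ca cg-ca.certificate cg-ca.key on the files you intend to upload; only load them into the appliance when all three verdicts pass.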
Exception Lists
To defend against MITM attacks, some HTTPS websites use a technique called SSL pinning. SSL pinning consists of hard coding the expected HTTPS certificate into the Web content itself, which makes any MITM attack, and with it the SSL mediation, impossible.
Fortunately, the CacheGuard appliance can be configured to bypass the SSL mediation for some predefined domain names (deny policy) or to operate only on a predefined list of domain names (allow policy). You can create exceptions by directly specifying domain names (quick method) or by using URL lists. To manage URL lists, refer to the urllist command. As an example, to activate the SSL mediation for the example.com domain name only, you can use the following commands:
- sslmediate policy allow
- sslmediate exception urllist raz
- sslmediate exception domainname raz
- sslmediate exception domainname add example.com
- apply