CacheGuard-OS
User's Guide - Version UF-2.0.2
SSL Mediation
SSL mediation allows you to decrypt HTTPS traffic at the gateway in order to cache it, inspect its contents and possibly block unwanted content. Please note that, since HTTPS exists to give users privacy and security, decrypting it in the middle (before it reaches the final client) may violate ethical norms and may be illegal in your jurisdiction.
When SSL mediation is activated, the system re-encrypts the decrypted traffic before forwarding it to the end user. To do so it dynamically generates SSL certificates for the websites visited and signs them with its own CA (Certificate Authority) certificate. For this to work without certificate warnings, the system's CA certificate must be imported into the end user's web browser (or the operating system's trust store) before any attempt to access an HTTPS website.

Assuming that the internal network interface of the appliance has the IP address 10.20.0.254, the CA certificate of the appliance is available in DER format at http://10.20.0.254. To implement the appliance as a transparent SSL mediator use the following commands:
- mode router on
- mode web on
- mode transparent on
- mode sslmediate on
- sslmediate transparent on
- apply
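The client side of the procedure above, as an added example that is not part of the CacheGuard manual: fetch the appliance's CA certificate from the address given above, pin its fingerprint, install it into the trust store, and then check that an HTTPS session from this client is really being mediated (the leaf certificate the site presents was issued by the appliance CA). It assumes curl and openssl on the client, a Debian-style trust store, and the manual's address 10.20.0.254; the helper names and the RUN_CHECK switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CacheGuard manual. Assumes: curl and openssl
# on the client, a Debian/Ubuntu trust store, appliance at 10.20.0.254.
set -eu

APPLIANCE_URL="${APPLIANCE_URL:-http://10.20.0.254}"   # serves the CA in DER (from the manual)

# Download the DER CA certificate and convert it to the PEM file $1.
fetch_appliance_ca() {   # out.pem
    curl -fsS "$APPLIANCE_URL" -o "$1.der"
    openssl x509 -inform DER -in "$1.der" -out "$1"
    rm -f "$1.der"
}

# SHA-256 fingerprint as colon-separated hex. Compare it with the value read
# on the appliance console before trusting the file: the download is plain
# HTTP, and anyone able to spoof 10.20.0.254 on the LAN could serve their own CA.
ca_fingerprint() {   # ca.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Install into the system trust store (Debian/Ubuntu layout, assumed).
# Browsers with their own store (e.g. Firefox) need a separate import.
install_ca_debian() {   # ca.pem
    sudo install -m 0644 "$1" /usr/local/share/ca-certificates/cacheguard-ca.crt
    sudo update-ca-certificates
}

# Print, in PEM, the leaf certificate that $1:$2 presents to this client.
leaf_cert_of() {   # host [port]
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509
}

# Exit 0 if the leaf in $1 chains to the CA in $2 (minted by the mediator),
# 1 otherwise (the site's real certificate reached us: mediation is off, or
# the host is on an exception list).
issued_by() {   # leaf.pem ca.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# End-to-end check against a site that is expected to be mediated.
check_mediation() {   # host ca.pem
    leaf=$(mktemp)
    leaf_cert_of "$1" > "$leaf"
    if issued_by "$leaf" "$2"; then
        echo "$1: mediated (certificate issued by the appliance CA)"
    else
        echo "$1: NOT mediated ($(openssl x509 -in "$leaf" -noout -issuer))"
    fi
    rm -f "$leaf"
}

# Usage; needs the appliance on the network, so it only runs with RUN_CHECK=1.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    fetch_appliance_ca ./cacheguard-ca.pem
    echo "Appliance CA SHA-256: $(ca_fingerprint ./cacheguard-ca.pem)"
    install_ca_debian ./cacheguard-ca.pem
    check_mediation example.com ./cacheguard-ca.pem
fi
```

Run `issued_by` against a site on an exception list too: it should fail there, which confirms the bypass is in effect rather than the whole mediation being silently off.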
CA certificate
A default system CA certificate is generated during installation, but we highly recommend that you generate your own CA certificate. To do so use the following commands:
- tls ca system generate
- apply
Alternatively you can import your existing CA into your CacheGuard system. Assuming that your CA certificate and its associated private key are named cg-ca.certificate and cg-ca.key respectively, and are placed on a TFTP file server reachable at 172.18.2.1, use the following commands:
- tls ca system certificate load tftp 172.18.2.1 cg-ca.certificate
- tls ca system key load tftp 172.18.2.1 cg-ca.key
- apply
Keep in mind that TFTP neither encrypts nor authenticates transfers: the CA private key crosses the network in clear. Use a TFTP server on an isolated management network and remove the key from it once the load has succeeded, since anyone holding that key can issue certificates your users trust.
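An added example, not part of the CacheGuard manual, of producing a CA that is suitable for import with the commands above and checking the pair before loading it: the CA is constrained to end-entity issuance only (pathlen:0, keyCertSign) so that a leak of its key cannot be used to mint a further CA, and the checks confirm that the key really belongs to the certificate. It assumes openssl on the admin host and that the appliance accepts PEM files (the manual does not state the import format); the function names and the RUN_GEN switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CacheGuard manual. Assumes openssl on the
# admin host and PEM as the import format (an assumption; check your appliance).
set -eu

# Extension file for a CA allowed to sign end-entity certificates only:
# pathlen:0 forbids sub-CAs, keyUsage limits the key to cert/CRL signing.
write_ca_extensions() {   # path
    cat > "$1" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create cg-ca.key and cg-ca.certificate (the names used in the manual) in $1.
generate_mediation_ca() {   # dir days subject
    dir="$1"; days="$2"; subj="$3"
    write_ca_extensions "$dir/ca.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/cg-ca.key" 2>/dev/null
    chmod 600 "$dir/cg-ca.key"      # this key is the whole security of the mediation
    openssl req -new -batch -key "$dir/cg-ca.key" -subj "$subj" -out "$dir/cg-ca.csr"
    openssl x509 -req -in "$dir/cg-ca.csr" -signkey "$dir/cg-ca.key" \
        -days "$days" -extfile "$dir/ca.ext" -out "$dir/cg-ca.certificate" 2>/dev/null
    rm -f "$dir/cg-ca.csr" "$dir/ca.ext"
}

# Exit 0 if the private key in $2 belongs to the certificate in $1
# (compares the SubjectPublicKeyInfo derived from each).
key_matches_cert() {   # cert.pem key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# Exit 0 if the certificate is a CA limited to issuing end-entity certificates.
is_constrained_ca() {   # cert.pem
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

# Usage: generate, check, then copy both files to the TFTP root (172.18.2.1 in
# the manual) and run the load commands on the appliance. Delete the key from
# the TFTP server afterwards; TFTP serves it in clear to anyone who asks.
if [ "${RUN_GEN:-0}" = 1 ]; then
    generate_mediation_ca . 1825 "/O=Example Corp/CN=Example SSL Mediation CA"
    if key_matches_cert ./cg-ca.certificate ./cg-ca.key && is_constrained_ca ./cg-ca.certificate; then
        echo "cg-ca.certificate / cg-ca.key ready to load"
    else
        echo "generated pair failed checks; do not load it" >&2
        exit 1
    fi
fi
```

The same `key_matches_cert` check is worth running on any pre-existing CA before the TFTP load: a mismatched key and certificate will not be noticed until every HTTPS site starts failing for users.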
Exception lists
The appliance can be configured to bypass SSL mediation for some websites (deny policy: the exception lists name the websites that are not mediated) or to act as an SSL mediator only for some given websites (allow policy: the exception lists name the only websites that are mediated). To activate SSL mediation for example.com only, use the following commands; the raz commands first empty the current URL and domain name exception lists so that only example.com remains:
- mode sslmediate on
- sslmediate policy allow
- sslmediate exception urllist raz
- sslmediate exception domainname raz
- sslmediate exception domainname add example.com
- apply
Copyright (C) 2009-2023 CacheGuard - All rights reserved