This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
HTTPS inspection is a key part of On-Premise Appliance filtering. Generally, you should only exclude trusted sites from inspection and have a policy to Decrypt and Inspect everything else set up on your On-Premise Appliance.
What is HTTPS inspection?
Most web pages require HTTPS (Hypertext Transfer Protocol Secure) as it protects sensitive information by encrypting data sent between web browsers and websites.
By default, Smoothwall analyses only the header content of HTTPS websites, not the full site. Websites also use Encrypted Client Hello (ECH) to encrypt domain names.
When you use HTTPS inspection, Smoothwall can analyse the full URL, headers, and page content. HTTPS inspection enables you to:
- Dynamically scan the in-page content of HTTPS web requests and responses to filter inappropriate content on a site where the domain names appear safe.
- Block unsuitable material based on your Web Filter and Content Modification policies.
- Be sure that the website you are accessing is genuine and trusted.
Image 1: How HTTPS inspection works
How can HTTPS inspection be applied in Smoothwall?
There are three ways HTTPS Inspection Policies can be applied.
| Action | How does it work? | What certificate is used? |
| Do not inspect | Smoothwall won’t decrypt, inspect or check certificate validity. | The site's real certificate is used to encrypt the client-server connection. |
| Validate certificate only | Smoothwall won’t decrypt or inspect, but it will check if the destination server's Transport Layer Security (TLS) certificate is valid. Sites with self-signed, out-of-date or invalid certificates are blocked. | The site's real certificate is used to encrypt the client-server connection. |
| Decrypt and inspect | Smoothwall decrypts the traffic, inspects the contents, then re-encrypts it using a dynamic certificate signed by the Smoothwall Certificate Authority (CA) before sending the response back to the user. |
Smoothwall communicates with the website using the real public certificate used on the website’s hosting server. The Smoothwall CA certificate must be downloaded and installed on client devices, or users will see certificate warnings and might not be able to access certain websites. |
Why use HTTPS inspection in Smoothwall?
You must use HTTPS inspection for your On-Premise Appliance, or your filtering and content modification policies won’t apply to all content on the page. For example, HTTPS inspection is needed for:
- Search term filtering. Without HTTPS inspection, the search term would be encrypted in transit, and access wouldn’t be blocked. With HTTPS inspection, Smoothwall decrypts the requests, analyses the search string, and decides whether to show or block the search results.
- Generating Safeguarding Alerts and Reports for content that hasn’t been blocked but may warrant further investigation.
Tip
You don’t need HTTPS Inspection with Cloud Filter, as it operates within the browser. It sees all information the user sees without needing to decrypt it.
How do we configure the HTTPS Inspection Policies?
To effectively use HTTPS inspection:
- Check your Default HTTPS Inspection Policies. The actions we recommend you take depend on what policies you currently have set up.
- Add new HTTPS Inspection Policies, and change the order, edit or delete your policies as needed. Smoothwall applies HTTPS Inspection Policies in order of priority, from top to bottom.