HTTPS inspection is a key part of On-Premise Appliance filtering. Generally, you should only exclude trusted sites from inspection and have a policy to Decrypt and Inspect everything else set up on your On-Premise Appliance.
What is HTTPS inspection?
Most web pages require HTTPS (Hypertext Transfer Protocol Secure) as it protects sensitive information by encrypting data sent between web browsers and websites.
By default, Smoothwall analyses only the header content of HTTPS websites, not the full site. Websites also use Encrypted Client Hello (ECH) to encrypt domain names.
When you use HTTPS inspection, Smoothwall can analyse the full URL, headers, and page content. HTTPS inspection enables you to:
- Dynamically scan the in-page content of HTTPS web requests and responses to filter inappropriate content on a site where the domain names appear safe.
- Block unsuitable material based on your Web Filter and Content Modification policies.
- Be sure that the website you are accessing is genuine and trusted.
Image 1: How HTTPS inspection works
How can HTTPS inspection be applied in Smoothwall?
There are three ways HTTPS Inspection Policies can be applied.
| Action | How does it work? | What certificate is used? |
| Do not inspect | Smoothwall won’t decrypt, inspect or check certificate validity. | The site's real certificate is used to encrypt the client-server connection. |
| Validate certificate only | Smoothwall won’t decrypt or inspect, but it will check if the destination server's Transport Layer Security (TLS) certificate is valid. Sites with self-signed, out-of-date or invalid certificates are blocked. | The site's real certificate is used to encrypt the client-server connection. |
| Decrypt and inspect | Smoothwall decrypts the traffic, inspects the contents, then re-encrypts it using a dynamic certificate signed by the Smoothwall Certificate Authority (CA) before sending the response back to the user. |
Smoothwall communicates with the website using the real public certificate used on the website’s hosting server. The Smoothwall CA certificate must be downloaded and installed on client devices, or users will see certificate warnings and might not be able to access certain websites. |
Why use HTTPS inspection in Smoothwall?
HTTPS inspection is needed for:
- Full URL filtering. Without HTTPS inspection, Smoothwall filters based on domain only. For example, it can only filter examplesite.co.uk/games based on your Web Filter Policies for examplesite.co.uk
- Real-time content filtering.
- Search term filtering. With HTTPS inspection, Smoothwall can decrypt the request and analyse the search string to decide whether to show or block the search results.
- Video or video playlist filtering. With HTTPS inspection, Smoothwall Appliance can analyse the video’s URL to compare it with your custom list to block or allow.
- Safeguarding Alerts and Reports for content that may not have been blocked but may warrant further investigation.
- Content Modification to block and remove specific website features.
Tip
You don’t need HTTPS Inspection with Cloud Filter, as it sees all information the user sees without needing to decrypt it.
How do we configure the HTTPS Inspection Policies?
To effectively use HTTPS inspection:
- Check your Default HTTPS Inspection Policies. The actions we recommend you take depend on what policies you currently have set up.
- Add new HTTPS Inspection Policies, and change the order, edit or delete your policies as needed. Smoothwall applies HTTPS Inspection Policies in order of priority, from top to bottom.