SSL Proxy Setup

The Control Zero SSL-inspecting proxy provides Data Loss Prevention (DLP) for browser-based AI chat applications. It intercepts HTTPS traffic to configured AI domains, inspects content for policy violations, and enforces DLP rules before data leaves your network.

How It Works

  1. The proxy terminates TLS connections to inspected domains using a CA certificate you deploy to endpoints.
  2. Outbound requests to AI chat services (ChatGPT, Claude, Gemini, and others) pass through the proxy.
  3. The proxy inspects request payloads against your DLP policies.
  4. Based on the configured mode, the proxy detects, blocks, or masks sensitive content.
  5. Allowed traffic is re-encrypted and forwarded to the destination.

CA Certificate Generation

The proxy needs a CA certificate that endpoints in your network trust. You can use an existing enterprise CA or generate a dedicated one.

Generate a new CA certificate

czctl generate-ca --domain <your-domain> --output config/certs/

This creates the following files:

| File                           | Purpose                                         |
|--------------------------------|-------------------------------------------------|
| config/certs/proxy-ca.pem      | Public CA certificate (deploy to endpoints)     |
| config/certs/proxy-ca-key.pem  | Private key (keep secure, used by proxy only)   |

Use an existing enterprise CA

If your organization already has a CA, place the certificate and key in the certs directory:

cp /path/to/your-ca.pem config/certs/proxy-ca.pem
cp /path/to/your-ca-key.pem config/certs/proxy-ca-key.pem

Ensure the private key file permissions are restricted:

chmod 600 config/certs/proxy-ca-key.pem

Deploying the CA Certificate to Endpoints

Endpoints must trust the proxy CA certificate for the SSL inspection to work without browser warnings.

Windows (Group Policy)

  1. Open Group Policy Management Console
  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
  3. Import proxy-ca.pem
  4. Apply the GPO to the target organizational units
  5. Run gpupdate /force on endpoints or wait for the next policy refresh

macOS (MDM)

  1. Upload proxy-ca.pem to your MDM solution (Jamf, Kandji, Mosyle, or similar)
  2. Create a certificate payload with the trust setting "Always Trust"
  3. Deploy the profile to managed devices

Linux

# Debian/Ubuntu
sudo cp proxy-ca.pem /usr/local/share/ca-certificates/controlzero-proxy.crt
sudo update-ca-certificates

# RHEL/CentOS
sudo cp proxy-ca.pem /etc/pki/ca-trust/source/anchors/controlzero-proxy.pem
sudo update-ca-trust

Browser-Specific Trust

Most browsers use the operating system certificate store. Firefox maintains its own store and requires separate configuration:

  1. Open Firefox Settings > Privacy and Security > Certificates > View Certificates
  2. Import proxy-ca.pem under the Authorities tab
  3. Check "Trust this CA to identify websites"

For managed deployments, use the security.enterprise_roots.enabled Firefox policy to inherit the OS trust store.

DLP Modes

Configure the proxy operating mode in config/proxy.yml:

dlp:
  mode: detect  # Options: detect, block, mask

| Mode   | Behavior |
|--------|----------|
| detect | Log policy violations but allow traffic to pass through. Use this mode during initial rollout to understand traffic patterns before enforcing. |
| block  | Block requests that contain policy violations. The user sees an error page explaining that the request was blocked by policy. |
| mask   | Redact sensitive content (PII, credentials, proprietary terms) from the request before forwarding to the AI service. The user's session continues but sensitive data is replaced with placeholder tokens. |

Inspected Domains

Configure which domains the proxy inspects in config/proxy.yml:

inspected_domains:
- chat.openai.com
- chatgpt.com
- claude.ai
- gemini.google.com
- copilot.microsoft.com
- poe.com
- perplexity.ai

Traffic to domains not on this list passes through without inspection.
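The following Python example is added here to illustrate the DLP modes and the inspected-domain scope described in the two sections above; it is not code from the Control Zero proxy. The config dict standing in for config/proxy.yml, the two detection rules, the [REDACTED:TYPE] placeholder format, the audit record field names and the sample request body are all constructed for the example. Because the page does not say whether subdomains of a listed domain are inspected, the example matches hosts exactly; the audit record deliberately carries metadata only, as the privacy notes below describe.

```python
"""Added illustration of detect / block / mask and domain scoping.
Not Control Zero's own code; config, rules and sample data are constructed."""
import re
from datetime import datetime, timezone

# Constructed stand-in for the relevant keys of config/proxy.yml.
CONFIG = {
    "dlp": {"mode": "detect"},
    "inspected_domains": ["chat.openai.com", "chatgpt.com", "claude.ai"],
}

# Constructed detection rules (name -> pattern). Real DLP policies are richer;
# these only exist to produce recognisable violation types.
RULES = {
    "credential": re.compile(r"(?i)\b(?:api[_-]?key|password)\s*[:=]\s*\S+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def should_inspect(host, inspected_domains):
    """Scope check: only hosts on the configured list are inspected.
    Exact host match is an assumption of this example, not a page statement."""
    return host.lower().rstrip(".") in {d.lower() for d in inspected_domains}


def find_violations(body, rules=RULES):
    """Return (rule_name, match) pairs; the body itself is never retained."""
    return [(name, m) for name, pat in rules.items() for m in pat.finditer(body)]


def audit_event(decision, host, violation_types, user=None):
    """Metadata-only audit record: timestamp, domain, decision, violation
    types and (optional) user identity, but no request or response content."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "domain": host,
        "decision": decision,
        "violation_types": sorted(set(violation_types)),
        "user": user,
    }


def apply_dlp(host, body, config=CONFIG, user=None):
    """Return (body_to_forward_or_None, audit_event_or_None).

    Out-of-scope hosts pass through untouched and unlogged. In-scope hosts
    are inspected, and the configured mode decides what happens on a hit."""
    if not should_inspect(host, config["inspected_domains"]):
        return body, None
    violations = find_violations(body)
    if not violations:
        return body, audit_event("allow", host, [], user)

    mode = config["dlp"]["mode"]
    types = [name for name, _ in violations]
    if mode == "detect":
        # Log the hit, forward the request unchanged.
        return body, audit_event("allow", host, types, user)
    if mode == "block":
        # Nothing is forwarded; the caller serves the block page instead.
        return None, audit_event("block", host, types, user)
    if mode == "mask":
        # Replace matches from the end of the body so earlier offsets stay valid
        # (assumes non-overlapping matches, which holds for these rules).
        masked = body
        for name, m in sorted(violations, key=lambda v: v[1].start(), reverse=True):
            masked = masked[:m.start()] + f"[REDACTED:{name.upper()}]" + masked[m.end():]
        return masked, audit_event("mask", host, types, user)
    raise ValueError(f"unknown dlp mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample prompt containing a fake SSN and a fake API key.
    sample = "Summarize: customer SSN 123-45-6789, api_key=sk-constructed-000"
    for mode in ("detect", "block", "mask"):
        cfg = {"dlp": {"mode": mode}, "inspected_domains": ["claude.ai"]}
        forwarded, event = apply_dlp("claude.ai", sample, cfg, user="alice")
        print(mode, "->", forwarded, event)
```

Running the module prints one line per mode: detect forwards the prompt unchanged while recording both violation types, block forwards nothing, and mask forwards the prompt with the SSN and credential replaced by placeholders. Note that the audit event never contains the prompt text in any mode.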

Adding custom domains

If your organization uses additional AI services, add their domains to the list:

inspected_domains:
- chat.openai.com
- claude.ai
- internal-llm.yourcompany.com

Privacy Considerations

  • Scope is limited. Only traffic to explicitly configured domains is inspected. All other HTTPS traffic passes through unmodified.
  • No content storage. The proxy does not store request or response payloads. Policy violation events are logged with metadata only (timestamp, domain, violation type, user identity if available).
  • Audit trail. All proxy decisions (allow, block, mask) are recorded in the audit log with the same structured format as gateway decisions.
  • Transparency. Users can be notified of the proxy via your organization's acceptable use policy. The blocked-request error page can be customized in config/proxy-block-page.html.