A security warning when accessing a site through IP
- Apr 06, 2021
As you mentioned, this is expected because the certificate's common name or SAN doesn't include the IP address. The warning shows that the common name has a mismatch, but traffic would still be TLS encrypted.
If you want to avoid the cert warning, the IP address can be added to the SAN, but it's not a common practice.
If you want to block access to the site by IP address, you can use an iRule, an LTM policy or an ASM feature. Most web servers also have an option to whitelist the HOST header.
On F5:
iRule: To whitelist the HOST header
    when HTTP_REQUEST {
        # Allow only the expected Host header; reject everything else (including the bare IP)
        switch [string tolower [HTTP::host]] {
            "www.domain.com" { return }
            default { reject }
        }
    }
LTM Policy:
Condition:
HTTP host is not any of <www.domain.com> at http request time
Action:
Reset traffic at request
On Server: you can search for the options to mitigate this HOST header injection, based on the web server used (e.g. IIS, nginx, Apache).
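For the server-side option mentioned above, a Host allowlist on nginx could look like the following. This is an added example, not part of the original answer; the certificate paths and document root are placeholders, and `ssl_reject_handshake` assumes nginx 1.19.4 or later.

```nginx
# Catch-all server: handles any request whose SNI or Host header does not
# match a named server below, e.g. https://<ip-address>/ .
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Refuse the TLS handshake when the client sends no SNI or an unknown
    # SNI, so no certificate is presented for IP-based access.
    ssl_reject_handshake on;

    # A request can still arrive with a valid SNI but a different Host
    # header; nginx routes it here by Host, and 444 closes the connection
    # without sending a response.
    return 444;
}

# The only hostname that is actually served.
server {
    listen 80;
    listen 443 ssl;
    server_name www.domain.com;

    ssl_certificate     /etc/nginx/tls/www.domain.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/www.domain.com.key;  # placeholder path

    root /var/www/html;                                     # placeholder path
}
```

Validate with `nginx -t` before reloading.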