THE_BLUE
Apr 06, 2021
Solved

A security warning when accessing a site through IP

When I go to, e.g., https://xyz.com/, everything works normally. As soon as I access the same site using its IP address, e.g. (66.66.66.66), I get a security warning (even if I write something like https://66.66.66.66/), but still with https. So does that mean my connection will not be encrypted?

I know this is because the certificate does not include the public IP, but is that risky? And how to solve it from the server or WAF side?

  • As you mentioned, this is expected because the certificate's common name or SAN doesn't include the IP address. The warning shows that the common name has a mismatch, but traffic would still be TLS encrypted.

    If you want to avoid the cert warning, IP address can be added to the SAN but it's not a common practice.

    If you want to block access to the site by IP address, you can use an iRule, an LTM policy or an ASM feature. Most web servers also have an option to whitelist the HOST header.

    On F5:

    iRule: To whitelist the HOST header

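    when HTTP_REQUEST {
        # Allow only requests whose Host header is the site name;
        # anything else (including the bare IP address) is rejected.
        switch [string tolower [HTTP::host]] {
            "www.domain.com" {
                return
            }
            default {
                reject
            }
        }
    }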

    LTM Policy:

    Condition:

    HTTP host is not any of <www.domain.com> at http request time

    Action:

    Reset traffic at request

    On Server: you can search for the options to mitigate this HOST header injection, based on the web server used (e.g. IIS, nginx, Apache)
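
Added example, not part of the original thread or any F5 code: a small Python sketch of the name check a TLS client performs, showing why `https://66.66.66.66/` triggers the warning and what "adding the IP to the SAN" has to look like. The certificates are constructed samples and the function names are hypothetical; only SAN matching is modelled.

```python
import ipaddress

# Constructed sample certificates, in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns for the subjectAltName extension.
SITE_CERT = {"subjectAltName": (("DNS", "xyz.com"), ("DNS", "*.xyz.com"))}
CERT_WITH_IP = {"subjectAltName": SITE_CERT["subjectAltName"]
                + (("IP Address", "66.66.66.66"),)}
# Common mistake: the address entered as a DNS-type SAN entry.
CERT_IP_AS_DNS = {"subjectAltName": (("DNS", "xyz.com"), ("DNS", "66.66.66.66"))}


def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return pattern == host


def cert_matches(cert, host):
    """True if the name typed in the URL is covered by the certificate's SAN.

    Simplification: only SAN is checked, the common name is not consulted.
    """
    ip = _as_ip(host)
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and _as_ip(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, host):
            return True
    return False


if __name__ == "__main__":
    for name, cert in [("site cert", SITE_CERT), ("with IP SAN", CERT_WITH_IP),
                       ("IP as DNS SAN", CERT_IP_AS_DNS)]:
        for host in ("xyz.com", "66.66.66.66"):
            print(f"{name:14} {host:12} match={cert_matches(cert, host)}")
```

An IP literal is compared only against IP-type SAN entries, so listing the address as a DNS name does not clear the warning.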
