
A security warning when accessing a site through IP

THE_BLUE
Cirrostratus

When I go to, e.g., https://xyz.com/, everything works normally. As soon as I access the same site using its IP address, e.g. 66.66.66.66, I get a security warning (even if I write something like https://66.66.66.66/). But it is still https, so does that mean my connection will not be encrypted?

I know this is because the certificate does not include the public IP, but is that risky? And how do I solve it from the server or WAF side?

1 ACCEPTED SOLUTION

SanjayP
MVP

As you mentioned, this is expected because the certificate common name or SAN doesn't include the IP address. The warning shows that the common name has a mismatch, but traffic would still be TLS encrypted.

If you want to avoid the cert warning, the IP address can be added to the SAN, but it's not a common practice.

If you want to block access to the site by IP address, you can use an iRule, an LTM policy or an ASM feature. Most web servers also have an option to whitelist the HOST header.

On F5:

iRule: To whitelist the HOST header

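when HTTP_REQUEST {
    # Compare the Host header case-insensitively against the allowed name
    switch [string tolower [HTTP::host]] {
        "www.domain.com" {
            # Expected hostname: let the request through
            return
        }
        default {
            # Any other Host value, including the bare IP address: reject the connection
            reject
        }
    }
}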

LTM Policy:

Condition:

HTTP host is not any of <www.domain.com> at http request time

Action:

Reset traffic at request

On Server: you can search for the options to mitigate this HOST header injection, based on the web server used (e.g. IIS, nginx, Apache).
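
The name check behind that warning, as an added example that is not part of the original post or of F5's code: a simplified matcher that compares what was typed in the URL with the certificate's SAN list. The two certificates are constructed, use the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and the legacy common-name fallback is deliberately ignored (an assumption of this sketch).

```python
import ipaddress

# Constructed certificates, in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_DNS_ONLY = {"subjectAltName": (("DNS", "xyz.com"), ("DNS", "*.xyz.com"))}
CERT_WITH_IP = {"subjectAltName": (("DNS", "xyz.com"), ("IP Address", "66.66.66.66"))}


def _dns_match(pattern, host):
    """Match one dNSName SAN entry; '*' may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one non-empty label, never the bare domain.
        return len(p_labels) > 2 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def name_matches(cert, typed_host):
    """Return True if what the user typed in the URL is covered by the SAN list."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(typed_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress entries, never DNS ones.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, typed_host)
               for kind, value in sans)


def browser_verdict(cert, typed_host):
    """The channel is encrypted either way; only the identity check differs."""
    return "ok" if name_matches(cert, typed_host) else "name mismatch warning"


if __name__ == "__main__":
    for host in ("xyz.com", "www.xyz.com", "66.66.66.66"):
        print(host, "| DNS-only cert:", browser_verdict(CERT_DNS_ONLY, host),
              "| cert with IP SAN:", browser_verdict(CERT_WITH_IP, host))
```
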


2 REPLIES


Clear, many thanks