Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

A security warning when accessing a site through IP

Go to solution
THE_BLUE
Cirrostratus
Cirrostratus

‎05-Apr-2021 23:00 - last edited on ‎05-Jun-2023 20:06 by Fog

When I go to ex: 

https://xyz.com/
, everything works normal. As soon as I access the same site using its IP address ex: (66.66.66.66) , I get a security warning (even if I write something like 
https://66.66.66.66/
). but still with https .. so is that mean my connection will not be encrypted?

i know this is because the certificate not include the public ip but is that risky? and how to solve it from Server or WAF side?

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
SanjayP
MVP
MVP

‎06-Apr-2021 00:17 - last edited on ‎04-Jun-2023 20:59 by Fog

As you mentioned, this is expected because certificate common name or SAN name doesn't have IP address included. The warning shows that common name is having missmatch, but traffic would be still TLS encrypted.

If you want to avoid the cert warning, IP address can be added to the SAN but it's not a common practice.

If you want to block the access of the site using IP address you can use iRule, ltm policy or ASM feature. Most of the web servers also has option to whitelist the HOST header.

On F5:

iRule: To whitelist the HOST header

when HTTP_REQUEST {
 switch [string tolower [HTTP::host]] {
 "www.domain.com" 
  {
   return
  }
 default { 
   reject
  }
 }
}

LTM Policy:

Condition:

HTTP host is not any of <www.domain.com> at http request time

Action:

Reset traffic at request

On Server: you can search for the options to mitigate this HOST header injection, based on the web server used (eg. IIS, nginx, Apache)

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
SanjayP
MVP
MVP

‎06-Apr-2021 00:17 - last edited on ‎04-Jun-2023 20:59 by Fog

As you mentioned, this is expected because certificate common name or SAN name doesn't have IP address included. The warning shows that common name is having missmatch, but traffic would be still TLS encrypted.

If you want to avoid the cert warning, IP address can be added to the SAN but it's not a common practice.

If you want to block the access of the site using IP address you can use iRule, ltm policy or ASM feature. Most of the web servers also has option to whitelist the HOST header.

On F5:

iRule: To whitelist the HOST header

when HTTP_REQUEST {
 switch [string tolower [HTTP::host]] {
 "www.domain.com" 
  {
   return
  }
 default { 
   reject
  }
 }
}

LTM Policy:

Condition:

HTTP host is not any of <www.domain.com> at http request time

Action:

Reset traffic at request

On Server: you can search for the options to mitigate this HOST header injection, based on the web server used (eg. IIS, nginx, Apache)

0 Kudos

Go to solution
THE_BLUE
Cirrostratus
Cirrostratus
In response to SanjayP

‎06-Apr-2021 00:56

Clear , many thanks

0 Kudos
Copyright © 2023 Khoros, LLC