
We have had our firewall provider install an SSL certificate on the firewall. If we also put an SSL certificate on the server (website), will it conflict, or will it run fine?

Any advice on this will be highly appreciated.

Dhaval Chheda

1 Answer

How SSL works here is probably not what you expect. According to your description there will be two distinct connections: one from the user to the firewall, and one from the firewall to the webserver.

From the user's point of view, only the firewall certificate matters; it is this one that will be used to encrypt the data.

If you activate SSL on the webserver and add a certificate, the only one seeing this certificate will be the firewall, so it has to be valid for the firewall client itself (if the firewall doesn't know the authority which signed the certificate, you'll have a validation problem unless you add this authority's certificate to the firewall's certificate store).

Mostly, in this case, your firewall acts as a reverse proxy, doing the user's SSL termination and initiating another SSL session between itself and the webserver.

In bad ASCII art this may be shown like this:

user <--using firewall's cert--> Firewall <--using server's cert--> webserver

Tensibai
  • Hmmm... OK, now the real issue. The reason we are planning to add a certificate to the site is that our site is now showing https but the forms have http, and because of this the POST is failing. So we need a solution for tackling this, and if we can do it without an additional certificate that would be great. – Dhaval Chheda Jun 29 '18 at 08:10
  • Set up your application to honor the X-Forwarded-Proto header **and** the Forwarded header; the firewall should populate this header. – Tensibai Jun 29 '18 at 08:51
  • @Tensibai technically the application should either honor `X-Forwarded-Proto` **or** `Forwarded` header. A firewall should not set both and it will be a security issue if the application tries to read from both as one of the two might be spoofed and forwarded by the firewall. AWS load balancers for example send `X-Forwarded-*` headers and will forward the `Forwarded` header verbatim from the request – apokryfos Jun 29 '18 at 09:06
  • I have X-Forwarded-Proto: https showing in the request headers in the Network tab, but the site still has forms with http and not https. – Dhaval Chheda Jun 29 '18 at 09:11
  • @apokryfos From the application's point of view, you should support both without assuming which one the reverse proxy ahead will give (that was the idea of saying support both). – Tensibai Jun 29 '18 at 09:17
  • @DhavalChheda your application should use this header in the action of the form. – Tensibai Jun 29 '18 at 09:17
  • @Tensibai the problem arises when the firewall sends `X-Forwarded-Proto` and the end user also spoofs it and your application ends up using the spoofed one instead of the correctly forwarded one. – apokryfos Jun 29 '18 at 09:19
  • @Tensibai the forms are still without http, and I have set X-Forwarded-Proto: https and Forwarded: my ip, and still the issue. Have I done anything wrong? – Dhaval Chheda Jun 29 '18 at 10:12
  • Sorry, forms are still without https and are loading as http only. – Dhaval Chheda Jun 29 '18 at 10:24
  • @apokryfos I understand fully what you mean. I'd argue this affects only a sending client, so either it's a MITM attack and all bets are off, or it only affects the response to this user and as such doesn't matter much. It's still the application's responsibility to not return something weird to the end user regardless of what comes in, in my opinion, and only a human review of the code can ensure that... – Tensibai Jun 29 '18 at 11:49
  • @DhavalChheda I don't know your app and I've no idea of your code; does it take the header into account or not? The presence of something you don't use won't solve your problem magically. In brief, your app code seems to need a modification to take advantage of the header and set fully qualified URLs accordingly in what it returns. – Tensibai Jun 29 '18 at 11:51
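Added example, not code from the original thread: a small WSGI-side helper implementing what the answer and its comments describe. The firewall terminates the user's TLS session and talks to the backend over its own hop, so the backend's own scheme is useless for building absolute URLs. The helper takes the user-facing scheme from the proxy's forwarding header only when the request arrives from the firewall's own address, reads only the one header the proxy is configured to set (`X-Forwarded-Proto` or `Forwarded`, never both, which is the spoofing concern apokryfos raises), and builds the form action URL from it. The trusted address range, the function names and the sample requests are assumptions made up for the example.

```python
"""Added example (not code from the original thread): pick the user-facing
scheme behind a TLS-terminating reverse proxy while refusing a spoofed
forwarding header from an untrusted peer.

Assumptions (all hypothetical): the application is a WSGI app receiving a
CGI-style `environ`; the firewall/reverse proxy that terminates the user's
TLS session connects from an address in TRUSTED_PROXIES and is configured
to set exactly one of X-Forwarded-Proto or Forwarded (RFC 7239).
"""
import ipaddress
import re
from typing import Mapping, Optional

# Assumption: the firewall/proxy's internal address range. Change it to the
# address the proxy actually connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Matches `proto=https` or `proto="https"` inside one Forwarded element.
_FORWARDED_PROTO = re.compile(r'(?:^|;)\s*proto=("?)(https?)\1', re.IGNORECASE)


def from_trusted_proxy(remote_addr: str) -> bool:
    """True when the direct TCP peer is one of our reverse proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def proto_from_forwarded(value: str) -> Optional[str]:
    """Extract proto= from a Forwarded header (RFC 7239).

    Chained proxies append comma-separated elements; the first element
    belongs to the proxy closest to the client, so its proto= is the
    scheme the user actually used.
    """
    first_hop = value.split(",", 1)[0]
    m = _FORWARDED_PROTO.search(first_hop)
    return m.group(2).lower() if m else None


def external_scheme(environ: Mapping[str, str], header: str = "X-Forwarded-Proto") -> str:
    """Return 'http' or 'https' as seen by the end user.

    `header` names the ONE header the proxy is known to populate. Reading
    both would let a client smuggle in the header the proxy merely forwards
    verbatim.
    """
    own = environ.get("wsgi.url_scheme", "http")
    if not from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        # Direct client, not our proxy: any forwarding header is spoofable.
        return own
    name = header.lower()
    if name == "x-forwarded-proto":
        # Leftmost value is the client-facing scheme when proxies chain.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    elif name == "forwarded":
        proto = proto_from_forwarded(environ.get("HTTP_FORWARDED", ""))
    else:
        raise ValueError(f"unsupported scheme header: {header}")
    return proto if proto in ("http", "https") else own


def form_action_url(environ: Mapping[str, str], path: str = "/submit",
                    header: str = "X-Forwarded-Proto") -> str:
    """Absolute form action using the external scheme, so a page served over
    https does not render a form that posts to an http URL."""
    host = environ.get("HTTP_HOST", "localhost")
    return f"{external_scheme(environ, header)}://{host}{path}"


# Constructed sample requests, not captured traffic.
VIA_PROXY = {
    "REMOTE_ADDR": "10.1.2.3",            # the firewall's internal address
    "wsgi.url_scheme": "http",            # proxy -> backend hop is plain http
    "HTTP_HOST": "www.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",    # set by the proxy
}
DIRECT_SPOOF = {
    "REMOTE_ADDR": "203.0.113.5",         # a client reaching the backend directly
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "www.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",    # attacker-supplied, must be ignored
}

if __name__ == "__main__":
    print(form_action_url(VIA_PROXY))      # https://www.example.com/submit
    print(form_action_url(DIRECT_SPOOF))   # http://www.example.com/submit
```

The `header` parameter is the configuration knob the comments argue about: set it to whichever header your firewall documents that it populates, and the other header is never consulted. If the backend is reachable only through the proxy, the `REMOTE_ADDR` check is belt-and-braces; if it is reachable directly (or the proxy range is wrong), it is what stops a browser-supplied `X-Forwarded-Proto: https` from changing the URLs the application emits.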