Webserver IP visible in website links when published through WAF

Just curious to see if anyone else has had this issue.  I'll apologise in advance for any errors because I'm not a Web Dev  :)

I'm starting to test using WAF to reverse proxy internal websites.  I have a software UTM running v9.411-3.

I've published a couple of websites and they work fine but one site wouldn't load up the css style config when testing from my android phone.  I asked the Web Devs to check it out and they spotted something that's pretty worrying.

He found out that his phone was trying to load internal resources using the IP address, i.e. @import url("https://WEBSERVERIP/modules/comment/comment.css?on3ztz"), but if he tested from an internal PC it would be @import url("www.DOMAIN/.../comment.css"). The certificate is for the domain, so it doesn't load the CSS.

For info, internal access isn't reverse proxied, so that's just a Windows PC accessing an internal website directly on the webserver.

What worries me is that UTM is apparently allowing public visibility of the webserver internal IP address.  I'm assuming that this is a configuration on the webserver but it probably means that the Web Devs will have to check every single site that we have for IP addresses in links before I can migrate them from TMG rev proxy to UTM WAF.

I'm not using Rewrite HTML (the site also uses JavaScript) and I'm testing with a custom WAF firewall policy that's just Basic profile + Block clients with bad reputation - Cookie signing.  My Virtual Webservers are using Encrypted (HTTPS) & redirect over port 443.  Curiously, an SSL Labs site check gives the site an A rating.
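A check of the kind the web devs are being asked to do across every site, as an added example that is not from this thread or from Sophos: it scans saved HTML/CSS response bodies for absolute links whose host is a literal non-public IP address. The sample content and the addresses 10.0.0.25, 192.168.1.40 and fd00::1 are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Captures the target of CSS url(...) / @import and of HTML href= / src= attributes.
URL_RE = re.compile(
    r"""(?:url\(\s*|@import\s+(?:url\(\s*)?|(?:href|src)\s*=\s*)["']?([^"')\s>]+)""",
    re.IGNORECASE,
)

# Constructed sample of what a phone might fetch through the WAF (not from the thread).
SAMPLE_CSS = """
@import url("https://10.0.0.25/modules/comment/comment.css?v=1");
@import url("https://www.example.com/modules/system/system.css");
@import "/modules/node/node.css";
body { background: url('//192.168.1.40/img/bg.png'); }
"""
SAMPLE_HTML = """
<link rel="stylesheet" href="https://10.0.0.25/sites/default/files/css/main.css">
<script src='https://www.example.com/js/app.js'></script>
<img src="http://[fd00::1]/logo.png">
"""

def private_ip_host(url):
    """Return the host of `url` if it is a literal non-public IP, otherwise None."""
    host = urlparse(url).hostname  # also handles scheme-relative //host/path links
    if host is None:
        return None  # relative path: no host to leak
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an address literal
    # Flags RFC 1918, loopback, link-local and IPv6 ULA ranges.
    return host if not ip.is_global else None

def find_private_ip_links(content):
    """Return (url, host) pairs in `content` whose host is a non-public IP literal."""
    hits = []
    for match in URL_RE.finditer(content):
        url = match.group(1)
        host = private_ip_host(url)
        if host is not None:
            hits.append((url, host))
    return hits

if __name__ == "__main__":
    for source, content in (("style.css", SAMPLE_CSS), ("index.html", SAMPLE_HTML)):
        for url, host in find_private_ip_links(content):
            print(f"{source}: internal address {host} exposed in {url}")
```

Feed it the bodies fetched through the public WAF address (for instance saved from the browser's Network tab), not copies taken from inside the LAN, since the external view is the one that matters.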



This thread was automatically locked due to age.
  • "What worries me is that UTM is apparently allowing public visibility of the webserver internal IP address."

    I doubt that.  You could do a packet capture on the external interface to prove it, but my guess is that even if some WAF<->webserver traffic included the local IP, that wouldn't ever go to the external client as it would "break" the browsing session.

    Cheers - Bob

  • Thanks for the reply Bob.

    My web dev tested accessing the rev proxied site through his smartphone over his personal phone connection, i.e. not touching our internal networks.  He then connected his phone to his PC using USB and ran the dev tools in Google Chrome from his PC to view the browser data on the phone, and this is where he saw the IPs.

    https://developers.google.com/web/tools/chrome-devtools/remote-debugging/

    Now I'm assuming that this browser data would still have been collected over his personal mobile phone carrier's network and not somehow starting to connect to the internal network through his PC?
