
When a browser connects to my website by entering its FQDN the connection is encrypted using the site's SSL Certificate.

However, it has come to my attention that it is possible to bypass the SSL and initiate an unencrypted connection by entering the load balancer IP Address (in which case you get an error saying it could not be encrypted).

The link below suggests that I could solve this with a redirect.

Apache reverse proxy so that SSL browser requests for IP of server are redirected to FQDN

Is this good practice or should I really be tying the certificate to the IP address in addition to the FQDN?

Huw Evans
  • I don't understand exactly what your problem or misconfiguration is, but in general it is considered to be best practice to configure your web server to not serve any real content over plain HTTP on port 80, but only use port 80 to redirect to https. When you don't have a certificate for the IP-address simply don't (generate a) redirect to `https://` but to `https://www.example.com` and you should be fine. Or you can consider HTTP requests without a (valid) domain/hostname as erroneous and simply respond with a suitable error response. – Rob Apr 19 '22 at 14:14
  • IMHO, if you have a load balancer, it should handle redirecting http to https. And if you consider the connections between the load balancer to be trusted - you can go a step further and let the load balancer handle all the SSL processing and pass the traffic to the web servers unencrypted. Then you only have to maintain the single certificate on the LB. – Brandon Xavier Apr 19 '22 at 14:16
  • @Rob I am aware of this and definitely didn't intend for anything to be served over plain HTTP on port 80. The issue is that if you put https:// it serves the page with a 'failed to encrypt' error. I don't know how to change this. – Huw Evans Apr 19 '22 at 14:44
  • @BrandonXavier Yes it does redirect http to https but only for the FQDN. The setup is as you describe at the moment although I am considering end to end encryption as an option. – Huw Evans Apr 19 '22 at 14:46
  • For reference this is the guide I followed to set up the load balancer. https://docs.digitalocean.com/products/networking/load-balancers/how-to/ssl-termination/ – Huw Evans Apr 19 '22 at 14:49
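One way to implement what the comments describe, as an added example that is not from the question, its comments, or the linked guide, for the case where Apache itself terminates TLS (not the DigitalOcean load balancer): it assumes the site is www.example.com and uses placeholder certificate paths.

```apache
# Added example: never serve real content to a request that did not ask for
# the canonical hostname. Assumes site www.example.com; cert paths are placeholders.

# 1. Catch-all on port 80. The first *:80 vhost is Apache's default, so any
#    plain-HTTP request (by IP or by any other name) is sent to the https FQDN,
#    never to a bare https://<ip>/ that has no matching certificate.
<VirtualHost *:80>
    ServerName default.invalid
    Redirect permanent / https://www.example.com/
</VirtualHost>

# 2. Catch-all on port 443. The first *:443 vhost handles requests whose SNI or
#    Host header matches no ServerName, e.g. https://203.0.113.10/ (constructed IP).
#    A certificate is still required to complete the handshake; the browser's
#    name-mismatch warning for an IP-based connection is expected and cannot be
#    removed without a certificate that lists the IP. What this vhost removes is
#    the real site behind that warning: it answers 403 for every path.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 3. The real site, selected only when the client asked for www.example.com.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/www.example.com
</VirtualHost>
```

To verify, request the site by IP with `curl -k https://<ip>/` and by name with `curl https://www.example.com/`: only the second should return page content, and `curl -I http://<ip>/` should show a 301 to the FQDN.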

0 Answers