I have an F5 load-balanced 4-server cluster environment that I'm building, so I'm looking to centralize our certificates to prevent needing to install them all on every server. Windows 2012 / IIS 8 seems to have centralized certificates, but that is only to secure my endpoint in IIS for inbound traffic.
What about for outbound traffic? They all will be initiating TLS transactions to external entities, so I need a way to store all these on a single server and have each of the IIS boxes "tap into" that cert store for the private and public keys that are necessary to send that TLS message.
Any suggestions?
You're looking for an HSM which the F5 will support and IIS also supports a few major vendors (Thales and Safe-Net both have IIS supported HSMs). They're not cheap from what I remember but that's exactly what you're looking for.
If you don't want to go that route, you can opt for the dirty solution of using the BIG-IP as your cert store and rely on self-signed certs on the IIS pool members.
Inbound: Incoming traffic terminates on BIG-IP using the valid CA-signed cert SSL Client profile. BIG-IP re-encrypts to IIS using a generic SSL server profile. Not pretty but it works.
Outbound: You would have to use the BIG-IP as the default gateway of the IIS server so you can direct the outbound TLS from BIG-IP instead of IIS directly.
Devcentral: SSL Acceleration - Can I encrypt outbound traffic
Hope this helps.
-Chase
Related
I have a server that has a web server on it. I have setup wireguard vpn between me and server.
Do I need to serve my web server with https for security or wireguard is enough?
You should be fine as long as your web server is listening on the Wireguard interface only (i.e. it is bound to the IP address of the Wireguard interface) so that it is not reachable from outside the VPN. You do not technically need to wrap everything in another encryption layer such as HTTPS, as the only way to establish a connection to the web server is through the VPN, which already provides encryption and authentication.
Beware though that VPN + HTTP does not offer exactly the same security features that VPN + HTTPS does, there are some subtleties. For example, in case your private VPN key is leaked, it could be used to perform a Man-In-The-Middle attack on your connection, whereas using VPN + HTTPS a potential attacker would also need to break through HTTPS, which means either getting privileged access to your machine (since a new private key is generated by your browser on each TLS handshake) or a way to forge a valid CA-signed certificate for your web server's domain (generally not possible). Whether or not you care about this additional layer of security is up to you really.
Say, I have two app service (HTTPS only is enabled):
https://myapp1.azurewebsites.net
https://myapp2.azurewebsites.net
I can call both app service endpoints using HTTPS successfully.
Then I created a traffic manager and add above two endpoints to traffic manager, say:
myapps.trafficmanager.net
After the traffic manager is created and endpoint added, the trafficmanger host name myapps.trafficmanager.net is also automatically added into custom domains of two app services. But without SSL binding to traffic manager host name.
Then if I call traffic manager endpoint using HTTPS: https://myapps.trafficmanager.net, I will got untrusted SSL cert error/warning. That is expected.
Since traffic manager just works on DNS level, the real request is actually send to the app service endpoint which has correct SSL cert binding. My question is:
From security point of view, is it safe to call the non-cert binding traffic manager endpopint using HTTPS in my code (say, using .NET HttpClient) but just ignore the cert error?
I recently set one of these up as well and fought with it for a bit. The short answer is that it is probably safe, but it sounds like you may be using the Traffic Manager incorrectly. You shouldn't be using the URL in the Traffic Manager as your end point if you want to use SSL. Instead configure your vanity domain name, mycoolsite.com to point to myapps.trafficmanager.net, using a DNS CNAME record.
If you want to use SSL and a single URL you should configure the custom URL and install an SSL cert at the service level. It should be same custom URL on both app services. This must be configured at in the app service, not in Traffic Manager.
I had to read this a few times to understand how it works under the hood, but it was helpful.
So in summary, to set it up properly, the steps would be:
Configure custom/vanity domain on both app services
Install the SSL cert on both app services
Setup and configure the Traffic Manager
Point the custom/vanity URL to the traffic manager using a DNS CNAME record
There is no need to bind a cert with traffic manager since the server certificate is not validated when using traffic manager health probes via HTTPS. Moreover, the traffic manager works at the DNS level. The clients connect directly to the selected endpoint, not through Traffic Manager.
In this case, you could use HTTPS for endpoints and use health probe via HTTPS. Even you could not bind a cert with traffic manager, you could make sure that the monitoring port is configured correctly in Traffic Manager (e.g. 443 instead of 80) and also your monitoring path points to a valid page for your service.
Another SO answer explains this more details. If you still want to make this warning disappearing, you can get a free SSL from letsencrypt.org and add that to your custom domain with the *.trafficmanager.net.
In our scenario, we are providing SaaS platform which will automatically create customer specific traffic manager (xxxx.trafficmanager.net) each time when customer onboard our platform.
The traffic manager will points to app service cross regions.
The problem is, that if customer calls the traffic manager with HTTPS, the CERT warning will be shown. I know we can bind the cert to each of customer's traffic manager and upload the cert to azure. But since the traffic manager is automatically created in runtime, how can we automatically get a cert and bind to xxx.trafficmanager.net?
Traffic Manager works at the DNS level. It sends DNS responses to direct clients to the appropriate service endpoint. Clients then connect to the service endpoint directly, not through Traffic Manager. You will bind your cert to the endpoint, not Traffic Manger. If the endpoint is an Azure Web App, you can use the CLI or Powershell to bind the cert.
Therefore, Traffic Manager does not provide an endpoint or IP address for clients to connect to.
Traffic Manager supports probing over HTTPS. Configure HTTPS as the protocol in the monitoring configuration.
Traffic manager cannot provide any certificate validation, including:
Server-side certificates are not validated
SNI server-side certificates are not supported
Client certificates are not supported
I am having trouble with getting SSL/HTTPS working on a Azure WAF (ApplicationGateway) (http / port:80 is working fine)
I will explain the scenario as basic as possible:
The developer has made two websites (for this example: let’s say X.com and Y.com) both on a Linux Front End server in AZURE which sit behind a NSG as well as a Azure Application Gateway WAF
The developer points DNS records of X.com and Y.com to the WAF's single IP (appGatewayFrontendIP)
Users can browse through to both websites http / port:80 with no problem.
The trouble now lies with how to get SSL working, so far:
The developer has applied SSL certificates to both websites on the Linux Web Server in Azure
How does one get SSL working on the WAF?
I have been looking through MS Docs all day but not really sure how to get this to work (https://learn.microsoft.com/en-us/azure/application-gateway/create-ssl-portal)
I see we need to put a PFX certificate inside - I am assuming a selfsigned one is NOT the way to go. However I am non the wiser as to what I do in this scenario -
How do I get a PFX certificate and how does this work when you have 2 websites on a single Front End Linux Server -
Do I need to take off the SSL Certs on the Front End Linux server and instead of .cert get a .PFX cert and upload via Azure Portal?
Any help truly welcome! :)
Thanks
If you want the front-end (ie public IP) to serve up HTTPS you'll need the PFX certificate assigned to the listener of the appropriate back-end site.
For example:
XPfxCert should be assigned to the listener that directs traffic to the X.com app
YPfxCert should be assigned to the listener that directs traffic to the Y.com app
This will encrypt traffic between your customers and the WAF. You'll need to obtain one from a certificate authority (eg. comodoca.com) to ensure your end user does not get one of those errors like you'd see here if you used self-signed: https://self-signed.badssl.com/
In addition you'll need different certs for the back-end. This will encrypt traffic between the WAF and your apps (even though they're all in Azure you'll still need this). It gets assigned in the HTTPSettings. You may be able to get away with self-signed here; however, at our work we use CA provided certs for both.
Lastly, if the goal is to host both X.com and Y.com on the same VM you should be able to configure path based rules that would direct traffic appropriately. As an alternative you could have multiple NICs on your VM and configure multiple back-end pools to direct traffic to the appropriate site.
References:
https://vincentlauzon.com/2017/07/17/azure-application-gateway-anatomy/
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell
Assuming you have two different certificates for X.com and Y.com, then you should associate these certificates with the corresponding multi-site listeners which you would have created listening on port 443. The you should create two new rules which associate these listeners to corresponding backend pools using HTTP setting. Please remember to delete any other rules apart from the 4 rules (2 for HTTPS listener and 2 for HTTP listener).
At this point you should be able to send traffic to these listeners which would terminate SSL and run WAF rules. Since your backend is already configured to listen on port 80, it should work as is with existing HTTP Settings. The backend communication is over HTTP.
If you want to enable end to end SSL - ie rencrypt the traffic to backend then you should follow documentation on enabling end to end SSL on the above setup.
Regarding this MSDN article; https://msdn.microsoft.com/en-us/magazine/mt793270
Scale Unit Network Configuration sections has below sentences;
In the case of IP-based SSL, a given application is allocated a dedicated IP address for only inbound traffic, which is associated with the Cloud Service deployment. Please note: Front ends terminate SSL connection for all HTTPS requests for all applications and any type of certificate. The front end then forwards the request to the designated worker for a given application.
But, when Please note: Front ends terminate SSL connection for all HTTPS requests for all applications and any type of certificate happens?
Is this happened right after that we configure IP-based SSL?
or, is this happened to all traffics always under IP-based SSL?
or else?
It happens for all traffics. All https traffic irrespective of whether you are using a ip-based SSL, SSL cert from external CA's or using internal Azure SSL (azurewebsites.net) the SSL traffic is terminated at the front-end each scale unit has and from front-end to worker will always be http traffic. In return the same is encrypted back at front-end before traffic goes out using the SSL uploaded for specific domain/azure provided SSL cert.