We have a new SSL certificate installed in Sophos for a website we are hosting. When I configure the web server with an HTTP encryption, there is no issue. But when I change it to HTTPS encryption, these are the issues we are having:
From internal network, it shows:
The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server
From external network, it shows:
This site can’t provide a secure connection
domain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
What are we missing to make this work properly?
Hello,
is this new certificate showing up as "trusted" under Certificates in the Sophos System?
Kind regards, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Are we talking about WAF here?
Can you show us your rules?
Yes, this is about the WAF. This is the WAF configuration
and this is the Web Server config
Does the downstream Web Server (IP_DMZ_CSI-SVR03) also support HTTPS?
Looking at the error given by the WAF, the downstream Web Server is only available through plain-text HTTP.
I recommend that you change from HTTPS to HTTP in the Web Server configuration (keeping the same port, 8080).
When I configure the web server with an HTTP encryption, there is no issue. But when I change it to HTTPS encryption, these are the issues we are having:
It's because the downstream Web Server (IP_DMZ_CSI-SVR03) doesn't support HTTPS.
You should leave the WAF to handle the encryption with the client and send the traffic to the downstream server through plain-text HTTP. (There's no need for the WAF to encrypt all traffic again with the downstream server, unless you don't trust your own internal network.)
If a post solves your question use the 'Verify Answer' button.
Ryzen 5600U + I226-V (KVM) v21 MR1 @ Home
Sophos ZTNA (KVM) @ Home
Regarding the downstream web server, I am not sure, but I guess it doesn't support HTTPS.
So as long as the WAF's encryption method is HTTPS, the Web Server's encryption type is insignificant if the server is internal? I thought I needed to set both the WAF's and the Web Server's encryption method to HTTPS to make it secure.
It highly depends on how your current network is configured, and on what compliance requirements you need to meet.
It's common to have a WAF terminating TLS at the edge and then transmitting data in plain text for higher performance (and caching in some other scenarios), but depending on how your internal network is currently configured this can be either insecure or secure.
The important part for you is having a secure connection between the client and the WAF.
PS: If the connection from the WAF to the Web Server is encrypted through HTTPS, the IPS will have no effect, as it can't inspect the encrypted data, making it useless.
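The thread leaves open whether the downstream server on port 8080 speaks TLS at all, which is exactly what "Error during SSL Handshake with remote server" hinges on. The script below is an added example, not code from the thread or from Sophos: it sends a minimal TLS ClientHello to a backend and classifies the first bytes that come back. The function names, the host and port arguments, and the sample replies are all constructed for illustration; run it from a host that can reach the DMZ server.

```python
import os
import socket
import struct

# Constructed sample replies (illustrative only, not captured from the thread's servers).
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
SAMPLE_TLS_HELLO = bytes.fromhex("160303005a020000560303")   # start of a ServerHello record
SAMPLE_TLS_ALERT = bytes.fromhex("150303000202")             # fatal alert record

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying an SNI extension (hypothetical helper)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = SNI
    suites = bytes.fromhex("c02fc030009c002f")                         # a few common suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                     # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply: bytes) -> str:
    """Interpret the first bytes a backend sends back after our ClientHello."""
    if not reply:
        return "closed"        # connection dropped or silent: no TLS answer at all
    if reply[:1] == b"\x16" and reply[1:2] == b"\x03":
        return "tls"           # ServerHello record: the backend does speak HTTPS
    if reply[:1] == b"\x15" and reply[1:2] == b"\x03":
        return "tls-alert"     # a TLS stack is there but rejected our hello
    if reply.startswith(b"HTTP/"):
        return "plain-http"    # an HTTP server answered TLS bytes with HTTP text
    return "unknown"

def probe_backend(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port, send the ClientHello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(16)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])      # e.g. the DMZ web server and 8080
    print(f"{host}:{port} -> {probe_backend(host, port)}")
```

A result of "plain-http" or "closed" for the backend confirms the diagnosis above: the WAF must terminate TLS itself and talk HTTP to the server, and switching the Web Server entry to HTTPS can only fail.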