This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

It it possible for WAF to arbitrarily rewrite a URL?

I have a web server protected by webserver protection on a UTM running 9.506-2.  The software vendor is claiming that in some cases while using the website, when users make a connection to our webserver from the Internet, our webserver protection is somehow rewriting the URL, so that instead of the users browser trying to access https://external.domain.com, it uses https://internal_IP_of_real_web_server.

I claim this is simply not possible.  Not only does the webserver protection not arbitrarily re-write a URL.  But even if it did, it would NEVER put the internal IP address of the web server into the URL.  It simply isn't routable on the Internet.  Not to mention that by doing so, it is now publishing our internal IP to external users (as users see an error message stating they cannot reach https://internal_IP_of_real_web_server)

I've asked the vendor to check with their developer to determine where the users are getting that URL from (likely from the application), and why it is using an IP address and not a hostname.

I just wanted to check with people here to see if it's even possible to configure the webserver protection in such a way that an intended URL is re-written to use the Internal IP of a real webserver.  I can't see how.  But I want to make sure I'm not going crazy.

Let me know if you need more details.  Any thoughts would be greatly welcome.



This thread was automatically locked due to age.
Parents
  • It sounds like your real web server serves web pages with absolute URLs pointing to itself. Enable "Rewrite HTML" in the "Advanced" section of the virtual web server so that WAF rewrites the internal IP address with its own domain name.

Reply
  • It sounds like your real web server serves web pages with absolute URLs pointing to itself. Enable "Rewrite HTML" in the "Advanced" section of the virtual web server so that WAF rewrites the internal IP address with its own domain name.

Children
  • Thanks   Although this wasn't the solution I ended up having to implement, it did lead me down the write path.  Ultimately I had to enable "Pass host header" on the virtual web server.  After doing so, everything work as intended.  Thanks again.

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.