Webserver IP visible in website links when published through WAF

Just curious to see if anyone else has had this issue. I'll apologise in advance for any errors because I'm not a Web Dev :)

I'm starting to test using WAF to reverse proxy internal websites. I have a software UTM running v9.411-3.

I've published a couple of websites and they work fine, but one site wouldn't load up the CSS style config when testing from my Android phone. I asked the Web Devs to check it out and they spotted something that's pretty worrying.

He found out that his phone was trying to load internal resources using the IP address, i.e. @import url("https://WEBSERVERIP/modules/comment/comment.css?on3ztz"), but if he tested from an internal PC it would be @import url("www.DOMAIN/.../comment.css"). The certificate is for the domain, so it doesn't load the CSS.

For info, internal access isn't reverse proxied, so that's just a Windows PC accessing an internal website directly from the webserver.

What worries me is that UTM is apparently allowing public visibility of the webserver's internal IP address. I'm assuming that this is a configuration on the webserver, but it probably means that the Web Devs will have to check every single site that we have for IP addresses in links before I can migrate them from TMG reverse proxy to UTM WAF.

I'm not using Rewrite HTML (the site also uses JavaScript) and I'm testing with a custom WAF firewall policy that's just Basic profile + Block clients with bad reputation - Cookie signing. My Virtual Webservers are using Encrypted (HTTPS) & redirect over port 443. Curiously, an SSL Labs site check gives the site an A rating.
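The check the poster is worried about having to do by hand for every published site, i.e. looking through what a client actually receives for links that use a literal IP instead of the site's FQDN, can be scripted. The block below is an added example and is not code from the original post or from Sophos. It takes response bodies (HTML and CSS) as strings, finds every absolute or protocol-relative URL, and flags those whose host is a literal IP address, classifying RFC 1918, ULA and similar addresses as "private". The page bodies, addresses and paths in it are constructed placeholders; in practice you would feed it the bodies fetched through the public WAF address (for example with curl) and compare with a fetch from inside.

```python
"""Scan served HTML/CSS for absolute links whose host is a literal IP address.

Added example, not from the original post or from Sophos. The sample bodies
below are constructed; the addresses and paths in them are placeholders.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Absolute or protocol-relative URLs as they appear in href/src attributes,
# CSS url(...) and @import. Stops at quotes, brackets and whitespace.
URL_RE = re.compile(r'(?:https?:)?//[^\s"\'()<>]+', re.IGNORECASE)


def find_ip_links(body):
    """Return (url, ip, scope) for every link whose host is a literal IP.

    scope is "private" for RFC 1918 / ULA / loopback / link-local addresses
    (as classified by ipaddress.is_private) and "public" otherwise.
    """
    findings = []
    for match in URL_RE.finditer(body):
        url = match.group(0)
        host = urlparse(url).hostname  # strips any port and IPv6 brackets
        if host is None:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not a literal IP: nothing leaked here
        findings.append((url, str(ip), "private" if ip.is_private else "public"))
    return findings


def internal_ip_leaks(pages):
    """pages: {label: body}. Returns {label: [urls]} for pages that link to private IPs."""
    leaks = {}
    for label, body in pages.items():
        private = [url for url, _ip, scope in find_ip_links(body) if scope == "private"]
        if private:
            leaks[label] = private
    return leaks


# Constructed samples standing in for bodies fetched through the public WAF address.
SAMPLE_CSS = """
@import url("https://10.20.30.40/modules/comment/comment.css?on3ztz");
@import url("https://www.example.org/modules/system/system.css");
"""

SAMPLE_HTML = """
<link rel="stylesheet" href="https://192.168.1.10/sites/all/themes/site.css">
<script src="https://cdn.example.net/app.js"></script>
<img src="//[fd00::10]/logo.png" alt="">
<a href="https://8.8.8.8/status">Public IP literal (well-known resolver, used only as a recognisably public address)</a>
"""

SAMPLE_CLEAN = '<link rel="stylesheet" href="https://www.example.org/site.css">'

PAGES = {"style.css": SAMPLE_CSS, "index.html": SAMPLE_HTML, "clean.html": SAMPLE_CLEAN}

if __name__ == "__main__":
    for label, urls in internal_ip_leaks(PAGES).items():
        print(label)
        for url in urls:
            print("  internal IP in link:", url)
```

Run it against the body of each published page and each stylesheet it imports, fetched from outside through the WAF; any hit in the "private" scope is a link the application built from an address rather than from the published name, whatever the underlying cause turns out to be, and a public IP literal is worth a look too since it bypasses the hostname the certificate was issued for.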



This thread was automatically locked due to age.
After reading other posts I'm wondering if this could be DNS-related? Not that the IP is being passed through, but that it's the internal IP and not the public IP.

If I do a DNS lookup on the UTM for the FQDN of the site, it does resolve to the internal webserver IP. UTM is primarily used as an AD-integrated forward proxy, so it integrates with internal DNS. This is an internal site that is accessible from internal clients, so it will resolve that FQDN from internal DNS.

Do I need to create a host definition for this FQDN resolving to the public IP of the website? That does mean that we'll have to revisit our browser proxy exceptions if we have to do this for every single published site, because we have a lot of different website domains. We are a Local Authority and it seems that services like to brand every single project that they run that needs a website, e.g. go smarter, go green, go by bike.... I'm sure you get the idea :(
