0

We have a WAF in front of our environnement. Let's say now

  1. the client ask for example.com
  2. The waf make a redirect (303) saying https://example.com

Now the communication is established between the client and the WAF.

If now, my back-end have a rule saying "everything comming on port 80 must be redirected to www.example.com"

For precisions, the WAF and the back-end can only communicate with the port 80

My question:

  1. The client send his request https://example.com
  2. The waf send it to the back-end (http://example.com)
  3. The bak-end answer http://www.example.com

Will the WAF will overwrite www.example.com by https://example.com

Warok
  • 125
  • 1
  • 5

1 Answers1

1

If I understand your question correctly you are basically asking if the WAF will handle the redirect send by the backend locally by issuing a new request to the backend, or if the WAF will pass the redirect through to the original client.

While there is no single type of WAF I would expect the WAF to pass the redirect to the client since it might otherwise break functionality. Such redirects are often used to store some state in the client, like a cookie or in case of a permanent redirect the preference to use HTTPS instead of HTTP or to use a different domain or to use a client-specific path. Since is important that the client keeps this (often client-specific) state the redirect needs to be passed through to the client.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • It's not a security breach? If you ask for example.com and you get a response www.example.com, this mean you could also have something like malicious.example.com. And this also means, some WAF might will remove the "www" from the url? – Warok Feb 03 '20 at 09:18
  • @Warok: Sorry, I cannot follow your arguments. As I said the WAF passes through the redirect to the client so that the client will do the redirect and not the WAF. Therefore the client will not get the content of www.example.com when asking for example.com but it will get only the redirect. – Steffen Ullrich Feb 03 '20 at 09:36
  • @Stefen, Yes, know I understand how this works. Thanks for the help :) – Warok Feb 03 '20 at 10:56