Imperva Cyber Community

Expand all | Collapse all

Best practice for Transparent Reverse Proxy mode

  • 1.  Best practice for Transparent Reverse Proxy mode

    Posted 05-14-2021 06:11
    Hi there,
    I'm the new one to Imperva, and I have some questions, hope you guy can help me.
    Let's say I have a web model like this and I'm using Transparent Reverse Proxy mode on the Imperva.

    at the F5 and Web server, we're using the same certificate for the web (Cert A). On the Waf Imperva we have some different certificates, maybe the same as Cert A, or another Certs.

    My questions:
    1. Is it necessary if I check to Encrypt Sever Connection while at F5 and Web server I already used the Cert A for SSL connection.
        what happen if I check it?
    2. At the Certificate option, do I need to use the same Cert (Cert A) as F5 and Web server?
       what happen if I use a different Cert?
    3. About Client SSL Negotiation Settings and Server SSL Negotiation Settings when I have to use this option?
       does Client SSL Negotiation Settings option depend on the Cert used at Certificate option?
       dose Server SSL Negotiation Settings option depend on the Cert used at F5 and Web server?

    Thank you very much!
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tho Nguyen Tien
    Security Operation Center Director
    HCM
    ------------------------------


  • 2.  RE: Best practice for Transparent Reverse Proxy mode

    Imperva Employee
    Posted 05-14-2021 09:53
    Hello,

    1.  In most cases, it is necessary to to check "encrypt server connection". If this box is left unchecked the WAF will send the traffic unencrypted to the F5 over the port specified under "server side port". 
    2.  It is not required to use the same cert, but can reduce administrative efforts and reduce troubleshooting efforts if the same cert is used. The 2 requirements that do exist for the cert(s) loaded on the WAF for TRP are that they: A.) Contain the full trusted certificate chain B.) Contain the appropriate CN or SAN within the cert. 
    3. It's not necessarily determined by the cert in use, but by the ciphers in use. For example, you could configure "stronger" encryption on the client side, and use ciphers that offer increased performance on the server side. (between the WAF and F5)


    Thanks.


  • 3.  RE: Best practice for Transparent Reverse Proxy mode

    Posted 05-16-2021 22:45

    Hello @Jaired Anderson,

    I have a question to your answer No.2.

    I can understand if this is a KRP. But for TRP, how would WAF handle the decryption and re-encryption if a different certificate is used? I was supposing that in TRP mode the SSL session was still maintained between the client and server (please correct me if this is not the case), and therefore the same certificate would be required at WAF such that the WAF can "transparently" decrypt the message and re-encrypt it.

    Thanks!

    ------------------------------
    Louis Tsoi
    Associate Consultant
    Cyberforce Limited
    ------------------------------



  • 4.  RE: Best practice for Transparent Reverse Proxy mode

    Imperva Employee
    Posted 30 days ago
    Hi Louis,

    In TRP mode, the connection is still terminated just as if it were KRP, the difference is the client thinks it still communicating directly with the server and server still thinks it is communicating directly with the client because the WAF has rewritten the packets. For this reason, there is no need for the transparent reverse proxy to append an x-forwarded-for header for the server to see the client IP as is required with KRP. This is why it's referred to as Transparent reverse proxy - neither party realizes there is a proxy in the middle.

    It is important to understand when TRP is enabled the WAF is actively presenting the certificate to the client and  participating in the SSL/TLS negotiation between the client and the WAF (connection 1), and the WAF and the back end server / load balancer (connection 2) as if it were KRP.


  • 5.  RE: Best practice for Transparent Reverse Proxy mode

    Posted 05-16-2021 23:07
    Dear Mr Jaired,

    Thank you very much for your kind explanations.
    About Q1 I'm still not very clearly about the connection between Waf and F5, you mentioned that If this box is left unchecked then the traffic will be unencrypted even though at F5 already using the SSL encryption?

    Best regrads,


    ------------------------------
    Tho Nguyen Tien
    Security Operation Center Director
    HCM
    ------------------------------



  • 6.  RE: Best practice for Transparent Reverse Proxy mode

    Imperva Employee
    Posted 30 days ago
    Hi @Tho Nguyen Tien,

    With the config posted in your screenshot, the following will occur:


    The client and WAF (TRP) will negotiate an SSL/TLS session over port 443. The communication between the client and WAF (TRP) will be encrypted.

    The WAF (TRP) will then send unencrypted (Encrypt Server Connection box is unchecked) traffic to the server / F5 (192.168.100.?) over port 443. (server side port)


    Thanks.