The Security Principles
Quoting from the World Wide Web Consortium (W3C):
- The Web’s trustworthiness has become critical to its success
- Furthermore, confidentiality — while arguably not always strictly necessary — is often needed
- The Web platform should be designed to actively prefer secure communication
- Barriers to adopting “https://” should be removed where feasible
- The end-to-end nature of TLS encryption must not be compromised on the Web
- Educating and interacting with users regarding security is notoriously difficult. 🙄 (Emoticon mine)
- Cryptography will not solve all security problems in the Web platform
There’s a massive push in the industry to make all websites on the public Web secure. The latest Chrome version marks websites as non-secure if they are served over HTTP, as shown below:
Let’s Encrypt to the Rescue
The service aims to provide certificates for FREE to anyone. It delivers close to 600,000 certificates per day.
Fantastic, my setup is as follows:
- An IaaS scale set of 2 VMs running a website on IIS. These boxes are not publicly accessible
- A Web Application Firewall tier (WAF) using the Azure Application Gateway
First, the good news: it is possible to get a Let’s Encrypt TLS certificate and install it in the Azure WAF.
The not so good news: it’s tricky, and the reason is that Let’s Encrypt issues only domain-validated certificates, since those can be fully automated. This means that the host requesting the certificate must be publicly accessible. Organization Validation and Extended Validation certificates are not available.
I did not set it up in the most seamless way for a production environment; the intention was to prove the point that free certificates work in this configuration.
The elements I used for this lab:
- 1 Windows scale set in Azure with 2 VMs
  - I installed the public certificates here on IIS. Do not bind the host name on the IIS site, as this can cause connection issues.
- A public DNS service. Any service does the job
- 1 Linux box
  - I ran the Let’s Encrypt bot from this box, and the DNS A record was pointing to it.
  - Once the certificate was issued, I exported the .cer and the .pfx
- 1 Azure Application Gateway
  - Firewall enabled
  - Firewall mode set to Prevention
  - Configured as WAF
  - Listener configured over HTTPS
  - Rule set OWASP 3.0
  - The public certificate (.cer) for the back-end and the private certificate (.pfx) for the front-end
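The export and upload step from the Linux box, scripted as an added example (this is not code from the original post): it turns the PEM files the Let’s Encrypt client leaves behind into the front-end .pfx and back-end .cer, checks they match, and pushes them to the gateway with the Azure CLI. It assumes openssl and a logged-in `az` are installed, the certbot live-directory layout (privkey.pem, cert.pem, chain.pem), and placeholder resource names; the back-end authentication certificate applies to the v1 gateway SKU.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes openssl and the Azure
# CLI (az, logged in) are installed; resource names are placeholders, and the
# certbot "live" directory layout (privkey.pem, cert.pem, chain.pem) is assumed.
set -eu

# Build the two artefacts the gateway needs from the Let's Encrypt PEM files:
# frontend.pfx (private key + leaf + chain) for the HTTPS listener and
# backend.cer (public leaf only) for the back-end HTTP setting.
#   $1 = certbot live directory, $2 = output directory, $3 = PFX password
convert_letsencrypt_to_azure() {
  live="$1"; out="$2"; pfx_pass="$3"
  mkdir -p "$out"
  # Bundling chain.pem avoids clients failing on a missing intermediate.
  openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/cert.pem" \
    -certfile "$live/chain.pem" -out "$out/frontend.pfx" -passout "pass:$pfx_pass"
  chmod 600 "$out/frontend.pfx"
  # The same leaf certificate is bound on IIS; the gateway (v1 SKU) whitelists
  # it as an authentication certificate, so only the public part is needed.
  openssl x509 -in "$live/cert.pem" -outform PEM -out "$out/backend.cer"
}

# Pre-upload check: the PFX opens with the password and carries the same
# public key as backend.cer. Returns 0 on success, non-zero otherwise.
verify_bundle() {
  out="$1"; pfx_pass="$2"
  pfx_pub=$(openssl pkcs12 -in "$out/frontend.pfx" -nokeys -clcerts \
              -passin "pass:$pfx_pass" | openssl x509 -noout -pubkey)
  cer_pub=$(openssl x509 -in "$out/backend.cer" -noout -pubkey)
  [ -n "$pfx_pub" ] && [ "$pfx_pub" = "$cer_pub" ]
}

# Push both to the Application Gateway: the PFX becomes the listener's SSL
# certificate, the .cer an authentication certificate for the HTTPS back end.
upload_to_appgw() {
  out="$1"; pfx_pass="$2"; rg="$3"; gw="$4"
  az network application-gateway ssl-cert create --resource-group "$rg" \
    --gateway-name "$gw" --name letsencrypt-frontend \
    --cert-file "$out/frontend.pfx" --cert-password "$pfx_pass"
  az network application-gateway auth-cert create --resource-group "$rg" \
    --gateway-name "$gw" --name letsencrypt-backend --cert-file "$out/backend.cer"
}
# Usage (placeholder domain and resource names; PFX_PASS set in the environment):
if [ "${1:-}" = "run" ]; then
  convert_letsencrypt_to_azure /etc/letsencrypt/live/www.example.com /tmp/appgw "${PFX_PASS:?}"
  verify_bundle /tmp/appgw "$PFX_PASS"
  upload_to_appgw /tmp/appgw "$PFX_PASS" my-resource-group my-appgw
fi
```

Let’s Encrypt certificates expire after 90 days, so this is the piece to hook into the client’s renewal so the gateway certificate does not lapse.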
How does it look?
The published website:
It is possible and works perfectly.
Doing some googling, there seems to be a less complicated way, which I haven’t tried: