I was working on a website that needed to severely limit membership access to a regional area. This was designed to protect the intellectual property being uploaded and shared on the site. On this basis I did a few things to limit IP exposure.

  1. Moved everything that needed protecting to S3 buckets only allowing referrers from the domain.
  2. Add user expiring use based tokens to each link that only lasted 60 seconds upon page load.
  3. Install a firewall to geoblock access outside of the country.

I locked the site down pretty good (a little too good) which lead to an interesting learn in firewall control. There are a  few definitions below

WEB APPLICATION FIREWALL (WAF): An intermediary that sifts all traffic to and from FRSLearn.com and any user, agent or host attempting to connect to the site.

TRANSPORT LAYER SECURITY (TLS): Encryption between the host (where the website lives) and anyone communicating with the server.

GEO BLOCKING: Using the intermediary firewall to block traffic from regions, or countries.

PARTIAL HTTPS: Only have TLS on connections between the WAF and the website.

FULL HTTPS: TLS on each stage of the connection: Users <-> WAF, WAF <-> website.

The TLS certificates I installed auto renew every 90 days (Let’s Encrypt). Which helps to keep the website safe by renewing the encryption cipher between user and the website frequently. This makes things hard for bad actors that may try to get their hands on the private key of the cipher which is stored on the server protecting the links to the sensitive data. With the cipher a bad actor can intercept and read traffic between a website and it’s users. By renewing this cipher frequently we mitigate long standing data eavesdropping.

The site was offline for 3 days due to the certificate attempting to renew after it’s 90 days were up, and this connection being blocked by the WAF. The WAF was installed between the last certificate being issued and the server attempting to renew and get a new cipher. The site is geared up to only allow traffic to and from the site directly from IP addresses and ranges located within the United Kingdom. What this large sweeping firewall did in this instance, was block the server from communicating with the certificate authority and stopped the site from renewing their ciphers (that server is in the USA).

I had a choice to move to what’s called “Partial HTTPS” where the only encrypted connection is between users and the WAF, as this is a separate TLS not on the websites servers. The choice was made to not allow a partial HTTPS as any traffic from the WAF to the website would not be encrypted. This blocking resulted in too many “requests” from our server to the TLS certificate server which resulted in a freeze on requests for 3 days.

The site was simply left in-accessible for three days to allow the situation to resolve itself once the certificates issuing server address was white listed to bypass the firewall.

The infographic was designed to help you understand what happened.

What I learned is that it is important to speak with people to identify all dependent services on making their website run safely before building an iron wall of impenetrability. (pro tip: only a static website has any real security, as soon as you have any server side language and external libraries you open yourself up to risk)