SSL modes for the Web Application Firewall (WAF)
This article helps you determine which SSL mode your site requires. Once you have determined this, you can change the SSL Mode for your Web Application Firewall (WAF).
The Web Application Firewall (WAF) provides two modes for SSL connections: Partial HTTPS and Full HTTPS.
With Partial HTTPS, the connection between your visitor and the WAF is safe (HTTPS), but the connection from the WAF to your server uses cleartext HTTP, which is not secure.
Although your visitor will see the website as safe, Partial HTTPS is known for causing redirect loops and could suffer from man-in-the-middle (MitM) attacks. Use it only if absolutely necessary.
Full HTTPS is the safest way of configuring the SSL Mode; it is designed to encrypt the whole connection.
This method requires an SSL certificate on the server side. Be aware that your visitors never see the hosting SSL certificate; only the WAF does. Your visitors always see the SSL certificate uploaded to the WAF.
The hosting SSL certificate can be a self-signed SSL certificate or even an expired SSL certificate (you do not need to renew your server SSL certificate). The WAF will continue to accept the server SSL certificate and always present the WAF's SSL certificate to your visitors. However, if you want a Strict SSL mode, in which the WAF always checks that the server SSL certificate is valid, please open a Product Support ticket.
Note: For HTTPS requests, when using Partial HTTPS, the WAF reaches your server on port 80; when using Full HTTPS, the WAF reaches your server on port 443. This is hard-coded and cannot be customized.
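To see which mode your server can support before changing the setting, you can probe the server directly on ports 80 and 443. The script below is an added example, not part of the WAF product or its documentation; the function names are hypothetical, and it assumes that Strict mode applies ordinary certificate checks (trusted chain, expiry, hostname) and that you know your server's IP address.

```python
import socket
import ssl
import sys

# OpenSSL verification codes that a validating client reports for a certificate.
VERIFY_REASONS = {0: "valid", 10: "expired", 18: "self-signed",
                  19: "self-signed CA in chain", 20: "unknown issuer",
                  62: "hostname mismatch"}

def usable_modes(port80_open, tls_on_443, verify_code):
    """Map probe results to the SSL modes the server can support.
    Assumption: 'Strict' means ordinary chain, expiry and hostname checks."""
    modes = []
    if port80_open:
        modes.append("Partial HTTPS")   # WAF -> server in cleartext on port 80
    if tls_on_443:
        modes.append("Full HTTPS")      # encrypted; certificate is not validated
        if verify_code == 0:
            modes.append("Strict")      # encrypted and certificate validated
    return modes

def _handshake(origin_ip, hostname, ctx, timeout):
    """Complete one TLS handshake on port 443; raises if it fails."""
    with socket.create_connection((origin_ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname):
            return 0

def probe_origin(origin_ip, hostname, timeout=5.0):
    """Connect straight to the server (not through the WAF) and report its state."""
    try:
        socket.create_connection((origin_ip, 80), timeout=timeout).close()
        port80_open = True
    except OSError:
        port80_open = False
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE     # accepts self-signed or expired certificates
    tls_on_443, verify_code = False, None
    try:
        _handshake(origin_ip, hostname, lax, timeout)
        tls_on_443 = True
        verify_code = _handshake(origin_ip, hostname,
                                 ssl.create_default_context(), timeout)
    except ssl.SSLCertVerificationError as exc:
        verify_code = exc.verify_code   # why a validating client would refuse
    except OSError:
        pass                            # port closed, or no TLS on 443
    return (usable_modes(port80_open, tls_on_443, verify_code),
            VERIFY_REASONS.get(verify_code, verify_code))

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe_origin(sys.argv[1], sys.argv[2]))  # args: server IP, site hostname
```

A result such as `(['Partial HTTPS', 'Full HTTPS'], 'expired')` means Full HTTPS will work as described above, but the certificate would have to be renewed before requesting Strict mode.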
- The WAF provides an SSL certificate that is installed automatically once the WAF is activated. To replace this SSL certificate with your own, check out Configure my SSL certificate to work with the Web Application Firewall (WAF).
- Change the SSL Mode for my Web Application Firewall (WAF)