Sucuri Firewall/Proxy Compatibility with NFO

arslanone
New to forums

Post by arslanone »

Hello,

We have a Sucuri website security account, that includes a Web Application Firewall (https://sucuri.net/website-firewall/)/proxy as well.

I've read these: Can someone please confirm if Sucuri firewall won't work at all? If we lose Let's Encrypt, even then it won't work?

At present, the Sucuri team is unable to make it work. Below is the last message from their support team:
Hi there,

The changes are not working correctly, I have therefore reversed the changes we made.

I believe when we are changing the DNS records on their end to point at the firewall IP, this is breaking the Apache configuration for where the document root of your site is.
[...]
Can you please ask your hosting provider the correct way to set up your DNS via 'pointing', rather than via internal link to the document root of the server.

We can then point the domain at the firewall, the firewall will then forward on requests for the domain to the hosting server.

If it isn't possible to do so through their DNS, you may need to use our free DNS hosting to configure this correctly.
What happens exactly?

A little information on how our website is set up on NFO:
  • It's a WordPress website
  • Installed in a subfolder inside /public/
  • Uses the 'Folder' option as 'Type' in 'Domains' section
A little information on what Sucuri do:
  • They go in the 'Domains' section, and change 'Type' to 'A'
  • They change 'Target' for 'A' to 192.124.249.19
What happens is that after DNS changes are propagated, if we open our website we get the following:
---------------
No website is currently set up at this address.

If you just set this site up, there may be a slight delay of up to a minute while the new Apache configuration is loaded; try visiting the page again in a minute or two and clicking refresh in your browser.

Redirecting to our main rentals page in 5 seconds..
---------------
I'll appreciate any feedback, or ideas from someone on this. Thanks.
Edge100x
Founder

Re: Sucuri Firewall/Proxy Compatibility with NFO

Post by Edge100x »

Changing the type away from 'Folder' would mean that you lose the Apache vhost configuration information on our end, so your site would no longer display in browsers.

We don't support manually creating or modifying vhost files for customers. The workaround that CloudFlare uses (and that they seem to be suggesting you use when they say to "use [their] free DNS hosting") is to take over the DNS hosting duties so that customers can leave the control panel here set up with fake information that makes our system keep running it in the same way, while CF fiddles with the DNS records as it sees fit. Since we don't officially support that, it's not something that we can guarantee will always work, of course (we have considered adding a periodic name server verification check to improve security/verification).

I don't agree with their assertion that we're not doing things in the "correct" way. The way that we support websites in our system is valid and reasonable.

In general, we recommend against using a reverse proxy on top of our webhosting services, since they reduce DoS mitigation capabilities (making sites more vulnerable to some types of attacks), drop performance, break our stats parsing, add another point of failure, and generally just make hosting more complicated. You're welcome to do your own testing and make your own measurements, but from what I have seen, there is a very large marketing component to these services, with the marketing centering around a lack of specifics and the assumption that low-quality webhosting systems are in use.
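The failure and the workaround described in the reply above, as an added simplified model (not part of the original posts, and not NFO's or Sucuri's code). It assumes that only a 'Folder' entry in the panel yields a name-based vhost and that the firewall forwards requests with the Host header unchanged; `example.com`, the `wordpress` subfolder and the origin IP are constructed.

```python
from dataclasses import dataclass

PLACEHOLDER = "No website is currently set up at this address."
FIREWALL_IP = "192.124.249.19"  # firewall address quoted in the thread
ORIGIN_IP = "203.0.113.10"      # constructed hosting-server address (documentation range)

@dataclass
class PanelEntry:
    domain: str
    kind: str    # 'Folder' or 'A', the 'Type' column in the panel's 'Domains' section
    target: str  # subfolder under /public/ for 'Folder', an IP address for 'A'

def build_vhosts(entries):
    """Assumption: only 'Folder' entries produce a name-based vhost on the origin."""
    return {e.domain: "/public/" + e.target for e in entries if e.kind == "Folder"}

def origin_serve(vhosts, host_header):
    """Name-based virtual hosting: the Host header selects the document root."""
    docroot = vhosts.get(host_header.lower())
    return f"site from {docroot}" if docroot else PLACEHOLDER

def browse(domain, dns_a, vhosts):
    """Follow one request: DNS answer, optional firewall hop, then the origin."""
    ip = dns_a[domain]
    if ip == FIREWALL_IP:
        ip = ORIGIN_IP  # assumption: the proxy forwards to the origin, Host unchanged
    return origin_serve(vhosts, domain) if ip == ORIGIN_IP else "unreachable"

def scenario(panel_kind, external_dns):
    """panel_kind: what the panel entry says; external_dns: DNS hosted elsewhere."""
    domain = "example.com"  # constructed
    if panel_kind == "Folder":
        entry = PanelEntry(domain, "Folder", "wordpress")
        panel_dns = {domain: ORIGIN_IP}    # assumption: 'Folder' resolves to the origin
    else:
        entry = PanelEntry(domain, "A", FIREWALL_IP)
        panel_dns = {domain: FIREWALL_IP}  # the change described in the first post
    # With external DNS the panel entry stays as it is and the A record lives elsewhere.
    dns = {domain: FIREWALL_IP} if external_dns else panel_dns
    return browse(domain, dns, build_vhosts([entry]))

if __name__ == "__main__":
    print("panel 'Folder', panel DNS:   ", scenario("Folder", external_dns=False))
    print("panel 'A' -> firewall:       ", scenario("A", external_dns=False))
    print("panel 'Folder', external DNS:", scenario("Folder", external_dns=True))
```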
arslanone
New to forums

Re: Sucuri Firewall/Proxy Compatibility with NFO

Post by arslanone »

Hello Edge100x,

I thank you for your detailed reply.

I think I understand (most of it) and agree with what you are saying.

I believe the best way forward for me would be to skip their firewall, and the hacky changes to DNS it requires.

Thanks again, truly appreciate it.