100% WHMCS Compatible WAF & CDN Companies?

[Sal]

Hello WHMCS & Community,

I am having a hard time finding 100% compatible WAF (Web Application Firewall) and CDN (Content Delivery Network) companies.  I would say both WAF & CDN are important but, more importance goes to WAF for WHMCS security,  

1. Do you know any WAF providers/companies that might be 100% compatible (i.e. allowing all the ports that whmcs uses) or at the very least that would let us configure all the ports WHMCS uses ourselves? 
2. Do you know any CDN providers that are 100% compatible with WHMCS?

We tried StackPath and they said they were NOT compatible, we contacted Sucuri and they do NOT even know what is WHMCS (at least by the way their sales team responded they've got no idea what is WHMCS), tried a few other companies no luck!

I would say WHMCS "MUST" have a documentation on compatible service providers; if they got Amazon AWS S3 mentioned then CDN & WAF companies are also important to keep whmcs safe, may be you can step in now to help, we'd very happy.

 

Thanks,

Sal

[Brad (SaneChoice Limited)]

Hi Sal,

I hope you are doing well?

Ill try best to answer from our findings but please also canvas the excellent experience within this community! 

1. We have a VPS running PLESK and WAF for WHMCS.  This works well and, on whole, we don't have any issues with WAF using MODSECUIRTY.  There is the odd glitch, but using logs you can see what rule is causing the issue and "tweak".  Naturally, you still need to apply other security at the Operating System and Webserver layer as WAF is not enough to harden on its own.  (i.e. ensuring that your Cyphers for SSL are modern and TLS1.2/1.3 are primary, etc). 
2. We have a CDN on our main Website but have (for now) decided to not use for WHMCS. So much of the calls go back to the WHMCS database that if you don't distribute your database then you get quite a slow user experience - even if you do store your CSS, JS and Images on the CDN's POPs.  I would be equally interested if anyone in the community has managed to crack this - whether using a CDN or distributed installation. 

Thanks,

Brad

[yggdrasil]

On 6/30/2020 at 2:45 AM, Sal said:

Hello WHMCS & Community,

I am having a hard time finding 100% compatible WAF (Web Application Firewall) and CDN (Content Delivery Network) companies.  I would say both WAF & CDN are important but, more importance goes to WAF for WHMCS security,  

1. Do you know any WAF providers/companies that might be 100% compatible (i.e. allowing all the ports that whmcs uses) or at the very least that would let us configure all the ports WHMCS uses ourselves? 
2. Do you know any CDN providers that are 100% compatible with WHMCS?

We tried StackPath and they said they were NOT compatible, we contacted Sucuri and they do NOT even know what is WHMCS (at least by the way their sales team responded they've got no idea what is WHMCS), tried a few other companies no luck!

I would say WHMCS "MUST" have a documentation on compatible service providers; if they got Amazon AWS S3 mentioned then CDN & WAF companies are also important to keep whmcs safe, may be you can step in now to help, we'd very happy.

 

Thanks,

Sal

WAF is an application firewall, in that regard it has nothing to do with ports open on your server as they check HTTP requests. Ports are related to a network firewall and a WAF works at the software layer.

That said, they don't need to be compatible with WHMCS, most WAF will protect against common exploits, just pick any provider and it should work. If not, they most likely let you manually exclude some specific POST/GET requests that you can match to WHMCS or any application. There is not such thing as a WAF WHMCS compatible provider because all applications are different and do different things. Most of them will protect against basic rules and then you need to customize them for tighter approach. You can also run your own like hosted one ModSecurity or if you run a Nginx server Naxi. This requires tons of work to get right and create proper rules. Take into account that any WAF will make your site slower as it needs to check for every request first.

A proper coded website or application should not require a WAF in the first place. WAF is a solution for apps that you cannot patch or secure properly as a temporary emergency fix or for huge sites on which developers upload different apps and softwares that are not properly vetted. The proper thing is to fix the application, instead of trying to stop the request with a WAF. That said, WHMCS should be properly safe to use without any WAF, if there is a security report, WHMCS will release a patch for it.

As for a CDN, most people don't realize this but unless your site is big and receiving huge amounts of traffic, there is no benefit on using a CDN provider. It's the opposite, unless your site is constantly getting traffic, all the time, every second, putting a CDN will make your site slower because its needs to request the CDN cache for content on new hits.

If you really want to go that path, just pick any WAF and CDN provider you want. They should all work because there is nothing special about WHMCS that would break it, it's a regular PHP application and it should work fine.

Edited July 4, 2020 by yggdrasil

[BILDr Hosting]

I run PFsense on a physical box with Cloudflare in front of it. The Cloudflare side adds caching and allows me to block countries, force https and limit the source IP's to Cloudflare on the Pfsense box so everyone has to go through it. Cloudflare is pretty comprehensive - it has a Wordpress and WHMCS ruleset right out of the box for example. It keeps threats at arms length and a lot of traffic from ever reaching me saving on bandwidth costs as well. Does things like DDoS before it hits me.

PFsense then allows for Snort or Suricata IDS engines locally which I can control as I need. Obviously PFsense is a full feature firewall as well but it mops up anything that can get through Cloudflare.

You can virtualise the PFsense part as well if you don't have a physical box. I run two Check Point firewalls which have been re-flashed with PFsense as a HA cluster.

Edited July 4, 2020 by BILDr Hosting

[yggdrasil]

58 minutes ago, BILDr Hosting said:

I run PFsense on a physical box with Cloudflare in front of it. The Cloudflare side adds caching and allows me to block countries, force https and limit the source IP's to Cloudflare on the Pfsense box so everyone has to go through it. Cloudflare is pretty comprehensive - it has a Wordpress and WHMCS ruleset right out of the box for example. It keeps threats at arms length and a lot of traffic from ever reaching me saving on bandwidth costs as well. Does things like DDoS before it hits me.

PFsense then allows for Snort or Suricata IDS engines locally which I can control as I need. Obviously PFsense is a full feature firewall as well but it mops up anything that can get through Cloudflare.

You can virtualise the PFsense part as well if you don't have a physical box. I run two Check Point firewalls which have been re-flashed with PFsense as a HA cluster.

That is a nice setup and while CloudFlare offloads some work personally I'm scared to have a middle man like that between my customers and servers. CloudFlare can see all the traffic which is fine for public sites but not so great for applications on which customers log in, handle server logins or make payments like WHMCS. It actually makes PCI compliance invalid as well since there someone now sitting between the encryption that can intercept the traffic.

[BILDr Hosting]

1 minute ago, yggdrasil said:

That is a nice setup and while CloudFlare offloads some work personally I'm scared to have a middle man like that between my customers and servers. CloudFlare can see all the traffic which is fine for public sites but not so great for applications on which customers log in, handle server logins or make payments like WHMCS. It actually makes PCI compliance invalid as well since there someone now sitting between the encryption that can intercept the traffic.

Unless you have a cat5 connection direct to your customers you have the whole internet between you and them.  It does not invalidate PCI and end to end encryption prevents any man in the middle attacks. Do you really think banks, financial institutions, governments and more don't use these services to protect themselves?

I think I am safe on this one 🙂

[yggdrasil]

11 minutes ago, BILDr Hosting said:

Unless you have a cat5 connection direct to your customers you have the whole internet between you and them.  It does not invalidate PCI and end to end encryption prevents any man in the middle attacks. Do you really think banks, financial institutions, governments and more don't use these services to protect themselves?

I think I am safe on this one 🙂

When you establish an SSL/TLS connection to a server, that connection is encrypted point to point. From your browser to the end server. When you use ClouFlare, that connection is not end-to-end encryption. The browser is encrypting the connection to CloudFlare, with a different certificate than your website, then CloudFlare is doing a second encryption to your end server. Hence, they are in the middle of the connection. It's not end-to-end encryption anymore. They can absolutely see as a plain text every byte transferred from your users to your servers, that includes credit cards, passwords, everything. I'm not saying they are doing this but technically they can as opposed to having a direct connection between your customers.

No, financial institutions don't use those services. They use self hosted devices or under their management that do that stuff like a Citrix appliance or netscaler load balancer just to name one brand. Government sites, depends on the certification they need to pass, but usually they don't use that either.

Edited July 4, 2020 by yggdrasil

[BILDr Hosting]

1 minute ago, yggdrasil said:

When you establish an SSL/TLS connection to a server, that connection is encrypted point to point. From your browser to the end server. When you use ClouFlare, that connection is not end-to-end encryption. The browser is encrypting the connection to CloudFlare, with a different certificate than your website, then CloudFlare is doing a second encryption to your end server. Hence, they are in the middle of the connection. It's not end-to-end encryption anymore. They can absolutely see as a plain text every byte transferred from your users to your servers, that includes credit cards, passwords, everything. I'm not saying they are doing this but technically they can as opposed to having a direct connection between your customers.

No, financial institutions don't use those services. They use self hosted devices or under their management that do that stuff like a Citrix appliance or netscaler load balancer just to name one brand. Government sites, depends on the certification they need to pass, but usually they don't use that either.

Well here's at least one bank that does and the case study from Cloudflare to highlight it:

https://www.cloudflare.com/case-studies/montecito/

[yggdrasil]

2 minutes ago, BILDr Hosting said:

Well here's at least one bank that does and the case study from Cloudflare to highlight it:

https://www.cloudflare.com/case-studies/montecito/

As I said before, it's ok for public content. They are using CloudFlare for their public pages at montecito.bank

Now if you check their login for online banking my.montecito.bank

That is not using CloudFlare anymore. It's on a different network, server....

So they are not using CloudFlare for sensitive information or their banking which proves my previous statements.

[BILDr Hosting]

10 minutes ago, yggdrasil said:

As I said before, it's ok for public content. They are using CloudFlare for their public pages at montecito.bank

Now if you check their login for online banking my.montecito.bank

That is not using CloudFlare anymore. It's on a different network, server....

So they are not using CloudFlare for sensitive information or their banking which proves my previous statements.

Thanks for clearing that up for me. I guess the other 15 banks they have as case studies or the 35 e-commerce case studies including Shopify, which processed more than $3.5bn in transactions last year also support what you say.