Tags: security, auth_error; ai_generated: true

OAuth2 authorization code intercepted by reverse proxy due to missing TLS termination at proxy

ID: security/oauth2-authorization-code-interception-via-reverse-proxy

Fix rate: 92%
Confidence: 85%
Evidence: 1
First seen: 2024-03-12

Version Compatibility

Version                          Status   Introduced   Deprecated   Notes
OAuth2 2.0                       active
nginx 1.24.0                     active
Apache HTTP Server 2.4.57        active
Spring Security 6.1.0            active

Root Cause

When a reverse proxy terminates TLS but forwards plain HTTP to the backend, the authorization code is transmitted in cleartext on the internal network, allowing any process on that network segment to intercept it.


Official Documentation

https://oauth.net/2/grant-types/authorization-code/

Workarounds

  1. (95% success) Configure the reverse proxy to terminate TLS at the proxy and re-encrypt traffic to the backend (e.g., nginx proxy_pass with HTTPS). Example: proxy_pass https://backend:443; proxy_ssl_verify off;
  2. (85% success) Use mTLS between proxy and backend to ensure an encrypted channel even on the internal network.

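A minimal nginx configuration illustrating workarounds 1 and 2, added here as an example and not taken from the original page or from the nginx project: the vulnerable server block is shown beside the corrected one. Host names, ports and certificate paths are assumptions, and the callback location assumes Spring Security's default /login/oauth2/code/ redirect-URI prefix. Unlike the page's snippet, which sets proxy_ssl_verify off, the corrected block verifies the backend certificate against an internal CA, because re-encrypting without verification still lets any host on the segment that answers as "backend" receive the authorization code.

```nginx
# Added example (not from the original page): vulnerable block beside the fix.
# Host names, ports and certificate paths are assumptions.

# --- Vulnerable: TLS ends at the proxy; the callback carrying ?code=... then
# --- crosses the internal network as plain HTTP.
server {
    listen 443 ssl;
    server_name auth.example.test;                       # assumed host name
    ssl_certificate     /etc/nginx/tls/proxy.crt;        # assumed path
    ssl_certificate_key /etc/nginx/tls/proxy.key;        # assumed path

    location /login/oauth2/code/ {
        proxy_pass http://backend:8080;                  # cleartext hop
    }
}

# --- Corrected: re-encrypt to the backend, verify its certificate, and present
# --- a client certificate so the backend can require mTLS (workarounds 1 and 2).
server {
    listen 443 ssl;
    server_name auth.example.test;
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location /login/oauth2/code/ {
        proxy_pass https://backend:8443;                 # TLS on the internal hop

        # Verify the backend certificate against the internal CA rather than
        # setting proxy_ssl_verify off, so only the genuine backend gets the code.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # assumed path
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend;           # must match the backend cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Client certificate the proxy presents to the backend (mTLS, workaround 2).
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.crt;  # assumed path
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key;  # assumed path

        # Preserve the original scheme so the backend builds https:// redirect URIs.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $remote_addr;
    }
}
```

Check the corrected block with nginx -t before reloading. The value of proxy_ssl_name has to match a name in the backend's certificate, and the backend must be configured to listen with TLS on the chosen port and, for workaround 2, to require and validate the proxy's client certificate; otherwise the proxy's verification fails and requests are rejected rather than silently downgraded.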

Dead Ends

Common approaches that don't work:

  1. (95% fail) Adding an HTTPS certificate to the backend server without changing the proxy configuration

    The proxy still forwards HTTP; backend HTTPS doesn't protect the wire between proxy and backend.

  2. (80% fail) Using a self-signed certificate on the backend to force HTTPS termination at the backend

    Self-signed certs cause backend SSL errors; the proxy may still strip TLS or fail to forward.