Service Chain CDN & WAAP
Objective
This guide provides instructions on how to globally distribute and secure your web application with F5® Distributed Cloud Services (F5XC) utilizing F5XC's Load Balancing, Content Delivery Network (CDN), and Web App and API Protection (WAAP) services.
Figure: Web Application Security and Performance Steps
The following visual provides an overview of how traffic flows through CDN service to WAAP service on the RE.
Figure: F5 Distributed Cloud CDN Reference Architecture
Prerequisites
-
F5 Distributed Cloud Console SaaS account.
Note: If you do not have an account, see Create an Account.
-
Google Domains account.
Note: This example assumes you have a domain in Google Domains, and you will use this to delegate your domain to F5XC. You can perform the same function using a different domain hosting service; however, the specific steps to delegate a domain will vary from vendor to vendor.
Configuration
The use case provided in this guide demonstrates enabling a domain for an application hosted on a public website and secures it using Distributed Cloud's javascript challenge, WAF/WAAP, and a CDN. The following actions outline the activities in domain setup and securing the web app:
-
The domain for the application is delegated to F5 Distributed Cloud Services for handling the queries towards the subdomain for the application and management of the SSL certificates for the subdomain.
-
A HTTP load balancer is created for the subdomain with automatic certificate management. As part of this step, an origin pool is created with the origin server as the public website. This use case demonstrates securing the
cloud.f5.com
website. -
The load balancer is secured with the javascript challenge and WAF for its ingress traffic.
-
A CDN Distribution is created to improve the performance of the website. The CDN will be service chained to the HTTP load balancer.
Step 1: Create Primary Zone
Note: Previous versions of this quick start instructed you to delegate your domain to the F5 Distributed Cloud Platform. The Delegate Domain capability has since been deprecated. Now you will configure your domain to use F5 Distributed Cloud DNS instead.
Log into Console and perform the following:
Step 1.1: Navigate to zone management and start adding a zone.
- Click
DNS Management
service on the Console home page.
Figure: Navigate to DNS Management
-
Select
DNS Management
option in the primary navigation menu located on the left side of the page. -
Click
Add Zone
.
Figure: Add Zone
-
Enter domain or subdomain name in the
Domain Name
field in the metadata section. -
Optionally, set labels and add a description for your zone.
Step 1.2: Start configuring primary zone.
Select Primary DNS Configuration
for the Zone Type
field in the DNS Zone Configuration
section. Click Edit Configuration
under the Primary DNS Configuration
field. Do the following in the zone configuration form:
- In the
SOA Record Parameters
section, theUse Default Parameters
is populated by default. To customize this, selectSOA Record Parameters
option, clickView Configuration
, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.
Figure: SOA Custom Configuration
Step 1.3: Configure resource record sets for the default group.
-
Go to
Resource Record Sets
section and clickAdd Item
. The resource record sets configuration form opens. -
Enter a value for the
Time to live
field. -
Select a record type for the
Record Set
field, enter a name for your record name in theRecord Name
field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:
Record Type | Fields | Notes |
---|---|---|
A | List of IPv4 Addresses | Enter IPv4 addresses. |
AAAA | List of IPv6 Addresses | Enter IPv6 addresses. |
ALIAS | Domain | Enter alias domain name. |
CAA | Tags and Value | Enter a tag and its value. |
CNAME | Domain | Enter domain name. |
MX | Domain and Priority | Enter domain and priority in the MX Record Value section. |
NS | List of Name servers | Enter the FQDN for the name servers. |
PTR | List of Name servers | Enter the FQDN for the name servers. |
SRV | Priority, Weight, Port, Target | Click Add Item in the SRV Value section and set the parameters. |
TXT | List of Text | Add the TXT record. |
DNS Load Balancer | DNS Load Balancer Records | Add the DNS Load Balancer record. |
NAPTR | Naming Authority Pointer | Enter regex based domain names used in URIs. |
DS | Delegation signer | Enter the signer to identify DNSSEC signing key of a delegated zone. |
CDS | Child DS | Enter Child copy of DS record, for transfer to parent. |
EUI48 | MAC address (EUI-48) | Add uniquely identified MAC address as per the EUI-48 specification. |
EUI64 | MAC address (EUI-64) | Add uniquely identified MAC address as per the EUI-48 specification. |
AFS | AFS record | Enter the AFS record. |
DNSKEY | DNS Key | Enter the type, protocol, algorithm, and public key. |
CDNSKEY | Child DNS Key | Enter the type, protocol, algorithm, and public key. |
LOC | Location information | Enter geographical details such as latitude, longitude, hemispheres, etc. |
SSHFP | SSH Key Fingerprint | Enter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key. |
TLSA | TLS Certificate Association | Enter the usage, selector, matching type, and association data. |
CERT | Public Key Certificate | Enter the type, key tag, algorithm, and certificate. |
Note: Use the
Add item
button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone.
Figure: Resource Record Set
- Click
Add Item
to add the resource record set to the list of resource record sets. Use theAdd Item
button to add more than one resource record step.
Step 1.4: Configure specific resource record sets group.
This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.
-
Enable
Show Advanced Fields
in theResource Record Sets
section. -
Click
Add Item
in the appearedAdditional Resource Record Sets
section. This opens new resource record sets form. -
Enter a
Name
in the metadata section. -
Click
Add Item
in theResource Record Sets
section. This opens the resource record sets configuration form. -
Configure the records in the same way as mentioned in previous step.
-
Click
Add Item
to add the resource record set to the group. Use theAdd Item
button to add more than one resource record set. -
Click
Add Item
in theResource Record Sets
form to add the group to theAdditional Resource Record Sets
section. Use theAdd Item
button to add more than one group.
Step 1.5: Optionally, enable DNSSEC and load balancer management.
- In the
DNSSEC Mode
section, selectEnable
for theDNSSEC Mode
field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.
Note:
DNSSEC Mode
is disabled by default.
- Check the
Allow HTTP Load Balancer Managed Records
. This is only optional for a legacy delegated domain.
Note:
Allow HTTP Load Balancer Managed Records
is unchecked by default, which might have made sense for a delegated domain. However, Distributed Cloud Services has deprecated the Delegated Domain capability, which means that new domains will need to be setup as a Primary DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check theAllow HTTP Load Balancer Managed Records
checkbox for the HTTP Load Balancer to work properly.
Step 1.6: Complete creating the primary zone.
- Click
Apply
in the primary zone configuration form.
Figure: Primary Zone Configuration
- Click
Save and Exit
in the main zone configuration form to complete creating the primary zone.
Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the
DNSSEC DS Record
column. Click on the displayed value, clickCopy DS Record
on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use thedig ds <domain name>
command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.
Step 2: Create HTTP Load Balancer with WAF
Perform the following steps for creating load balancers and WAF to enhance the application performance and security:
Step 2.1: Start creating an HTTP Load Balancer.
- Select the
Web App & API Protection
service. - Verify that the namespace you created in step 1.4 is selected.
- Navigate to
Manage
>Load Balancers
>HTTP Load Balancers
and then selectAdd HTTP Load Balancer
. - Enter a name for your load balancer in the
Metadata
section. - Enter your domain name, corresponding to the delegated sub-domain (step 1.1), in the
Domains
list within theDomains and LB Type
section. - Select
HTTPS with Automatic Certificate
in theLoad Balancer Type
field. - Check the
HTTP Redirect to HTTPS
checkbox. - Ensure the
HTTPS Port
is set to 443 and theTLS Security Level
is set toHigh
.
Figure: Load Balancer Setup
Step 2.2: Create origin pool.
-
In the
Origins
section, selectAdd Item
to add a new entry in the list of origin pools. This will bring up theOrigin Pool with Weight and Priority
setup form. -
If you already have an origin pool setup, you could select it from the
Origin Pool
drop-down menu; however, for this example, use the drop-down menu to selectAdd Item
to create a new origin pool. -
Enter a name for your origin pool in the metadata section.
-
The
Origin Servers
section contains the list of servers that make up this pool. SelectAdd Item
to add a new server.- Select the type of origin server in the
Select Type of Origin Server
field and then enter the appropriate server identification. For this example, selectPublic IP of Origin Server
and enter13.56.168.147
in thePublic IP
field. - Select
Apply
to save the origin server information and return to theOrigin Pool with Weight and Priority
setup form.
Figure: Origin Server Basic Configuration
- Select the type of origin server in the
-
In the
Origin servers Port
section, enter80
for thePort
field. -
Optionally scroll down to the TLS port to setup TLS security.
-
Select
Continue
at the bottom of the form to save the origin pool.
Figure: Origin Server List
- Complete the origin pool by entering
Weight
andPriority
values. These will only be used if you have multiple origin pools in your load balancer.
Figure: Origin Pool
- Select
Apply
to save the origin pool to your load balancer.
Figure: Load Balancer Origins
Step 2.3: Setup WAF.
-
Select
Enable
in theWeb Application Firewall (WAF)
field. -
Use the
Enable
drop-down menu to selectAdd Item
to configure a new firewall. This example will block all threats using default values.- Enter a name for your firewall configuration.
- Select
Blocking
in theEnforcement Mode
field. - Select
Default
for all fields in theDetection Settings
section.
Figure: Default Blocking WAF
- Select
Continue
at the bottom of the form to complete your WAF.
Figure: Load Balancer WAF
Step 2.4: Complete the load balancer setup.
- Scroll down to the
Common Security Controls
section and selectDo Not Apply Service Policies
in theService Policies
field. - In the
Other Settings
section, selectInternet
in theVIP Advertisement
field. - Verify that
Round Robin
is selected for theLoad Balancing Algorithm
field. - Select
Save and Exit
at the bottom of the form to save the load balancer configuration.
Step 3: Create CDN Distribution
Perform the following to create your CDN distribution:
Step 3.1: Create a new CDN distribution.
-
Select the
Content Delivery Network
service. The CDN distribution configuration page opens. -
Go to
Manage
>Distributions
. -
Verify that the namespace you created in step 1.4 is selected.
Figure: CDN Distributions Page
- Select
Add Distribution
.
Step 3.2: Configure metadata, domains, and distribution type.
-
In the
Name
field, enter a name for the distribution. -
Optionally, select a label and enter a description.
-
Go to
Basic Configuration
and enter a domain name in theDomains
field. This should match the delegated domain name you entered in step 1. -
Select
Add item
to add more domains, if needed. -
Select an option for the
Select Type of CDN Distribution
. The following options are supported:- Select
HTTP
to create the CDN Distribution. Select theAutomatically Manage DNS Records
checkbox if your domain is delegated to F5 Distributed Cloud. Otherwise, ensure in your DNS provider configuration that your domain is resolved. - Select
HTTPS with Automatic Certificate
to create the CDN Distribution with an automatic TLS certificate. Ensure that the domain is delegated to F5 Distributed Cloud. Optionally, selectHTTP Redirect to HTTPS
and/orAdd HSTS Header
checkboxes to enable those functions. You can also select TLS security level to be high or medium. - Select
HTTPS with Custom Certificate
to create the CDN Distribution with your custom TLS certificate.
- Select
-
If you are using the
HTTPS with Custom Certificate
option:-
Set the TLS configuration using the
Configure
option under theTLS Parameters
field. -
From the
TLS Security Level
drop-down menu, select the desired level. -
In the
TLS Certificates
section, SelectAdd Item
. -
For the certificate URL encoding, select
PEM
orbase64(binary)
, and then enter the certificate URL. -
To configure the private key, Select
Configure
. -
Under the
Secret
section, enter your private key inText
type, SelectBlindfold
, wait for the Blindfold operation to complete, and then SelectApply
. -
Select
Add Item
. -
In the
TLS Parameters
section, SelectApply
.
Note: You can add more than one certificate using the
Add Item
option. -
This example configures a CDN Distribution of type HTTPS with Automatic Certificates.
Figure: Distribution of Type HTTPS with Automatic Certficate
Step 3.3: Configure CDN origin pool.
- Select
Configure
in theCDN Origin Pool
section. The CDN origin pool configuration page opens. - Enter the CDN origin domain name in the
DNS Name
field. The domain name must be the same domain name you entered for the delegated domain in step 1.1 and the HTTP load balancer in step 2.1. The requests to origin servers use this name in the host header. - Select a TLS choice in the
Enable TLS for Origin Servers
field. Ensure that this matches your origin server configuration. - Select
Add Item
in theList of Origin Servers
section. In the origin servers page, enter public DNS name or public IP of your origin server. SelectApply
. - Enter a time value in the
Origin Request Timout Duration
field. The default is 60s (sixty seconds). - Select
Apply
in the CDN origin pool configuration page.
Figure: Origin Pool Configuration
Step 3.4: Optionally, configure advanced options to control your content delivery operation.
Advanced configuration consists of options such as header control, security, cache control, etc. Go to Advanced Configuration
section and perform the following:
-
Select
Show Advanced Fields
toggle to display the advanced configuration options. -
Select
Add Location
checkbox to append the location header in the response. Value for this header is the Regional Edge Site name that serves your request.
Step 3.4.1: Configure header control.
Select Configure
in the Header Control
field and do the following:
Add Request Headers
-
Select
Configure
inAdd Origin Request Headers
. SelectAdd Item
in the next screen, and enter a name for the header to be added. -
Select
Value
orSecret
for the header value.- If it is value, enter a string value for the header and then select
Apply
to save the header. - For a secret value, select
Configure
in theSecret Value
field, enter the secret using theText
type, select the appropriateAction
andPolicy Type
settings and then enter your secret in theSecret to Blindfold
field. Select Apply to save the header.
- If it is value, enter a string value for the header and then select
-
Use the
Add Item
button to add additional headers. -
Select
Apply
to save the list of request headers.
Note: CDN sends the following headers with client IP values to upstream by default:
- X-F5-True-Client-IP
- X-Forwarded-For
Remove Request Headers
-
Select
Configure
inRemove Origin Request Headers
. -
Select
Add Item
and enter a name for the header to be removed. -
Select
Apply
.
Note: Use the
Add Item
option to specify more headers to be removed.
Add Response Headers
-
Select
Configure
inAdd Response Headers
. SelectAdd Item
in the next screen, and enter a name for the header to be added. -
Select
Value
orSecret
for the header value. If it is value, enter a string value for the header. In case of secret, selectConfigure
in theSecret Value
field, enter the secret using theText
type, selectBlindfold
, wait for the encryption to complete, and selectApply
. -
Select
Apply
in theHeaders to Add
page. -
Select
Apply
in theAdd Response Headers
page.
Note: Use the
Add Item
option to add more headers.
Remove Response Headers
-
Select
Configure
inRemove Origin Request Headers
. -
Select
Add Item
and enter a name for the header to be removed. -
Select
Apply
.
Note: Use the
Add Item
option to specify more headers to be removed.
Select Apply
to apply header control settings.
Step 3.4.2: Configure security settings.
Select Configure
in the Security Options
field and do the following:
Client IP Filtering Options
-
Select
Configure
inClient IP filtering Options
. -
Select whether IP filtering type is allow list or deny list.
-
Enter IP prefix in the IP prefix list section.
-
Select
Add Item
to add more IP prefixes. -
Select
Apply
.
Client Geo filtering Options
-
Select
Configure
inClient Geo filtering Options
. -
Select whether Geo filtering type is allow list or deny list.
-
Select countries from list in the
Country Codes List
field. You can select more than one country. -
Select
Apply
.
Authentication Options
-
Select
Configure
inAuthentication Options
. -
Select
JWT Token Authentication
for authentication type. -
Enter the secret in the
Text
box of theSecret
field. SelectBlindfold
and wait for the operation to complete. -
Specify a source for the token. You can select header value or cookie name or query parameter name or set it as bearer-token.
-
Select
Apply
.
Select Apply
to apply security settings.
Step 3.4.3: Configure logging options.
Select Configure
in the Logging Options
field and do the following:
Client Request Headers to Log
-
Select
Configure
inClient Request Headers to Log
. -
Select
Add Item
and add headers for logging. -
Select
Apply
.
Origin Response Headers to Log
-
Select
Configure
inOrigin Response Headers to Log
. -
Select
Add Item
and add headers for logging. -
Select
Apply
.
Select Apply
to apply logging option settings.
Step 3.4.4: Configure cache TTL.
-
Select
Configure
in theCache TTL
field. -
Select an option for the
Cache TTL Settings
field as per the following guidelines:- Select
Default Cache TTL
if the origin server does not provide a TTL value. Set the value in theDefault Cache TTL
field. - Select
Override Cache TTL
if the origin server provides a TTL in the response and you want to override it. Set the value in theOverride Cache TTL
field.
- Select
-
Select
Apply
.
Step 3.5: Complete creating the distribution.
Select Save and Exit
.
Step 3.6: Verify the distribution status.
It might take a few minutes for your CDN Distribution to be deployed and to be ready to cache and serve content at Regional Edges. During this time, the Status
column will show Pending
. Once deployment is complete, the status for your CDN distribution will show Active
.
Note: To get a more detailed view of your site status, select
>
against your distribution object and expand its JSON view. Verify that the service domain is created. Select...
>Show Global Status
against your CDN object and ensure that theSite Status
section shows status asDEPLOYMENT_STATUS_DEPLOYED
.
Delegated Domain with Automatic Certificates:
- Wait for the
DNS Info
andTLS Info
columns to display theVIRTUAL_HOST_READY
andCertificate Valid
values. This indicates that the virtual host and certificate is created successfully.
Figure: Distribution Created
-
In the
Status
column, it showsActive
, which indicates CDN distribution is up and running. -
Select ‘...’ in the
Actions
column for your distribution, and then selectShow Global Status
.
Figure: Distribution Global Status
-
Global status indicates two things: 1) whether the distribution has been pushed to the CDN back end, and 2) whether the distribution has been configured on the Edge sites.
-
CDN distribution is configured successfully, when at least one edge site is configured with
- Global status is updated to
Operational
andCreated
. - Site Status is updated to
DEPLOYMENT_STATUS_DEPLOYED
. - Site name is listed.
- There will be one global, and at minimum, one status object for each site.
- Global status is updated to
-
In this delegated domain scenario, verify that the CDN domain is mapped to the F5 CNAME, and the F5 CNAME is mapped to the CDN Internal service domain, automatically.
Figure: Distribution CNAME Mapping
-
The user domain and F5 CNAME can be found in the JSON for your tenent.
Figure: Distribution CNAME JSON
-
Verify CNAME mapping using DIG command, and A records with unicast IP addresses of edge site, to indicate at least one edge site is configured for CDN distribution.
Figure: Distribution CNAME Mapping shown with dig
-
Verify that the requests to your CDN domain are processed, and the content is returned.
Delegated Domain with No Automatic Certificates:
Verify that the requests to your CDN domain are processed, and the content is returned.
Non-Delegated Domain:
Verify that the requests to your CDN domain are processed and the content is returned.
Note: In case of content updates in your origin servers, you can force the CDN servers to fetch the updated content using the purge option. Select
...
>Purge
for your distribution object and the CDN service initiates purge for all the cache servers.
Step 4: CDN + WAAP Verification & Dashboard
Step 4.1: Check the load balancer and distribution with curl.
- Access the HTTP load balancer domain using a curl command,
curl -I -k lb.example.com
, to make sure connection to the origin is fine. It should look something like this:
Figure: Verify Load Balancer with curl
- Access the CDN distribution domain to verify the end-to-end service chain is working correctly.
Figure: Verify Load Balancer with curl
- Because this is the first request to the CDN, the request will be redirected to the origin server causing the server to miss the cache (as shown at the bottom of the curl response:
x-cache-status: MISS
). - Generate more requests to observe cached traffic (
Hits
) and origin server traffic (Misses
) as shown below.
Figure: Verify CDN Hits and Misses
Step 4.2: View attack traffic in dashboards.
- Access the CDN domain with SQL injection or any other attack type sample.
- In Console, select the
Content Delivery Network
service and navigate toMonitoring
>Performance
. - Select your distribution to see its dashboard.
Figure: View Attack Traffic Cache Miss
- Observe the CDN dashboard is updated with cache misses.
- Switch to the
Web App & API Protection
service and navigate toOverview
>Security Dashboard
.
Figure: View Attack Traffic Details
- Observe the WAF security dashboard updated with security events.