Service Chain CDN & WAAP

Objective

This guide provides instructions on how to globally distribute and secure your web application with F5® Distributed Cloud Services (F5XC) utilizing F5XC's Load Balancing, Content Delivery Network (CDN), and Web App and API Protection (WAAP) services.

Figure: Web Application Security and Performance Steps

Figure: Web Application Security and Performance Steps

The following visual provides an overview of how traffic flows through CDN service to WAAP service on the RE.

Figure: F5 Distributed Cloud CDN Reference Architecture

Figure: F5 Distributed Cloud CDN Reference Architecture

Prerequisites

  • F5 Distributed Cloud Console SaaS account.

    Note: If you do not have an account, see Create an Account.

  • Google Domains account.

    Note: This example assumes you have a domain in Google Domains, and you will use this to delegate your domain to F5XC. You can perform the same function using a different domain hosting service; however, the specific steps to delegate a domain will vary from vendor to vendor.

Configuration

The use case provided in this guide demonstrates enabling a domain for an application hosted on a public website and secures it using Distributed Cloud's javascript challenge, WAF/WAAP, and a CDN. The following actions outline the activities in domain setup and securing the web app:

  1. The domain for the application is delegated to F5 Distributed Cloud Services for handling the queries towards the subdomain for the application and management of the SSL certificates for the subdomain.

  2. A HTTP load balancer is created for the subdomain with automatic certificate management. As part of this step, an origin pool is created with the origin server as the public website. This use case demonstrates securing the cloud.f5.com website.

  3. The load balancer is secured with the javascript challenge and WAF for its ingress traffic.

  4. A CDN Distribution is created to improve the performance of the website. The CDN will be service chained to the HTTP load balancer.

Step 1: Create Primary Zone

Note: Previous versions of this quick start instructed you to delegate your domain to the F5 Distributed Cloud Platform. The Delegate Domain capability has since been deprecated. Now you will configure your domain to use F5 Distributed Cloud DNS instead.

Log into Console and perform the following:

Step 1.1: Navigate to zone management and start adding a zone.
  • Click DNS Management service on the Console home page.
Figure: Navigate to DNS Management

Figure: Navigate to DNS Management

  • Select DNS Management option in the primary navigation menu located on the left side of the page.

  • Click Add Zone.

Figure: Add Zone

Figure: Add Zone

  • Enter domain or subdomain name in the Domain Name field in the metadata section.

  • Optionally, set labels and add a description for your zone.

Step 1.2: Start configuring primary zone.

Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:

  • In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.
Figure: SOA Custom Configuration

Figure: SOA Custom Configuration

Step 1.3: Configure resource record sets for the default group.

  • Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.

  • Enter a value for the Time to live field.

  • Select a record type for the Record Set field, enter a name for your record name in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:

Record TypeFieldsNotes
AList of IPv4 AddressesEnter IPv4 addresses.
AAAAList of IPv6 AddressesEnter IPv6 addresses.
ALIASDomainEnter alias domain name.
CAATags and ValueEnter a tag and its value.
CNAMEDomainEnter domain name.
MXDomain and PriorityEnter domain and priority in the MX Record Value section.
NSList of Name serversEnter the FQDN for the name servers.
PTRList of Name serversEnter the FQDN for the name servers.
SRVPriority, Weight, Port, TargetClick Add Item in the SRV Value section and set the parameters.
TXTList of TextAdd the TXT record.
DNS Load BalancerDNS Load Balancer RecordsAdd the DNS Load Balancer record.
NAPTRNaming Authority PointerEnter regex based domain names used in URIs.
DSDelegation signerEnter the signer to identify DNSSEC signing key of a delegated zone.
CDSChild DSEnter Child copy of DS record, for transfer to parent.
EUI48MAC address (EUI-48)Add uniquely identified MAC address as per the EUI-48 specification.
EUI64MAC address (EUI-64)Add uniquely identified MAC address as per the EUI-48 specification.
AFSAFS recordEnter the AFS record.
DNSKEYDNS KeyEnter the type, protocol, algorithm, and public key.
CDNSKEYChild DNS KeyEnter the type, protocol, algorithm, and public key.
LOCLocation informationEnter geographical details such as latitude, longitude, hemispheres, etc.
SSHFPSSH Key FingerprintEnter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key.
TLSATLS Certificate AssociationEnter the usage, selector, matching type, and association data.
CERTPublic Key CertificateEnter the type, key tag, algorithm, and certificate.

Note: Use the Add item button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone.

Figure: Resource Record Set

Figure: Resource Record Set

  • Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record step.
Step 1.4: Configure specific resource record sets group.

This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.

  • Enable Show Advanced Fields in the Resource Record Sets section.

  • Click Add Item in the appeared Additional Resource Record Sets section. This opens new resource record sets form.

  • Enter a Name in the metadata section.

  • Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.

  • Configure the records in the same way as mentioned in previous step.

  • Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.

  • Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.

Step 1.5: Optionally, enable DNSSEC and load balancer management.
  • In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.

Note: DNSSEC Mode is disabled by default.

  • Check the Allow HTTP Load Balancer Managed Records. This is only optional for a legacy delegated domain.

Note: Allow HTTP Load Balancer Managed Records is unchecked by default, which might have made sense for a delegated domain. However, Distributed Cloud Services has deprecated the Delegated Domain capability, which means that new domains will need to be setup as a Primary DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly.

Step 1.6: Complete creating the primary zone.
  • Click Apply in the primary zone configuration form.
Figure: Primary Zone Configuration

Figure: Primary Zone Configuration

  • Click Save and Exit in the main zone configuration form to complete creating the primary zone.

Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.

Step 2: Create HTTP Load Balancer with WAF

Perform the following steps for creating load balancers and WAF to enhance the application performance and security:

Step 2.1: Start creating an HTTP Load Balancer.
  • Select the Web App & API Protection service.
  • Verify that the namespace you created in step 1.4 is selected.
  • Navigate to Manage > Load Balancers > HTTP Load Balancers and then select Add HTTP Load Balancer.
  • Enter a name for your load balancer in the Metadata section.
  • Enter your domain name, corresponding to the delegated sub-domain (step 1.1), in the Domains list within the Domains and LB Type section.
  • Select HTTPS with Automatic Certificate in the Load Balancer Type field.
  • Check the HTTP Redirect to HTTPS checkbox.
  • Ensure the HTTPS Port is set to 443 and the TLS Security Level is set to High.
Figure: Load Balancer Setup

Figure: Load Balancer Setup

Step 2.2: Create origin pool.

  • In the Origins section, select Add Item to add a new entry in the list of origin pools. This will bring up the Origin Pool with Weight and Priority setup form.

  • If you already have an origin pool setup, you could select it from the Origin Pool drop-down menu; however, for this example, use the drop-down menu to select Add Item to create a new origin pool.

  • Enter a name for your origin pool in the metadata section.

  • The Origin Servers section contains the list of servers that make up this pool. Select Add Item to add a new server.

    • Select the type of origin server in the Select Type of Origin Server field and then enter the appropriate server identification. For this example, select Public IP of Origin Server and enter 13.56.168.147 in the Public IP field.
    • Select Apply to save the origin server information and return to the Origin Pool with Weight and Priority setup form.
    Figure: Origin Server Basic Configuration

    Figure: Origin Server Basic Configuration

  • In the Origin servers Port section, enter 80 for the Port field.

  • Optionally scroll down to the TLS port to setup TLS security.

  • Select Continue at the bottom of the form to save the origin pool.

Figure: Origin Server List

Figure: Origin Server List

  • Complete the origin pool by entering Weight and Priority values. These will only be used if you have multiple origin pools in your load balancer.
Figure: Origin Pool

Figure: Origin Pool

  • Select Apply to save the origin pool to your load balancer.
Figure: Load Balancer Origins

Figure: Load Balancer Origins

Step 2.3: Setup WAF.

  • Select Enable in the Web Application Firewall (WAF) field.

  • Use the Enable drop-down menu to select Add Item to configure a new firewall. This example will block all threats using default values.

    • Enter a name for your firewall configuration.
    • Select Blocking in the Enforcement Mode field.
    • Select Default for all fields in the Detection Settings section.
    Figure: Default Blocking WAF

    Figure: Default Blocking WAF

    • Select Continue at the bottom of the form to complete your WAF.
Figure: Load Balancer WAF

Figure: Load Balancer WAF

Step 2.4: Complete the load balancer setup.
  • Scroll down to the Common Security Controls section and select Do Not Apply Service Policies in the Service Policies field.
  • In the Other Settings section, select Internet in the VIP Advertisement field.
  • Verify that Round Robin is selected for the Load Balancing Algorithm field.
  • Select Save and Exit at the bottom of the form to save the load balancer configuration.

Step 3: Create CDN Distribution

Perform the following to create your CDN distribution:

Step 3.1: Create a new CDN distribution.

  • Select the Content Delivery Network service. The CDN distribution configuration page opens.

  • Go to Manage > Distributions.

  • Verify that the namespace you created in step 1.4 is selected.

Figure: CDN Distributions Page

Figure: CDN Distributions Page

  • Select Add Distribution.
Step 3.2: Configure metadata, domains, and distribution type.

  • In the Name field, enter a name for the distribution.

  • Optionally, select a label and enter a description.

  • Go to Basic Configuration and enter a domain name in the Domains field. This should match the delegated domain name you entered in step 1.

  • Select Add item to add more domains, if needed.

  • Select an option for the Select Type of CDN Distribution. The following options are supported:

    • Select HTTP to create the CDN Distribution. Select the Automatically Manage DNS Records checkbox if your domain is delegated to F5 Distributed Cloud. Otherwise, ensure in your DNS provider configuration that your domain is resolved.
    • Select HTTPS with Automatic Certificate to create the CDN Distribution with an automatic TLS certificate. Ensure that the domain is delegated to F5 Distributed Cloud. Optionally, select HTTP Redirect to HTTPS and/or Add HSTS Header checkboxes to enable those functions. You can also select TLS security level to be high or medium.
    • Select HTTPS with Custom Certificate to create the CDN Distribution with your custom TLS certificate.

  • If you are using the HTTPS with Custom Certificate option:

    • Set the TLS configuration using the Configure option under the TLS Parameters field.

    • From the TLS Security Level drop-down menu, select the desired level.

    • In the TLS Certificates section, Select Add Item.

    • For the certificate URL encoding, select PEM or base64(binary), and then enter the certificate URL.

    • To configure the private key, Select Configure.

    • Under the Secret section, enter your private key in Text type, Select Blindfold, wait for the Blindfold operation to complete, and then Select Apply.

    • Select Add Item.

    • In the TLS Parameters section, Select Apply.

    Note: You can add more than one certificate using the Add Item option.

This example configures a CDN Distribution of type HTTPS with Automatic Certificates.

Figure: Distribution of Type HTTPS with Automatic Certficate

Figure: Distribution of Type HTTPS with Automatic Certficate

Step 3.3: Configure CDN origin pool.
  • Select Configure in the CDN Origin Pool section. The CDN origin pool configuration page opens.
  • Enter the CDN origin domain name in the DNS Name field. The domain name must be the same domain name you entered for the delegated domain in step 1.1 and the HTTP load balancer in step 2.1. The requests to origin servers use this name in the host header.
  • Select a TLS choice in the Enable TLS for Origin Servers field. Ensure that this matches your origin server configuration.
  • Select Add Item in the List of Origin Servers section. In the origin servers page, enter public DNS name or public IP of your origin server. Select Apply.
  • Enter a time value in the Origin Request Timout Duration field. The default is 60s (sixty seconds).
  • Select Apply in the CDN origin pool configuration page.
Figure: Origin Pool Configuration

Figure: Origin Pool Configuration

Step 3.4: Optionally, configure advanced options to control your content delivery operation.

Advanced configuration consists of options such as header control, security, cache control, etc. Go to Advanced Configuration section and perform the following:

  • Select Show Advanced Fields toggle to display the advanced configuration options.

  • Select Add Location checkbox to append the location header in the response. Value for this header is the Regional Edge Site name that serves your request.

Step 3.4.1: Configure header control.

Select Configure in the Header Control field and do the following:

Add Request Headers

  • Select Configure in Add Origin Request Headers. Select Add Item in the next screen, and enter a name for the header to be added.

  • Select Value or Secret for the header value.

    • If it is value, enter a string value for the header and then select Apply to save the header.
    • For a secret value, select Configure in the Secret Value field, enter the secret using the Text type, select the appropriate Action and Policy Type settings and then enter your secret in the Secret to Blindfold field. Select Apply to save the header.

  • Use the Add Item button to add additional headers.

  • Select Apply to save the list of request headers.

Note: CDN sends the following headers with client IP values to upstream by default:

  • X-F5-True-Client-IP
  • X-Forwarded-For
Remove Request Headers

  • Select Configure in Remove Origin Request Headers.

  • Select Add Item and enter a name for the header to be removed.

  • Select Apply.

Note: Use the Add Item option to specify more headers to be removed.

Add Response Headers

  • Select Configure in Add Response Headers. Select Add Item in the next screen, and enter a name for the header to be added.

  • Select Value or Secret for the header value. If it is value, enter a string value for the header. In case of secret, select Configure in the Secret Value field, enter the secret using the Text type, select Blindfold, wait for the encryption to complete, and select Apply.

  • Select Apply in the Headers to Add page.

  • Select Apply in the Add Response Headers page.

Note: Use the Add Item option to add more headers.

Remove Response Headers

  • Select Configure in Remove Origin Request Headers.

  • Select Add Item and enter a name for the header to be removed.

  • Select Apply.

Note: Use the Add Item option to specify more headers to be removed.

Select Apply to apply header control settings.

Step 3.4.2: Configure security settings.

Select Configure in the Security Options field and do the following:

Client IP Filtering Options

  • Select Configure in Client IP filtering Options.

  • Select whether IP filtering type is allow list or deny list.

  • Enter IP prefix in the IP prefix list section.

  • Select Add Item to add more IP prefixes.

  • Select Apply.

Client Geo filtering Options

  • Select Configure in Client Geo filtering Options.

  • Select whether Geo filtering type is allow list or deny list.

  • Select countries from list in the Country Codes List field. You can select more than one country.

  • Select Apply.

Authentication Options

  • Select Configure in Authentication Options.

  • Select JWT Token Authentication for authentication type.

  • Enter the secret in the Text box of the Secret field. Select Blindfold and wait for the operation to complete.

  • Specify a source for the token. You can select header value or cookie name or query parameter name or set it as bearer-token.

  • Select Apply.

Select Apply to apply security settings.

Step 3.4.3: Configure logging options.

Select Configure in the Logging Options field and do the following:

Client Request Headers to Log

  • Select Configure in Client Request Headers to Log.

  • Select Add Item and add headers for logging.

  • Select Apply.

Origin Response Headers to Log

  • Select Configure in Origin Response Headers to Log.

  • Select Add Item and add headers for logging.

  • Select Apply.

Select Apply to apply logging option settings.

Step 3.4.4: Configure cache TTL.

  • Select Configure in the Cache TTL field.

  • Select an option for the Cache TTL Settings field as per the following guidelines:

    • Select Default Cache TTL if the origin server does not provide a TTL value. Set the value in the Default Cache TTL field.
    • Select Override Cache TTL if the origin server provides a TTL in the response and you want to override it. Set the value in the Override Cache TTL field.

  • Select Apply.

Step 3.5: Complete creating the distribution.

Select Save and Exit.

Step 3.6: Verify the distribution status.

It might take a few minutes for your CDN Distribution to be deployed and to be ready to cache and serve content at Regional Edges. During this time, the Status column will show Pending. Once deployment is complete, the status for your CDN distribution will show Active.

Note: To get a more detailed view of your site status, select > against your distribution object and expand its JSON view. Verify that the service domain is created. Select ... > Show Global Status against your CDN object and ensure that the Site Status section shows status as DEPLOYMENT_STATUS_DEPLOYED.

Delegated Domain with Automatic Certificates:
  • Wait for the DNS Info and TLS Info columns to display the VIRTUAL_HOST_READY and Certificate Valid values. This indicates that the virtual host and certificate is created successfully.
Figure: Distribution Created

Figure: Distribution Created

  • In the Status column, it shows Active, which indicates CDN distribution is up and running.

  • Select ‘...’ in the Actions column for your distribution, and then select Show Global Status.

Figure: Distribution Global Status

Figure: Distribution Global Status

  • Global status indicates two things: 1) whether the distribution has been pushed to the CDN back end, and 2) whether the distribution has been configured on the Edge sites.

  • CDN distribution is configured successfully, when at least one edge site is configured with

    • Global status is updated to Operational and Created.
    • Site Status is updated to DEPLOYMENT_STATUS_DEPLOYED.
    • Site name is listed.
    • There will be one global, and at minimum, one status object for each site.

  • In this delegated domain scenario, verify that the CDN domain is mapped to the F5 CNAME, and the F5 CNAME is mapped to the CDN Internal service domain, automatically.

    Figure: Distribution CNAME Mapping

    Figure: Distribution CNAME Mapping

  • The user domain and F5 CNAME can be found in the JSON for your tenent.

    Figure: Distribution CNAME JSON

    Figure: Distribution CNAME JSON

  • Verify CNAME mapping using DIG command, and A records with unicast IP addresses of edge site, to indicate at least one edge site is configured for CDN distribution.

    Figure: Distribution CNAME Mapping shown with dig

    Figure: Distribution CNAME Mapping shown with dig

  • Verify that the requests to your CDN domain are processed, and the content is returned.

Delegated Domain with No Automatic Certificates:

Verify that the requests to your CDN domain are processed, and the content is returned.

Non-Delegated Domain:

Verify that the requests to your CDN domain are processed and the content is returned.

Note: In case of content updates in your origin servers, you can force the CDN servers to fetch the updated content using the purge option. Select ... > Purge for your distribution object and the CDN service initiates purge for all the cache servers.

Step 4: CDN + WAAP Verification & Dashboard

Step 4.1: Check the load balancer and distribution with curl.
  • Access the HTTP load balancer domain using a curl command, curl -I -k lb.example.com, to make sure connection to the origin is fine. It should look something like this:
Figure: Verify Load Balancer with curl

Figure: Verify Load Balancer with curl

  • Access the CDN distribution domain to verify the end-to-end service chain is working correctly.
Figure: Verify Load Balancer with curl

Figure: Verify Load Balancer with curl

  • Because this is the first request to the CDN, the request will be redirected to the origin server causing the server to miss the cache (as shown at the bottom of the curl response: x-cache-status: MISS).
  • Generate more requests to observe cached traffic (Hits) and origin server traffic (Misses) as shown below.
Figure: Verify CDN Hits and Misses

Figure: Verify CDN Hits and Misses

Step 4.2: View attack traffic in dashboards.
  • Access the CDN domain with SQL injection or any other attack type sample.
  • In Console, select the Content Delivery Network service and navigate to Monitoring > Performance.
  • Select your distribution to see its dashboard.
Figure: View Attack Traffic Cache Miss

Figure: View Attack Traffic Cache Miss

  • Observe the CDN dashboard is updated with cache misses.
  • Switch to the Web App & API Protection service and navigate to Overview > Security Dashboard.
Figure: View Attack Traffic Details

Figure: View Attack Traffic Details

  • Observe the WAF security dashboard updated with security events.

Concepts

On this page: