Configure CDN Distribution

• Log into Console.

• Click the Content Delivery Network service. The CDN distribution configuration page opens.

• Go to Manage > CDN Distributions.

Figure: CDN Distributions Page

• Click Add CDN Distribution.

• In the Name field, enter a name for the distribution.

• Optionally, select a label and enter a description.

• Go to Basic Configuration and enter a domain name in the Domains field. Ensure that you enter a Fully Qualified Domain Name (FQDN). FQDN is the complete address of an internet host, specifying its exact location within the Domain Name System (DNS). It includes the hostname, domain name, and top-level domain (TLD). For example, www.f5.com.

• Click Add item to add more domains, if needed.

• Select an option for the Select Type of CDN Distribution. The following options are supported:

  • Select HTTP to create the HTTP Distribution. Click the Automatically Manage DNS Records checkbox if your domain is delegated to F5 Distributed Cloud. Else, ensure in your DNS provider configuration that your domain is resolved.

  • Select HTTPS with Automatic Certificate to create the HTTPS Distribution with an automatic TLS certificate. Ensure that the domain is delegated to F5 Distributed Cloud. Optionally, click HTTP Redirect to HTTPS and Add HSTS Header checkboxes to enable those functions. You can also select the TLS Security Level to be high or medium. The High option is TLS v1.2+ PFS ciphers with strong cryptographic algorithms. The Medium option is TLS v1.1+ PFS ciphers with medium strength cryptographic algorithms.

  • Select HTTPS with Custom Certificate to create the HTTPS Distribution with your custom TLS certificate. Optionally, click HTTP Redirect to HTTPS and Add HSTS Header checkboxes to enable those functions.

• If you are using the HTTPS with Custom Certificate option:

  • Use the TLS Configuration drop-down menu to choose between TLS Certificates or Inline Certificate (legacy) options, and then click Configure.

  • From the TLS Security Level drop-down menu, select high, medium, low, or custom.

  • From the Certificates drop-down menu, either select an existing certificate or select Add Item to see the TLS Certificate form. For a new certificate,

    

    Figure: TLS Certificate Form

    • Enter a name and optionally labels and a description.

    • Click Import from File to see the sliding import panel. Click Upload File and select your file using the system file browser. Then click Import.

    • From the OCSP Stapling choice drop-down menu, select an OCSP stapling choice.

Note: OCSP stapling is not supported when the shared certificate is used in a CDN distribution.

• If you have an intermediate chain, select Add Item from the Intermediate Certificate Chain drop-down menu. Then upload the intermediate chain the same way you uploaded the certificate.

• Click Continue.

• Click Apply to save your TLS parameters.

This example configures a CDN Distribution of type HTTPS with Automatic Certificates.

Figure: Distribution of Type HTTPS with Automatic Certificate

• Click Configure in the CDN Origin Pools section. The CDN origin pool configuration page opens.

• Enter the CDN origin domain name in the DNS Name field. The requests to origin servers use this name in the host header.

• Select a TLS choice in the Enable TLS for Origin Servers field. Ensure that this matches your origin server configuration.

• Click Add Item in the List of Origin Servers section. In the origin servers page, enter public DNS name or public IP of your origin server. Click Apply.

• Enter a time value in the Origin Request Timeout Duration field. The default is 60s (sixty seconds).

• Click Apply in the CDN origin pool configuration page.

Figure: Origin Pool Configuration

• In the Caching Policies section, select an option for the Cache Actions field using following guidelines:

  • Select Default Cache TTL if the origin server does not provide a TTL value. Set the value in the Default Cache TTL field.
  • Select Override Cache TTL if the origin server provides a TTL in the response, and you want to override it. Set the value in the Override Cache TTL field.
  • Select Disable Cache to disallow caching content from the origin.

• Optionally create rules in the Cache Rules section to determine the content that is or is not cached:

  • Click Add Item to create a new rule.

  • Enter name in the Rule Name field.

  • Click Add Item in the Expressions section. If you create more than one expression, the rule will execute if any of the expressions match.

    • Enter a name in the Expression Name field and click Add Item in the Terms Section

      • Configure the match condition by using the Path Match, Query Parameters, Cache Headers, and/or Cookie Matchers.
      • Click Apply to save the match condition.

    • Click Apply to save the expression name.

  • Select an option in the Cache Actions section. The option you select will determine what happens to your cache if one of your expressions matches.

    • Bypass Cache will not cache the resource/content if the rule matches.

    • Eligible for Cache will cache the resource/content based on the following fields:

      • In the Eligible for Cache field, click Scheme + Proxy Host + URI or Scheme + Proxy Host + Request URI.
      • In the Cache TTL field, enter the time the cached resource/content will be valid (Time To Live).
      • Check the Ignore-Response-Cookie checkbox if you want to cache the response even if the set-cookie header is present (Override set-cookie).
      • Check the Cache Override checkbox if you want to honor a cache override.

• Click Apply.

You can choose to disable WAF application (default setting) or you can select a WAF that was previously created, configured, and apply it in your load balancer security settings. In addition, you can also create and enable a new WAF and have your load balancer configured to exclude specific WAF rules from processing certain requests.

• Go to the Web Application Firewall section.

• From the Web Application Firewall (WAF) drop-down menu, select whether to enable the WAF for this CDN distribution. Disable is the default value.

• If you click Enable for All Requests, use the Enable for All Requests drop-down menu to select your WAF to apply to this load balancer, or select Add Item to create a new WAF.

Figure: Add App Firewall

• To add exclusion rules for the WAF, follow the instructions at Create WAF Exclusion Rules.

• Click Configure in the Data Guard Rules section and follow the instructions listed in Configure Data Guard to set data guard rules.

• Click Configure for the Cross-Site Request Forgery Protection option. Specify allowed domains in the Allowed Domains (Source Origin) field in the CSRF protection page, and click Apply. You can either configure to allow all load balancer domains or set specific domains to the allow list.

Note: You can verify the CSRF mitigation in the load balancer security monitoring page. The CSRF mitigation event is displayed as a Service Policy event. Expand the security event's JSON view. The sec_event_name field with value CSRF Policy Violation indicates that CSRF mitigation is active. For more information on load balancer monitoring, see Monitor HTTP Load Balancer.

• To configure the settings for GraphQL inspection, perform the following:

  • Under the GraphQL Inspection section, click Configure.

  • Click Add Item.

  • In the Name field, enter a name for this rule.

  • From the Domain drop-down menu, select an option that corresponds to your domain setting. Default value is Any Domain. You can choose an option match by Exact Value or Suffix Value.

  • From the Path drop-down menu, select an option for the location of your GraphQL server endpoint. Default value is /graphql.

  • From the HTTP Method drop-down menu, select an option that specifies the method used to access the GraphQL endpoint server.

  • In the GraphQL Settings section, perform the following:

    • From the Maximum Total Length menu, enter a value to specify the maximum total length in bytes for a query.

    • From the Maximum Structure Depth menu, enter a value to specify the maximum depth for a query.

    • From the Maximum Batched Queries menu, enter a value to specify the maximum number of single batch queries.

    • From the Introspection Queries menu, select whether to enable introspection of GraphQL schema.

  • Click Apply to save settings.

  • Click Apply to apply settings to load balancer configuration.

• Optionally, in the Cookie Protection field, click Configure to add attributes to an HTTP Response cookie that is sent to the client:

  • Click Add Item.

  • In the Cookie Name field, enter a name for this cookie.

Note: Wildcards and regular expressions (regex) are not supported. You must use the exact cookie name.

• From the SameSite menu, select if or how the new cookie is sent with same-site and cross-site requests. You can select from the following:

  • Ignore
  • Strict
  • Lax
  • None

• From the Secure menu, select whether this new cookie is sent only over an HTTPS encrypted connection to the server. Default option is Ignore.

• From the HttpOnly menu, select whether this new cookie is inaccessible to JavaScript Document.cookie API. Default option is Ignore. Click Add to ensure the cookie is inaccessible.

• Click Enable for the Cookie Tampering Protection field to enable cookie tampering protection. This prevents attackers from modifying the values of session cookies.

• Click Apply to save settings.

• Click Apply to apply settings to load balancer configuration.

Go to API Protection section and do the following:

• Under JWT Validation, click Configure.

• In the Target menu, Base Paths is selected. Enter one or more Prefix Values for token validation.

• Target location (Bearer Token) will look for the JWT token in the Authorization HTTP header with Bearer authentication scheme.

• Action (Block) will block the request is the JWT is not valid.

• Under JSON Web Key Set (JWKS), click Configure.

• In the text box, copy and paste the JSON Web Key Set (JWKS) used for authorization with the server. JWKS should be in JSON format.

• Click Apply to save the JWKS.

• Click Apply to complete JWT validation rules.

• From the L7 DDoS Auto Mitigation menu, select an option:

  • Default: This option blocks traffic from suspicious sources. No JavaScript challenge is returned.

  • Block: This option blocks traffic from suspicious sources. No JavaScript challenge is returned.

  • JavaScript Challenge: This option serves a JavaScript challenge to all traffic from suspicious sources. Click View Configuration to change the default settings and message for the JavaScript challenge.

• Under DDoS Mitigation Rules, select Configure to open the rules list page. Use Add Item to add a rule:

  • In the DDoS Mitigation Rule page, set a name for the rule.

  • Select a choice for the Mitigation Choice menu. The mitigation choice can be either a list of IP addresses or combination of ASN, Region, and TLS Fingerprinting.

  • Click Apply to add the rule to the list of rules.

  • Click Apply to add the rules list to the DDoS protection configuration.

• From the Slow DDoS Mitigation menu, select an option:

  • For the Custom option, enter Request Headers Timeout and Total Request Timeout values.

Note: See the Explore Security Monitoring section in the Monitor HTTP Load balancer guide to learn more about observing and reacting to an active DDoS attack.

The Common Security Controls section allows you to configure a number of common security measures to protect your CDN distribution.

Step 8.1: Service Policies.

Figure: Service Policy Configuration

• From the Service Policies menu, select an option to apply the service policy. The following options are available:

  • Apply Namespace Service Policies: This option applies the service policy to an entire namespace.

  • Do Not Apply Service Policies: This option does not apply any service policy.

  • Apply Specified Service Policies: This option applies a service policy to a specified load balancer, not the entire namespace.

• To apply a specific service policy, select Apply Specified Service Policies, and perform the following:

  • Click Configure.
  

  Figure: Apply Specific Service Policy

  • From the Policies menu, select a service policy, and then click Apply.
  

  Figure: Select Specific Service Policy

The Cross-Origin Resource Sharing (CORS) policy is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

• In the CORS Policy field, click Configure.

• To enable a specific origin server, click Add item under the Allow Origin field.

• To enable origin servers by regex, click Add item under the Allow Origin Regex field.

• In the Allow Methods field, enter information to be used for the access-control-allow-methods header.

• In the Allow Headers field, enter information to be used for the access-control-allow-headers header.

• In the Expose Headers field, enter information to be used for the access-control-expose-headers header.

Figure: CORS Policy

• In the Maximum Age field, enter information in seconds to cache the headers.

• After you finish, click Apply.

• Click the Add Location checkbox to append the location header in the response. Value for this header is the Regional Edge Site name that serves your request.

Click Save and Exit.

It might take a few minutes for your CDN Distribution to be deployed and to be ready to cache and serve content at Regional Edges. Check your distribution in the CDN Distributions table and verify its status is listed as Active. Click > against your distribution object and expand its JSON view. Verify that the service domain is created.

Delegated Domain with Automatic Certificates:

• Wait for the DNS Info and Certificate status to display the VIRTUAL_HOST_READY and Certificate Valid values.

Figure: Distribution Created

• Verify that the requests to your CDN domain are processed, and the content is returned.

Note: In case of content updates in your origin servers, you can force the CDN servers to fetch the updated content using the purge option. Click ... > Purge for your distribution object and the CDN service initiates purge for all the cache servers. Purging manually does not immediately delete content, but marks content as expired. When expired content is requested, the CDN service performs a HEAD request to the origin. If the CDN finds that the content time stamp is not changed, the existing expired entry is marked as active. This prevents a re-fetch from the origin and saves time and bandwidth in re-downloading the content.

• In the Content Delivery Network service, click Manage > CDN Distributions. The CDN distribution configuration page opens.

• Click ... for the distribution for which you want to purge content, and then click Purge.

Figure: Purge Content From Distribution

• Select what to purge from the Purge Options drop-down list.

  • All: Your entire cache will be purged.
  • URL: Purge that portion of your cache identified by the entered URL.
  • Hostname: Purge all content for the entered hostname.
  • Pattern: Purge all content that matches the entered pattern. The string should be entered in Regex form. For example, "images/.*.(png|jpg)" will match PNG and JPEG files in the images directory.

• Select an option from the Purge Type drop-down menu to specify how the purge is to operate.

  • Soft Purge invalidates the cache entries, which means the content will be replaced on the next request if the content is stale.
  • Hard Purge removes the content from the distribution and forcing the next request to retrieve the content from the origin server.

• Click Save and Exit to deploy the purge.

Note: You can also deploy a purge from the Cache Purges tab of the Performance Monitoring page. See Cache Purges Tab below.

Figure: Distribution Monitoring View

The Dashboard view offers the following:

• Time series view for statistics such as Requests, Data Transfer, and Bandwidth. This is shown in a graph where hits and misses are displayed. Hover over the graph to see specific quantity information for that time point.

• Donut chart for cache hit versus miss ratio.

• HTTP Status codes show the number of response codes in each of the categories. Hover over the horizontal bar to see the values expressed as percentages.

• Latency shows the time taken between requests and responses for both hits and misses.

• HTTP version metrics.

• TLS version metrics.

• Client requests by country. Hover over a country to see the number of requests originating from that country.

• Top 5 countries providing requests, shown as a bar chart. Hover over a bar to get the specific value for that country.

Figure: Distribution Requests Monitoring View

The Requests tab provides greater insight into requests. There is a bar chart as well as a list of the incoming requests. Use the time period drop-down menu and refresh button to set the time constraint and update the data shown.

Interact with the bar chart as follows:

• The bar chart at the top shows the number of requests and response codes in each time period.

• Use the Add Filter to see only certain request based on your filter selection.

• Use the colored check-boxes below Add Filter to quickly filter out specific response types.

• Hover over a bar to get specific bar values (request counts) for that time period.

• Click and drag within the bar chart to zoom into a range of time. Use the time period drop-down menu to zoom back out.

The list view below the chart shows specific information for individual requests. The time period and filters also affect the requests shown in the list view.

Interact with the list view as follows:

• Use the Search field to only show list entries that match your search criteria. The search will work for all items in the list, not just the items on the current page; however, the search will not find information in columns that are not displayed (see the gear icon description below).

• Click the gear icon ( ⚙ ) to select which columns are shown in the list view. Time and Client IP will always be shown.

• Click the arrow ( > ) at the beginning of the row to see the specific request in JSON or YAML format.

Figure: Distribution Monitoring Requests

You can also click the blue Forensics side tab to view the Forensics side panel. This is an easier way to filter your request to zero in on specific issues. For instance, you can filter by site and by top request page simply by selecting check boxes in the Forensics panel. This will create a search query for the filter at the top of the window.

Figure: Distribution Monitoring Requests Using Forensics

Click the Alerts tab to load the alerts view. The active alerts are displayed by default.

You can filter the display for alerts of a specific severity using the severity selection options. All severity types are selected by default. Select a severity selection option to hide the alerts for that severity. You can again select it to display alerts for that severity.

Note: Severity selection options are color-coded and located above the Add filter option.

Use the toggle selector and click All Alerts. The All Alerts view shows graph for alerts over a specific period. The list of alerts is displayed beneath the graph.

Hover mouse pointer over a graph bar to view the alerts information specific to the time interval in which the bar is generated. Selecting the bar updates the graph and the list beneath the graph for the interval in which the bar is generated.

Figure: CDN Alerts

Click > for any alert entry to display its details in JSON format.

Figure: Distribution Cache Purges

The Cache Purges tab show past purges for your distribution in a table. Each row in the table provides a unique ID for the purge, the version and information on the date/time of the purge. To see details of the purge, click ... > Show Status in the Actions column for the purge you want to view.

Figure: Distribution Cache Purge Status

This displays a table showing the sites that were purged and some overview information about each site's purge. For details on the site purge, click the ID in the Service OP ID column for the site.

Figure: Distribution Cache Purge Site Details

Click Back to view more site purges or click Cancel and Exit to return to the Cache Purges page.

You can also deploy a cache purge from here by following these steps:

• Click Add Cache Purge.

  

  Figure: Distribution Cache Purge Request

• Select what to purge from the Purge Options drop-down list.

  • All: Your entire cache will be purged.
  • URL: Purge that portion of your cache identified by the entered URL.
  • Hostname: Purge all content for the entered hostname.
  • Pattern: Purge all content that matches the entered pattern. The string should be entered in Regex form. For example, "images/.*.(png|jpg)" will match PNG and JPEG files in the images directory.

• Select an option from the Purge Type drop-down menu to specify how the purge is to operate.

  • Soft Purge invalidates the cache entries, which means the content will be replaced on the next request if the content is stale.
  • Hard Purge removes the content from the distribution and forcing the next request to retrieve the content from the origin server.

• Click Save and Exit to deploy the purge.

This will create a new entry in the Cache Purges table providing information on your purge.

Note: You can also deploy a purge from the Distributions page. See Purge Content in Cache above.