HTTP Load Balancer

Objective

This guide provides instructions on how to create an HTTP load balancer in F5® Distributed Cloud Console (Console) using guided configuration. This includes configuring the required objects for the virtual host. To learn more about virtual hosts, see Virtual Host.

Using guided creation for HTTP load balancer, you can create the following types of load balancers:

  • HTTP load balancer
  • HTTPS load balancer with your own TLS certificate
  • HTTPS load balancer with automatic TLS certificate (minted by F5® Distributed Cloud Services)

Using the instructions provided in this guide, you can perform the following:

  • Create and advertise an HTTP load balancer
  • Create and advertise an HTTPS load balancer with your TLS certificate or with the certificate minted by Distributed Cloud Services

Note: Distributed Cloud Services support automatic certificate generation and management. You can either delegate your domain to Distributed Cloud Services or add the CNAME record to your DNS records in case you do not delegate the domain to Distributed Cloud Services. See Automatic Certificate Generation for certificates managed by Distributed Cloud Services. See Delegate Domain for more information on how to delegate your domain to Distributed Cloud Services.


Prerequisites

The following prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • A valid DNS domain delegated to Distributed Cloud Services in case you want Distributed Cloud Services to act as domain name server (DNS). For instructions on how to delegate your domain to Distributed Cloud Services, see Delegate Domain.

  • A Distributed Cloud Services Customer Edge (CE) site, in case you deploy your applications on a CE site. If you do not have a site, create one using the instructions provided in the Site Management guides. See the vK8s Deployment guide for deploying your applications on the Distributed Cloud Services network cloud or edge cloud.


Configuration

The configuration option to create the HTTP load balancer guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.

Step 1: Log into Console and create new load balancer.
  • Log into Console.

  • Click Multi-Cloud App Connect.

Figure: Console Homepage
  • Select Manage > Load Balancers > HTTP Load Balancers.
Figure: Load Balancers
  • Confirm the correct namespace is selected.

  • Click Add HTTP Load Balancer.

Step 2: Configure metadata, domains, and load balancer type.
  • In the Name field, enter a name for the new load balancer.

  • Optionally, select a label and enter a description.

Figure: Load Balancer Form
  • In the Domains field, enter a domain name. You can use wildcards to catch prefixes and suffixes.

  • Click Add item to add more domains, if needed.

  • From the Load Balancer Type drop-down menu, select an option. The following options are supported:

    • Select HTTP to create the HTTP load balancer.

    • Select HTTPS with Automatic Certificate to create the HTTPS load balancer with an automatic TLS certificate.

    • Select HTTPS with Custom Certificate to create the HTTPS load balancer with your custom TLS certificate.

Note: Do not add both wildcard and top level domains (for example, *.example.com and example.com) if you are using an automatic certificate for different load balancers.

  • If you select HTTP, then select whether to have Distributed Cloud Services manage your DNS records with Automatically Manage DNS Records. This option requires you to have delegated your domain to Distributed Cloud Services.

  • If you select HTTPS with Automatic Certificate or HTTPS with Custom Certificate, then optionally, select HTTP Redirect to HTTPS and Add HSTS Header checkboxes.

  • For all load balancer types, use the HTTP Listen Port Choice to select between a single port and a list of ports, and then enter the port number(s). For a list, enter comma-separated ports and non-overlapping port ranges, with a maximum of 64 ports in the list, for example 443,100-120,8080,9080-9089.

  • If you are using HTTPS with Automatic Certificate, use the TLS Security Level drop-down menu to select the TLS level you want to use.

  • If you are using the HTTPS with Custom Certificate option:

    • Use the TLS Configuration drop-down menu to choose between single or multiple certificate options, and then click Configure.

    • From the TLS Security Level drop-down menu, select the desired level.

    • In the TLS Certificates section, click Add Item.

    • For the certificate URL encoding, select PEM or base64(binary), and then enter the certificate URL.

    • To configure the private key, click Configure.

    • Under the Secret section, configure the settings for the private key, and then click Apply.

    • From the OCSP Stapling choice drop-down menu, select the OCSP stapling choice.

    • Click Apply.

    • In the TLS Parameters page, click Apply.

    Note: You can add more than one certificate using the Add Item option. However, only one certificate per key type (for example, one RSA and one ECDSA certificate) is supported.

  • If you are using the HTTPS with Automatic Certificate option, note the following:

Note: If you delegate your domain for a deployed AWS customer edge (CE) site and advertise that site using a public virtual IP address (Internet VIP), an automatic certificate is generated. This is not available on other types of deployed sites.

  • Enable the Show Advanced Fields option.

  • From the Mutual TLS drop-down menu, select Enable to require clients to present a certificate (mutual TLS), or Disable. If you select Enable:

    • Paste the CA certificate that issued your client certificates into the box, using the PEM or Base64 option. Only client certificates that chain to this CA are accepted.

    • From the Verify client certificate with CRL menu, select CRL to have the client certificate checked against a certificate revocation list, and then select the CRL.

    • From the Add X-Forwarded-Client-Cert Header menu, enable adding an X-Forwarded-Client-Cert (XFCC) proxy header that sends client certificate details to the origin. You can send the entire certificate, a single field, or multiple fields from the following: By, Hash, Cert, Chain, Subject, URI, and DNS. XFCC is a plain request header, so the origin should act on it only for requests it can attribute to the load balancer and must not accept it from any other source.

  • From the Server Response Header drop-down menu, select an option for the server response header. The following options are supported:

    • Default: Sets the response header name to server and its value to volt-adc.

    • Modify header value: Sets the server header to the custom value you enter, overwriting any value already present.

    • Append header value: Adds the custom value as the server header only if no server header is present. An existing server header value is not overwritten. Enter a header value in the Append header value field.

    • Do not modify: Passes the existing server header as is. If no server header is present, none is added.

  • From the Path Normalization menu, select an option.
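The XFCC header enabled in the mutual TLS step above is only useful if the origin parses it correctly and trusts it only when it came from the load balancer. The following is an added example for this guide, not F5 Distributed Cloud or Envoy code: it parses the header (assumed to follow the Envoy XFCC grammar of semicolon-separated key=value pairs per hop, hops separated by commas, values optionally double-quoted with backslash escapes, Cert holding a URL-encoded PEM certificate and Hash the hex SHA-256 of the leaf certificate's DER form), cross-checks Hash against Cert, and refuses to use the header on connections that did not come from the load balancer. The sample "certificate" and header are constructed.

```python
"""Parse and sanity-check X-Forwarded-Client-Cert (XFCC) at the origin.

Added example; assumes the Envoy XFCC grammar (see the lead-in). The
sample DER bytes and header below are constructed, not a real certificate."""
import base64
import hashlib
import re
from urllib.parse import quote, unquote


def _split_unquoted(text, sep):
    """Split on `sep` only outside double quotes, honouring backslash escapes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def _unquote_value(raw):
    """Strip surrounding double quotes and resolve backslash escapes."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_xfcc(header):
    """Return one dict per proxy hop; DNS is always a list (a cert may carry several SANs)."""
    hops = []
    for element in _split_unquoted(header, ","):
        fields = {"DNS": []}
        for pair in _split_unquoted(element, ";"):
            key, eq, raw = pair.partition("=")
            if not eq:
                continue  # malformed pair, ignore it
            key, value = key.strip(), _unquote_value(raw)
            if key == "DNS":
                fields["DNS"].append(value)
            else:
                fields[key] = value
        hops.append(fields)
    return hops


def leaf_cert_hash_matches(hop):
    """Check that Hash is the SHA-256 of the DER certificate carried in Cert."""
    if "Cert" not in hop or "Hash" not in hop:
        return False
    pem = unquote(hop["Cert"])
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    return hashlib.sha256(der).hexdigest() == hop["Hash"].lower()


def client_identity(headers, peer_is_load_balancer):
    """Return the verified client Subject, or None when XFCC cannot be trusted.

    Anything that can reach the origin directly can forge this header, so it
    is honoured only on connections attributable to the load balancer."""
    if not peer_is_load_balancer:
        return None
    hops = parse_xfcc(headers.get("x-forwarded-client-cert", ""))
    if len(hops) != 1:  # one proxy in front of the origin => exactly one element
        return None
    hop = hops[0]
    if not leaf_cert_hash_matches(hop):
        return None
    return hop.get("Subject")


# Constructed sample: a stand-in for a DER certificate and the header a
# load balancer would build from it (the Subject contains quoted commas).
_DER = b"constructed stand-in for a DER-encoded client certificate"
_PEM = ("-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(_DER).decode()
        + "\n-----END CERTIFICATE-----\n")
SAMPLE_XFCC = (
    "By=spiffe://origin.example/app;"
    f"Hash={hashlib.sha256(_DER).hexdigest()};"
    f'Cert="{quote(_PEM, safe="")}";'
    'Subject="CN=client-42,O=Example Inc.,C=US";'
    "URI=spiffe://client.example/svc;DNS=client.example;DNS=alt.example"
)

if __name__ == "__main__":
    print(client_identity({"x-forwarded-client-cert": SAMPLE_XFCC}, True))
```

Whether a connection "came from the load balancer" is an origin-side decision (a private origin network, an allow-listed source range, or mTLS between the load balancer and the origin); the hypothetical `peer_is_load_balancer` flag stands in for that check.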

Step 3: Configure origin pools.
  • In the Origins section, click Add Item to create an origin pool.

  • From the Select Origin Pool Method menu, select an option for a simple origin pool or a custom cluster:

    • Origin Pool: From the Origin Pool drop-down menu, select an origin pool. To create a new origin pool, click Add Item. Follow the instructions at Origin Pools.

    • Custom Cluster: From the Custom Cluster menu, select the cluster to use.

  • In the Weight field, set the numeric value.

  • In the Priority field, set the numeric value.

  • Click Apply.

Figure: Origin Pool Configuration
Step 3.1: Optionally, configure origin server subset rules.

Origin server subset rules match incoming client traffic to the HTTP load balancer by country, ASN, regional edge (RE), source IP address, or client label selector, and steer the matching traffic to a labeled subset of the destination origin servers.

As prerequisites:

  • Create a label (key-value pair).

  • In the origin pool configuration, add the label to one or more origin servers.

  • In the Other Settings subsection of the origin pool, select Enable Subset Load Balancing, add one or more keys to the origin server subset classes, and choose a subset fallback policy. The default fallback policy selects any origin server.

  • Enable the Show Advanced Fields option.

  • Under Origin Server Subset Rules, click Configure.

Figure: Origin Server Subset
  • Click Add Item.

  • In the Name field, enter a name for the rule.

Figure: Origin Server Subset Rule Configuration
  • From the Action field, click Add Label and select the same label(s) that you assigned to origin servers in the origin pool configuration.

  • Optionally, select a country from the Country Codes List menu.

  • From the Client Selector Match menu, select an option to match on label selectors.

  • From the Source IPv4 Match menu, select an option to match on client IP address.

  • From the Source ASN Match menu, select an option to match on client ASN.

  • In the Regions Edges section, click Add Item to select an RE to match traffic to.

  • After you finish, click Apply.

Step 4: Optionally, configure routes.
  • In the Routes section, click Configure.

  • Click Add Item.

Figure: Optional Routes Configuration
  • From the Select Type of Route menu, select an option.

  • Simple Route: matches a path and/or HTTP methods to forward the matching traffic to origin pools configured:

    • Select a method for HTTP Method.

    • Select the type of path match for the Path Match field.

    • Add a path prefix in the Prefix field. You can also configure specific origin pools and/or headers for this using the Add Item options in the Origin Pools and Headers sections.

    • From the Select Host Rewrite Method menu, select an option to specify how the host header can be modified during forwarding.

    • In the Advanced Options field, click Configure to configure advanced settings for each route.

  • Redirect Route: matches a path and/or HTTP methods to redirect the matching traffic to another URL:

    • Select method for HTTP Method and a path for the Path Match field.

    • Add a path prefix in the Prefix field.

    • Configure the Redirect Parameters for Protocol, Host, Redirect Path for redirect URL, and Response Code.

    • Select an option from the Query Parameters drop-down menu.

  • Direct Response Route: matches a path and/or HTTP methods to send the response directly to the matching traffic:

    • Select method for HTTP Method and a path for the Path Match field.

    • Add a path prefix in the Prefix field.

    • Click the Configure option in the Direct Response field. Enter a response code, enter response body, and then click Apply.

  • Custom Route Object: uses an existing custom route object. Select the route object to use.

  • To configure additional options per route:

    • Under Advanced Options, click Configure.

    • From the Hash Policy Choice menu, select an option to configure.

    • Optionally, configure Origin Servers Subsets option.

    • Under CSRF Policy, click Configure. From the Allowed Domains (Source Origin) menu, select an option. For Specified domains, enter the specific domain name. Click Apply.

  • Click Apply to add the route.

Note: You can click Add Item to add more routes per your requirements.

Step 5: Optionally, set security configuration.
Step 5.1: Configure WAF and corresponding security features.

By default, no WAF is applied. You can select a WAF that was previously created and configured and apply it in the load balancer security settings, or create a new WAF here. You can also configure the load balancer to exclude specific WAF rules from processing certain requests.

  • Go to the Web Application Firewall section.

  • From the Web Application Firewall (WAF) drop-down menu, select whether to enable the WAF for this HTTP load balancer. Disable is the default value.

  • If you select Enable, use the Enable drop-down menu to select your WAF to apply to this load balancer.

Figure: Add App Firewall

Note: You can also add App Firewall per route. In the route configuration, for Simple Route, go to advanced options configuration, go to security section, and select App Firewall for the Web Application Firewall (WAF) field. Select an App Firewall object. By default, the route inherits the App Firewall configured for the load balancer.

  • To add exclusion rules for the WAF, follow the instructions at Create WAF Exclusion Rules.

  • Select Configure in the Data Guard Rules section and follow the instructions listed in Configure Data Guard to set data guard rules.

  • Select Configure for the Cross-Site Request Forgery Protection option. Specify allowed domains in the Allowed Domains (Source Origin) field in the CSRF protection page, and select Apply. You can either configure to allow all load balancer domains or set specific domains to the allow list.

Note: You can verify the CSRF mitigation in the load balancer security monitoring page. The CSRF mitigation event is displayed as a Service Policy event. Expand the security event's JSON view. The sec_event_name field with value CSRF Policy Violation indicates that CSRF mitigation is active. For more information on load balancer monitoring, see Monitor HTTP Load Balancer.

  • To configure the settings for GraphQL inspection, perform the following:

    • Under the GraphQL Inspection section, click Configure.

    • Click Add Item.

    • In the Name field, enter a name for this rule.

    • From the Domain drop-down menu, select how to match the request domain. The default value is Any Domain; you can also match by Exact Value or Suffix Value.

    • From the Path drop-down menu, select an option for the location of your GraphQL server endpoint. Default value is /graphql.

    • From the HTTP Method drop-down menu, select an option that specifies the method used to access the GraphQL endpoint server.

    • In the GraphQL Settings section, perform the following:

      • From the Maximum Total Length menu, enter a value to specify the maximum total length in bytes for a query.

      • From the Maximum Structure Depth menu, enter a value to specify the maximum depth for a query.

      • From the Maximum Batched Queries menu, enter a value to specify the maximum number of single batch queries.

      • From the Introspection Queries menu, select whether to enable introspection of GraphQL schema.

    • Click Apply to save settings.

    • Click Apply to apply settings to load balancer configuration.

  • Optionally, in the Cookie Protection field, click Configure to add attributes to an HTTP Response cookie that is sent to the client:

    • Click Add Item.

    • In the Cookie Name field, enter a name for this cookie.

Note: Wildcards and regular expressions (regex) are not supported. You must use the exact cookie name.

  • From the SameSite menu, select if or how the new cookie is sent with same-site and cross-site requests. You can select from the following:

    • Ignore
    • Strict
    • Lax
    • None

  • From the Secure menu, select whether this new cookie is sent only over an HTTPS encrypted connection to the server. Default option is Ignore. If you set SameSite to None, also set Secure: browsers reject a SameSite=None cookie that is not marked Secure.

  • From the HttpOnly menu, select whether this new cookie is inaccessible to the JavaScript Document.cookie API. Default option is Ignore. Select Add to ensure the cookie is inaccessible.

  • Select Enable for the Cookie Tampering Protection field to enable cookie tampering protection. This prevents attackers from modifying the values of session cookies.

  • Click Apply to save settings.

  • Click Apply to apply settings to load balancer configuration.
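To make the GraphQL inspection limits above concrete, the following is an added example for this guide, not F5 Distributed Cloud code: it applies maximum total length, maximum structure depth, maximum batched queries and the introspection switch to a request body and reports which limits were violated. This page does not state how the product measures depth; here depth is the deepest nesting of selection-set braces with the operation's own braces counted as level 1 (an assumption), strings and `#` comments are skipped so braces inside them do not count, and introspection is detected by the `__schema` and `__type` fields. The default settings and the sample bodies are constructed.

```python
"""Apply GraphQL inspection limits to a request body (added example)."""
import json
import re

# Constructed defaults; use the values you set in the GraphQL Settings section.
DEFAULT_SETTINGS = {
    "max_total_length": 5000,     # bytes of the request body
    "max_depth": 10,              # nested selection sets
    "max_batched_queries": 10,    # operations in one JSON array
    "allow_introspection": False,
}

_INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def query_depth(query):
    """Deepest nesting of `{ ... }` selection sets, ignoring strings and # comments."""
    depth = deepest = 0
    in_string = in_comment = escaped = False
    for ch in query:
        if in_comment:
            in_comment = ch != "\n"
        elif in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":
            in_comment = True
        elif ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def inspect_graphql_body(body, settings=DEFAULT_SETTINGS):
    """Return the sorted list of violated limits; an empty list means the request passes."""
    if isinstance(body, str):
        body = body.encode()
    violations = []
    if len(body) > settings["max_total_length"]:
        violations.append("max_total_length")
    try:
        payload = json.loads(body)
    except ValueError:
        return violations + ["invalid_json"]
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > settings["max_batched_queries"]:
        violations.append("max_batched_queries")
    for op in operations:
        query = op.get("query", "") if isinstance(op, dict) else ""
        if query_depth(query) > settings["max_depth"]:
            violations.append("max_depth")
        if not settings["allow_introspection"] and _INTROSPECTION.search(query):
            violations.append("introspection")
    return sorted(set(violations))


# Constructed request bodies.
BENIGN = json.dumps({"query": "query Me { viewer { name posts(first: 5) { title } } }"})
DEEP = json.dumps({"query": "{ a { b { c { d { e { f { g { h { i { j { k } } } } } } } } } } }"})
INTROSPECTION = json.dumps({"query": "{ __schema { types { name } } }"})
BATCH = json.dumps([{"query": "{ viewer { name } }"}] * 11)

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("deep", DEEP),
                       ("introspection", INTROSPECTION), ("batch", BATCH)]:
        print(name, inspect_graphql_body(body))
```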

Step 5.2: Configure bot defense.

Note: You need to have bot defense enabled in your tenant as a service prior to configuring it for your load balancer.

  • Go to Bot Defense section. From the Bot Defense menu, select an option to configure bot defense. The following options are available:

    • Disable: No bot defense configuration is applied to the load balancer.

    • Enable: Specifies a bot defense configuration for you to apply to the load balancer. Follow the instructions listed in the Configure Bot Defense guide to set Bot defense protection for your load balancer.

Step 5.3: Configure API protection.

Go to API Protection section and do the following:

  • From the API Definition menu, select whether to use an API definition. The default value is Disable, meaning an API definition is not used for this load balancer.

  • If you select Enable:

    • From the API Definition menu, select the API definition.

    • To create a new definition, click Add item.

Figure: Enable API Definition
  • From the Validation menu, select an option to perform OpenAPI specification validation. Following are the options:

    • Disabled: Default option. No validation is performed.

    • All Endpoints: Validate all endpoints listed in the OpenAPI specification file. Any other endpoints not listed will act according to Fall Through Mode.

    • Custom List: Define API groups, base path, or API endpoints and their validation modes. Any other endpoints not listed will act according to Fall Through Mode.

Figure: API Validation Options

Note: OpenAPI Validation is a feature that ensures API traffic complies with the specified schema and can block or report non-compliant traffic. Validation can be configured on a per-endpoint, per-group, or per-base-path basis. The Fall Through Mode allows for identifying and handling Shadow APIs by either blocking, reporting, or allowing them. Allowed IPs list can be created to pass OpenAPI Validation by specific IP addresses.

  • From the OpenAPI Validation Processing Mode menu, select whether to Validate or Skip.

  • From the Validation Enforcement Type menu, select an option to specify the type of enforcement.

  • From the Request Validation Properties menu, select one or multiple options from the following:

    • Query Parameters: The incoming requests are validated against the query parameters specified in the API definition.

    • Path Parameters: The incoming requests are validated against the path parameters specified in the API definition.

    • Content-type: The incoming requests are validated against the content-types specified in the API definition.

    • Cookie Parameters: The incoming requests are validated against the cookie parameters specified in the API definition.

    • HTTP Headers: The incoming requests are validated against the HTTP headers specified in the API definition.

    • HTTP Body: The incoming requests are validated against the HTTP body specified in the API definition.

Figure: Request Validation Properties
  • From the Fall Through Mode menu, select an action for every request that targets endpoints which are not in validation list.

  • Select Configure in the API Protection Rules field. See the Configure API Protection Rules guide for more instructions.

  • Under JWT Validation, click Configure.

  • From the Target menu, select whether to perform validation on all endpoints, specific API groups, or a specific path.

  • Target Location: the Bearer option looks for the JWT in the Authorization HTTP header using the Bearer authentication scheme.

  • From the Action menu, select whether to Block or Report when the JWT is not valid. Report is the monitoring mode: the request is allowed through and a security event is logged. Block rejects the request: it returns 403 if the token's audience is not allowed and 401 for any other validation failure.

  • Under JSON Web Key Set (JWKS), click Configure.

  • In the text box, paste the JSON Web Key Set (JWKS) that holds the keys used to verify the token signature. The JWKS must be in JSON format.

  • Click Apply.

  • In the Reserved Claims Validation section, perform the following:

    • From the Issuer (iss) menu, select whether to match exactly the issuer’s reserved claim, or to disable this functionality. If you choose to match exactly, provide the exact match value in the corresponding field.

    • From the Audience (aud) menu, select whether to match exactly the JWT pre-configured value, or to disable this functionality. If you choose to match exactly, provide the exact match value in the corresponding field. You can add more than one value to match for using Add Item.

    • From the Validation Period menu, select Enable (default value) or Disable. Enable selection will validate the JWT expiration and not before (nbf) values (if present in the request token). Disable selection will not perform validation against these fields. After you finish with configuration, click Apply.

  • In the Mandatory Claims section, perform the following:

    • Click Add Item. Enter the name of the claim. It must match the claim already present in the payload, in the JWT. After you finish with configuration, click Apply. If you need to delete a claim, click ... and then click Delete.

  • From the API Discovery menu, select Enable to enable API discovery.

  • In the Purge Duration for Inactive Discovered APIs field, enter the number of days of inactivity after which a discovered API is purged.

  • To manage rules for sensitive data detection, click Configure and perform the following:

    • To disable specific data types from detection, click Add Item under the Disabled Built-In Sensitive Data Types section. Then select the data type from the menu list. You can select more than one option.

    • To define custom rules for data types to detect, click Add Item under the Defined Custom Sensitive Data Types section:

    • Enter a name for this new custom rule.

    • From the Type menu, select or enter the type of sensitive data.

    • From the Rule's Target menu, select if this rule applies to all detected endpoints or a specific endpoint. If specific only, select the API Endpoint and Methods.

    • From the Section menu, select where to apply the rule during the search process. You can choose the default value to search all requests and responses header sections, only request, only responses, or a custom search. For custom, select your options to search from the header sections. You can choose more than one option from the Custom Sections menu.

    • From the Pattern Choice menu, select how to search for the sensitive data. You can search by Key Pattern, Value Pattern, or Key-Value Pattern. For each of these options, you can search by exact value or using regular expressions (regex) using the menu options provided.

    • Click Apply to complete rule creation.

    • Click Apply to add the new rule to the configuration.

Note: For more information, see Import Swagger to Define and Control API Groups.
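The JWT validation settings in Step 5.3 (Bearer token location, JWKS, reserved claims iss/aud/exp/nbf, mandatory claims, and the Block/Report actions with the 401/403 codes the guide lists) can be modelled end to end. The following is an added example for this guide, not F5 Distributed Cloud code, and the order in which the product runs these checks is an assumption. To stay dependency-free it verifies HS256 tokens against a symmetric (`"kty": "oct"`) JWKS key; production tokens are normally RS256 or ES256, where the JWKS carries the identity provider's public keys and a JOSE library does the signature check. The key, the policy and the tokens are constructed; `mint_hs256` only exists to produce test tokens and is the identity provider's job, not the load balancer's.

```python
"""JWT validation as configured in Step 5.3 (added example, HS256/oct only)."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class JwtRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason


def validate_jwt(authorization, jwks, issuer=None, audiences=None,
                 validate_period=True, mandatory_claims=(), now=None):
    """Return the verified claims or raise JwtRejected(401|403, reason)."""
    scheme, _, token = authorization.partition(" ")   # Target Location: Bearer
    if scheme != "Bearer" or not token:
        raise JwtRejected(401, "no bearer token")
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise JwtRejected(401, "malformed token")
    # Pin the algorithm: never let the token's "alg" pick the verifier ("none", RS/HS confusion).
    if header.get("alg") != "HS256":
        raise JwtRejected(401, "unsupported alg")
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise JwtRejected(401, "unknown kid")
    expected = hmac.new(_b64url_decode(key["k"]),
                        f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtRejected(401, "bad signature")
    if issuer is not None and claims.get("iss") != issuer:          # Issuer (iss): exact match
        raise JwtRejected(401, "issuer mismatch")
    if audiences is not None:                                        # Audience (aud): any listed value
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(audiences):
            raise JwtRejected(403, "audience not allowed")           # 403 per the guide
    if validate_period:                                              # Validation Period: exp and nbf
        now = time.time() if now is None else now
        if "exp" in claims and now >= claims["exp"]:
            raise JwtRejected(401, "expired")
        if "nbf" in claims and now < claims["nbf"]:
            raise JwtRejected(401, "not yet valid")
    missing = [c for c in mandatory_claims if c not in claims]       # Mandatory Claims
    if missing:
        raise JwtRejected(401, f"missing claims: {missing}")
    return claims


def jwt_decision(authorization, action="block", **policy):
    """Apply the Action setting: Report logs the event but lets the request through."""
    try:
        claims = validate_jwt(authorization, **policy)
        return {"allow": True, "status": None, "event": None, "claims": claims}
    except JwtRejected as err:
        event = f"JWT validation failed: {err.reason}"
        if action == "report":
            return {"allow": True, "status": None, "event": event, "claims": None}
        return {"allow": False, "status": err.status, "event": event, "claims": None}


def mint_hs256(jwk, claims):
    """Build a signed token for testing (what the identity provider does)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(_b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


# Constructed demo key set and policy; a real JWKS holds the IdP's public keys.
SAMPLE_JWK = {"kty": "oct", "kid": "demo-1", "k": _b64url_encode(b"constructed-demo-secret")}
SAMPLE_JWKS = {"keys": [SAMPLE_JWK]}
NOW = 1_700_000_000
POLICY = dict(jwks=SAMPLE_JWKS, issuer="https://idp.example", audiences=["api.example"],
              mandatory_claims=("sub",), now=NOW)
```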

Step 5.4: Configure DDoS protection.
  • From the L7 DDoS Auto Mitigation menu, select an option:

    • Default: Same behavior as Block: traffic from suspicious sources is blocked and no JavaScript challenge is served.

    • Block: Blocks traffic from suspicious sources. No JavaScript challenge is returned.

    • JavaScript Challenge: Serves a JavaScript challenge to all traffic from suspicious sources. Click View Configuration to change the default settings and message for the JavaScript challenge.

  • Under DDoS Mitigation Rules, select Configure to open the rules list page. Use Add Item to add a rule:

    • In the DDoS Mitigation Rule page, set a name for the rule.

    • Select a choice for the Mitigation Choice menu. The mitigation choice can be either a list of IP addresses or combination of ASN, Region, and TLS Fingerprinting.

    • Click Apply to add the rule to the list of rules.

    • Click Apply to add the rules list to the DDoS protection configuration.

  • From the Slow DDoS Mitigation menu, select an option. Slow DDoS mitigation limits how long a client may take to send its request headers and its complete request, which defends against slow-request (Slowloris-style) attacks that hold connections open:

    • For the Custom option, enter Request Headers Timeout and Total Request Timeout values.

Note: See the Explore Security Monitoring section in the Monitor HTTP Load balancer guide to learn more about observing and reacting to an active DDoS attack.

Step 5.5: Configure Client-Side Defense.

Ensure that this service is enabled for your tenant. See Client-Side Defense for more information and configuration instructions.

Step 5.6: Configure service policies.

Go to Common Security Controls section and perform the following:

Figure: Service Policy Configuration
  • From the Service Policies menu, select an option to apply the service policy. The following options are available:

    • Apply Namespace Service Policies: This option applies the service policy to an entire namespace.

    • Do Not Apply Service Policies: This option does not apply any service policy.

    • Apply Specified Service Policies: This option applies a service policy to a specified load balancer, not the entire namespace.

  • To apply a specific service policy, select Apply Specified Service Policies, and perform the following:

    • Click Configure.
Figure: Apply Specific Service Policy
  • From the Policies menu, select a service policy, and then click Apply.
Figure: Select Specific Service Policy
Step 5.7: Configure IP Reputation service.

For more information, see Deny Malicious IPs Using IP Threat Categories.

Step 5.8: Configure the user identification.
  • From the User Identifier drop-down menu, select the method for user identification:

    • Select Client IP Address to identify users by their client IP address.

    • Select User Identification Policy to use the object to evaluate the identity. To create a new user ID, click Add item from the User Identification Policy menu.

Figure: User ID Policy

Note: For more information, see Configure Rate Limiting per User.

Step 5.9: Configure malicious user detection.

From the Malicious User Detection drop-down menu, select Enable.

Step 5.10: Configure rate limiting.
  • To configure rate limiting, select an option from the list:

    • Disable: Default option. No rate limiting enabled for this load balancer.

    • API Rate Limit: Set rate limiting for specific API endpoints.

    • Custom Rate Limiting Parameters: Allows you to set custom parameters to rate limit.

Note: For detailed instruction to set up rate limiting, see Configure API Rate Limiting.

Step 5.11: Configure challenge parameters.
  • In the Common Security Controls section, enable the Show Advanced Fields option.

  • From the Malicious User Mitigation And Challenges drop-down menu, select Enable. This option enables you to configure a challenge for users detected as malicious.

Note: For the JavaScript Challenge, Captcha Challenge, and Policy Based Challenge options, you can enable a challenge for all users and/or requests matching specific conditions. For any of these options, click View Configuration to create that challenge for users/requests that meet specific criteria.

  • From the Malicious User Mitigation Settings menu, select an option for malicious users at different threat levels:

    • Default: Applies the default actions for the low, medium, and high threat levels.

    • Custom: Defines different levels and actions to take. Select an option from the Custom menu. Or click Add Item to create a custom option.

  • From the JavaScript Challenge Parameters menu, select the type of JavaScript challenge to enable:

    • JavaScript Challenge Parameters: This option enables you to configure a custom JavaScript challenge for this load balancer. Click Configure. Set the delay value, cookie expiration value, and custom message to use. After you finish, click Apply. For more information, see Configure JavaScript Challenge.

    • Use Default Parameters: This option sets the default challenge with no customization.

  • From the Captcha Challenge Parameters menu, select the type of captcha challenge to enable:

    • Use Default Parameters: This option takes the default settings and applies them.

    • Captcha Challenge Parameters: This option enables you to define the challenge parameters. Click Configure. Set the cookie expiration value and the custom message to use. After you finish, click Apply.

Policy Based Challenge
  • If you selected Policy Based Challenge, perform the following:

    • Click View Configuration.

    • Configure the JavaScript, captcha, and malicious user settings.

    • Select a challenge type.

  • In the Rules section:

    • Click Configure.

    • Click Add Item.

    • Enter a Name value and an optional description.

    • In the Challenge Rule Specification field, select View Configuration.

    • From the Select Challenge Action Type drop-down menu, select the challenge action to take. Disable challenge is the default setting. The two options include Enable javascript challenge and Enable captcha challenge.

    • From the Source IP Match drop-down menu, select the source IP to match the requests. The options include:

      • Any Source IP: This option enables any source IP to match requests.

      • IP Prefix List: This option provides a list of prefix values. You must provide a list of IP prefixes.

      • IP Prefix Sets: This option provides a list of references to IP prefix set objects. You must create the prefix set.

    • From the Source ASN Match drop-down menu, select an option for the origin Autonomous System Number (ASN) to match requests:

      • Any Source ASN: This option matches any source ASN.

      • ASN List: This option provides a list of ASN values to match requests. You must enter the ASN values.

      • BGP ASN Sets: This option provides a list of references for Border Gateway Protocol (BGP) ASN objects to match requests. You must create the ASN set.

    • From the Client Selection drop-down menu, select how the clients will match the challenge rules. The options include:

      • Any Client: This option is for all clients to match the challenge rules.

      • Group of Clients by Label Selector: This option provides a label selector for the set of clients. You must select the expression from the list.

    • To configure the TLS fingerprint matcher, select Configure:

      • From the TLS fingerprint classes drop-down menu, select a class.

      • Optionally, you can add an exact value or exclude a value with Add item.

      • Click Apply.

      • Optionally, you can set the parameters for the request matching from the Request Match section, and you can set an optional Expiration Timestamp from the Advanced Match section.

      • Click Apply.

    • Click Apply.

  • Click Apply.

  • Click Apply.

Step 5.12: Configure trusted client rules.

These rules define specific clients for which WAF processing and Bot Defense will be skipped. Add rules to allow trusted clients based on the match conditions configured. You can skip WAF, skip bot processing, or both. The match conditions include IP prefix, AS number, and HTTP headers to identify specific clients.

  • To configure the Trusted Client Rules option:

    • Click Configure, and then click Add Item.

    • Complete the configuration process to add rules to allow trusted clients and to prevent the WAF from applying the block rules you previously configured.

    • Click Apply.

    • Select the newly created rules option and then click Apply.

Step 5.13: Configure client blocking rules.

You can choose match condition rules, such as IP prefix, AS number, and HTTP headers to identify specific clients to block from accessing your applications.

  • To configure the Client Blocking Rules option:

    • Click Configure, and then click Add Item.

    • Complete the configuration process to add rules to block specific clients from making requests.

    • Click Apply.

    • Select the newly created rules option, and then click Apply.

Step 5.14: Configure CORS policy.

The Cross-Origin Resource Sharing (CORS) policy is an HTTP-header-based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

  • In the CORS Policy field, click Configure.

  • To enable a specific origin server, click Add item under the Allow Origin field.

  • To enable origin servers by regex, click Add item under the Allow Origin Regex field.

  • In the Allow Methods field, enter information to be used for the access-control-allow-methods header.

  • In the Allow Headers field, enter information to be used for the access-control-allow-headers header.

  • In the Expose Headers field, enter information to be used for the access-control-expose-headers header.

Figure: CORS Policy
  • In the Maximum Age field, enter information in seconds to cache the headers.

  • After you finish, click Apply.
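As an added example (not part of this guide and not F5's code), the following Python models how the CORS Policy fields above map onto the access-control-* response headers, including the preflight case and an anchored regex match so that a look-alike origin cannot satisfy an Allow Origin Regex entry. The CorsPolicy class, its field names and the sample origins are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class CorsPolicy:
    """Constructed model of the CORS Policy form fields."""
    allow_origin: list[str] = field(default_factory=list)        # Allow Origin (exact)
    allow_origin_regex: list[str] = field(default_factory=list)  # Allow Origin Regex
    allow_methods: str = "GET, POST"      # access-control-allow-methods
    allow_headers: str = "Content-Type"   # access-control-allow-headers
    expose_headers: str = ""              # access-control-expose-headers
    maximum_age: int = 600                # access-control-max-age, in seconds

def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    if origin in policy.allow_origin:
        return True
    # fullmatch anchors the pattern, so https://.*\.partner\.example does not
    # accept https://api.partner.example.evil.test
    return any(re.fullmatch(p, origin) for p in policy.allow_origin_regex)

def cors_headers(policy: CorsPolicy, method: str,
                 request_headers: dict[str, str]) -> dict[str, str]:
    """CORS response headers for one request; {} when the Origin is not allowed."""
    origin = request_headers.get("origin")
    if origin is None or not origin_allowed(policy, origin):
        return {}
    out = {"access-control-allow-origin": origin, "vary": "Origin"}
    is_preflight = method == "OPTIONS" and "access-control-request-method" in request_headers
    if is_preflight:
        # Preflight answers carry the methods/headers the browser may use and the cache lifetime.
        out["access-control-allow-methods"] = policy.allow_methods
        out["access-control-allow-headers"] = policy.allow_headers
        out["access-control-max-age"] = str(policy.maximum_age)
    elif policy.expose_headers:
        # Actual responses carry only the headers the script may read.
        out["access-control-expose-headers"] = policy.expose_headers
    return out
```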

Step 6: Optionally, set other settings.

In the Other Settings section, perform additional configuration.

Step 6.1: Configure VIP advertisement.
  • From the VIP Advertisement drop-down menu, select from one of the options available:

    • Select Internet to advertise the default VIP on the public network.

    • Select Internet (Specified VIP) and enter an IP address in the Public IP field to advertise that IP as VIP on a public network.

    • Select Custom. Click Configure in the Advertise Custom field, and then perform the configuration per the following guidelines:

      • Select Add Item.

      • From the Select Where to Advertise menu, select Site or Virtual Site.

      • From the Site Network menu, select an option.

      • From the Site Reference menu, select an option. In case of a site, you can also optionally set an IP address as the VIP.

      • Enable the Show Advanced Fields option.

      • Configure a TCP listener port or select a default option for the TCP Listen Port Choice field. The default option sets port 80 for the HTTP load balancer and 443 for the HTTPS load balancer.

      • Click Apply.

    • Click Apply.

    • Select Do Not Advertise to disable VIP advertisement.

Note: If you have enabled Internet VIP on the AWS cloud site to allow clients to access the load balancer VIP directly from the internet, set the VIP Advertisement selection to Custom, and then configure the custom VIP advertisement to advertise on a Site or Virtual Site with Site Network set to either Outside Network with internet VIP or Inside and Outside Network with internet VIP. For more information, see Create AWS Site.

Note: The following ports are not supported for advertising on a Distributed Cloud Services site:

  • K8s node port range 28000-32767
  • Distributed Cloud Services port range 65000-65535
  • 10249
  • 10250
  • 10251
  • 10252
  • 10256
  • 10257
  • 10259
  • 1067
  • 18091
  • 18092
  • 18093
  • 18095
  • 22
  • 22222
  • 2379
  • 23790
  • 23791
  • 2380
  • 23801
  • 23802
  • 323
  • 4500
  • 500
  • 53
  • 5355
  • 6443
  • 68
  • 8005
  • 8007
  • 8087
  • 8443
  • 8444
  • 8505
  • 8507
  • 9007
  • 9090
  • 9153
  • 9999

Step 6.2: Configure load balancer control and requests.
  • From the Load Balancing Algorithm menu, set how the HTTP/HTTPS requests are load balanced. The options include:

    • Round Robin: This option sends requests to all eligible servers in a round robin fashion.

    • Least Active Request: This option sends requests to the origin server that has the fewest active requests.

    • Random: This option sends requests to all origin servers randomly.

    • Source IP Stickiness: This option sends requests to all origin servers using the hash value of the source IP.

    • Cookie Based Stickiness: This option sends requests to all origin servers using the hash value of the source IP. Requires you to further configure the parameters.

    • Ring Hash Policy: This option sends requests to all origin servers using the hash value of the request. Requires you to further configure the parameters.

Figure: Load Balancer Control
  • If you select Cookie Based Stickiness:

    • In the Name field, enter a name for the cookie.

    • Optionally, set a TTL value in milliseconds and set a path name value.

  • If you select Ring Hash Policy:

    • Click Configure to specify a list of hash policies to use.

    • Click Add Item.

    • From the Hash Policy Specifier drop-down menu, select what to apply the hash policy to. The options include:

      • Cookie: Hash policies are applied to a cookie.

      • Header Name: Hash policies are applied to the value of the request header with the given name, which is used to obtain the hash key.

      • Source IP: Hash policies are applied to the source IP address.

    • In the Name field, enter a name for the cookie that is used to obtain the hash key.

    • To apply the hash policy as a terminal policy, select the Terminal option.

    • Click Apply.

    • Select the newly created hash policy, and then click Apply.
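The following Python is an added example, not the product's implementation: it models how a list of hash policies is evaluated in order (a terminal policy ends evaluation once a key has been produced, Envoy-style semantics assumed here) and how the resulting key selects an origin on a consistent-hash ring. The HashPolicy and RingHash classes, the SHA-256-based hash and the sample values are constructed.

```python
from __future__ import annotations
import bisect
import hashlib
from dataclasses import dataclass

@dataclass
class HashPolicy:
    specifier: str          # Hash Policy Specifier: "cookie", "header" or "source_ip"
    name: str = ""          # Name field: cookie or header name (unused for source_ip)
    terminal: bool = False  # Terminal option

def _h64(data: str) -> int:
    """64-bit hash for ring points and request keys (constructed choice: SHA-256 prefix)."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")

def hash_key(policies: list[HashPolicy], cookies: dict[str, str],
             headers: dict[str, str], source_ip: str) -> int | None:
    """Evaluate policies in list order and fold each available value into one key.
    Assumed semantics: a terminal policy stops evaluation once a key exists."""
    key = None
    for p in policies:
        if p.specifier == "cookie":
            value = cookies.get(p.name)
        elif p.specifier == "header":
            value = headers.get(p.name.lower())
        else:
            value = source_ip
        if value is not None:
            part = _h64(f"{p.specifier}:{p.name}:{value}")
            key = part if key is None else _h64(f"{key}:{part}")
        if p.terminal and key is not None:
            break
    return key

class RingHash:
    """Consistent-hash ring: each origin owns `points` positions; a key goes to the next one clockwise."""
    def __init__(self, origins: list[str], points: int = 64):
        self.ring = sorted((_h64(f"{o}#{i}"), o) for o in origins for i in range(points))
        self.positions = [pos for pos, _ in self.ring]

    def pick(self, key: int) -> str:
        i = bisect.bisect_left(self.positions, key) % len(self.ring)
        return self.ring[i][1]
```

Only keys whose next ring position belongs to a newly added origin move, so growing the origin pool re-homes roughly one in N sticky sessions rather than all of them.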

Step 6.3: Configure trusted client IP headers.
  • Select Enable from the Trusted Client IP Headers drop-down menu.
  • Use the Add Item button to add one or more headers. The headers are processed in the numerical order in which they are added, as shown on the page.

Note: When trusted client IP headers are enabled, the system uses the real client IP address as the source IP, instead of the proxy's IP address.
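Added example, not product code: this Python resolves the client address from an ordered list of trusted headers, the first listed header carrying a valid address winning, and falls back to the proxy's IP when none does. The trusted_proxies gate is our own addition, not a Console setting: header values are honoured only when the connection arrives from a known upstream proxy, which is the condition to confirm before enabling this option, because any client that can reach the load balancer directly can set those headers itself.

```python
from __future__ import annotations
import ipaddress

def parse_ip(value: str):
    """First address of a comma-separated header value, or None if it is not a valid IP."""
    first = value.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None

def client_ip(trusted_headers: list[str], request_headers: dict[str, str],
              peer_ip: str, trusted_proxies: list[str]):
    """Return the address to treat as the client's source IP.

    trusted_headers:  header names in the order they were added (Add Item order).
    trusted_proxies:  CIDRs of upstream proxies allowed to assert a client IP (our addition)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer  # direct connection: ignore any client-supplied headers
    lower = {k.lower(): v for k, v in request_headers.items()}
    for name in trusted_headers:
        value = lower.get(name.lower())
        if value is not None:
            ip = parse_ip(value)
            if ip is not None:
                return ip  # first listed header with a valid address wins
    return peer  # no usable header: keep the proxy's address
```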

Step 6.4: Configure additional settings.
  • Select the Add Location checkbox to specify the regional edge (RE) site name in the header responses.
Figure: Enable RE Site Header Responses
  • Click Configure in the More Options field and perform the configuration per the following guidelines:

    • In the Header Options section, click Add Item and add details in each of the request headers and response headers fields to specify add and remove headers accordingly.

    • In the Configure Error Response Options section, click Configure to customize error responses.

    • In the Miscellaneous Options section, click Configure. Complete the configuration options.

  • Click Apply.

Step 7: Complete creating the load balancer.

Click Save and Exit.

Step 8: Verify the load balancer status.

Note: If the load balancer is of type HTTP, then it is reachable through the configured domains as well as through the automatically generated CNAME.

Delegated Domain:
  • Wait for the DNS Info and Certificate status to display the VIRTUAL_HOST_READY and Certificate status Valid values.
Figure: Load Balancer Created
  • Verify that the requests to your virtual host domain are processed and load balanced between the configured origin servers.

Note: The Certificate expiration date column displays the expiration date for the certificates. Certificates managed by F5 Distributed Cloud Services are issued for 90 days and auto-renewed after 75 days from the date of issuance.

Non-Delegated Domain:
  • Verify that the Certificate status field shows Domain Challenge Pending.

  • Click > to view the load balancer information in JSON format.

  • Verify that an ACME challenge record exists under the get_spec > auto_cert_info > dns_records field in the JSON. The record name starts with _acme-challenge and the value is the name of the TXT record created by Distributed Cloud Services.

  • Create a CNAME record with the obtained ACME challenge name and value in your DNS server.

  • Verify that the Certificate status field value changes to Certificate Valid.

  • Verify that the Certificate expiration date field value displays the expiration date for the certificates.
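The JSON check and CNAME step above, as an added Python example that is not part of this guide: it walks the get_spec > auto_cert_info > dns_records path named on the page, keeps the _acme-challenge entries, renders the CNAME records to publish, and verifies them against a resolver callback. The per-record keys "name" and "value", the callback shape and the sample JSON (placeholder values) are assumptions.

```python
from __future__ import annotations
import json
from typing import Callable, Optional

def acme_challenge_records(lb_json: str) -> list[tuple[str, str]]:
    """(name, value) pairs for every _acme-challenge record in the load balancer JSON.
    Assumed: each entry under dns_records carries "name" and "value" keys."""
    spec = json.loads(lb_json)["get_spec"]
    records = spec.get("auto_cert_info", {}).get("dns_records", [])
    out = []
    for r in records:
        name, value = r.get("name", ""), r.get("value", "")
        if name.startswith("_acme-challenge") and value:
            out.append((name.rstrip("."), value.rstrip(".")))
    return out

def zone_lines(records: list[tuple[str, str]], ttl: int = 300) -> list[str]:
    """Zone-file lines for the CNAME records to add at your DNS provider."""
    return [f"{name}. {ttl} IN CNAME {value}." for name, value in records]

def challenge_published(records: list[tuple[str, str]],
                        resolve: Callable[[str], Optional[str]]) -> dict[str, bool]:
    """True per record when the resolver's CNAME target matches the expected value.
    The resolver is injected (e.g. a dnspython lookup in practice) so this runs offline."""
    return {name: (resolve(name) or "").rstrip(".") == value for name, value in records}

# Constructed sample, not real Console output; targets are placeholders.
SAMPLE_LB_JSON = json.dumps({"get_spec": {"auto_cert_info": {"dns_records": [
    {"name": "_acme-challenge.www.example.com",
     "value": "_acme-challenge.www.example.com.challenge-placeholder.example"},
    {"name": "www.example.com", "value": "lb-cname-placeholder.example"}]}}})
```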

Note: Some client browsers can employ a performance optimization known as "connection coalescing." In this optimization, if two host names resolve to the same IP address and are present in the same TLS certificate, the HTTP/2 connection will be reused between them. This can land the HTTP request in the wrong load balancer and result in a 404 error. See the HTTP/2 RFC for more information.

