Web App Security & Performance
Objective
This guide provides instructions on how to secure your web application and enhance its performance using F5® Distributed Cloud Console and F5 Distributed Cloud Mesh.
The steps to secure your web application and enhance its performance are described below.
The following image shows the topology of the example for the use case provided in this document:
Using the instructions provided in this guide, you can configure F5 Distributed Cloud Services to handle the domain ownership of a new subdomain (which includes the creation of the needed DNS resource records), create an HTTPS Load Balancer with an automatic SSL certificate for the VIP, secure the domain with features such as a JavaScript challenge and the Distributed Cloud Next Generation Web Application Firewall (NG-WAF), and monitor the security and performance of your new subdomain. This example use case presents securing an application hosted on a public website. The HTTPS Load Balancer creates a Virtual IP (VIP) across your Application Delivery Network (ADN). All the VIPs instantiated on the ADN are automatically enabled with DDoS protection.
Note: Additional performance and origin access via private tunnels or native K8s/Consul integration can be achieved by installing a Mesh node closest to the origin server. For more information, see the Secure Kubernetes Gateway quick start guide.
Prerequisites
- F5 Distributed Cloud Console SaaS account.
  Note: If you do not have an account, see Create an Account.
- Amazon Web Services (AWS) account.
  Note: This is required to deploy a Distributed Cloud site.
- F5 Distributed Cloud vesctl utility.
  Note: See vesctl for more information.
- Docker.
Configuration
The use case provided in this guide demonstrates enabling a domain for an application hosted on a public website and securing it using a Distributed Cloud JavaScript challenge and NG-WAF. The following actions outline the activities in domain setup and securing the web app:
- The domain for the application is delegated to F5 Distributed Cloud Services, which handles the queries towards the subdomain for the application and manages the SSL certificates for the subdomain.
- An HTTP load balancer is created for the subdomain with automatic certificate management. As part of this step, an origin pool is created with the origin server as the public website. This use case demonstrates securing the filecoin.io website.
- The load balancer is secured with the JavaScript challenge and WAF for its ingress traffic.
Step 1: Delegate Domain
The following video shows the domain delegation workflow:
Perform the following steps to delegate your domain to Distributed Cloud Services:
Step 1.1: Log into Console and create a domain delegation object.
- Select the DNS Management service.
- Navigate to Domain Management and click Add delegated domain.
- Enter your domain name in the Domain Name field. Ensure that Managed by Volterra is selected for the Domain Method field. Click Save and Exit.
Note: This creates a delegated domain object with a TXT record value and the status domain verification pending.
- Verify that the delegated domain object is displayed in the list and copy the value of the TXT Record field using the button to the right of the value.
Step 1.2: Add a DNS TXT record in your domain and perform verification.
- Add a TXT record in your domain records with the copied TXT string. This example shows how to add the record in Google Domains.
- Go back to Console and select your delegated domain entry. Click Verify for your domain.
- After verification, the Verification Status field shows successful verification, and the nameservers are displayed in the Name Servers field.
Step 1.3: Add NS records in your domain.
Go back to your domain and add the NS records with the nameservers obtained from Console. This example shows adding them in Google Domains.
Step 2: Load Balancer
The HTTP load balancer is created with the domain name for which DNS and certificate management is delegated to Distributed Cloud Services. As part of load balancer creation, an origin pool is created with the origin server as the public website.
The following video shows the load balancer creation workflow:
Perform the following steps for creating load balancers to enhance the application performance:
Step 2.1: Obtain the public certificate for the origin server.
This example demonstrates securing the public website filecoin.io. You can obtain the public certificate using more than one method. This example shows how to obtain it using the Firefox browser.
- Open the https://filecoin.io website in the browser.
- Click the padlock symbol in the URL bar and click the arrow button next to the Connection Secure option.
- Click More Information to display the security options.
- Click View Certificate in the displayed security options.
- Click the DST Root CA X3 tab and scroll down to the Miscellaneous section. Click PEM (Cert) and Ok in the confirmation box to download the certificate.
Step 2.2: Create a namespace.
- Log into the Console and select the Administration service.
- Navigate to Personal Management and select My Namespaces. Click Add namespace.
- Set a name, optionally add users, and click Save. This example creates the waap namespace.
Step 2.3: Create origin pool.
- Select the Web App & API Protection service.
- Change to your new application namespace and navigate to Manage -> Load Balancers -> Origin Pools.
- Click Add Origin Pool.
- Enter a name for your origin pool in the metadata section.
- In the Basic Configuration section under Origin Servers, click Add Item.
- Select Public DNS Name of Origin Server for the Type of Origin Server field.
- Enter the public DNS name of your origin server in the DNS Name field. This example configures filecoin.io as the DNS name.
- Select
- In the Basic Configuration section, enter 443 for the Port field.
- Scroll down and select TLS in the Enable TLS for Origin Servers field.
- Select SNI Value in the SNI Selection field and enter the SNI in the SNI field. This example sets filecoin.io as the SNI.
- Select High for the TLS Configuration for Origin Servers field.
- Select Use Custom CA List for the Origin Server Verification field.
- Select the Base64(binary) option for the Trusted CAs field.
- Switch to a command terminal and encode the downloaded public certificate of the website using Base64. Copy the output.
cat filecoin-io.pem | base64
- Go back to Console and enter the copied Base64 string in the Trusted CAs field.
Note: Configuring the public certificate enables Distributed Cloud Services to verify the origin server when establishing the connection to it.
- Click Save and Exit.
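The certificate handling of Steps 2.1 and 2.3 done from a terminal, as an added example that is not part of the F5 guide: it captures the chain an origin actually serves, checks that no certificate in the file is about to expire (a pinned custom CA list does not refresh itself), and produces the single-line Base64 value the Trusted CAs field takes. It assumes openssl and base64 are installed; fetch_origin_chain, count_certs, check_not_expiring, encode_pem and verify_roundtrip are hypothetical helper names, and the host and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the F5 guide). Helpers for preparing the
# Trusted CAs value of an origin pool. Assumes openssl and base64 on PATH.

# Print the PEM certificates the origin presents in its TLS handshake
# (needs network). Usage: fetch_origin_chain filecoin.io 443 > chain.pem
fetch_origin_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of CERTIFICATE blocks in a PEM file; 0 means nothing usable was saved.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return non-zero if any certificate in the file expires within N days
# (default 30). Origin TLS verification fails once a pinned CA expires.
check_not_expiring() {
  secs=$(( ${2:-30} * 86400 ))
  dir=$(mktemp -d)
  # split the bundle into one file per certificate
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  rc=0
  for c in "$dir"/*.pem; do
    openssl x509 -in "$c" -noout -checkend "$secs" >/dev/null || rc=1
  done
  rm -rf "$dir"
  return $rc
}

# Base64-encode the PEM as one unwrapped line. GNU base64 wraps at 76
# columns by default, and a wrapped value is not what the Console field expects.
encode_pem() {
  base64 < "$1" | tr -d '\n'
}

# Decode the value back and compare it byte-for-byte with the source file.
verify_roundtrip() {
  printf '%s' "$2" | base64 -d | cmp -s - "$1"
}
```

Paste the output of encode_pem into the Trusted CAs field; if check_not_expiring fails, re-fetch the chain before pinning it.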
Step 2.4: Create HTTP load balancer.
- Navigate to Manage -> Load Balancers -> HTTP Load Balancers. Click Add HTTP Load Balancer.
- Enter a name and your domain in the Name and Domains fields respectively. This creates an A record, filecoin-vip, which resolves to an IP address that points to the VIP hosted on the F5 ADN.
- Select HTTPS with Automatic Certificate in the Type of Load Balancer field. This creates an SSL certificate for this domain and signs it with a public Certificate Authority (CA).
- Since this use case proxies an existing public site, automatic host rewriting must be enabled, which requires a route configuration. Enable the Show Advanced Fields option in the Routes Configuration section and click Configure under the Routes option.
- Click Add Item, select ANY for the HTTP Method, select Regex for the Path Match field, and enter (.*?) (all routes) in the Regex field.
Note: The option Simple Route is applied by default for the Select Type of Route field.
- Click Add Item for the Origin Pools section. Select the origin pool created in the previous step for the Origin Pool field and click Add Item.
- Click Add Item at the bottom of the Routes configuration form to add the route to the load balancer configuration and return to the load balancer configuration form.
Note: Ensure that the Automatic Host Rewrite option (the default) is selected for the Host Rewrite field. This ensures that requests arriving at the domain you configured are forwarded to the origin with the host rewritten to the public DNS name of the origin server.
- Scroll down and click Add Item to complete this route and return to the Routes list.
- Click Apply to apply this list to the load balancer.
- Scroll to the bottom and click Save and Exit to complete the load balancer.
The load balancer object is displayed on the screen. The DNS info and TLS info fields with the values VIRTUAL_HOST_READY and Certificate Valid indicate that the virtual host certificate is successfully validated and ready for use. You can verify this by entering the load balancer domain into a browser.
Note: Click Refresh on the load balancers list screen to display the latest status.
Step 3: Secure App
Securing the application includes applying a JavaScript challenge to the requests towards the load balancer domain and configuring a WAF for the load balancer.
Note: The JavaScript challenge requires clients to send requests through a browser that executes the challenge, which prevents automated attacks.
The following video shows the workflow of securing the app:
Perform the following steps to enable a JavaScript challenge and apply a WAF to the load balancer:
Step 3.1: Enable WAF.
- In the Web App & API Protection service, select the same namespace as your load balancer.
- Navigate to Manage -> Load Balancers -> HTTP Load Balancers.
- Click ... -> Manage Configuration for your load balancer to view its configuration. Next, click Edit Configuration in the upper right corner to edit its configuration.
- Scroll down or click Security Configuration in the left menu to jump to the security configuration. Select App Firewall for the Web Application Firewall (WAF) Config field.
- In the App Firewall field, use the pull-down menu to click the Create new app firewall button.
Step 3.2: Configure App Firewall.
- Enter a name for the firewall.
- Select Blocking for the Enforcement Mode field.
- Leave the Protection Settings at their defaults and click Continue to save the WAF and return to the HTTP Load Balancer form.
Step 3.3: Configure Malicious User Detection.
- Toggle Show Advanced Fields under the Security Configuration section to see additional security options.
- Scroll down to the ML Config field and change the option to Single Load Balancer Application, which enables locally scoped ML configuration.
Note: Malicious User Detection is enabled by default.
- Scroll down and click Save and Exit to save these security settings.
Step 4: Performance and Security Monitoring
This step shows how to view the performance and security monitoring that is available.
Note: Monitoring is based on site traffic, so to see meaningful information, either wait for some user traffic or create traffic by visiting and navigating the website in a browser.
Step 4.1: View the overall performance.
- In the Web App & API Protection service, select the same namespace as your load balancer.
- Select Performance in the Apps and APIs section of the left navigation sidebar. This shows a Traffic Overview graph and a list of Load Balancers.
Step 4.2: View the performance dashboard for your load balancer.
- Click the name of the load balancer you want to monitor in the load balancers list. This shows the performance dashboard for your load balancer.
Step 4.3: View the app's requests.
- Click the Requests tab. Each request shown represents a call to the website. Click a request to get more information specific to that request.
Step 4.4: View the security dashboard for your load balancer.
- Select Security in the Apps & APIs section of the left navigation sidebar. Then click the name of the load balancer you want to monitor in the load balancers list. This shows the security dashboard for your load balancer. This shows several
Step 4.5: View the app's blocked requests.
- Click the Security Events tab. Below the chart is a list of blocked events with three tabs. The Security Events tab shows malicious requests.
- Click a request to see the specifics of the request and the violations that were triggered by the attack.