Web App Security & Performance

Objective

This guide provides instructions on how to secure your web application and enhance its performance using F5® Distributed Cloud Console and F5 Distributed Cloud Mesh.

The steps to secure your web application and enhance its performance are:

SeqWasp
Figure: Web Application Security and Performance Steps

The following image shows the topology of the example for the use case provided in this document:

TopWasp
Figure: Web Application Security Sample Topology

Using the instructions provided in this guide, you can configure F5 Distributed Cloud Services to handle the domain ownership (which includes the creation of needed DNS resource records) of a new subdomain, create an HTTPS Load Balancer with automatic SSL certificate for the VIP, secure the domain with features such as javascript challenge and Distributed Cloud Next Generation Web Application Firewall (NG-WAF), and monitor the security and performance of your new subdomain. This example use case presents securing an application hosted on a public website. The HTTPS Load Balancer creates a Virtual IP (VIP) across your Application Delivery Network (ADN). All the VIPs instantiated on the ADN are automatically enabled with the DDoS protection.

Note: Additional performance and origin access via private tunnels or native K8s/Consul integration can be achieved by installing a Mesh node closest to the origin server. For more information, see the Secure Kubernetes Gateway quick start guide.


Prerequisites

  • F5 Distributed Cloud Console SaaS account.

    Note: If you do not have an account, see Create an Account.

  • Amazon Web Services (AWS) account.

    Note: This is required to deploy a Distributed Cloud site.

  • F5 Distributed Cloud vesctl utility.

    Note: See vesctl for more information.

  • Docker.


Configuration

The use case provided in this guide demonstrates enabling a domain for an application hosted on a public website and secures it using a Distributed Cloud javascript challenge and NG-WAF. The following actions outline the activities in domain setup and securing the web app:

  1. The domain for the application is delegated to F5 Distributed Cloud Services for handling the queries towards the subdomain for the application and management of the SSL certificates for the subdomain.

  2. A HTTP load balancer is created for the subdomain with automatic certificate management. As part of this step, an origin pool is created with the origin server as the public website. This use case demonstrates securing the cloud.f5.com website.

  3. The load balancer is secured with the javascript challenge and WAF for its ingress traffic.

Step 1: Delegate Domain

The following video shows the domain delegation workflow:

Perform the following steps to delegate your domain to Distributed Cloud Services:

Step 1.1: Log into Console and create domain delegation object.
  • Select the DNS Management service.
  • Navigate to Domain Management and select Add delegated domain.
  • Enter your domain name in the Domain Name field. Ensure that Managed by Distributed Cloud is selected for the Domain Method field. Select Save and Exit.

dd create new
Figure: Create Domain Delegation

Note: This creates a delegated domain object with a TXT record value and the status as domain verification pending.

  • Verify that the delegated domain object is displayed in the list and copy the value of the TXT Record field using the button to the right of the value.

dd txt
Figure: TXT Record Addition in Google Domains

Step 1.2: Add a DNS TXT records in your domain and perform verification.
  • Add a TXT record in your domain records with the copied TXT string. This example shows how to add the record in Google domains.

txt gdomain
Figure: TXT Record Addition in Google Domains

  • Go back to Console and select your delegated domain entry. Select Verify for your domain.

verify dd
Figure: Successful Domain Verification

  • After verification, the field Verification Status shows successful verification, and the nameservers get displayed on the Name Servers field.

verified dd
Figure: Successful Domain Verification

Step 1.3: Add NS records in your domain.

Go back to your domain and add the NS records with the nameservers obtained from Console. This example shows adding to the Google domains.

nss gdomain
Figure: NS Record Addition in Google Domains


Step 2: Load Balancer

The HTTP load balancer is created with the domain name for which, the DNS and certificate management is delegated to Distributed Cloud Services. As part of load balancer creation, an origin pool is created with the origin server as the public website.

The following video shows the load balancer creation workflow:

Perform the following steps for creating load balancers to enhance the application performance:

Step 2.1: Obtain the public certificate for the origin server.

This example demonstrates securing the public website cloud.f5.com. You can obtain the public certificate using more than one method. This example shows how to obtain using Firefox browser.

  • Open https://cloud.f5.com website in browser.
  • Select the padlock symbol on the URL bar and then select the arrow button next to the Connection Secure option.

padlock f5co
Figure: View Connection Information of Public Site

  • Select More Information to display the security options.

moreinfo f5co
Figure: View Security Information of Public Site

  • Select the View Certificate button in the displayed security options.

viewcert f5co
Figure: View Certificate Information of Public Site

  • Switch to the Entrust Root Certification Authority - G2 tab and scroll down to the Miscellaneous section. Select PEM (Cert) and Ok in the confirmation box to download the certificate.

pem f5co
Figure: Download Certificate of Public Site

Step 2.2: Create a namespace.
  • Log into the Console and select the Administration service.
  • Navigate to Personal Management and select My Namespaces. Select Add namespace.

AddNS
Figure: Manage Namespaces

  • Set a name, optionally add users, and select Save. This example creates waap namespace.

WaspNs
Figure: Create Namespace

Step 2.3: Create origin pool.
  • Select the Web App & API Protection service.
  • Change to your new application namespace and navigate to Manage > Load Balancers > Origin Pools.
  • Select Add Origin Pool.
  • Enter a name for your origin pool in the metadata section.

orig pool new
Figure: New Origin Pool

  • In the Origin Servers section, select Add Item.
    • Select Public DNS Name of Origin Server for the Type of Origin Server field.
    • Enter the public DNS name of your origin server in the DNS Name field. This example configures cloud.f5.com as the DNS name.

orig server new
Figure: Origin Pool Basic Configuration

  • In the Origin Servers section, enter 443 for the Port field.
  • Scroll down to the TLS section, and select Enable.
  • Select SNI Value in the SNI Selection field and enter the SNI. This example sets cloud.f5.com as the SNI Value.
  • Select High for the TLS Security Level field.
  • Select Use Custom CA List for the Origin Server Verification field.
  • Select Base64(binary) option for the Trusted CAs field.
  • Switch to command terminal and encrypt the downloaded public certificate of the website using Base64. Copy the output.
cat author-www-f5-com.pem | base64
  
  • Go back to Console and enter the copied Base64 string in the Trusted CAs field.

tls b64 new
Figure: Origin Pool TLS Configuration

Note: Configuring the public certificate enables Distributed Cloud Services to establish connection to the origin server.

  • Select Save and Exit.
Step 2.4: Create HTTP load balancer.
  • Navigate to Manage > Load Balancers > HTTP Load Balancers. Select Add HTTP Load Balancer.

  • Enter a name and your domain in the Name and List of Domains fields respectively. This will create an A name entry, cloudf5-vip, which will resolve to an IP address that is pointed to a VIP that is hosted on F5 ADN.

  • Select HTPS with Automatic Certificate in the Type of Load Balancer field. This will create an SSL certificate for this domain and sign it with a public Certificate Authority (CA).

http lb new
Figure: HTTP Load balancer creation

  • Since this use case attempts to provide a proxy to an existing public site, it is required to enable automatic host-rewriting. Therefore, route configuration is required. Scroll down to the Routes section and select Configure.

route en
Figure: Route Configuration Section

  • Select Add Item, select ANY for the HTTP Method, select Regex for the Path Match field, and enter (.*?) (all routes) in the Regex field.

Note: The option Simple Route is applied by default for the Select Type of Route field.

  • Select Add Item for the Origin Pools section. Select the origin pool created in the previous step for the Origin Pool field and select Add Item.

route op
Figure: Route Origin Pool Configuration

  • Select Add Item at the bottom of the Routes configuration form to add the route to the load balancer configuration and return to the load balancer configuration form.

route final
Figure: Route Origin Pool Configuration

Note: Ensure that the Automatic Host Rewrite option is selected by default for the Host Rewrite field. This ensures that the requests coming to the domain you configured are redirected to the public DNS name of the origin server.

  • Scroll down and select Add Item to complete this route and return to the Routes list.
  • Select Apply to apply this list to the load balancer.
  • Scroll to the bottom and select Save and Exit to complete the load balancer.

The load balancer object gets displayed on the screen. The fields DNS info and TLS info with values VIRTUAL_HOST_READY and Certificate Valid indicate that the virtual host certificate is successfully validated and ready for use. You can verify this by entering the load balancer domain into a browser.

http lb final
Figure: HTTP Load Balancer Created

Note: Select Refresh on the load balancers display list screen to display the latest status.


Step 3: Secure App

Securing the application includes applying javascript challenge for the requests towards the load balancer domain and configuring a WAF for the load balancer.

Note: Javascript challenge enforces the users to send requests through the browser preventing automated attacks.

The following video shows the workflow of securing the app:

Perform the following enable a javascript challenge and apply a WAF to the load balancer:

Step 3.1: Enable WAF.
  • In the Web App & API Protection service, select the same namespace as your load balancer.
  • Navigate to Manage > Load Balancers > HTTP Load Balancers.
  • Select ...>Manage Configuration for your load balancer to view its configuration. Next select Edit Configuration in the upper right corner to edit its configuration.
  • Scroll down or select Security Configuration in the left menu to jump to the security configuration section.
  • Select Enable for the Web Application Firewall (WAF) field, and then use the Enable pull-down menu to select the Create new App Firewall button.

lb sec config
Figure: HTTP Load Balancer Security Configuration

Step 3.2: Configure App Firewall.
  • Enter a name for the firewall.
  • Select Blocking for the Enforcement Mode field.
  • Leave the Protection Settings at their defaults and select Continue to save the WAF and return to the HTTP Load Balancer form.

lb waf
Figure: WAF for HTTP Load Balancer

Step 3.3: Configure Malicious User Detection.
  • Toggle the Show Advanced Fields switch under the Security Configuration section to see additional security options.
  • Scroll down to the API Discovery/DDoS Detection/Malicious User Detection field and change the option to Default, which enables locally scoped ML configuration.

lb waf ml config
Figure: ML Config for HTTP Load Balancer Security

Note: DDos Detection and Malicious User Detection are enabled by default.

  • Scroll down and select Save and Exit to save these security settings.

Step 4: Performance and Security Monitoring

This step shows how to see the performance and security monitoring available.

Note: Monitoring is based on site traffic, so in order to have meaningful information, either wait for some user traffic or create traffic by visit and navigate the website in a browser.

Step 4.1: View the overall performance.
  • In the Web App & API Protection service, select the same namespace as your load balancer.
  • Select Performance in the Apps and APIs section of the left navigation sidebar. This shows a Traffic Overview graph and a list of Load Balancers.

lb waf performance
Figure: HTTP Load Balancer WAF Monitoring

Step 4.2: View the performance dashboard for your load balancer.
  • Select the name of the load balancer you want to monitor in load balancers list. This will show the performance dashboard for your load balancer.

lb perf db
Figure: HTTP Load Balancer Performance Dashboard

Step 4.3: View the app's requests.
  • Select the Requests tab. Each request shown represents a call to our website.
  • Select a request to get more information specific to that request.

lb perf rq
Figure: HTTP Load Balancer Performance Requests

Step 4.4: View security dashboard for your load balancer.
  • Select Security in the Apps & APIs section of the left navigation sidebar.
  • Select the name of the load balancer you want to monitor in load balancers list. This will show the security dashboard for your load balancer.

lb security db
Figure: HTTP Load Balancer Security Dashboard

Step 4.5: View the app's blocked requests.
  • Select the Security Events tab. Below the chart is a list of blocked events with three tabs. The Security Events tab shows malicious requests
  • Select a request to see the specifics of the request and the violations that were triggered by the attack.

lb blocked rq
Figure: HTTP Load Balancer Performance Requests


Concepts