Web App Security & Performance

Objective

This guide provides instructions on how to secure your web application and enhance its performance using VoltConsole and VoltMesh.

The steps to secure your web application and enhance its performance are:

SeqWasp
Figure: Web Application Security and Performance Steps

The following images shows the topology of the example for the use case provided in this document:

TopWasp
Figure: Web Application Security Sample Topology

Using the instructions provided in this guide, you can configure Volterra to handle the domain ownership (which includes the creation of needed DNS resource records) of a new subdomain, create a HTTPS Load Balancer with automatic SSL certificate for the VIP, and secure the domain with features such as javascript challenge and Volterra Next Generation Web Application Firewall (NG-WAF). This example use case presents securing an application hosted on a public website. The HTTPS Load Balancer creates a VIP across Volterra’s Application Delivery Network (ADN). All the VIPs instantiated on the ADN are automatically enabled with the DDoS protection.

Note: Additional performance and origin access via private tunnels or native K8s/Consul integration can be achieved by installing a VoltMesh node closest to the origin server. For more information, see the Secure Kubernetes Gateway quickstart guide.


Prerequisites

  • VoltConsole SaaS account.

    Note: If you do not have an account, see Create a Volterra Account.

  • Amazon Web Services (AWS) account.

    Note: This is required to deploy a Volterra site.

  • Volterra vesctl utility.

    Note: See vesctl for more information.

  • Docker.

Configuration

The use case provided in this guide demonstrates enabling a domain for an application hosted on a public website and secures it using Volterra javascript challenge and NG-WAF. The following actions outline the activities in domain setup and securing the web app:

  1. The domain for the application is delegated to Volterra so that Volterra handles the queries towards the subdomain for the application and management of the SSL certificates for the subdomain.
  2. A HTTP load balancer is created for the subdomain with automatic certificate management. As part of this step, an origin pool is created with the origin server as the public website. This use case demonstrates securing the filecoin.io website.
  3. The loadbalancer is secured with the javascript challenge and WAF for its ingress traffic.

Step 1: Delegate Domain

The following video shows the domain delegation workflow:

Perform the following steps to delegate your domain to Volterra:

Step 1.1: Log into VoltConsole and create domain delegation object.
  • Navigate to Manage -> Networking in the system namespace. Select Delegated Domains and click Add Delegated domain.
  • Enter your domain name in the Domain Name field. Ensure that Managed Volterra is selected for the Domain Method field. Click Save and Exit.

dd create
Figure: Create Domain Delegation

Note: This creates a delegated domain object with a TXT record value and the status as domain verification pending.

  • Verify that the delegated domain object is displayed in the list and copy the value of the TXT Record field.

dd txt
Figure: TXT Record Addition in Google Domains

Step 1.2: Add TXT records in your domain and perform verification.
  • Add a TXT record in your domain records with the copied TXT string. This example shows how to add the record in Google domains.

txt gdomain
Figure: TXT Record Addition in Google Domains

  • Go back to VoltConsole and select your delegated domain entry. Click ... -> Start Verification. Click Start Verification in the confirmation dialogue box. After verification, the field Verification Status shows successful verification and the nameservers get displayed on the Name Servers field.

verified dd
Figure: Successful Domain Verification

Step 1.3: Add NS records in your domain.

Go back to your domain and add the NS records with the nameservers obtained from the VoltConsole. This example shows adding to the Google domains.

nss gdomain
Figure: NS Record Addition in Google Domains


Step 2: Load Balancer

The HTTP load balancer is created with the domain name for which, the DNS and certificate management is delegated to Volterra. As part of load balancer creation, an origin pool is created with the origin server as the public website.

The following video shows the loadbalancer creation workflow:

Perform the following steps for creating load balancers to enhance the application performance:

Step 2.1: Obtain the public certificate for the origin server.

This example demonstrates securing the pubic website filecoin.io. You can obtain the public certificate using more than one method. This example shows how to obtain using Firefox browser.

  • Open https://filecoin.io website in browser.
  • Click on the padlock symbol on the URL bar and click on the arrow button next to the Connection Secure option.

padlock fileco
Figure: View Connection Information of Public Site

  • Click on More Information to display the security options.

moreinfo fileco
Figure: View Security Information of Public Site

  • Click on View Certificate in the displayed security options.

viewcert fileco
Figure: View Certificate Information of Public Site

  • Click on the DST Root CA X3 tab and scroll down to the Miscelleneous section. Click PEM (Cert) and Ok in the confirmation box to download the certificate.

pem fileco
Figure: Download Certificate of Public Site

Step 2.2: Create a namespace.
  • Log into the VoltConsole and click on the settings next to the system namespace icon to open Manage namespaces. Click Add namespace.

AddNS
Figure: Manage Namespaces

  • Set a name, optionally add users, and click Save. This example creates wasp namespace.

WaspNs
Figure: Create Namespace

Step 2.4: Create origin pool.
  • Change to your application namespace and navigate to Manage -> Origin Pools. Click Add Origin Pool.
  • Enter a name for your origin pool in the metadata section and enter the public DNS name of your origin server in the DNS Name field in the basic configuration section. This example configures filecoin.io as the DNS name.
  • Enter 443 for the Port field.

orig pool
Figure: Origin Pool Basic Configuration

  • Scroll down and selct TLS in the Enable TLS for Origin Servers field.
  • Enter the SNI in the SNI field. This example sets filecoin.io as the SNI.
  • Select Base64 option for the Trusted CA URL field.
  • Switch to command terminal and encrypt the downloaded public certificate of the website using Base64. Copy the output.
cat filecoin-io.pem | base64
  
  • Go back to VoltConsole and enter the copied Base64 string in the Trusted CA URL field.

tls b64
Figure: Origin Pool TLS Configuration

Note: Configuring the public certificate enables Volterra to establish connection to the origin server.

  • Click Save and Exit.
Step 2.4: Create HTTP load balancer.
  • Navigate to Virtual Hosts -> HTTP Load Balancers. Click Add HTTP Load Balancer.
  • Enter a name and your domain in the Name and Domains field respectively.

http lb new
Figure: HTTP Load balancer creation

  • Since this use case attempts to provide a proxy to an existing public site, it is required to enable automatic host-rewriting. Therefore, route configuration is required. Enable Show Advanced Fields option in the Routes Configuration section and click Configure under the Routes option.

route en
Figure: Route Configuration Section

  • Select ANY for the HTTP Method, select Regex for the Path Match field, and enter (.*?) for the Regex field.

    Note: The option Simple Route is applied by default for the Select Type of Route field.

  • Click Configure for the Origin Pools field and click Add item in the origin pools configuration. Select the origin pool created in the previous step for the Origin Pool field and click Apply.

route op
Figure: Route Origin Pool Configuration

  • Click Apply in the route configuration form to add the route to the load balancer configuration and return to the load balancer configuration form.

route final
Figure: Route Origin Pool Configuration

Note: Ensure that the Automatic Host Rewrite option is selected by default for the Host Rewrite field. This ensures that the requests coming to the domain you configured are redirected to the public DNS name of the origin server.

http lb final
Figure: HTTP Load Balancer Created

  • Scroll down and click Save and Exit to complete creating the HTTP load balancer.

The load balancer object gets displayed on the screen. The fields DNS info and TLS info with values VIRTUAL_HOST_READY and Certificate Valid indicate that the virtual host certificate is successfully validated and ready for use. You can verify the same by entering the load balancer domain from a browser.

Note: Click Refresh on the load balancers display list screen to display the latest status.


Step 3: Secure App

Securing the application includes applying javascript challenge for the requests towards the load balancer domain and configuring a WAF for the load balancer.

Note: Javascript challenge enforces the users to send requests through the browser preventing automated attacks.

The following video shows the workflow of securing the app:

Perform the following enable a javascript challenge and apply a WAF to the load balancer:

Step 3.1: Enable javascript challenge.
  • Navigate to Virtual Hosts -> HTTP Load Balancers. Click ...->Edit for your load balancer to edit its configuration. Scroll down or click on Security Configuration in the left menu to the security configuration. Select Javascript Challenge for the Select Type of Challenge field. Click Configure to open the javascript challenge configuration and set the following:
  • Set values for Javascript Delay and Cookie Expiry period fields. This example sets 5000 milliseconds of delay and 3600 seconds of cookie expiry.
  • Click Apply to apply the javascript challenge and click Save and Exit to save the updated load balancer configuration.

jsc
Figure: Javascript Challenge Configuration

Note: You can verify the javascript challenge functionality by visiting your application domain from the browser. The request gets redirected to the default Volterra page. Ensure that you clear cookies or request in the incognito or private mode.

Step 3.2: Create a Web Application Firewall (WAF) and apply to the load balancer.
  • Navigate to Virtual Hosts -> HTTP Load Balancers. Click ...->Edit for your load balancer to edit its configuration. Scroll down or click on Security Configuration in the left menu to the security configuration. Perform the configuration as per the following guidelines:
  • Select Specify WAF Intent for the Select Web Application Firewall (WAF) Config field.
  • Click on the Specify WAF Intent field and select Create new WAF.
  • Set a name for the firewall and leave all other fields. This sets the WAF to alert mode by default.
  • Click Continue to complete creating the WAF.

Note: The firewall is enabled by the BLOCK mode by default . This blocks all the suspicious requests.

WAF
Figure: Web Application Firewall Creation

  • Click Save and Exit to add WAF to the load balancer configuration.

You can verify the firewall operation using the load balancer monitoring feature. Navigate to Virtual Hosts -> HTTP Load Balancers and click on your load balancer to open its dashboard. Click App Firewall tab to view the detailed information about the firewall functioning.

WAF
Figure: Load Balancer Monitoring View for App Firewall


Concepts