Web App Security & Performance

Objective

This guide provides instructions on how to secure your web application and enhance its performance using VoltConsole and VoltMesh.

The steps to create Secure Kubernetes Gateway are:

Figure: Web Application Security and Performance Steps

The following image shows the topology of the example for the use case provided in this document:

Figure: Web Application Security Sample Topology

Using the instructions in this guide, you can deploy your web application in an EKS cluster in your Amazon Virtual Private Cloud (Amazon VPC), set up discovery of cluster services from the VPC, provide a load balancer, secure the application using the Volterra Secure K8s Gateway, and apply further security using Volterra network policies, service policies, and WAF.

The example in this guide deploys Secure K8s Gateways on two Amazon VPCs for an application called Hipster Webapp, deployed in two clusters, each representing a different geographic region, namely us-east-2 and us-west-2. The application consists of the following services:

  • frontend
  • cartservice
  • productcatalogservice
  • currencyservice
  • paymentservice
  • shippingservice
  • emailservice
  • checkoutservice
  • recommendationservice
  • adservice
  • cache

Prerequisites

  • VoltConsole SaaS account.

    Note: If you do not have an account, see Create a VES Account.

  • Amazon Web Services (AWS) account.

    Note: This is required to deploy a Volterra site.

  • Volterra vesctl utility.

    Note: See vesctl for more information.

  • Docker.
  • Self-signed or CA-signed certificate for your application domain.

Configuration

The use case in this guide sets up Volterra sites as Secure K8s Gateways for the ingress and egress traffic of the two K8s clusters deployed in the VPCs. The example web application has a frontend service to which all user requests are sent; it forwards them to the other services as needed. The following actions outline the activities involved in securing the web app and enhancing its performance.

  1. The frontend service of the application needs to be externally available. Therefore, two HTTPS load balancers are created, one for each cluster.
  2. The load balancer TLS configuration is secured by applying Volterra Blindfold encryption to the TLS private key.
  3. Service policies are configured to selectively restrict ingress traffic using BGP ASN sets.
  4. A WAF configuration is applied to secure the externally available load balancer VIPs. The load balancer is also protected against bots with a JavaScript challenge.
  5. All other communication from the K8s clusters is configured to be denied.

Note: Ensure that you keep the Amazon Elastic IP VIPs ready for later use in configuration.

Step 1: Deploy Sites & Discover Services

The following video shows the site deployment workflow:

Perform the following steps to deploy Volterra sites and web application in your VPCs:

Step 1.1: Download the Volterra quickstart deployment script.

Download the latest quickstart utility:

docker pull volterraio/volt-terraform

Download the deployment script:

docker run --rm -v $(pwd):/opt/bin:rw docker.io/volterraio/volt-terraform:latest cp /deploy-terraform.sh /opt/bin

Step 1.2: Prepare the input variables file for the terraform deployment. The following example shows sample entries of the input variables:

{
    "vpc_east_cidr": "192.168.0.0/22",
    "vpc_west_cidr": "192.168.16.0/22",
    "deployment": "hipster-prod-wasp",
    "fleet_label_prefix": "hipster-prod-wasp",
    "access_key": "<aws_access_key>",
    "secret_key": "<aws_secret_key>",
    "api_p12_file": "<path-to-api-credentials>",
    "api_url": "https://<tenant>.console.ves.volterra.io/api",
    "machine_public_key": "<public-key>"
}

Note: Download the API credentials in VoltConsole from the IAM->API Credentials option. The credentials are downloaded as a file with the .p12 extension. Use the export VES_P12_PASSWORD=<api credentials password> command to set the VES_P12_PASSWORD environment variable.

Step 1.3: Deploy the VPCs with Volterra sites and the K8s clusters using the deployment script.

./deploy-terraform.sh apply -p aws -i <tfvars> -tn self-serve/wasp

The deployment performs the following:

  • Creates AWS infrastructure such as VPC, subnets, and route-tables
  • Deploys an AMI instance of the Volterra node into the created VPC
  • Performs automatic site registration (approval)
  • Creates Volterra fleet and network connector objects with fleet label as transit-vpc
  • Creates the hipster-prod-east and hipster-prod-west EKS clusters
  • Creates the hipster-prod-east and hipster-prod-west namespaces
  • Deploys the Hipster shop web application in the clusters

Note:

  • The deployment approximately takes 10 to 15 minutes to complete.
  • The deployed Volterra sites act as the Secure Kubernetes Gateways for the web application services.

After the deployment is complete, download the kubeconfig files of the created K8s clusters using the following commands:

./deploy-terraform.sh output -n hipster-prod-wasp east_cluster_kubeconfig > hipster-prod-east-kubeconfig

./deploy-terraform.sh output -n hipster-prod-wasp west_cluster_kubeconfig > hipster-prod-west-kubeconfig

Step 1.4: Create a secret policy.

The secret policy is used to encrypt the kubeconfig files and the private keys of the certificates using Volterra Blindfold.

Log into the VoltConsole and navigate to Security -> Secret Policies. Click Add secret policy and enter the following configuration:

  • Enter a name in the Name field. This example uses the name wasp.
  • Select First Rule Match for the Rule Combining Algorithm field.
  • Select the Allow Volterra checkbox. This allows Volterra infrastructure services to decrypt the secret.
  • Click Add secret policy to complete secret policy creation.


Step 1.5: Obtain a public key and store the output to a file.

The public key is used to encrypt the kubeconfig files and the private keys of the certificates using Volterra Blindfold.

Note: The public key is part of the Volterra secret management key needed when performing the secret encryption.

vesctl request secrets get-public-key > hipster-co-public-key

Step 1.6: Obtain a policy document for the secret policy created in Step 1.4 and store the output to a file.

The policy document is used to encrypt the kubeconfig files and the private keys of the certificates using Volterra Blindfold.

Note: The policy document contains information about all the rules in the secret policy and policy_id.

vesctl request secrets get-policy-document --namespace system --name wasp > wasp-demo-demo-policy-doc

Step 1.7: Encrypt the kubeconfig files using Volterra Blindfold.

Use the public key and policy document created in the previous steps. Store the output in a file.

Note: The encrypted bytes can only be decrypted by the users/components defined in the policy document.

For the hipster-prod-east cluster:

vesctl request secrets encrypt --policy-document wasp-demo-demo-policy-doc --public-key hipster-co-public-key hipster-prod-east-kubeconfig > hipster-prod-east-bf-secret

For the hipster-prod-west cluster:

vesctl request secrets encrypt --policy-document wasp-demo-demo-policy-doc --public-key hipster-co-public-key hipster-prod-west-kubeconfig > hipster-prod-west-bf-secret

Step 1.8: Go back to VoltConsole and start discovery object creation.

Select Manage -> Site Management. Select Discovery and click Add discovery. Enter the configuration as per the following guidelines:

  • Enter a name in the Name field.
  • Select Site for the Where field.
  • Click Select ref, select hipster-prod-wasp-east as the site, and click Select ref.
  • Select Site Local Inside Network for the Network Type field.
  • Select Kubernetes for the Type field.
  • Select K8s for the Discovery Service Access Information field and select Kubeconfig for the Oneoff field.


Step 1.9: Perform configuration for the Kubeconfig.

Click Kubeconfig and enter the configuration as per the following guidelines:

  • Select Blindfold for the Secret info field.
  • Enter the encrypted secret in the Location field. Use the secret from the hipster-prod-east-bf-secret file generated in Step 1.7.

Note: Use cat <filename> to copy the secret.


Step 1.10: Complete creating the discovery object.

Select Apply and Add discovery to create discovery object.

Step 1.11: Repeat from Step 1.8 to Step 1.10 for the second K8s cluster.

Note: Create the discovery object with site reference as hipster-prod-wasp-west and Blindfold secret from the hipster-prod-west-bf-secret file.


Step 2: Load Balance & Web App Performance

Creating a load balancer requires creating an origin pool for the services, endpoints, healthchecks, clusters, routes, advertise policies, and virtual hosts.

Note: The origin pool is created for the frontend service, and a load balancer is created to load balance between the frontend services defined in the origin pool.

The following video shows the loadbalancer creation workflow:

Perform the following steps for creating load balancers to enhance the application performance:

Step 2.1: Create hipster-shop namespace.

Log into the VoltConsole and select Namespace -> Manage Namespaces. Click Add namespace, set hipster-shop as the name, optionally add users, and click Save.

Figure: Manage Namespaces

Figure: Create Namespace

Step 2.2: Create virtual site.

Change to the hipster-shop namespace. Select Manage->Endpoints. Click Add endpoint and enter the configuration as per the following guidelines:

  • Enter hipster-aws-prod in the Name field.
  • Select CE for the Site Type field.
  • Select ves.io/fleet for the Site Selector Expression field and select values as hipster-prod-wasp-east and hipster-prod-wasp-west.
  • Click Add virtual site.

Figure: Virtual Site Creation

Step 2.3: Add endpoint for the clusters using the virtual site.

Change to the hipster-shop namespace. Select Manage->Endpoints. Click Add endpoint and enter the configuration as per the following guidelines:

  • Enter a name in the Name field.
  • Enter Virtual Site for the Where field and select the hipster-aws-prod for the Select ref field.
  • Select Site Local Inside Network for the network type.
  • Select Service Selector Info for Endpoint Specifier field.
  • Select Kubernetes for the Discovery field and Service Name for the Service field.
  • Enter frontend.hipster-shop as the service name.
  • Select TCP as the protocol.
  • Enter 80 for the Port field.
  • Click Add endpoint to create endpoint.

Figure: Endpoint Creation

Step 2.4: Add healthcheck.

Select Manage->Healthcheck. Click Add healthcheck and enter the configuration as per the following guidelines:

  • Enter a name in the Name field.
  • Select HTTP Healthcheck for the Health check field.
  • Enter / for the Path field.
  • Enter 5 and 2 for the Timeout and Interval fields respectively. This sets a timeout of 5 seconds and an interval of 2 seconds for the health check.
  • Enter 3 and 1 for the Unhealthy Threshold and Healthy Threshold fields.
  • Click Add healthcheck.

Figure: Healthcheck Creation

Step 2.5: Add cluster.

Select Manage->Clusters. Click Add cluster and enter the configuration as per the following guidelines:

  • Enter a name in the Name field.
  • Select the endpoint created in Step 2.3 for the Select endpoint field.
  • Select the healthcheck object created in Step 2.4 for the Select healthcheck field.
  • Select Round Robin for the LoadBalancer Algorithm field.
  • Click Add cluster.

Figure: Cluster Creation

Step 2.6: Create a route object.

Select Manage -> Routes. Click Add route to create the route. In the route configuration form, add the cluster object for the Add route field. Select the cluster created and add Regex for the Path Match field in the Match option.

Figure: Route Creation

Step 2.7: Create an advertise policy.

Select Manage -> Advertise Policies. Click Add advertise policy and select Virtual Network for the Where field and select the public network for the Select ref field. Select TCP for the protocol field and enter 443 for the port field.

Note: Selecting the public network advertises the load balancer across the Volterra global application delivery network.

Figure: Advertise Policy Creation

Step 2.8: Switch to the terminal and use vesctl to encrypt the private key of the TLS certificate using Volterra Blindfold.

Use the policy document and public key obtained in Step 1: Deploy Sites & Discover Services. Save the output to a file.

vesctl request secrets encrypt --policy-document wasp-demo-demo-policy-doc --public-key hipster-co-public-key tls.key > tls.key.secret

Note: The tls.key file is the private key of your TLS certificate. You must obtain a TLS certificate, and it is recommended to obtain it from a CA.

Step 2.9: Create a virtual host of type HTTPS Proxy.

Select Manage -> Virtual Hosts. Click Add virtual host and set the configuration as per the following guidelines:

  • Enter a name, set HTTPS_PROXY as the proxy type, and enter hipster-webapp.demo.helloclouds.app as the domain.
  • Select previously defined route and advertise policy.
  • Click TLS Parameters and apply TLS configuration using the Add TLS certificate option. Add the certificate URL in the Certificate URL field.

    Note: Generate Base64 string of your certificate and enter it in the string:/// format.

  • Click Private key and select secret info type as Blindfold secret and enter the secret obtained in previous step in the Location field. Select EncodingNone for the SecretEncoding field and click Apply.
  • Click Add virtual host.

Figure: Virtual Host Creation

Note: It is recommended to add a DNS record at your domain provider so that the domain name points to the correct elastic IP.

You can now access the web application from the browser using the domain name of the virtual host.

Step 2.10: Verify that the request is load balanced between the origin servers.

Change to the hipster-shop namespace and select Virtual Hosts in the configuration menu. Select Load Balancers -> HTTP Load Balancers in the options and select More for your load balancer from the displayed list. Click the Origin Servers tab to verify the requests.

Figure: Load Balancing Between Origin Servers


Step 3: Secure Web App

Securing the ingress and egress traffic requires you to set the network policies, service policies, DDoS protection, WAF, and network firewall.

The following video shows the workflow of securing the ingress and egress:

The examples in this chapter demonstrate how to reject or allow traffic based on network policies and service policies. They also show how to enable DDoS protection using the JavaScript challenge, which forces users to send requests through a browser.

Note: You can use the BGP ASN set along with the service policies to protect your web application from competitor scraping.

Step 3.1: Add BGP ASN set.

Change to the hipster-shop namespace and select Security -> BGP ASN Sets. Click Add BGP ASN set and enter the following configuration:

  • Set a name for the BGP ASN set in the Name field.
  • Click Add as number and enter the ASN numbers from which you want to reject or allow requests. This example adds ASN 7922, from which requests are to be rejected.
  • Click Add BGP ASN set to complete adding the BGP ASN set.

Figure: BGP ASN Set Creation

Step 3.2: Create service policy rules to deny requests from the BGP ASN and allow from the rest of the sources.

Select Security -> Service Policy Rules. Click Add service policy rule and enter the following configuration:

  • Set a name for the policy rule.
  • Select Deny for the Action field.
  • Click AS Matcher field and click Select ASN set. Select the BGP ASN set created and click Select ASN set. Click Apply.
  • Click Add service policy rule to complete creating the service policy rule.

Figure: Service Policy Rule To Deny Traffic From BGP ASN

  • Similarly, create another service policy rule to allow the rest of the traffic by selecting Allow for the Action field.

Step 3.3: Create service policy.

Select Security -> Service Policies. Click Add service policy and enter the following configuration:

  • Set a name for the policy.
  • Select First Rule Match for the Rule Combining Algorithm field.
  • Click Select rule and add the rules created in the previous step. Ensure that you select the Deny rule first, followed by the Allow rule.
  • Click Add service policy to complete creating the service policy.

Figure: Service Policy Configuration
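The ordering rule in Step 3.3 matters because First Rule Match stops at the first rule whose matcher fits the request. The following Python model is an added example, not Volterra's API or evaluation code; the class and function names are mine, and the deny-when-nothing-matches default is an assumption of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ServicePolicyRule:
    """Assumed model of one service policy rule with an optional AS matcher."""
    name: str
    action: str                               # "ALLOW" or "DENY"
    asn_set: FrozenSet[int] = frozenset()     # empty = no AS matcher, matches any source

    def matches(self, source_asn: int) -> bool:
        return not self.asn_set or source_asn in self.asn_set


def first_rule_match(rules: List[ServicePolicyRule], source_asn: int) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first rule matching the source ASN.

    With no matching rule the request is treated as denied here; that default
    is an assumption of this example, not a documented Volterra behaviour.
    """
    for rule in rules:
        if rule.matches(source_asn):
            return rule.action, rule.name
    return "DENY", None


def shadowed_rules(rules: List[ServicePolicyRule]) -> List[str]:
    """Lint: every rule placed after a catch-all (no matcher) rule can never fire."""
    shadowed, seen_catch_all = [], False
    for rule in rules:
        if seen_catch_all:
            shadowed.append(rule.name)
        elif not rule.asn_set:
            seen_catch_all = True
    return shadowed


# The two rules from Step 3.2: deny the BGP ASN set containing 7922, allow everything else.
DENY_ASN = ServicePolicyRule("deny-asn-set", "DENY", frozenset({7922}))
ALLOW_REST = ServicePolicyRule("allow-rest", "ALLOW")
CORRECT_ORDER = [DENY_ASN, ALLOW_REST]
WRONG_ORDER = [ALLOW_REST, DENY_ASN]      # the ordering mistake Step 3.3 warns about

if __name__ == "__main__":
    # 64496 is a constructed ASN from the documentation range, not a real network.
    for asn in (7922, 64496):
        print(asn, first_rule_match(CORRECT_ORDER, asn), first_rule_match(WRONG_ORDER, asn))
    print("shadowed in wrong order:", shadowed_rules(WRONG_ORDER))
```

Running it shows that with the Allow rule first, ASN 7922 is allowed and the Deny rule is reported as shadowed.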

Step 3.4: Create service policy set.

Select Security -> Service Policy Sets. Click Add service policy set and enter the following configuration:

  • Set a name for the policy.
  • Click Select policy and add the policy created in the previous step.
  • Click Add service policy set to complete creating the service policy set.

Figure: Service Policy Set Configuration

Step 3.5: Enable Volterra Fast ACLs.

Fast ACLs prevent DDoS attacks by enforcing rate limiting on the requests.

Change to system namespace and select Security -> Network Security. Select Policer and click Add policer. Enter the configuration as per the following guidelines:

  • Enter a name and select Policer Type as Single-Rate Two-Color Policer.
  • Select Policer Mode as POLICER_MODE_NOT_SHARED.
  • Enter values for the Committed Information Rate and Burst Size fields.
  • Click Add policer to complete creating the policer.

Figure: Policer Creation

Select Fast ACL Rules under the Network Security and click Add fast ACL rule. Enter the configuration as per the following guidelines:

  • Enter a name and select Prefix for the Source field.
  • Click Add prefix and add the IP prefix for which you want to apply the rule.
  • Click Add fast ACL rule to complete creating the Fast ACL rule.

Figure: Fast ACL Rule Creation

Select Fast ACL under the Network Security and click Add fast ACL. Enter the configuration as per the following guidelines:

  • Enter a name and select Public Network for the Virtual Network Type field.
  • Select VIP services for the Ip Type field.
  • Click Select source rule and select the created Fast ACL rule.
  • Click Add fast ACL to complete creating the Fast ACL.

Figure: Fast ACL Creation

Select Fast ACL Set under the Network Security and click Add fast ACL set. Enter the configuration as per the following guidelines:

  • Enter fast-acl-set-regional-edge as the name to apply the fast ACLs to the VIP located on the RE sites.
  • Click Select ACL list and select the created Fast ACL.
  • Click Add fast ACL set to complete creating the Fast ACL set.

Figure: Fast ACL Set Creation
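To see how the Committed Information Rate and Burst Size values from the policer in Step 3.5 decide which packets conform, here is an added token-bucket simulation of a single-rate two-color policer. It is my model for illustration, not Volterra's implementation; the bytes-per-second unit and the constructed packet trace are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class SingleRateTwoColorPolicer:
    """Assumed token-bucket model: CIR refills the bucket, Burst Size caps it."""
    cir: float                      # committed information rate, bytes/s (assumed unit)
    burst: int                      # burst size in bytes, also the bucket capacity
    tokens: Optional[float] = None  # current bucket level
    last_ts: float = 0.0            # timestamp of the previous packet

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = float(self.burst)   # bucket starts full

    def police(self, ts: float, size: int) -> str:
        """Return 'GREEN' (conforming, forwarded) or 'RED' (exceeding, dropped)."""
        if ts < self.last_ts:
            raise ValueError("timestamps must be non-decreasing")
        # Refill at CIR for the elapsed time, never beyond the burst size.
        self.tokens = min(float(self.burst), self.tokens + (ts - self.last_ts) * self.cir)
        self.last_ts = ts
        if size <= self.tokens:
            self.tokens -= size
            return "GREEN"
        return "RED"


def run(policer: SingleRateTwoColorPolicer, packets: Iterable[Tuple[float, int]]) -> List[str]:
    """Police a (timestamp, size) trace and return the colour of each packet."""
    return [policer.police(ts, size) for ts, size in packets]


# Constructed trace: a full 1500-byte burst, an immediate extra packet, then
# packets spaced so that refill at 1000 B/s either covers them or does not.
TRACE = [(0.0, 1500), (0.0, 100), (0.5, 400), (1.0, 600), (1.0, 1)]


def demo() -> List[str]:
    return run(SingleRateTwoColorPolicer(cir=1000, burst=1500), TRACE)


if __name__ == "__main__":
    for (ts, size), colour in zip(TRACE, demo()):
        print(f"t={ts:.1f}s size={size:5d} -> {colour}")
```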

Step 3.6: Enable javascript challenge.

Create a file containing a custom message as plain text or an HTML element and convert it to Base64. This example creates a file named hs-jc with the message in an HTML paragraph.

echo "<p> Welcome to Hipster </p>" > hs-jc
base64 < hs-jc

Change to the hipster-shop namespace and select Manage -> Virtual Hosts. Click ...->Edit for your virtual host to edit the virtual host configuration. Click Javascript Challenge and set the following:

  • Click Enable checkmark.
  • Set javascript delay and cookie expiry periods. This example sets 2000 milliseconds of delay and 200 seconds of cookie expiry.
  • Enter the custom page URL in the string:///<custompage-url> format. Use the Base64 string generated for the custom page.
  • Click Apply and Save changes.

Figure: Javascript Challenge Configuration
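Both the certificate in Step 2.9 and the custom page in Step 3.6 are entered as string:///<Base64> values. The following Python helpers are an added example, not part of vesctl or VoltConsole; the function names are mine. They produce the single-line form the field needs (the GNU base64 CLI wraps at 76 characters unless told not to) and refuse to embed a private key, which belongs in the Blindfold-encrypted Private key field from Step 2.8.

```python
import base64
import re
import sys

# Assumed helper names; not part of vesctl or VoltConsole.
STRING_SCHEME = "string:///"
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def to_string_uri(data: bytes) -> str:
    """Encode raw bytes as a single-line string:///<Base64> value.

    b64encode never inserts line breaks, unlike the base64 CLI on GNU
    systems, which wraps every 76 characters and would corrupt the field.
    """
    return STRING_SCHEME + base64.b64encode(data).decode("ascii")


def from_string_uri(uri: str) -> bytes:
    """Decode a string:/// value back to bytes, rejecting anything malformed."""
    if not uri.startswith(STRING_SCHEME):
        raise ValueError("expected a string:/// URI")
    return base64.b64decode(uri[len(STRING_SCHEME):], validate=True)


def cert_string_uri(pem: bytes) -> str:
    """Build the Certificate URL value for a PEM certificate (or chain).

    Private key material is refused on purpose: it goes into the Private key
    field as a Blindfold secret (Step 2.8), never into the certificate field.
    """
    if b"PRIVATE KEY" in pem:
        raise ValueError("private key material found; encrypt it with Blindfold instead")
    if not PEM_CERT_RE.search(pem):
        raise ValueError("no PEM certificate block found")
    return to_string_uri(pem)


def challenge_page_uri(html: str) -> str:
    """Build the custom page value for the JavaScript challenge (Step 3.6)."""
    return to_string_uri(html.encode("utf-8"))


if __name__ == "__main__":
    # Usage: python string_uri.py tls.crt hs-jc
    with open(sys.argv[1], "rb") as f:
        print(cert_string_uri(f.read()))
    with open(sys.argv[2], encoding="utf-8") as f:
        print(challenge_page_uri(f.read()))
```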

Step 3.7: Create a Web Application Firewall (WAF).

Change to the hipster-shop namespace. Select Security -> App Firewall. Click Add firewall and set the following configuration:

  • Set a name for the firewall.
  • Select BLOCK for the Mode field. This blocks all the suspicious requests.
  • Click Add firewall to complete creating the WAF.

Figure: Web Application Firewall Creation

Step 3.8: Apply the WAF to the virtual host.

Select Manage -> Virtual Hosts and find your virtual host from the displayed list. Click ... -> Edit to open the virtual host edit form. Click WAF Config and select the firewall created in the previous step. Click Apply and Save changes to apply the WAF to the virtual host. This protects load balancer from malicious attacks.

Figure: Enable WAF for Virtual Host


Verification

Perform the following to verify the web application security.

Step 1: Verify if the traffic from specific BGP ASN is rejected and the traffic from all other sources is allowed.

Note: Obtain the ASNs from https://whatismyipaddress.com/ using a regular browser and also an anonymous browser such as TOR. Use one ASN in the denying service policy rule. Verify by loading hipster-webapp.demo.helloclouds.app from both browsers to check that the request from one ASN is blocked and the request from the other ASN is allowed.

Step 2: Open the browser and load the `hipster-webapp.demo.helloclouds.app` domain.

Verify if the request is redirected to the configured custom javascript challenge page.


Concepts