Load Balancing Nginx Web Servers with OWASP Top 10 WAF in AWS

Similar documents
Load Balancing Web Servers with OWASP Top 10 WAF in AWS

Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure

Load Balancing Web Servers with OWASP Top 10 WAF in Azure

Load Balancing FreePBX / Asterisk in AWS

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Microsoft Print Server

Load Balancing Fujifilm SYNAPSE. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org, Inc

Load Balancing VMware Horizon View. Deployment Guide v Copyright Loadbalancer.org, Inc

Enterprise Azure Quick Start Guide v8.3.0

Load Balancing Censornet USS Gateway. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Microsoft OCS Deployment Guide v Copyright Loadbalancer.org

Load Balancing RSA Authentication Manager. Deployment Guide v Copyright Loadbalancer.org, Inc

Enterprise EC2 Quick Start Guide v1.3

Load Balancing OKI DICOM-Embedded Printers. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Sage X3 ERP. Deployment Guide v Copyright Loadbalancer.org, Inc

Load Balancing Microsoft Remote Desktop Services. Deployment Guide v Copyright Loadbalancer.org, Inc

Load Balancing Microsoft AD FS. Deployment Guide v Copyright Loadbalancer.org

LB Cache Quick Start Guide v1.0

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Oracle Application Server

This guide provides a quick reference for setting up SIP load balancing using Loadbalancer.org appliances.

Load Balancing Microsoft 2012 DirectAccess. Deployment Guide v Copyright Loadbalancer.org, Inc

Loadbalancer.org WAF Gateway with Metaswitch EAS DSS/SSS

Load Balancing Microsoft Exchange Deployment Guide v Copyright Loadbalancer.org

Amazon Virtual Private Cloud. Getting Started Guide

Load Balancing Microsoft Terminal Services. Deployment Guide v Copyright Loadbalancer.org, Inc

How to Setup Total Application Security

Load Balancing Microsoft Lync 2010 / Deployment Guide v Copyright Loadbalancer.org

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

Microsoft Sharepoint 2010 Deployment Guide

Load Balancing Nuance AutoStore. Deployment Guide v Copyright Loadbalancer.org

CogniFit Technical Security Details

Load Balancing Microsoft Sharepoint 2010 / Deployment Guide v Copyright Loadbalancer.org, Inc

SonicWall Web Application Firewall 2.0. AWS Deployment Guide

Load Balancing Microsoft Remote Desktop Services. Deployment Guide v Copyright Loadbalancer.org

CloudEdge Deployment Guide

Elastic Load Balancing. User Guide. Date

Load Balancing Microsoft AD FS. Deployment Guide v Copyright Loadbalancer.org, Inc

Elastic Load Balance. User Guide. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Immersion Day. Getting Started with Windows Server on Amazon EC2. June Rev

Load Balancing Medical Imaging & Information System Protocols. Deployment Guide v Copyright Loadbalancer.org

Web Application Firewall Getting Started Guide. September 7, 2018

VMware Horizon View Deployment

Overview. AWS networking services including: VPC Extend your network into a virtual private cloud. EIP Elastic IP

Load Balancing Microsoft Exchange Deployment Guide v Copyright Loadbalancer.org, Inc

DPI-SSL. DPI-SSL Overview

Loadbalancer.org Virtual Appliance quick start guide v6.3

Pexip Infinity and Amazon Web Services Deployment Guide

Elastic Load Balance. User Guide. Issue 14 Date

Pexip Infinity and Amazon Web Services Deployment Guide

EdgeConnect for Amazon Web Services (AWS)

Qualys Cloud Platform (VM, PC) v8.x Release Notes

CloudEdge SG6000-VM Installation Guide

Services and Networking

Load Balancing Microsoft Skype For Business. Deployment Guide v Copyright Loadbalancer.org, Inc

Load Balancing Microsoft Exchange Deployment Guide v Copyright Loadbalancer.org, Inc

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

FortiMail AWS Deployment Guide

NGF0502 AWS Student Slides

Sputnik Installation and Configuration Guide

CPM. Quick Start Guide V2.4.0

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

HySecure Quick Start Guide. HySecure 5.0

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

VNS3:turret WAF Guide Sept 2015

Configuring VPC Peering For AWS

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

Installing and Configuring vcloud Connector

Distil Networks & HAProxy Integration Guide

VMware Content Gateway to Unified Access Gateway Migration Guide

MICROSTRATEGY PLATFORM ON AWS MARKETPLACE. Quick start guide to use MicroStrategy on Amazon Web Services - Marketplace

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services

AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster

Eucalyptus User Console Guide

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

TIBCO Cloud Integration Security Overview

WAF on AWS Deployment Kit. On Demand. Configuration Guide

Puppet on the AWS Cloud

How to Deploy an AMI Test Agent in Amazon Web Services

File Reputation Filtering and File Analysis

Appliance Administration Manual v8.3.0

Loadbalancer.org. Loadbalancer.org appliance quick setup guide. v6.4

Eucalyptus User Console Guide

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4

Deployment Guide Apr-2019 rev. a. Array Networks APV/vAPV Series ADCs and eclinicalworks Application Servers

PCoIP Connection Manager for Amazon WorkSpaces

Magento Commerce Architecture and Security Model Last updated: Aug 2017

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Implementing Infoblox Data Connector 2.0

CPM Quick Start Guide V2.2.0

Web Cloud Solution. User Guide. Issue 01. Date

QUICK START: VERITAS STORAGE FOUNDATION BASIC FOR AMAZON EC2

Note: Currently (December 3, 2017), the new managed Kubernetes service on Azure (AKS) does not yet support Windows agents.

Appliance Quick Start Guide v8.0

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud

Load Balancing VMware Workspace Portal/Identity Manager

Figure 1 0: AMI Instances

Installing and Configuring vcloud Connector

Transcription:

Load Balancing Nginx Web Servers with OWASP Top 10 WAF in AWS Quick Reference Guide V1.0.2 ABOUT THIS GUIDE This document provides a quick reference guide on how to load balance Nginx Web Servers and configure a WAF using the Enterprise AWS Loadbalancer.org Amazon cloud appliance. The WAF addresses the OWASP Top 10 vulnerabilities and is very quick and simple to deploy SSL offload is handled by STunnel, HAProxy handles back-end server re-encryption RELATED DOCUMENTATION For additional information about the Loadbalancer.org AWS Appliance, please also refer to the following documents: Administration Manual AWS Quick Start Guide LOAD BALANCED PORTS Port Use Transport Layer Protocol 80 HTTP TCP 443 HTTPS TCP VPC SECURITY GROUP INBOUND RULES The following inbound rules must be configured in your Security Group: For Management: TCP 22 (SSH), TCP 9443 (Appliance WebUI), 7777 (HAProxy Stats page) For Nginx services: TCP 80 (HTTP), TCP 443 (HTTPS) LOAD BALANCER CONFIGURATION Page 1

DEPLOY THE LOADBALANCER.ORG AWS APPLIANCE 1. Deploy an AWS Loadbalancer.org appliance as detailed in the Quick Start Guide ACCESSING THE APPLIANCE WEBUI Using a browser, navigate to the Public DNS name or Public IP address on port 9443, i.e. https://<public DNS name>:9443 or https://<public IP address>:9443 You'll receive a warning about the certificate as it's a self signed cert not related to an Internet based CA. Confirm you want to continue and a login prompt will be displayed. Use the following default credentials: Username: loadbalancer Password: <EC2 Instance-ID> Note: To change the password for the 'loadbalancer' account, use the WebUI option: Maintenance > Passwords. Once logged in, the WebUI is displayed: Page 2

CONFIGURATION DIAGRAM The diagram below shows how the system is configured. CONFIGURE THE VIRTUAL SERVICE (VIP) 1. Using the WebUI, navigate to: Cluster Configuration > Layer 7 Virtual Services and click Add a New Virtual Service 3. Enter the required Label (name) for the VIP, e.g. Web1 4. Set the Virtual Service IP address field to the required IP address, e.g. 10.0.0.125 5. Set the Virtual Service Ports field to the required port, e.g. 80 6. Leave Layer 7 Protocol set to HTTP Mode 7. Click Update DEFINE THE REAL (NGINX) SERVERS 1. Using the WebUI, navigate to: Cluster Configuration > Layer 7 Real Servers and click Add a new Page 3

Real Server next to the newly created VIP 3. Enter an appropriate label for the Real Server, e.g. Nginx1 4. Set the Real Server IP Address field to the required address, e.g. 10.0.0.150 5. Leave the Real Server Port field blank 6. Enable (check) Re-Encrypt to Backend 7. Click Update 8. Repeat the above steps to add your other Nginx server(s) UPLOAD THE PUBLIC SSL CERTIFICATE 1. Using the WebUI, navigate to: Cluster Configuration > SSL Certificate and click Add a New SSL Certificate 2. Select Upload prepared PEM/PFX file 3. Enter the following details: 4. Specify and Label (name) for the certificate, e.g. Cert1 5. Click Choose File and browse to and select the relevant PFX or PEM file 6. Enter the PFX file Password 7. Click Add Certificate CONFIGURE THE STUNNEL VIRTUAL SERVICE (VIP) STunnel is used to terminate SSL on the load balancer. 1. Using the WebUI, navigate to: Cluster Configuration > SSL Termination and click Add a New Virtual Page 4

Service 3. Enter the required Label (name) for the Virtual Service, e.g. SSL1 4. Select the required certificate in the SSL Certificate drop-down 5. Set the Virtual Service IP address to be the same as the VIP created previously, e.g. 10.0.0.125 6. Set the Virtual Service Port field to 443 7. Set the Backend Virtual Service IP address to be the same as the VIP created previously, e.g. 10.0.0.125 8. Set the Backend Virtual Service Port field to 80 9. The other settings can typically be left at their default values 10. Click Update CONFIGURE THE WAF 1. Using the WebUI, navigate to: Cluster Configuration > WAF Gateway and click Add a New WAF Gateway 3. Select the VIP created previously, e.g. Web1 Page 5

4. Specify a suitable WAF label (name), e.g. WAF1 5. Leave Rule Engine Traffic Blocking unchecked for now Note: While disabled, this option ensures that the ModSecurity Rule Engine logs any critical errors. You should leave the WAF in this mode until you are confident that the error logs are not showing false positives. Once you are confident you can enable this mode and the WAF will start blocking any malicious requests with a 403 Forbidden response. 6. Click Update APPLY THE NEW SETTINGS 1. Once the configuration is complete, use the Reload HAProxy, Restart STunnel and Reload WAF buttons at the top of the screen to commit the changes. ASSOCIATE AN EIP WITH THE VIRTUAL SERVICES An EIP is added and associated with the VIP to provide a public IP address for client connections. 1. Using the WebUI, navigate to: EC2 > EC2 Network Configuration 2. Click Allocate New Elastic IP, this will request an EIP from Amazon using API calls 3. Click [Associate] to associate the EIP to the Virtual Service private IP address This association is then displayed as shown below: Page 6

TESTING The load balanced Nginx Web Servers should now be accessible on ports 80 & 443 using the EIP address or corresponding public DNS name. LOGGING CLIENT SOURCE IP ADDRESSES IN NGINX The Nginx service on a web server can be configured to store the value of X-Forwaded-For headers for incoming web traffic. These headers are added by default by the load balancer. This allows upstream servers and network devices to see the real source IP addresses of clients, even though the load balancer is acting as a proxy. For full details on how to configure Nginx for this, see our blog post: https://www.loadbalancer.org/blog/nginx-and-x-forwarded-for-header/ LOADBALANCER.ORG TECHNICAL SUPPORT Don't hesitate to contact our support team if you need further assistance: support@loadbalancer.org Page 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback