Hi Blason,
> Can someone suggest to me on my topology or how do I implement CRS with Nginx in AWS for portals with CDN?
This is beyond the scope of the Core Rule Set. You might want to find
an AWS consultant to provide professional advice, especially as you
ask about AWS services and how they might behave. But I can still
provide my personal opinion :)
Firstly, are you stuck with nginx? I always suggest Apache +
ModSecurity v2 for stability in production.
Secondly, bear in mind that AWS offer a platform-integrated AWS+CRS
WAF service (you might say "CRS-lite"). It doesn't provide the level
of control you'd have if you built your own WAF boxes, but using AWS'
integrated service is probably cheaper and simpler. I think they may
also have some CloudFront-specific WAF integration, too.
> I am planning to install one EC2 instance in AWS with Nginx/Modsec/CRS 3.3.4.
You definitely don't want to introduce a single point of failure
(unless your client finds that to be acceptable! And then you should
explain to them why it isn't!).
You already have redundancy through your cluster of four back end
servers: you don't want to put them at the mercy of a single box
sitting in front. High availability is always your friend: you'll want
to provision *at least two* WAF boxes, whether that's in an
active-passive setup or an active-active setup (or
active-active-active, etc.). That's also more scalable: too much
traffic creating too much CPU/RAM load? Simply provision an extra WAF
box to your WAF layer. That's much easier than juggling a single box
between EC2 instance types, trying to add vCPUs, etc. and probably
causing an outage in the process...
> If I activate CDN on AWS, do I need to protect CDN mirrors as well with WAF?
> Or should only a main server have protection, and static content will automatically be cached by CloudFront distributions?
I can't comment on how CloudFront behaves as I've never used it. But
if I understand your requirements correctly, you'll want to put your
WAF boxes in front of your origin servers and to put the
CDN/acceleration layer in front of that, towards the edge.
Happy architect-ing!
Thanks,
Andrew
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 /
+44 (0)330 380 1064
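As an added illustration (not part of Andrew's reply and not Loadbalancer.org's own configuration), here is how one node of the WAF layer described above might be configured: Nginx with the ModSecurity connector and CRS proxying to the four origin servers, with the CDN edge trusted as the source of the real client address so CRS IP-based rules and logs do not see every request as coming from the CDN. Hostnames, file paths, backend addresses and the CDN address range are assumed placeholders.

```nginx
# Added example: one node of a WAF layer (Nginx + ModSecurity connector + CRS)
# sitting between the CDN and the four origin servers. Every WAF node carries the
# same file; the load balancer in front spreads traffic across them.
load_module modules/ngx_http_modsecurity_module.so;

events { worker_connections 1024; }

http {
    # The CDN terminates the visitor's connection, so the TCP peer is a CDN edge.
    # Trust X-Forwarded-For only from the CDN's published ranges; otherwise any
    # client could spoof its address to the WAF.
    set_real_ip_from 203.0.113.0/24;   # placeholder: use the CDN's real ranges
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    # Backend pool: the existing cluster of four origin servers from the thread.
    upstream origin_pool {
        server 10.0.1.11:8080;   # placeholder addresses
        server 10.0.1.12:8080;
        server 10.0.1.13:8080;
        server 10.0.1.14:8080;
        keepalive 32;
    }

    server {
        listen 443 ssl;
        server_name portal.example.com;                # assumed hostname
        ssl_certificate     /etc/nginx/tls/portal.crt; # assumed paths
        ssl_certificate_key /etc/nginx/tls/portal.key;

        # Turn the engine on and load CRS. main.conf is assumed to contain:
        #   Include /etc/nginx/modsec/modsecurity.conf
        #   Include /etc/nginx/modsec/crs/crs-setup.conf
        #   Include /etc/nginx/modsec/crs/rules/*.conf
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            proxy_pass http://origin_pool;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Because the origins sit behind the WAF pool rather than the CDN directly, the security groups on the four backends can be restricted to the WAF nodes' addresses so traffic cannot bypass inspection.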