Can I implement CRS like this? Please suggest on my topology


Blason R
Jan 3, 2023, 1:42:20 AM
to ModSecurity Core Rule Set project
Hi Team,

Can someone advise me on my topology, or on how I should implement CRS with Nginx in AWS for portals with a CDN?

The customer has 4 web servers installed on-premise and wants to protect those with a WAF. He does not want to keep the WAF on-premise and wants to go with a cloud setup. Hence I am planning to install one EC2 instance in AWS with Nginx/Modsec/CRS 3.3.4. With the Nginx reverse proxy, traffic will then be routed from Nginx to their on-premise servers. That is, I will have an A record pointed at my Elastic IP, and the customer will have a CNAME pointed at their A record:

1.2.3.4   A     elb.waf.com

The customer would like to activate CloudFront as well, and my queries pertain to my WAF setup:
  • If I activate the CDN on AWS, do I need to protect the CDN mirrors with the WAF as well?
  • Or should only the main server have protection, with static content automatically cached by the CloudFront distributions?
  • Can someone please help me understand the topology?

Andrew Howe
Jan 4, 2023, 2:14:52 PM
to Blason R, ModSecurity Core Rule Set project
Hi Blason,

> Can someone advise me on my topology, or on how I should implement CRS with Nginx in AWS for portals with a CDN?

This is beyond the scope of the Core Rule Set. You might want to find
an AWS consultant to provide professional advice, especially as you
ask about AWS services and how they might behave. But I can still
provide my personal opinion :)

Firstly, are you stuck with nginx? I always suggest Apache +
ModSecurity v2 for stability in production.

Secondly, bear in mind that AWS offer a platform-integrated AWS+CRS
WAF service (you might say "CRS-lite"). It doesn't provide the level
of control you'd have if you built your own WAF boxes, but using AWS'
integrated service is probably cheaper and simpler. I think they may
also have some CloudFront-specific WAF integration, too.

> I am planning to install one EC2 instance in AWS with Nginx/Modsec/CRS 3.3.4.

You definitely don't want to introduce a single point of failure
(unless your client finds that to be acceptable! And then you should
explain to them why it isn't!).

You already have redundancy through your cluster of four back end
servers: you don't want to put them at the mercy of a single box
sitting in front. High availability is always your friend: you'll want
to provision *at least two* WAF boxes, whether that's in an
active-passive setup or an active-active setup (or
active-active-active, etc.). That's also more scalable: too much
traffic creating too much CPU/RAM load? Simply provision an extra WAF
box to your WAF layer. That's much easier than juggling a single box
between EC2 instance types, trying to add vCPUs, etc. and probably
causing an outage in the process...

> If I activate the CDN on AWS, do I need to protect the CDN mirrors with the WAF as well?
> Or should only the main server have protection, with static content automatically cached by the CloudFront distributions?

I can't comment on how CloudFront behaves as I've never used it. But
if I understand your requirements correctly, you'll want to put your
WAF boxes in front of your origin servers and to put the
CDN/acceleration layer in front of that, towards the edge.

Happy architect-ing!

Thanks,
Andrew

--

Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
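As an added example for the topology discussed in the two posts above (it is not configuration from this thread, from the CRS project or from the replier), the block below is one node of the WAF layer: nginx with the ModSecurity v3 connector and CRS 3.3.4, reverse-proxying to the four on-premise origins, with CloudFront and a load balancer in front of it. The hostnames, IP addresses, ranges and file paths are placeholders; `elb.waf.com` is the A record named in the first post.

```nginx
# One node of the WAF layer (added example, not from the thread).
# Assumes nginx built with the ModSecurity v3 connector and CRS 3.3.4
# unpacked under /etc/nginx/modsec/coreruleset/ (paths are assumptions).
# /etc/nginx/modsec/main.conf is assumed to be the usual three-line file:
#   Include /etc/nginx/modsec/modsecurity.conf      (SecRuleEngine On)
#   Include /etc/nginx/modsec/coreruleset/crs-setup.conf
#   Include /etc/nginx/modsec/coreruleset/rules/*.conf
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    # Log both the derived client IP and the address of the hop that
    # actually connected (CloudFront / load balancer) for incident triage.
    log_format waf '$remote_addr via $realip_remote_addr "$request" $status';

    # The four on-premise origins. A server that fails max_fails times is
    # taken out of rotation for fail_timeout, so one dead origin does not
    # take the portal down. Addresses are placeholders.
    upstream onprem_origins {
        server 203.0.113.11:443 max_fails=3 fail_timeout=30s;
        server 203.0.113.12:443 max_fails=3 fail_timeout=30s;
        server 203.0.113.13:443 max_fails=3 fail_timeout=30s;
        server 203.0.113.14:443 max_fails=3 fail_timeout=30s;
        keepalive 32;
    }

    # Behind CloudFront or a load balancer, $remote_addr is that hop's
    # address, so any CRS logic keyed on the client IP would see the CDN,
    # not the client. Trust X-Forwarded-For only from the known hops.
    set_real_ip_from 10.0.0.0/8;     # placeholder: the load balancer's range
    # set_real_ip_from ...;          # add CloudFront's published ranges here
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    server {
        listen 443 ssl;
        server_name elb.waf.com;
        ssl_certificate     /etc/nginx/tls/elb.waf.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/elb.waf.com.key;   # placeholder
        access_log /var/log/nginx/waf.access.log waf;

        # Health check for the load balancer in front of the WAF layer.
        # It never reaches the origins and is excluded from CRS to keep
        # the audit log free of probe noise.
        location = /_waf_health {
            modsecurity off;
            return 200 "ok\n";
        }

        # Everything else is inspected by CRS, then proxied to the origins.
        location / {
            modsecurity on;
            modsecurity_rules_file /etc/nginx/modsec/main.conf;

            proxy_pass https://onprem_origins;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Retry the next origin on connection errors and 5xx replies.
            proxy_next_upstream error timeout http_502 http_503 http_504;
        }
    }
}
```

With two or more nodes running this configuration behind a load balancer, a node can be added or drained without touching the origins, which is the high-availability point made in the reply above. In this layout anything CloudFront forwards to the origin passes CRS first; whether static content is served from the CDN cache or also routed through the WAF is a CloudFront caching decision the thread leaves open. One check worth doing in any such deployment: the node's Elastic IP is reachable directly, so unless the security group or nginx restricts origin access to the CDN and load-balancer addresses, a client can bypass CloudFront and reach the WAF node itself; CRS still inspects that request, but any controls configured on the CDN side are skipped.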

Blason R
Jan 4, 2023, 8:06:37 PM
to Andrew Howe, ModSecurity Core Rule Set project
Thanks for your valuable suggestion. And yes, HA matters the most, but I was thinking from the CloudFront perspective.