How to Configure GCP for a WAF to Use Appdome MOBILEBot Defense
Introduction
Web Application Firewalls (WAFs) play a crucial role in protecting web applications from a wide range of cyber threats. When combined with Appdome’s MOBILEBot™ Defense solution, businesses can achieve an unparalleled level of protection for their mobile applications. This article will guide you on configuring Google Cloud Platform to connect to a WAF so it can work seamlessly with Appdome MOBILEBot Defense.
Before delving into the steps, let’s understand some of the terms used:
MTLS (Mutual Transport Layer Security): Mutual TLS (mTLS) is a method for mutual authentication in which both parties in a network connection validate the SSL certificates presented by each other against a trusted root Certificate Authority (CA) certificate.
Client Certificate: In cryptography, a client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server.
Safe Session: Represents sessions that are determined to be safe or not at risk of any threat.
At Risk Session: Represents sessions that are potentially under threat or have detected anomalies.
Header Payload: The data transferred in the header of HTTP requests or responses. Protecting this data ensures that it cannot be tampered with during transit.
Prerequisites For Using GCP & Appdome Docker Image
In order to use the GCP Virtual Server in conjunction with Appdome, you’ll need:
- A GCP account with admin permissions
- A GCP server
- An Android or iOS app secured by Appdome MOBILEBot Defense
- An Appdome MOBILEBot Defense License
Getting Started with GCP Setup and Configuration
Set up a Linux Server on GCP
- Create a Project
- Navigate to the GCP Console.
- Click on the project drop-down and create a new project.
-
Enable Compute Engine API
- In the GCP Console, navigate to “APIs & Services” > “Dashboard“
- Click on “+ ENABLE APIS AND SERVICES” and search for “Compute Engine API” Enable it for your project.
-
Create a Virtual Machine (VM)
- In the GCP Console, navigate to “Compute Engine” > “VM instances“
- Click on “Create Instance“
- Configure your VM instance, including selecting the Linux distribution you prefer (e.g., Ubuntu, CentOS).
Note: Make sure to allow HTTP/HTTPS traffic when configuring the firewall rules.
Connect SSH to your VM
gcloud compute ssh YOUR_VM_NAME
Running a Docker Container on GCP
To learn more, see the installation instructions for Installing Docker Engine on Ubuntu
Configure Appdome’s Docker Image
Appdome’s Docker Image is a custom solution to secure apps built on the Appdome platform with the Anti-Bot service enabled. This service functions within a Docker container based on Nginx. To facilitate its operation, users must supply an SSL certificate, config files and keys, and designated environment variables.
Prerequisites: Familiarity with Docker and UNIX-based machines is beneficial.
How Does It Work?
Based on Nginx and Lua, the service employs the Lua module to decrypt the payload and validate the signature, then it proxies the request to the target route as specified in the config file.
The module can be used with either the built-in LRU cache or with Redis, but it is recommended to use the built-in LRU to reduce the overhead of making the calls to Redis and ease the setup. If working in a cluster, it is necessary to use Redis to share storage across multiple instances.
Setup
The following environment variables are required to set up the service.
Environment Variable Name | Required | Description |
REDIS | Optional | Only provide AD_REDIS_HOST if you intend to use it. |
LOG_LEVEL | Optional | The default setting is warn. Available options include: debug, info, notice, warn, error, crit, alert, emerg. All logs are output to the stdout. |
RESOLVER | Mandatory | Provide the resolver DNS server to use for discovering upstream servers. |
PASSTHROUGH | Optional | A key that logs only headers but does not validate them. |
Configs: Located in /home/configs, this folder contains JSON files. The name of the file is task_id, as built on Appdome and the content of the file is a JSON array of the mobile anti bot configuration as provided by Appdome.
“target”: “http://jsonplaceholder.typicode.com/posts/1”
Optional: How to Configure SSL & mTLS
Environment Variable Name | Description |
SSL_ON | In order to enable the reverse proxy to handle SSL connections, you need to mark the SSL_ON=true. Make sure to mount SSL certificates to the container under /etc/nginx/certs/{ssl.crt, key.key}. |
MTLS_ON=true | In order to enable the reverse proxy to handle mTLS, you need to set both SSL_ON and MTLS_ON=true. Make sure to mount the CA certificate that will be used for the mTLS under /etc/nginx/certs/ca.crt. |
FINGERPRINTS | If MTLS_ON=true the certificate fingerprints can be passed to allow only specific certificates identified by a SHA1 fingerprint. The value format should include a string of comma-separated values with a space following each comma as follows: asd, zxc, qwe |
How to run Appdome Docker Image
Connect to your VM, and run the following commands:
-
- Pull the docker image from our public repository:
docker pull public.ecr.aws/n2i7f1e2/appdome-waf:1.0.0
- Pull the docker image from our public repository:
-
- Run the docker image with the following command:
docker run -p 443:443 -p 80:80 -d \ -v "$(pwd)"/certs:/etc/nginx/certs \ -v "$(pwd)"/keys:/home/keys \ -v "$(pwd)"/configs:/home/configs \ -e AD_REDIS_HOST=<redis address> \ -e PASSTHROUGH=false \ -e RESOLVER=<resolver address> \ -e SSL_ON=true \ -e MTLS_ON=true \ -e FINGERPRINTS=asd, zxc, qwe \ -e LOG_LEVEL=debug \ --restart unless-stopped \ public.ecr.aws/n2i7f1e2/appdome-waf:1.0.0
- Run the docker image with the following command:
At this point, you have a machine that will run the Appdome Docker Image. Make sure that your application traffic is routing correctly to the Appdome Docker Image and that the Appdome Docker Image is passing the traffic correctly to the target.
Conclusion
Integrating GCP Virtual Server with Appdome provides robust protection for mobile apps. By understanding and applying the configurations above, businesses can ensure that their mobile app traffic is both secure and optimized.
Related Articles:
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app defense easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free