How to Configure AWS Virtual Server for a WAF to Use Appdome MOBILEBot Defense

Last updated November 29, 2023 by Appdome

Introduction

Web Application Firewalls (WAFs), like the one offered by AWS, play a crucial role in protecting web applications from a wide range of cyber threats. When combined with Appdome’s MOBILEBot™ Defense solution, businesses can achieve an unparalleled level of protection for their mobile applications. This article will guide you on configuring your AWS Virtual Server to connect to a WAF so it can work seamlessly with Appdome MOBILEBot Defense.

Before delving into the steps, let’s understand some of the terms used:

MTLS (Mutual Transport Layer Security): Mutual TLS (mTLS) is a method for mutual authentication in which both parties in a network connection validate the SSL certificates presented by each other against a trusted root Certificate Authority (CA) certificate.

Client Certificate: In cryptography, a client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server.

Safe Session: Represents sessions that are determined to be safe or not at risk of any threat.

At Risk Session: Represents sessions that are potentially under threat or have detected anomalies.

Header Payload: The data transferred in the header of HTTP requests or responses. Protecting this data ensures that it cannot be tampered with during transit.

RSA private and public keys: The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures.

Prerequisites for Using AWS & Appdome Docker Image

In order to use the AWS Virtual Server in conjunction with Appdome, you’ll need:

An AWS server with admin permissions
An Android or iOS app secured by Appdome MOBILEBot Defense
An Appdome MOBILEBot Defense License

How to Configure the WAF to Parse Safe Session and At Risk Session

When Appdome’s code is integrated into the AWS Virtual Server, it enhances the firewall’s capability to determine the validity of a session. To categorize sessions as “Safe Session” or “At Risk Session”, Appdome’s code analyzes specific headers within incoming requests: Timestamp, Nonce, and SignedMessage. The Timestamp header allows Appdome’s code to detect potential delay attacks by comparing the request’s timestamp with the server’s time. The Nonce, a unique random value, ensures the uniqueness of each request, protecting against replay attacks. The SignedMessage, typically an RSA-encrypted SHA256 hash of the timestamp, nonce, and a shared secret, ensures the integrity of the request.

Getting Started with AWS Setup and Configuration

Setting up a Linux Server on AWS

Follow these steps to configure a Linux server on AWS, and launch a Docker container with open network settings.

Create an EC2 instance
- - In the AWS portal, navigate to the EC2 Dashboard.
- Click “Launch Instance” to create a new EC2 instance.
Create a Virtual Machine (VM)
- In the AWS portal, go to EC2 -> Instances -> Launch an Instance
- Choose an Amazon Machine Image (AMI) with your preferred Linux distribution (e.g., Amazon Linux, Ubuntu, CentOS)
Select Instance type
- Note: Make sure to select a VPC that allows the AWS server to send and receive traffic from both the server (i.e. Radware) and your organization end-point server.
Configure security groups
- This allow inbound traffic on the necessary ports (e.g., 80, 443).
Click on Launch Instance
Select your newly created instance.

Connect SSH to Your EC2 Instance

Click Connect
Navigate to the SSH Client Tab

3. Enter the following SSH command to connect to your EC2 Instance

 ssh -i YOUR_KEY_PAIR.pem ec2-user@YOUR_INSTANCE_IP

Note: Make sure to replace placeholders such as YOUR_KEY_PAIR.pem, YOUR_INSTANCE_IP, and any other specific details with your actual values and preferences.

Running a Docker Container on an AWS Server

Inside your EC2 instance, install Docker:

 sudo yum update -y

sudo amazon-linux-extras install docker

sudo service docker start

sudo usermod -a -G docker ec2-user IP

Run a Docker Container

 docker run hello-world

Once this command runs successfully, continue with setting up an Appdome Docker Image

Configure Appdome’s Docker Image

Appdome’s Docker Image is a custom solution to secure apps built on the Appdome platform, with the Anti-Bot service enabled. This service functions within a Docker container that’s based on nginx. To facilitate its operation, users must supply an SSL certificate, a private RSA key, and designated environment variables.

Prerequisites: Familiarity with Docker and UNIX-based machines is beneficial.

How Does It Work?

The service is based on nginx and Lua, it uses the Lua module to decrypt the payload and validate the signature, then it uses the request to be proxied to the AD_TARGET route.
The module can be used with either the built-in LRU cache or with Redis, but it is recommended to use the built-in LRU to reduce the overhead of making the calls to Redis and ease the setup.

Setup

The following steps are required to set up the service.

Mount SSL certificates to the container, under /etc/ssl/certs/{ssl_certificate.crt, ssl_certificate_key.key}.
Mount CA certificate that wil be used for mTLS to the container, under /etc/nginx/client_certs/ca.crt.
Mount a private RSA key for payload decryption to the container, the pair to the public key provided in the build process. under /home/lua/private.pem
Provide AD_SERVER_NAME – domain to which the service will respond.
Provide AD_HOST – host header to override.
Provide AD_TARGET – target URL to which the request will be proxied.
Provide AD_SHARED_SECRET – shared secret used in the encrypted message.
Provide COMPROMISED_SECRET – compromised secret used in the compromised encrypted message.
Provide AD_MODULE of redis if you plan on using Redis as the cache. Make sure it is accessible from the container and is located as close as possible to the container, be it on the same network, same availability zone or same server rack.
If AD_MODULE is redis, provide AD_REDIS_HOST.

How To Run

Setup the following environment variables.

Copy the following files from your local machine onto the VM:
- Copy SSL certificates to:
```
/home/\<user\>/certs/ssl
```
- Copy the Root CA certificate to:
```
/home/\<user\>/rootCA.crt
```
- Copy a private RSA key for payload decryption, the pair to the public key provided in the build process to:
```
/home/<user>/private.pem
```
  Example command:
```
scp mykey.key ec2-user@INSTANCE_IP:/home/ec2-user/certs/ssl_certificate_key.key
```
Connect to your VM, and run the following commands:
- Pull the docker image from our public repository:
```
docker pull public.ecr.aws/n2i7f1e2/appdome-waf:basic-0.0.0
```

Note: If you are using Radware and AWS, make sure to populate the <server name> field with the domain name that is registered for this service. It needs to be the same server name that was configured in your Radware Origin server setup.

Run the docker image with the following command:

docker run -p 443:443 -p 80:80 \  
-v "$(pwd)"/certs/ssl:/etc/ssl/ \  
-v "$(pwd)"/rootCA.crt:/etc/nginx/client_certs/ca.crt \  
-e AD_SERVER_NAME= <domain to which the service will respond> \  
-e AD_TARGET= <target URL to which the request will be proxied> \  
-e AD_HOST= <host header to override> \  
-e AD_SHARED_SECRET= <shared secret used in the encrypted message> \  
-e AD_COMPROMISED_SECRET= <compromised secret used in the compromised encrypted message>  \
public.ecr.aws/n2i7f1e2/appdome-waf:basic-0.0.0

Conclusion

Integrating AWS Virtual Server with Appdome provides robust protection for mobile apps. By understanding and applying the configurations above, businesses can ensure that their mobile app traffic is both secure and optimized.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app defense easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.