How to Use Radware's WAF with Appdome MOBILEBot Defense
Introduction
Web Application Firewalls (WAFs), like the one offered by Radware, play a crucial role in protecting web applications from a wide range of cyber threats. Using Radware’s WAF with Appdome’s MOBILEBot™ Defense solution offers app developers a streamlined approach to protect backend APIs against malicious bots and botnets, credential stuffing attacks, DDoS, invalid traffic and other automated attacks. In this guide, you’ll learn how to integrate Appdome’s Docker Image with Radware’s WAF.
Before delving into the steps, let’s understand some of the terms used:
MTLS (Mutual Transport Layer Security): Mutual TLS (mTLS) is a method for mutual authentication in which both parties in a network connection validate the SSL certificates presented by each other against a trusted root Certificate Authority (CA) certificate.
Client Certificate: In cryptography, a client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server.
Safe Session: Represents sessions that are determined to be safe or not at risk of any threat.
At Risk Session: Represents sessions that are potentially under threat or have detected anomalies.
Header Payload: The data transferred in the header of HTTP requests or responses. Protecting this data ensures that it cannot be tampered with during transit.
RSA private and public keys: The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures.
Prerequisites for Using Radware & Appdome Docker Image
For utilizing Appdome MOBILEBot Defense with Radware, you’ll need the following:
- A Radware account with admin permissions
- An AWS, GCP, or Azure server with admin permissions
- An Android or iOS app secured by Appdome MOBILEBot Defense
- An Appdome MOBILEBot Defense License
Getting Started with Radware WAF Setup and Configuration
- Upload SSL Certificates
- In the Radware portal, navigate to Assets > Certificates.
- In the Radware portal, navigate to Assets > Certificates.
2. Add a new certificate
-
- Click the + sign to add a new certificate.
- Click the + sign to add a new certificate.
-
- Add your private key
- Click Save
3. Create a new application
-
- Enter your Display Name
- Click Save
- Configure your VM instance, including selecting the Linux distribution you prefer (e.g., Ubuntu, CentOS).
4. Add an Application Domain
-
- In the Radware portal, Navigate to the Network tab
- Enter your Application Domain Name
- Click Save
4. Add Application Services
-
- Add a new service
- Configure the Front-End port 443
- Configure the Back-End port 443
- Add your SSL certificate
- Click Save
5. Add an Origin Server
-
- Add a FQDN ipv4 server address and your server domain name
Note: This is where the Appdome Docker Image instance will run
- Add a FQDN ipv4 server address and your server domain name
IMPORTANT: It is only necessary to configure the mTLS if you have enabled mTLS in the Appdome fuse process. Otherwise, skip ahead to the section “Configure Appdome’s Docker Image“
Configure mTLS
-
- Click on Advanced
- Select the root CA certificate.
- Click Save
- Turn on the mTLS toggle
At this point everything on the Radware side is ready, you can now set up your GCP, Azure or AWS sever or any cloud provider of your choice.
Links to Dedicated KBs:
- GCP: For setting up a server on Google Cloud Platform and configuring it with Appdome’s Docker Image, follow this guide.
- Azure: For setting up a server on Microsoft Azure and configuring it with Appdome’s Docker Image, follow this guide.
- AWS: For setting up a server on Amazon Web Services and configuring it with Appdome’s Docker Image, follow this guide.
After setting up your server of choice, continue with setting up Appdome Docker Image.
Configure Appdome’s Docker Image
Appdome’s Docker Image is a custom solution to secure apps built on the Appdome platform, with the MOBILEBot Defense service enabled. This service functions within a Docker container that’s based on nginx. To facilitate its operation, users must supply an SSL certificate, a private RSA key, and designated environment variables.
Prerequisites: Familiarity with Docker and UNIX-based machines is beneficial.
How Does It Work?
The service is based on nginx and Lua, it uses the Lua module to decrypt the payload and validate the signature, then it uses the request to be proxied to the AD_TARGET route.
The module can be used with either the built-in LRU cache or with Redis, but it is recommended to use the built-in LRU to reduce the overhead of making the calls to Redis and ease the setup.
Setup
The following steps are required to set up the service.
- Mount SSL certificates to the container, under /etc/ssl/certs/{ssl_certificate.crt, ssl_certificate_key.key}.
- Mount CA certificate that wil be used for mTLS to the container, under /etc/nginx/client_certs/ca.crt.
- Mount a private RSA key for payload decryption to the container, the pair to the public key provided in the build process. under /home/lua/private.pem
- Provide AD_SERVER_NAME – domain to which the service will respond.
- Provide AD_HOST – host header to override.
- Provide AD_TARGET – target URL to which the request will be proxied.
- Provide AD_SHARED_SECRET – shared secret used in the encrypted message.
- Provide COMPROMISED_SECRET – compromised secret used in the compromised encrypted message.
- Provide AD_MODULE of redis if you plan on using Redis as the cache. Make sure it is accessible from the container and is located as close as possible to the container, be it on the same network, same availability zone or same server rack.
- If AD_MODULE is redis, provide AD_REDIS_HOST.
How To Run
Setup the following environment variables.
- Copy the following files from your local machine onto the VM:
- Copy SSL certificates to:
/home/\<user\>/certs/ssl - Copy the Root CA certificate to:
/home/\<user\>/rootCA.crt - Copy a private RSA key for payload decryption, the pair to the public key provided in the build process to:
/home/<user>/private.pemExample command:
scp mykey.key ec2-user@INSTANCE_IP:/home/ec2-user/certs/ssl_certificate_key.key
- Copy SSL certificates to:
- Connect to your VM, and run the following commands:
- Pull the docker image from our public repository:
docker pull public.ecr.aws/n2i7f1e2/appdome-waf:basic-0.0.0
- Pull the docker image from our public repository:
- Note: If you are using Radware in conjunction with either Azure, GCP or AWS, make sure to populate the <server name> field with the domain name that is registered for this service. It needs to be the same server name that was configured in your Radware Origin server setup.
-
- Run the docker image with the following command:
docker run -p 443:443 -p 80:80 \ -v "$(pwd)"/certs/ssl:/etc/ssl/ \ -v "$(pwd)"/rootCA.crt:/etc/nginx/client_certs/ca.crt \ -e AD_SERVER_NAME= <domain to which the service will respond> \ -e AD_TARGET= <target URL to which the request will be proxied> \ -e AD_HOST= <host header to override> \ -e AD_SHARED_SECRET= <shared secret used in the encrypted message> \ -e AD_COMPROMISED_SECRET= <compromised secret used in the compromised encrypted message> \ public.ecr.aws/n2i7f1e2/appdome-waf:basic-0.0.0
- Run the docker image with the following command:
Conclusion
By integrating Akamai with your preferred Virtual Server and using Appdome’s MOBILEBot Defense, you can protect your backend APIs against malicious bots and enhance the security of mobile apps. By mastering and implementing the aforementioned configurations, businesses can safeguard and optimize their mobile app traffic.
Related Articles:
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app defense easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.
