How to Use Fastly's WAF with Appdome MobileBOT™ Defense

Last updated June 18, 2024 by Appdome

Introduction

Web Application Firewalls (WAFs), like the one offered by Fastly, play a crucial role in protecting web applications from a wide range of cyber threats. Using Fastly’s WAF with Appdome’s MobileBOT™ Defense solution offers app developers a streamlined approach to protect backend APIs against malicious bots and botnets, credential stuffing attacks, DDoS, invalid traffic and other automated attacks. In this guide, you’ll learn how to integrate Appdome’s Docker Image with Fastly’s WAF.

Before delving into the steps, let’s understand some of the terms used:

MTLS (Mutual Transport Layer Security): Mutual TLS (mTLS) is a method for mutual authentication in which both parties in a network connection validate the SSL certificates presented by each other against a trusted root Certificate Authority (CA) certificate.

Client Certificate: In cryptography, a client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server.

Safe Session: Represents sessions that are determined to be safe or not at risk of any threat.

At Risk Session: Represents sessions that are potentially under threat or have detected anomalies.

Header Payload: The data transferred in the header of HTTP requests or responses. Protecting this data ensures that it cannot be tampered with during transit.

When Appdome’s code is integrated into the Virtual Server, it enhances the firewall’s capability to determine the validity of a session. To categorize sessions as “Safe Session” or “At Risk Session”, Appdome’s code analyzes specific headers within incoming requests: Timestamp, Nonce, and SignedMessage. The Timestamp header allows Appdome’s code to detect potential delay attacks by comparing the request’s timestamp with the server’s time. The Nonce, a unique random value, ensures the uniqueness of each request, protecting against replay attacks. The SignedMessage, typically an RSA-encrypted SHA256 hash of the timestamp, nonce, and a shared secret, ensures the integrity of the request.

Prerequisites for Using Fastly & Appdome Docker Image

For utilizing Appdome MobileBOT™ Defense with Fastly, you’ll need the following:

  • A Fastly account with admin permissions
  • An AWS, GCP, or Azure server with admin permissions
  • An Android or iOS app secured by Appdome MobileBOT™ Defense
  • An Appdome MobileBOT™ Defense License

Getting Started with Fastly’s WAF Setup and Configuration

Note: For any additional information, please refer to Fastly’s  documentation on

  1. Upload a TLS certificate
    • Cloud WAF Certificate Management
    • Keep in mind that, for requests coming from Fastly’s Edge, you can use a Fastly-managed TLS certificate instead when you create a Cloud WAF instance. In this case, uploading a TLS certificate is optional.
  2. Create a Cloud WAF Instance
  3. Setup a Site Rule
  4. mTLS Configuration
  • IMPORTANT: It is only necessary to configure the mTLS if you have enabled mTLS in the Appdome Build process. Otherwise, skip ahead to the section Configure Appdome’s Docker Image

Setting up the server of your choice

When the Fastly configuration has been completed, you can begin setting up up your GCP, Azure or AWS sever or any cloud provider of your choice.

Links to Dedicated Appdome Knowledge Base articles:

  • GCP: For setting up a server on Google Cloud Platform and configuring it with Appdome’s Docker Image, follow this guide.
  • Azure: For setting up a server on Microsoft Azure and configuring it with Appdome’s Docker Image, follow this guide.
  • AWS: For setting up a server on Amazon Web Services and configuring it with Appdome’s Docker Image, follow this guide.

To learn more, see the installation instructions for Installing Docker Engine on Ubuntu

Configure Appdome’s Docker Image

Appdome’s Docker Image is a custom solution to secure apps built on the Appdome platform with the Anti-Bot service enabled. This service functions within a Docker container based on Nginx. To facilitate its operation, users must supply an SSL certificate, config files and keys, and designated environment variables.

Prerequisites: Familiarity with Docker and UNIX-based machines is beneficial.

How Does It Work?

Based on Nginx and Lua, the service employs the Lua module to decrypt the payload and validate the signature, then it proxies the request to the target route as specified in the config file.

The module can be used with either the built-in LRU cache or with Redis, but it is recommended to use the built-in LRU to reduce the overhead of making the calls to Redis and ease the setup. If working in a cluster, it is necessary to use Redis to share storage across multiple instances.

Setup

The following environment variables are required to set up the service.

Environment Variable Name Required Description
REDIS Optional Only provide AD_REDIS_HOST if you intend to use it.
LOG_LEVEL Optional The default setting is warn. Available options include: debug, info, notice, warn, error, crit, alert, emerg. All logs are output to the stdout.
RESOLVER Mandatory Provide the resolver DNS server to use for discovering upstream servers.
PASSTHROUGH Optional A key that logs only headers but does not validate them.
USE_DEFAULT False If default.json config file was passed in the configs folder, and this variable passed as true , only the default config will be used. This is meant for testing purposes without constantly updating the config file.
Note: For a Kubernetes server, the default DNS server IP is 192.168.0.10. For a pure Docker configuration, the default server IP is 127.0.0.11

Configs: Located in /home/configs, this folder contains JSON files. The name of the file is task_id, as built on Appdome and the content of the file is a JSON array of the mobile anti bot configuration as provided by Appdome. For testing purposes, a default config named default.json may be passed and -e USE_DEFAULT=true env var to use some default secrets that do not depend on task.

Keys: Located in /home/keys, this folder contains private keys used to validate the headers sent by Appdome.After receiving the JSON file from the Appdome support team, you will need to add two fields: key, target and, optionally, heartbeat_validity. The first two are string fields, and the last is the heartbeat number in seconds.
The key will point to a key from the keys folder mentioned above to validate the headers. The target is the address to which the request will be forwarded, which should be resolvable by the resolver. The target can be an internal address provided that the resolver can find it.
Example:
“key”: “keys/task-id-1-host-1.pem”,
“target”: “http://jsonplaceholder.typicode.com/posts/1”

Optional: How to Configure SSL & mTLS

If you want the Appdome Docker Image to handle SSL and mTLS, additional configuration is required. This includes passing environment variables and mounting certificates to the service.
Environment Variable Name Description
SSL_ON In order to enable the reverse proxy to handle SSL connections, you need to mark the SSL_ON=true. Make sure to mount SSL certificates to the container under /etc/nginx/certs/{ssl.crt, key.key}.
MTLS_ON In order to enable the reverse proxy to handle mTLS, you need to set both SSL_ON and MTLS_ON=true.
Make sure to mount the CA certificate that will be used for the mTLS under /etc/nginx/certs/ca.crt.
FINGERPRINTS If MTLS_ON=true the certificate fingerprints can be passed to allow only specific certificates identified by a SHA1 fingerprint. The value format should include a string of comma-separated values with a space following each comma as follows: asd, zxc, qwe

How to run Appdome Docker Image

Connect to your VM, and run the following commands:

    • Pull the docker image from our public repository:
      docker pull public.ecr.aws/n2i7f1e2/appdome-waf:1.0.0
    • Run the docker image with the following command:
      docker run -p 443:443 -p 80:80 -d \
      -v "$(pwd)"/certs:/etc/nginx/certs \
      -v "$(pwd)"/keys:/home/keys \
      -v "$(pwd)"/configs:/home/configs \
      -e REDIS =<redis address> \
      -e PASSTHROUGH=false \
      -e RESOLVER=<resolver address> \
      -e SSL_ON=true \
      -e MTLS_ON=true \
      -e FINGERPRINTS=asd, zxc, qwe \
      -e LOG_LEVEL=debug \
      --restart unless-stopped \
      public.ecr.aws/n2i7f1e2/appdome-waf:1.0.0

At this point, you have a machine that will run the Appdome Docker Image. Make sure that your application traffic is routing correctly to the Appdome Docker Image and that the Appdome Docker Image is passing the traffic correctly to the target.

Conclusion

By integrating Fastly with your preferred Virtual Server and using Appdome’s MobileBOT™ Defense, you can protect your backend APIs against malicious bots and enhance the security of mobile apps. By mastering and implementing the aforementioned configurations, businesses can safeguard and optimize their mobile app traffic.

Related Articles:

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app defense easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Appdome

Want a Demo?

Mobile Bot Defense

TomWe're here to help
We'll get back to you in 24 hours to schedule your demo.