How to Use Fastly's WAF with Appdome MobileBOT™ Defense
Introduction
Web Application Firewalls (WAFs), like the one offered by Fastly, play a crucial role in protecting web applications from a wide range of cyber threats. Using Fastly’s WAF with Appdome’s MobileBOT™ Defense solution offers app developers a streamlined approach to protect backend APIs against malicious bots and botnets, credential stuffing attacks, DDoS, invalid traffic and other automated attacks. In this guide, you’ll learn how to integrate Appdome’s Docker Image with Fastly’s WAF.
Before delving into the steps, let’s understand some of the terms used:
mTLS (Mutual Transport Layer Security): Mutual TLS (mTLS) is a method of mutual authentication in which both parties to a network connection validate the SSL/TLS certificate presented by the other against a trusted root Certificate Authority (CA) certificate.
Client Certificate: In cryptography, a client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server.
Safe Session: Represents sessions that are determined to be safe or not at risk of any threat.
At Risk Session: Represents sessions that are potentially under threat or have detected anomalies.
Header Payload: The data transferred in the header of HTTP requests or responses. Protecting this data ensures that it cannot be tampered with during transit.
When Appdome’s code is integrated into the Virtual Server, it enhances the firewall’s capability to determine the validity of a session. To categorize sessions as “Safe Session” or “At Risk Session”, Appdome’s code analyzes specific headers within incoming requests: Timestamp, Nonce, and SignedMessage. The Timestamp header allows Appdome’s code to detect potential delay attacks by comparing the request’s timestamp with the server’s time. The Nonce, a unique random value, ensures the uniqueness of each request, protecting against replay attacks. The SignedMessage, typically an RSA-encrypted SHA256 hash of the timestamp, nonce, and a shared secret, ensures the integrity of the request.
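As an added example (not Appdome's own code; the page does not publish the header format or key handling), the server-side classification described above in Go: a request is a Safe Session only if its Timestamp is fresh, its Nonce has not been seen inside the freshness window, and its SignedMessage verifies as an RSA signature over the SHA-256 digest of timestamp, nonce and shared secret. The header layout, the `|` separator, the 30-second window and every identifier are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strconv"
	"time"
)
// Assumed header layout (constructed for this example, not Appdome's wire format): Timestamp is unix
// seconds, Nonce an opaque string, SignedMessage = RSA PKCS#1 v1.5 over SHA-256(ts "|" nonce "|" secret).
const maxSkew = 30 * time.Second // freshness window for the Timestamp check (assumed value)
// Verifier holds the client public key, the shared secret, and nonces seen in the window (nonce -> expiry).
type Verifier struct {
	pub    *rsa.PublicKey
	secret []byte
	seen   map[string]time.Time
}
func NewVerifier(pub *rsa.PublicKey, secret []byte) *Verifier {
	return &Verifier{pub: pub, secret: secret, seen: map[string]time.Time{}}
}
func digest(ts, nonce string, secret []byte) []byte {
	h := sha256.Sum256(append([]byte(ts+"|"+nonce+"|"), secret...))
	return h[:]
}
// GenerateKey and Sign play the client side so the check can be exercised end to end.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func Sign(priv *rsa.PrivateKey, ts, nonce string, secret []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(ts, nonce, secret))
}
// Classify returns nil for a "Safe Session" or an error naming why the request is "At Risk".
func (v *Verifier) Classify(now time.Time, ts, nonce string, sig []byte) error {
	unix, err := strconv.ParseInt(ts, 10, 64)
	if d := now.Sub(time.Unix(unix, 0)); err != nil || d > maxSkew || d < -maxSkew {
		return errors.New("at risk: Timestamp malformed or outside freshness window (delay attack)")
	}
	// Verify before consuming the nonce, so a forgery cannot burn a nonce the real client will use.
	if rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, digest(ts, nonce, v.secret), sig) != nil {
		return errors.New("at risk: SignedMessage does not verify")
	}
	for n, exp := range v.seen { if now.After(exp) { delete(v.seen, n) } } // expire nonces that can no longer be replayed
	if _, dup := v.seen[nonce]; dup {
		return errors.New("at risk: Nonce already used (replay)")
	}
	v.seen[nonce] = now.Add(2 * maxSkew)
	return nil
}
```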
Prerequisites for Using Fastly & Appdome Docker Image
To use Appdome MobileBOT™ Defense with Fastly, you’ll need the following:
- A Fastly account with admin permissions
- An AWS, GCP, or Azure server with admin permissions
- An Android or iOS app secured by Appdome MobileBOT™ Defense
- An Appdome MobileBOT™ Defense License
Getting Started with Fastly’s WAF Setup and Configuration
Note: For any additional information, please refer to Fastly’s documentation on:
- Upload a TLS certificate
  - Cloud WAF Certificate Management
  - Keep in mind that, for requests coming from Fastly’s Edge, you can instead use a Fastly-managed TLS certificate when you create a Cloud WAF instance. In that case, uploading a TLS certificate is optional.
- Create a Cloud WAF Instance
  - See Fastly’s guide on how to Create a Cloud WAF Instance
- Set up a Site Rule
  - Learn more about Site Rules
- mTLS Configuration
  - IMPORTANT: It is only necessary to configure mTLS if you enabled mTLS in the Appdome Build process. Otherwise, skip ahead to the section “Configure Appdome’s Docker Image”.
Setting up the server of your choice
When the Fastly configuration has been completed, you can begin setting up your GCP, Azure or AWS server, or a server at any cloud provider of your choice.
Links to Dedicated Appdome Knowledge Base articles:
- GCP: For setting up a server on Google Cloud Platform and configuring it with Appdome’s Docker Image, follow this guide.
- Azure: For setting up a server on Microsoft Azure and configuring it with Appdome’s Docker Image, follow this guide.
- AWS: For setting up a server on Amazon Web Services and configuring it with Appdome’s Docker Image, follow this guide.
To learn more, see the installation instructions for Installing Docker Engine on Ubuntu.
Configure Appdome’s Docker Image
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app defense easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.