
I need some help figuring out how to implement a Web Application Firewall (WAF) in my existing architecture.

Currently I have 2 HAProxy servers clustered using keepalived which are responsible for the following:

  • Load Balancing
  • SSL Termination
  • Re-directing static traffic to cache servers

I have 1 Varnish server that is only caching static content. My traffic flow looks something like this:

    Load Balancer (haproxy)-+---------(Dynamic content)-------+----- Drupal Servers
                             \                                /
                              +-- (Static Content) Varnish --+

And my HAProxy config looks like this:

    frontend  main *:80
      acl url_static       path_beg       -i /static /images /javascript /stylesheets
      acl url_static       path_end       -i .jpg .gif .png .css .js

      use_backend         bk_varnish          if url_static
      default_backend     bk_drupal

In this scenario, where is a good place to put a WAF? It would be preferable to not introduce any more servers, so ideally a WAF that would run on the HAProxy servers. I know Varnish has some WAF capabilities but it currently only serves static assets. Should I re-architect this solution to route all traffic through Varnish?

m3ta

1 Answer


You can put it on the same box as HAProxy. It makes a lot of sense to put it there, actually.

So the question becomes before or after HAProxy. If you put it before, then in addition to the rules to protect your app, you will also have to put in rules to protect/allow your static assets. If you put it after, you don't have to worry about rules for your static assets because you can send just the traffic for bk_drupal to the Web Application Firewall.

I have no opinion on how good a web application firewall Varnish is.

longneck
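The "after HAProxy" placement from the answer, as an added configuration sketch that is not part of the original question or answer. It assumes a WAF running as a local reverse proxy on 127.0.0.1:8080 that forwards inspected requests to 127.0.0.1:8081; the names `bk_waf` and `from_waf`, all ports, and all server addresses are constructed for illustration.

```haproxy
# Added example: backend names, ports and addresses below are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend main
    bind *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js

    # Static assets bypass the WAF, so no WAF rules are needed for them.
    use_backend     bk_varnish if url_static
    # Dynamic traffic goes to the local WAF instead of straight to Drupal.
    default_backend bk_waf

backend bk_varnish
    server varnish1 192.0.2.10:6081 check      # constructed address

# Hypothetical WAF reverse proxy on the same host. It sits behind
# HAProxy, so it only ever sees requests HAProxy has already accepted.
backend bk_waf
    option forwardfor                          # pass client IP in X-Forwarded-For
    server waf_local 127.0.0.1:8080 check

# The WAF forwards inspected requests here. Binding to loopback keeps
# this listener unreachable from the network, so the WAF cannot be skipped.
frontend from_waf
    bind 127.0.0.1:8081
    default_backend bk_drupal

backend bk_drupal
    balance roundrobin
    server drupal1 192.0.2.21:80 check         # constructed addresses
    server drupal2 192.0.2.22:80 check
```

With a single `waf_local` server, a failed health check makes HAProxy return 503 for dynamic requests rather than pass them uninspected. In a keepalived pair, having keepalived also track the WAF process lets the virtual IP move to the node whose WAF is still healthy.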