1. HTTP

The Website menu gives access to all configuration options related to proxy management, ACL administration, security logging and settings.

To manage proxies select Services->Websites in the left menu pane. This will take you to the website overview page.

1.1. Websites

1.1.1. Defined websites

Displays the list of configured website proxies in the system. The list shows the id, virtual host, real host and current running mode for each configured proxy.

1.1.1.1. Selecting a website proxy for management

To manage a configured proxy simply click on it in the defined proxies list.

1.1.1.2. Changing operating mode

In the list of configured website proxies select the new operating mode in the Mode drop-down box for the website proxy to be changed.

1.2. Adding a website

Path: Services->Websites+Add Website.

1.2.1. Virtual web server

Web server protocol

Drop down list

Select the web server protocol.

HTTP

Standard non-encrypted HTTP site.

HTTPS

SSL/TLS HTTPS website

Both

Create a website that responds to both HTTP and HTTPS requests.

Web server address

Input field

The public address of the web server you want to add a proxy for.

Valid input

A fully qualified domain name

Input example

www.mydomain.com

Default value

none

HTTP listen port

Input field

The port number the virtual HTTP host listens on.

Valid input

A valid TCP/IP Port number

Input example

80

Default value

The port number set for the server when created.

HTTPS listen port

Input field

The port number the virtual HTTPS host listens on.

Valid input

A valid TCP/IP Port number

Input example

443

Default value

The port number set for the server when created.

HTTP(s) listen IP

Drop down list

The IP address the virtual host is bound to. Applies only to HTTPS proxies.

Valid input

An IP address from the drop down list.

Default value

The first IP-address in the drop down list.

1.2.2. Real web servers

Real server protocol

Drop down list

HTTP or HTTPS

Valid input

Options from the drop down list

HTTP or HTTPS

HTTPS is only available if the website virtual host is SSL-enabled.

Default value

The protocol initially set when the website proxy was created.

Validate real servers and enable health checking

Check box

When enabled, Web Security Manager will:

  1. Verify that the real servers entered respond to requests

  2. Enable health checking with an initial simple configuration

If one or more of the real servers are not reachable, Web Security Manager will return an error. To disable real server validation, uncheck this option.

Default: <disabled>

Real server IP

Input field

Hostname or IP address of the web server(s) Web Security Manager is proxying requests for.

Valid input

Fully qualified hostname (FQDN) or IP address.

Input example

web1.mycompany.com

10.10.10.10

Default value

<none>

Port

Input

The port number the real server listens on.

Valid input

A valid TCP/IP Port number

Default value

80

Role

Drop down list

Define the server's role in the load balancing set.

Active

The server is operative and accepts requests.

Backup

The server is operative but should only be sent requests if none of the other servers in the load balancing set are available.

Down

The server is not operative and will not respond to requests.

1.2.3. Initial operating mode

Set the initial operating mode for the website proxy.

Operating modes are sets of configurations defining which violations to block and which violations to only log. Two configurable presets and one non-configurable preset are available.

Protect

The Protect mode preset by default blocks and logs all violations according to the access policy.

Detect

In the default Detect mode preset only logging occurs and no blocking protection is activated. Blocks that would have occurred in Protect mode are logged and available for review in the deny log. Operating in the default Detect preset is comparable to an intrusion detection system: it detects and logs activities but does not protect against or prevent policy violations.

Pass

In Pass mode all requests are passed through the website proxy. No requests are blocked and no logging is performed. As no filters are active in Pass mode this mode is not configurable.

By default Detect mode is selected.

[Note] Note

Initial operating mode selection is only available in WAF licenses. For load balancer licenses the operating mode is Pass.

1.2.4. Learning

Set the initial learning mode.

Enabled

Automated application profiling and policy building enabled. Web Security Manager analyzes incoming requests employing a combination of statistics, heuristic attack classification and server responses, and builds a profile of the web site including static requests, web applications and input parameters. As Web Security Manager maps the web site, the policy becomes more specific and shifts towards a positive security model for specific applications.

Disabled

No automated policy building.

By default Learning is enabled.

[Note] Note

Learning is only available in WAF licenses. For load balancer licenses learning is disabled.

1.2.5. Removing a proxy

In the website overview, click on the trashcan symbol shown to the right of the website proxy you want to remove.

1.3. Global

Global HTTP settings that affect all websites.

1.3.1. Server ID

The server ID is the name of the server that will be sent in the response header "Server", also called the server banner. It is considered good practice to hide, mask or alter the server banner.

The server id can be set for each website proxy or globally for all websites.

Enforce server id for all website proxies

Check box

Enable / disable enforcing the global server ID for all websites.

Default: <disabled>

Server ID

Input field

The global server ID.

An empty string will completely remove the server ID (prevent sending the Server header).

Valid input

alphanumeric, space, dash, slash, underscore, period and parentheses

Default value

<empty>

1.3.2. HTTP request throttling

HTTP request throttling tracks client request rate across all websites and enforces configured limits.

Enable client HTTP request throttling

Check box

Enable / disable HTTP request throttling for all websites.

Default: <disabled>

1.3.2.1. Max HTTP request rate throttling zones

Client request rate is tracked across website proxies using four global databases, the throttling zones. To account for different usage patterns, throttling limits are defined separately for each global throttling zone.

Zone T1, T2, T3 and T4

Input field

Each zone defines a maximum request rate in requests per second.

If for instance a website proxy is assigned Zone T3, client requests to that site will be throttled down to a maximum of 5 req/sec per IP.

As the aim of throttling client requests typically is to prevent clients from consuming excessive system resources, request throttling is enabled on a global basis and client requests are tracked and throttled across all websites. This means that in the above example client requests are tracked across all website proxies, and that the Zone T3 limits are also enforced for other websites using Zone T3.

By default Zone T1 is selected for all sites.

Unit

Requests / second

Valid input

Number in the range 0 - 1000000

Default value

T1 = 50, T2 = 10, T3 = 5, T4 = 1

1.3.2.2. Web site settings

Maximum burst rate

Input field

The number of requests by which a client is allowed to exceed the allowed request rate.

If for instance the maximum burst rate is set to 20 and the request rate is limited to 5 requests per second, then the client may issue 20 requests within one second but will then have to wait 4 seconds until the rate is balanced.

When a client loads an HTML page, for instance, it typically results in many sub-requests for graphic elements, style sheets, JavaScript, etc. Setting a reasonable burst rate allows for fast page loads even when the request rate is limited.

Unit

Requests / second

Valid input

Number in the range 0 - 1000000

Default value

20

Throttling action

Drop down list

How to handle clients exceeding limits.

Delay

Slow down the client by delaying responses

Default selection

Error 503

Return HTTP error 503

Throttling zone

Drop down list

Client request rate is tracked across website proxies using four global databases, the throttling zones. To account for different usage patterns, throttling limits are defined separately for each global throttling zone.

Precedence

Drop down list

The global website settings can either be default settings when a website is created or enforced settings for all websites.

Default web site settings

When creating a website the settings will default to the global website settings.

Enforced for all websites

The global website settings will be enforced for all websites overruling settings defined in website proxies.
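As an added illustration of the throttling model described in this section (this is example code, not Web Security Manager's own implementation), the following Python models one token bucket per (throttling zone, client IP), shared by every website assigned to that zone. The zone defaults and the burst size of 20 are the documented values; the class and function names, the exact "delay" accounting and the client address are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Global throttling zones: maximum sustained rate in requests/second.
# These are the documented defaults (T1 = 50, T2 = 10, T3 = 5, T4 = 1).
ZONE_RATES = {"T1": 50.0, "T2": 10.0, "T3": 5.0, "T4": 1.0}


@dataclass
class _Bucket:
    tokens: float   # may go negative under the "delay" action (queued debt)
    last: float     # timestamp (seconds) of the last refill


@dataclass
class RequestThrottler:
    """Token bucket per (zone, client IP), shared by every website in the zone.

    Hypothetical class. One instance models the whole system because request
    tracking is global: a client that spends its allowance on one Zone T3 site
    is throttled on every other Zone T3 site as well.
    """
    burst: int = 20            # documented default maximum burst rate
    action: str = "delay"      # "delay" (documented default) or "503"
    buckets: dict = field(default_factory=dict)

    def check(self, zone: str, client_ip: str, now: float):
        """Decide one request. Returns ("pass", 0.0), ("delay", seconds)
        or ("503", 0.0). `now` is a timestamp in seconds."""
        rate = ZONE_RATES[zone]
        b = self.buckets.setdefault((zone, client_ip),
                                    _Bucket(tokens=float(self.burst), last=now))
        # Refill at the zone rate; the bucket never holds more than `burst`.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return ("pass", 0.0)
        if self.action == "503":
            return ("503", 0.0)           # reject; no token is consumed
        # Delay: the request is served once a token exists. The token is
        # consumed now (tokens go negative) so later requests queue behind it.
        wait = (1.0 - b.tokens) / rate
        b.tokens -= 1.0
        return ("delay", wait)


def simulate(zone: str, client_ip: str, timestamps, action: str = "delay"):
    """Run one client's request timestamps through a fresh throttler and
    return the list of decisions, e.g. [("pass", 0.0), ("delay", 0.2)]."""
    throttler = RequestThrottler(action=action)
    return [throttler.check(zone, client_ip, ts) for ts in timestamps]


if __name__ == "__main__":
    # Constructed scenario from the text: Zone T3 (5 req/s), burst 20.
    ip = "198.51.100.7"                      # constructed client address
    decisions = simulate("T3", ip, [0.0] * 21 + [4.0])
    print(decisions[:20].count(("pass", 0.0)), "requests passed in the burst")
    print("21st request at t=0:", decisions[20])   # delayed 0.2 s
    print("request at t=4:", decisions[21])        # bucket refilled, passes
```

The 21st request in the same second is the first one over the limit; with the "Error 503" action it is rejected outright instead of delayed. Because the bucket key contains the zone and the client IP but not the website, the same run of requests spread over two Zone T3 sites produces the same decisions.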

1.3.3. HTTP connection limiting

HTTP connection limiting tracks client connection concurrency across all websites and enforces configured limits.

Enable client HTTP connection limiting

Check box

Enable / disable connection limiting for all websites.

Default: <disabled>

1.3.3.1. Max HTTP connections limiting zones

Client connection concurrency is tracked across website proxies using four global databases, the connection limiting zones. To account for different usage patterns, connection limits are defined separately for each global limiting zone.

Zone L1, L2, L3 and L4

Input field

Each zone defines maximum allowed concurrent connections per client IP.

If for instance a website proxy is assigned Zone L1, client IPs are not allowed to establish more than 4 concurrent connections to the website proxy. However, as client connections are tracked across all website proxies, the limit will also be tracked and enforced for other websites using Zone L1.

Browsers will typically establish up to four concurrent connections when loading a web page; however, many clients may access the website from behind the same gateway, which may result in a much higher concurrency from that IP.

By default Zone L1 is selected for all sites.

Unit

Requests / second

Valid input

Number in the range 0 - 1000000

Default value

L1 = 100, L2 = 20, L3 = 10, L4 = 4

1.3.3.2. Web site settings

HTTP connection throttling zone

Drop down list

Client connection concurrency is tracked across website proxies using four global databases, the connection limiting zones. To account for different usage patterns, connection limits are defined separately for each global limiting zone.

Precedence

Drop down list

The global website settings can either be default settings when a website is created or enforced settings for all websites.

Default web site settings

When creating a website the settings will default to the global website settings.

Enforced for all websites

The global website settings will be enforced for all websites overruling settings defined in website proxies.
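The concurrency model in this section, as added example code (not Web Security Manager's own implementation): a per-zone, per-client-IP counter of open connections in which the website is deliberately not part of the key, so that a shared gateway address is limited across every website in the zone. The zone defaults are the documented ones; the class and function names, the scenario, the site names and the gateway address are constructed for the example.

```python
# Global connection limiting zones: maximum concurrent connections per
# client IP. Values are the documented defaults (L1 = 100 ... L4 = 4).
ZONE_LIMITS = {"L1": 100, "L2": 20, "L3": 10, "L4": 4}


class ConnectionLimiter:
    """Hypothetical class; one instance for the whole system.

    The counter key is (zone, client IP) only. The website name is not part
    of it, so connections to every website assigned the same zone count
    against a single limit for that client IP.
    """

    def __init__(self):
        self._open = {}          # (zone, client_ip) -> open connections

    def connect(self, zone: str, client_ip: str, website: str) -> bool:
        """Admit a new connection from client_ip to website, or refuse it
        when the client already holds the zone's maximum. `website` is
        accepted only to make the point that it does not affect the key."""
        key = (zone, client_ip)
        if self._open.get(key, 0) >= ZONE_LIMITS[zone]:
            return False          # limit reached: refuse the connection
        self._open[key] = self._open.get(key, 0) + 1
        return True

    def close(self, zone: str, client_ip: str) -> None:
        """Release one connection when the client disconnects."""
        key = (zone, client_ip)
        if self._open.get(key, 0) > 0:
            self._open[key] -= 1

    def open_connections(self, zone: str, client_ip: str) -> int:
        return self._open.get((zone, client_ip), 0)


def shared_gateway_scenario(zone: str, clients_behind_nat: int):
    """Constructed scenario: several browsers behind one NAT gateway each
    open four connections (typical browser concurrency), all arriving from
    the gateway's single public IP and alternating between two websites
    that share the same zone. Returns (admitted, refused)."""
    limiter = ConnectionLimiter()
    gateway_ip = "203.0.113.10"                        # constructed address
    sites = ["www.mydomain.com", "shop.mydomain.com"]  # constructed names
    admitted = refused = 0
    for n in range(clients_behind_nat * 4):
        if limiter.connect(zone, gateway_ip, sites[n % 2]):
            admitted += 1
        else:
            refused += 1
    return admitted, refused


if __name__ == "__main__":
    # Three browsers behind one gateway: 12 connection attempts.
    print("Zone L4 (limit 4):", shared_gateway_scenario("L4", 3))   # (4, 8)
    print("Zone L2 (limit 20):", shared_gateway_scenario("L2", 3))  # (12, 0)
```

The scenario shows why a low zone limit is risky for sites with many users behind shared gateways: with Zone L4 only the first browser's four connections are admitted and the other two browsers are refused, even though each of them opened connections to a different website.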

1.3.4. SSL Server Name Indication

Allow several HTTPS sites using the same IP address.

If enabled Web Security Manager will allow binding an HTTPS virtual host to an IP address that is already in use by another HTTPS host.

Clients supporting TLS SNI (Server Name Indication) will include the requested hostname in the first message of the SSL handshake (connection setup). This allows the server to determine the correct named virtual host for the request and set the connection up accordingly using the correct vhost SSL certificate from the start. Clients not supporting SNI will not include the requested hostname and will be served the certificate from the first vhost using the shared IP.

SNI support in the most common browsers is:

  • Mozilla Firefox 2.0 or later

  • Opera 8.0 or later (with TLS 1.1 enabled)

  • Internet Explorer 7.0 or later (not XP)

  • Google Chrome

  • Safari 3.2.1 on Mac OS X 10.5.6

Since there are still a lot of XP-based IE users out there, it is not recommended to rely on SNI if broad SSL support is required. Create some more virtual IP addresses instead (cluster or virtual IPs).

Default: <disabled>
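The SNI behaviour described above, as an added example that is not part of Web Security Manager: a minimal parser that pulls the server_name extension out of a TLS ClientHello record, and a virtual host selector that uses it to pick the certificate, falling back to the first vhost bound to the shared IP when the client sent no SNI. The ClientHello builder exists only so the example runs offline (zeroed random, a single cipher suite); the function names, vhost list and certificate labels are constructed for the example, and treating an unrecognised SNI name like a missing one is an assumption.

```python
def build_client_hello(hostname=None) -> bytes:
    """Constructed TLS record carrying a ClientHello, with an SNI extension
    when `hostname` is given and no extensions block at all when it is None
    (as a pre-SNI client would send). Not a complete, usable handshake."""
    hello = (b"\x03\x03" + bytes(32)      # client_version, zeroed random
             + b"\x00"                    # empty session_id
             + b"\x00\x02\x13\x01"        # one cipher suite
             + b"\x01\x00")               # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name   # host_name
        sni = len(entry).to_bytes(2, "big") + entry            # ServerNameList
        ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni  # type 0 = SNI
        hello += len(ext).to_bytes(2, "big") + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None when the record is not a ClientHello or carries no SNI."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # handshake record
            return None
        body = record[5:5 + int.from_bytes(record[3:5], "big")]
        if len(body) < 4 or body[0] != 0x01:               # client_hello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                       # version + random
        pos += 1 + hello[pos]                              # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hello[pos]                              # compression_methods
        if pos + 2 > len(hello):
            return None                                    # no extensions
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(hello[pos:pos + 2], "big")
            ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            list_end = 2 + int.from_bytes(data[0:2], "big")
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = int.from_bytes(data[p + 1:p + 3], "big")
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:                         # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, UnicodeDecodeError):
        return None                                        # malformed input


def select_vhost(vhosts, client_hello: bytes):
    """vhosts: ordered list of (hostname, certificate label) bound to one
    shared IP. A matching SNI name selects its vhost; no SNI (or, by
    assumption here, an unknown name) is served by the first vhost."""
    sni = extract_sni(client_hello)
    if sni is not None:
        for host, cert in vhosts:
            if host.lower() == sni.lower():
                return host, cert
    return vhosts[0]


if __name__ == "__main__":
    vhosts = [("www.mydomain.com", "cert-www"),      # constructed vhosts
              ("shop.mydomain.com", "cert-shop")]
    print(select_vhost(vhosts, build_client_hello("shop.mydomain.com")))
    print(select_vhost(vhosts, build_client_hello(None)))   # first vhost
```

The second call is the case the text warns about: a client without SNI connecting to the shared IP is handed cert-www regardless of which site it wanted, so a legacy browser visiting shop.mydomain.com would see a certificate name mismatch. That is the situation an extra virtual IP per HTTPS site avoids.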

© 2005 - 2012 Alert Logic inc.