The virtual host is the website proxy that accepts requests on behalf of the web servers that serve the website the ADC is proxying.
| Web server | Read only | Protocol and fully qualified domain name (FQDN) for the website the proxy is configured for. |
| Website status | Drop down list | Controls if the website is served by the Web Security Manager node. |
| Proxy name | Input field | The name of the website proxy when listed in overview tables and reports. |
| HTTP(s) listen IP | Drop down list | The IP address the virtual host is bound to. Applies only to HTTPS proxies. |
| HTTP listen port | Input field | The port number the virtual HTTP host is listening on. |
| HTTPS listen port | Input field | The port number the virtual HTTPS host is listening on. |
| Update certificates | Button | Click to update or add SSL server certificate. See Section 1.2, “SSL Certificate” for details. |
In the SSL certificate section the current SSL certificate in use is displayed. To upload a new certificate click the button.
The SSL section is only shown for SSL enabled website proxies.
To import a certificate go to ->->->.
In the section Virtual web server select .
Depending on the format of the certificate select the appropriate action in the bullet list.
If the certificate is in the PKCS12 format follow the guidelines below:
Enter the path to the certificate file in the PKCS12 file input field.
Enter Passphrase in the Passphrase input field.
Click in the lower button pane.
If the certificate is in the PEM format follow the guidelines below:
Open the .PEM file in a text-editor. Copy the public certificate section of the certificate.
The public key/certificate is the section of the certificate file between (and including) the certificate start and end tags. Example:
-----BEGIN CERTIFICATE-----
Certificate characters
-----END CERTIFICATE-----
Select Import SSL certificate in the Web Security Manager management interface.
Paste the SSL public key/certificate into the SSL-certificate field.
Now copy the (SSL) private key section of the certificate. The (SSL) private key is the section of the certificate file between (and including) the private key start and end tags. Example:
-----BEGIN RSA PRIVATE KEY-----
Private key characters
-----END RSA PRIVATE KEY-----
Enter the passphrase for the private key in the passphrase field (if the original private key was encrypted).
If a certificate authority chain is provided with your certificate, enter the entire list of certificates (more than one certificate may be provided) in the SSL authority certificate(s) chain field.
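The PEM steps above can be prepared with a small script that sorts the blocks of a PEM file into the three import fields and reports whether the passphrase field will be needed. This is an added example, not part of the product or its documentation; the function name, the sample file contents and the rule that the first certificate in the file is the server certificate are assumptions.

```python
import re

# One PEM block, including its BEGIN/END tag lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL
)

def split_pem(text):
    """Sort the blocks of a PEM file into the fields of the import form."""
    certs, key = [], None
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            if key is not None:
                raise ValueError("more than one private key in file")
            key = block
    if not certs or key is None:
        raise ValueError("need at least one certificate and one private key")
    encrypted = ("ENCRYPTED" in key.splitlines()[0]      # PKCS#8 tag line
                 or "Proc-Type: 4,ENCRYPTED" in key)     # legacy PEM header
    return {
        "certificate": certs[0],         # assumption: server certificate comes first
        "chain": "\n".join(certs[1:]),   # remaining certificates, in file order
        "private_key": key,
        "needs_passphrase": encrypted,
    }

# Constructed sample: the tag lines are real PEM syntax, the bodies are placeholders.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
(server certificate characters)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate CA certificate characters)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,(IV placeholder)

(private key characters)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for field, value in split_pem(SAMPLE).items():
        print(field, "->", value if isinstance(value, bool) else value.splitlines()[0])
```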
When creating a proxy for an existing HTTPS web server you need to move the SSL-certificate from the web server to Web Security Manager. This is done by exporting the SSL-certificate from the web server and importing it into Web Security Manager.
Web Security Manager supports importing of PKCS12 and PEM encoded server certificates.
To export a certificate from the web server please refer to the vendor's guidelines:
Microsoft
Microsoft guidelines can be found on these addresses:
Export the certificate to a .PFX file (default) which is PKCS12 encoded.
Apache
For web servers running Apache:
Obtain the SSL-certificate file from the web server's file system. By default the file is PEM-encoded.
To configure Web Security Manager to handle requests for host aliases to the proxied domain name (e.g. www.mydomain.com) add a list of aliases in this section.
For instance, if the web system answering requests to www.mydomain.com also serves requests to mydomain.com, www.mydomain.net and mydomain.net with the same content as www.mydomain.com, the alias domain names, when added in this section, will be proxied by Web Security Manager as aliases to the "main" virtual host.
| Virtual host aliases | Input area | A list of host names. |
The proxied requests for virtual host aliases are filtered and forwarded without modification of the host header.
The wildcard character * can be used to match the server name part of the domain name (e.g. www). If for instance the domain names www.domain.net, www2.domain.net, www3.domain.net and webserver.domain.net all point to the same server, the wildcard expression *.domain.net can be used to match all HTTP requests pointing to domain.net - provided, of course, that the DNS records of the respective hosts all point to Web Security Manager.
| Client READ header timeout | Input field | Max time to wait for the client request header. |
| Client READ body timeout | Input field | Max time to wait for the client request body. |
| Client SEND timeout | Input field | Max time to wait for a client send to complete. |
| HTTP request throttling status | Info | Displays the global HTTP throttling status. |
| Maximum burst rate | Input field | How many requests the client is allowed to exceed the allowed request rate with. If for instance the maximum burst rate is set to 20 and the request rate is limited to 5 requests per second then the client may issue 20 requests for one second but will then have to wait 4 seconds until the rate is balanced. When a client for instance loads an HTML page it typically results in a lot of sub-requests for graphic elements, style sheets, JavaScript, etc. Setting a reasonable burst rate will allow for fast page loads when the request rate is limited. |
| Throttling action | Drop down list | How to handle clients exceeding limits. |
| Throttling zone | Drop down list | Client request rate is tracked across website proxies using four global databases, throttling zones. To account for different usage patterns throttling limits are defined separately for each global throttling zone. |
| HTTP connection throttling status | Info | Displays the global HTTP connection throttling status. |
| HTTP connection throttling zone | Drop down list | Client request rate is tracked across website proxies using four global databases, throttling zones. To account for different usage patterns throttling limits are defined separately for each global throttling zone. |
If Web Security Manager is deployed behind another reverse proxy, by default, Web Security Manager will insert the source IP from that proxy in the X-Forwarded-For header sent to the backend web server. If the X-Forwarded-For header is already present the source IP will be appended to the header.
While this behaviour conforms to standards it is not always desirable. It is therefore possible to configure trusted proxies from which Web Security Manager will simply forward the X-Forwarded-For header as is.
| Trusted proxy 1 and 2 | Input fields | Trusted source IPs from which X-Forwarded-For header will be forwarded as is to the backend web server. |
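The effect of the trusted proxy setting on what the backend web server receives, as an added example that models the behaviour described above (it is not the product's code). The function names, the addresses (documentation ranges) and the handling of a trusted proxy that sends no header are assumptions.

```python
import ipaddress

def header_to_backend(source_ip, incoming_xff, trusted_proxies):
    """X-Forwarded-For value sent to the backend under the rules described above."""
    src = ipaddress.ip_address(source_ip)            # rejects malformed addresses
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if not incoming_xff:
        return str(src)                  # header absent: insert the source IP
                                         # (assumed to apply to trusted proxies too)
    if src in trusted:
        return incoming_xff              # trusted proxy: forward the header as is
    return f"{incoming_xff}, {src}"      # default: append the source IP

def last_hop(xff):
    """Right-most entry: the one written by the proxy nearest the backend."""
    return xff.split(",")[-1].strip()

# Constructed scenario, all values hypothetical.
UPSTREAM_PROXY = "192.0.2.10"     # reverse proxy in front of Web Security Manager
REAL_CLIENT = "198.51.100.23"     # client address as seen by the upstream proxy
CASES = {
    # name: (source IP seen by Web Security Manager, incoming header, trusted list)
    "direct client, no header":  ("203.0.113.7", None, []),
    "direct client, own header": ("203.0.113.7", "10.0.0.1", []),
    "upstream proxy, untrusted": (UPSTREAM_PROXY, REAL_CLIENT, []),
    "upstream proxy, trusted":   (UPSTREAM_PROXY, REAL_CLIENT, [UPSTREAM_PROXY]),
}

def run_cases():
    """Header value the backend receives in each constructed case."""
    return {name: header_to_backend(*args) for name, args in CASES.items()}

if __name__ == "__main__":
    for name, value in run_cases().items():
        print(f"{name:27} XFF={value!r:32} last hop={last_hop(value)}")
```

In the default mode the right-most entry is always the address Web Security Manager itself saw, so a header supplied by the client cannot displace it; in the trusted mode the backend sees exactly what the upstream proxy sent, so the trusted list should contain only proxies that set the header themselves.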
Tell the client to get the requested resource somewhere else.
The Redirect feature is used to instruct clients to make a new request with a different URL. It is often used to redirect HTTP requests for resources requiring encryption to corresponding pages on an SSL encrypted connection - HTTPS.
Web Security Manager allows for either prefix, regex or vhost regex based matching of client requests.
If prefix match is selected the requested URL is matched left to right beginning with a slash (/secret).
If Regex match is selected the requested URL is matched using a regular expression. Anything goes here so it is basically possible to match asp files in a specific directory and instruct the client to request a php file in another directory on another server using HTTPS instead of HTTP.
Do not select Regex match type unless you really need it. Prefix is cheaper CPU wise.
The vhost regex type allows for matching on elements in the virtual host name and redirecting to a different virtual host, optionally with some of the matched elements in the target URL - like redirecting foo.alertlogic.com to http://www.alertlogic.com/foo or foo.alertlogic.net to http://www.alertlogic.com/net/foo.
The syntax is dependent on the match type selected.
| Enable external redirects | Check box | When checked Web Security Manager will redirect client requests based on redirect rules configured. |
| Proto | Drop down list | For website proxies serving both HTTP and HTTPS select the protocol to match. If for instance you only want to serve a specific page using the HTTPS protocol match the corresponding HTTP page and redirect to HTTPS on the same site. |
| Match type | Drop down list | See above. |
| Match | Input field | The client request to match. If prefix match is selected the requested URL is matched left to right beginning with a slash (/secret). Only complete path segments are matched so prefix match type is basically matching on a "directory" basis. |
| Redirect externally to | Input field | The new URL path the client is redirected to. If prefix match is selected the new URL path corresponds to the prefix matched. If /secret is entered in the match field (above) then the part of the request following the prefix (/secret) is sent to the new URL path. |
| Enable external redirects | Check box | When checked Web Security Manager will redirect client requests based on redirect rules configured. |
| Proto | Drop down list | For website proxies serving both HTTP and HTTPS select the protocol to match. If for instance you only want to serve a specific page using the HTTPS protocol match the corresponding HTTP page and redirect to HTTPS on the same site. |
| Match type | Drop down list | See above. |
| Match | Input field | The client request to match. If Regex match is selected the requested URL is matched using a regular expression. The supplied regular expression is matched against the requested URL-path, and if it matches, the server will substitute any parenthesized matches into the redirect URL path sent in the redirect response to the client. |
| Redirect externally to | Input field | The new URL path the client is redirected to. If Regex match is selected the parenthesized matches in $1, $2, etc. are substituted into the new URL path allowing fine grained and complex redirect rules. |
| Enable external redirects | Check box | When checked Web Security Manager will redirect client requests based on redirect rules configured. |
| Proto | Drop down list | For website proxies serving both HTTP and HTTPS select the protocol to match. If for instance you only want to serve a specific page using the HTTPS protocol match the corresponding HTTP page and redirect to HTTPS on the same site. |
| Match type | Drop down list | See above. |
| Match | Input field | The vhost part of client request to match. If vhost regex match is selected the vhost part of the client request is matched using a regular expression. If it matches, the server will substitute any parenthesized matches into the redirect URL path sent in the redirect response to the client. |
| Redirect externally to | Input field | The new URL path the client is redirected to. If the match expression contains parentheses the parenthesized matches are placed in the variables $c1, $c2, ... $c9. These variables can be used in the redirect URL to allow for fine grained and flexible redirects. |
The examples from the table above are summarized below. Substitute "ssl.somename.tld" with the correct address.

Match type: prefix
Match: /
Redirect externally to: https://ssl.somename.tld/

Match type: prefix
Match: /secret
Redirect externally to: https://ssl.somename.tld/moresecret

Match type: regex
Match: (.+)\.jsp
Redirect externally to: https://ssl.somename.tld$1.php

Match type: vhost regex
Match: (\w+)\.somename\.(\w{1,5})
Redirect externally to: http://www.somename.tld/$c2/$c1
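The three match types applied to constructed requests, as an added example that models the rules described above in Python (it is not the product's code). The function names, the request values, the unanchored regex search and the way the remainder of a prefix match is joined to the target are assumptions. The last two cases show why the final group of a vhost pattern should be written (\w{1,5}): a repeated group such as (\w){1,5} keeps only its last character.

```python
import re

def _expand(template, m, var):
    """Substitute $1 / $c1 style variables with the captured groups of match m."""
    return re.sub(re.escape(var) + r"(\d)",
                  lambda v: m.group(int(v.group(1))) or "", template)

def redirect(match_type, match, target, host, path):
    """Return the redirect URL for one rule, or None when the rule does not apply."""
    if match_type == "prefix":
        base = match.rstrip("/")
        if path != base and not path.startswith(base + "/"):
            return None                  # only complete path segments match
        rest = path[len(base):]          # part of the request after the prefix
        return target.rstrip("/") + rest if rest else target
    if match_type == "regex":
        m = re.search(match, path)       # assumption: unanchored search on the path
        return _expand(target, m, "$") if m else None
    if match_type == "vhost regex":
        m = re.search(match, host)       # assumption: unanchored search on the host
        return _expand(target, m, "$c") if m else None
    raise ValueError(f"unknown match type: {match_type}")

HOST = "www.somename.tld"   # constructed request host for the path-based rules

def demo():
    """Run the page's example rules against constructed requests."""
    return {
        "prefix /": redirect("prefix", "/", "https://ssl.somename.tld/",
                             HOST, "/index.html"),
        "prefix hit": redirect("prefix", "/secret", "https://ssl.somename.tld/moresecret",
                               HOST, "/secret/a/b"),
        "prefix miss": redirect("prefix", "/secret", "https://ssl.somename.tld/moresecret",
                                HOST, "/secrets"),
        "regex": redirect("regex", r"(.+)\.jsp", "https://ssl.somename.tld$1.php",
                          HOST, "/app/login.jsp"),
        # (\w{1,5}) captures the whole label; (\w){1,5} keeps only its last character
        "vhost whole": redirect("vhost regex", r"(\w+)\.somename\.(\w{1,5})",
                                "http://www.somename.tld/$c2/$c1", "foo.somename.net", "/"),
        "vhost last": redirect("vhost regex", r"(\w+)\.somename\.(\w){1,5}",
                               "http://www.somename.tld/$c2/$c1", "foo.somename.net", "/"),
    }

if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:12} -> {url}")
```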