Imperva Cyber Community

Best Practice, multiple origins and sub domains

  • 1.  Best Practice, multiple origins and sub domains

    Posted 01-16-2020 20:07
    Hi All,

    Been running the Imperva for a little while now, adding a site that has just a root and www domain is really easy, but I have a more complex requirement for a new site and just wondering how to accomplish it.

    example.com has 2 servers on different IP addresses with multiple sub domains and content we wish to protect.

    a.example.com (203.x.x.x)
    b.example.com (203.x.x.x)
    c.example.com (203.x.x.x)

    d.example.com (165.x.x.x)
    e.example.com (165.x.x.x)
    f.example.com (165.x.x.x)

    I can't see a way of making this work without creating 6 different sites for a-f which seems really messy.

    Any help would be appreciated.

    Cheers,
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Andrew Ford
    Guild
    ------------------------------


  • 2.  RE: Best Practice, multiple origins and sub domains

    Posted 01-17-2020 07:10
    Edited by cezmi çal 01-17-2020 09:35
    Hi Andrew,

    You can add multiple IP addresses under the same Server Group as "Protected IPs", and you can create many "Web Applications" under the same HTTP service for subdomains. After creating these applications, you can map them under the Applications tab of the related "HTTP Service".

    I think this configuration will work for you.

    Edit: I was thinking of OnPremWAF, but I realized that it was CloudWAF that you mentioned.

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 3.  RE: Best Practice, multiple origins and sub domains

    Imperva Employee
    Posted 01-17-2020 08:59
    Edited by Jaired Anderson 01-17-2020 08:59
    Hi Andrew,

    In this scenario you can leverage a feature called "CNAME Reuse" as long as:

    • The certificate in Imperva Cloud WAF answers for the specified domains
    • The Origin server(s) answers for the specified domains

    If you are using the Imperva Cloud WAF (GlobalSign) generated certificate and have issued a wildcard cert (the default), then it will cover *.example.com.

    If your own certificate is in use it must be a wildcard certificate or contain additional SANs.

    In the example above, let's assume that a.example.com and d.example.com are onboarded, and:

    • a was assigned an incap DNS entry of 123.x.incapdns.net
    • d was assigned an incap DNS entry of 789.x.incapdns.net

    To leverage CNAME Reuse, your DNS will be configured as follows:

    • b will be a CNAME of 123.x.incapdns.net
    • c will be a CNAME of 123.x.incapdns.net
    • e will be a CNAME of 789.x.incapdns.net
    • f will be a CNAME of 789.x.incapdns.net

    That's it - no additional config required within Imperva Cloud WAF.

    Please be aware that sites b and c will share the same cache, config, security policy, etc. with site a.

    Sites e and f will share the same cache, config, security policy, etc. with site d.

    When reviewing the Imperva Cloud WAF console you will only see 2 domains listed; however, 6 are being protected (and only consuming 2 licenses).

    For more information on CNAME reuse, please see:

         https://docs.imperva.com/bundle/cloud-application-security/page/more/cname-reuse.htm



    ------------------------------
    Jaired Anderson
    Senior Professional Services Consultant
    Imperva
    Tulsa OK
    ------------------------------
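
The CNAME Reuse plan from the reply above, written as a pre-change check (an added example, not part of the original posts and not Imperva code): it verifies that each extra subdomain's CNAME points at the target of the onboarded site it shares, and that the certificate served for that site covers the subdomain. The function names, dict layout and sample records are assumptions; hostnames and targets are the placeholders used in the thread.

```python
# Constructed data using the thread's placeholder names (not real records).
ONBOARDED = {  # onboarded site -> CNAME target assigned by Cloud WAF
    "a.example.com": "123.x.incapdns.net",
    "d.example.com": "789.x.incapdns.net",
}
REUSE_PLAN = {  # extra subdomain -> onboarded site whose target it reuses
    "b.example.com": "a.example.com", "c.example.com": "a.example.com",
    "e.example.com": "d.example.com", "f.example.com": "d.example.com",
}

def _norm(name):
    return name.strip().lower().rstrip(".")

def san_covers(san, host):
    """True if a certificate SAN covers host. A wildcard matches exactly
    one leftmost label, so *.example.com does not cover example.com or
    x.a.example.com."""
    san, host = _norm(san), _norm(host)
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]

def audit(zone_cnames, site_sans):
    """Return a list of problems (empty means the plan is consistent).
    zone_cnames: host -> CNAME target, e.g. from a DNS zone export.
    site_sans:   onboarded site -> SAN list of the cert served for it."""
    problems = []
    for host, site in REUSE_PLAN.items():
        want = ONBOARDED[site]
        got = _norm(zone_cnames.get(host, ""))
        if got != want:
            problems.append(f"{host}: CNAME {got or 'missing'}, expected {want}")
        if not any(san_covers(s, host) for s in site_sans.get(site, [])):
            problems.append(f"{host}: not covered by certificate of {site}")
    return problems

# Constructed inputs: site a uses a wildcard cert, site d a custom cert that
# lists only d and e; f was pointed at site a's target by mistake.
SAMPLE_ZONE = {"b.example.com": "123.x.incapdns.net.",
               "c.example.com": "123.X.incapdns.net",
               "e.example.com": "789.x.incapdns.net",
               "f.example.com": "123.x.incapdns.net"}
SAMPLE_SANS = {"a.example.com": ["*.example.com", "example.com"],
               "d.example.com": ["d.example.com", "e.example.com"]}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ZONE, SAMPLE_SANS)))
```

Because reused subdomains inherit the onboarded site's config and security policy, a subdomain pointed at the wrong target is still proxied, just under the other site's policy, which is why the check compares against the planned target and not merely any incapdns.net name.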