Imperva Cyber Community

  • 1.  Best Practice, multiple origins and sub domains

    Posted 01-16-2020 20:07
    Hi All,

    Been running the Imperva for a little while now. Adding a site that has just a root and www domain is really easy, but I have a more complex requirement for a new site and am just wondering how to accomplish it.

    example.com has 2 servers on different IP addresses with multiple sub domains and content we wish to protect.

    a.example.com (203.x.x.x)
    b.example.com (203.x.x.x)
    c.example.com (203.x.x.x)

    d.example.com (165.x.x.x)
    e.example.com (165.x.x.x)
    f.example.com (165.x.x.x)

    I can't see a way of making this work without creating 6 different sites for a-f, which seems really messy.

    Any help would be appreciated.

    Cheers,
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Andrew Ford
    Guild
    ------------------------------


  • 2.  RE: Best Practice, multiple origins and sub domains

    Posted 01-17-2020 07:10
    Edited by Cezmi Cal 01-17-2020 09:35
    Hi Andrew,

    You can add multiple IP addresses under the same Server Group as "Protected IPs", and you can create many "Web Applications" under the same HTTP service for subdomains. After creating these applications, you can map them under the Applications tab of the related "HTTP Service".

    I think this configuration will work for you.

    Edit: I was thinking of OnPremWAF, but I realized that it was CloudWAF that you mentioned.

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 3.  RE: Best Practice, multiple origins and sub domains

    Posted 01-17-2020 08:59
    Edited by Jaired Anderson 01-17-2020 08:59
    Hi Andrew,

    In this scenario you can leverage a feature called "CNAME Reuse" as long as:

    • The certificate in Imperva Cloud WAF answers for the specified domains
    • The Origin server(s) answers for the specified domains

    If you are using the Imperva Cloud WAF (GlobalSign) generated certificate and have issued a wildcard cert (the default), then it will cover *.example.com.

    If your own certificate is in use, it must be a wildcard certificate or contain additional SANs.

    In the example above, let's assume that a.example.com and d.example.com are onboarded, and:

    • a was assigned an incap DNS entry of 123.x.incapdns.net
    • d was assigned an incap DNS entry of 789.x.incapdns.net

    To leverage CNAME Reuse, your DNS will be configured as follows:

    • b will be a CNAME of 123.x.incapdns.net
    • c will be a CNAME of 123.x.incapdns.net
    • e will be a CNAME of 789.x.incapdns.net
    • f will be a CNAME of 789.x.incapdns.net

    That's it - no additional config required within Imperva Cloud WAF.

    Please be aware that sites b and c will share the same cache, config, security policy, etc. with site a.

    Sites e and f will share the same cache, config, security policy, etc. with site d.

    When reviewing the Imperva Cloud WAF console you will only see 2 domains listed; however, 6 are being protected (and only consuming 2 licenses).

    For more information on CNAME reuse, please see:

         https://docs.imperva.com/bundle/cloud-application-security/page/more/cname-reuse.htm



    ------------------------------
    Jaired Anderson
    Senior Professional Services Consultant
    Imperva
    Tulsa OK
    ------------------------------
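
Added example, not part of the original posts and not Imperva tooling: an offline check of the first condition in the reply above, that the certificate on the site each hostname will share lists that hostname. The SAN lists are constructed sample values, `san_covers` and `check_plan` are hypothetical helper names, and the CNAME targets are the placeholders used in the thread.

```python
# Pre-flight check for a CNAME Reuse plan: does the certificate on the
# site each hostname will share actually list that hostname?

def san_covers(san: str, host: str) -> bool:
    """True if one certificate SAN entry matches host.

    A wildcard stands for exactly one left-most label, so *.example.com
    matches b.example.com but not example.com or x.b.example.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, parent = host.partition(".")
    return bool(head) and parent == san[2:]

def check_plan(plan: dict, sans_by_target: dict) -> list:
    """Return (host, target) pairs the target site's certificate does not cover."""
    return [(host, target) for host, target in plan.items()
            if not any(san_covers(s, host) for s in sans_by_target.get(target, []))]

# DNS plan from the post: hostname -> CNAME target (placeholders from the thread).
PLAN = {
    "b.example.com": "123.x.incapdns.net",
    "c.example.com": "123.x.incapdns.net",
    "e.example.com": "789.x.incapdns.net",
    "f.example.com": "789.x.incapdns.net",
}

# Constructed SAN lists, as they would be read off each site's certificate.
WILDCARD_SANS = {
    "123.x.incapdns.net": ["*.example.com", "example.com"],
    "789.x.incapdns.net": ["*.example.com", "example.com"],
}
CUSTOM_SANS = {  # own certificate with explicit SANs; c.example.com was left out
    "123.x.incapdns.net": ["a.example.com", "b.example.com"],
    "789.x.incapdns.net": ["*.example.com"],
}

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS), ("custom", CUSTOM_SANS)):
        gaps = check_plan(PLAN, sans)
        print(label, "OK" if not gaps else f"not covered: {gaps}")
```

With an explicit-SAN certificate, any hostname reported here needs to be added to the certificate before its CNAME record is created.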



  • 4.  RE: Best Practice, multiple origins and sub domains

    Posted 09-19-2022 11:27
    What are the certificate requirements for the Origin servers?
    If WAF issues wildcard certs, do I still need to purchase certs for the Origin servers that match the domains in use?

    ------------------------------
    Jose Ortega
    Senior Systems Engineer
    Magid Glove
    Romeoville IL
    ------------------------------



  • 5.  RE: Best Practice, multiple origins and sub domains

    Posted 09-28-2022 08:06

    Hi @Jose Ortega

    I noticed there were no answers to your post, so I checked in with one of our Product Development engineers and got this feedback:

    "The CWAF-generated certificate is at the account level and can provide full-domain or wildcard-domain SANs for the website's primary domain only.

    If CNAME reuse (alternative domains) is in use, the current Imperva-generated certificate will not provide any other SANs."

    I hope this helps.
    Thanks,

    Sarah



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 6.  RE: Best Practice, multiple origins and sub domains

    Posted 09-28-2022 10:14
    Hi Jose,

    The Origins must still contain certificates, but the names do not need to match. You can even use your own self-signed certificates on the Origins.

    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------