Imperva Cyber Community

  • 1.  Nginx LB Behind Imperva WAF

     
    Posted 02-17-2022 15:08
    Has anyone seen any issues with deploying an Nginx load balancer behind Imperva Cloud WAF? We see intermittent issues when we do this, and have found no helpful log entries that point to a cause. Also cannot seem to find anyone else reporting a similar issue.
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    - Jason
    Technical User
    ------------------------------


  • 2.  RE: Nginx LB Behind Imperva WAF

    Posted 02-21-2022 10:41

    Hi Jason

    I spoke with one of our Sr Sales Engineers about this and this was their insight...

    I have seen this issue before when the customer has their load balancer set up to balance/provide server stickiness based on Source IP. When on Imperva, the source IP is no longer the browser; it will be one of Imperva's PoPs. Their load balancer should balance by Session ID, not Source IP.

    I hope this solves the problem. 

    Thanks,



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 3.  RE: Nginx LB Behind Imperva WAF

     
    Posted 02-22-2022 13:37
    Thanks for that input. I'll discuss that with that team and see if we can test that successfully.

    ------------------------------
    - Jason
    Technical User
    ------------------------------



  • 4.  RE: Nginx LB Behind Imperva WAF

     
    Posted 02-22-2022 13:42
    Our setup is using round-robin and no sticky balancing. Have any issues been seen with that setup?

    ------------------------------
    - Jason
    Technical User
    ------------------------------



  • 5.  RE: Nginx LB Behind Imperva WAF

    Posted 02-23-2022 04:30
    Hi Jason,

    Can you elaborate on the issues detected with this setup? As stated before, common issues are due to our optimization mechanism (HTTP Multiplexing), which is not compatible with Source IP Stickiness on the Load Balancer. Did you check the "delivery" setup, where you can enforce the HTTP protocol used on the Origin server side?

    Regards

    ------------------------------
    Arnaud Demene
    SE
    Imperva
    ------------------------------
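
The source-IP stickiness problem described in replies 2 and 5, as an added example that is not part of the original thread and not Imperva or Nginx code. It replays constructed traffic through a hash-based balancer keyed first on the peer address and then on a session ID. The backend names, the PoP addresses (documentation range) and the assumption that one session's requests can arrive from different PoP addresses are all illustrative.

```python
import hashlib
import random
from collections import Counter

BACKENDS = ["app1", "app2", "app3", "app4"]  # hypothetical origin servers
# Constructed WAF egress addresses (documentation range), not real Imperva ranges.
POP_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def pick(key: str) -> str:
    """Map a balancing key to a backend with a stable hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return BACKENDS[int.from_bytes(digest[:8], "big") % len(BACKENDS)]


def simulate(sessions: int = 2000, requests_per_session: int = 5, seed: int = 1):
    """Replay constructed traffic, balancing by peer IP and by session ID."""
    rng = random.Random(seed)
    load = {"source_ip": Counter(), "session_id": Counter()}
    moved = {"source_ip": 0, "session_id": 0}  # sessions that hit >1 backend
    for n in range(sessions):
        session_id = f"sess-{n}"
        seen = {"source_ip": set(), "session_id": set()}
        for _ in range(requests_per_session):
            # Behind the WAF the peer address is a PoP, never the browser.
            # Assumption: requests of one session may leave via different PoPs.
            peer_ip = rng.choice(POP_IPS)
            for mode, key in (("source_ip", peer_ip), ("session_id", session_id)):
                backend = pick(key)
                load[mode][backend] += 1
                seen[mode].add(backend)
        for mode in seen:
            moved[mode] += len(seen[mode]) > 1
    return load, moved


if __name__ == "__main__":
    load, moved = simulate()
    for mode in load:
        print(mode, dict(load[mode]), "sessions split across backends:", moved[mode])
```

Keyed on the peer address, the balancer can never use more backends than there are PoP addresses, and a session is only as sticky as its PoP; keyed on the session ID, every session stays on one backend and the load spreads over all of them.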



  • 6.  RE: Nginx LB Behind Imperva WAF

    Posted 02-23-2022 09:17
    Just in case.
    I had some similar issues a few weeks ago and the issue was fixed by whitelisting all Imperva IP ranges at all points the traffic passes through.

    If you remove the LB, does the website work fine?
    Does the Nginx have some kind of blocking rules (like geo-policies)?

    Regards
    Elfego

    ------------------------------
    Elfego
    ------------------------------



  • 7.  RE: Nginx LB Behind Imperva WAF

     
    Posted 02-28-2022 14:22
    Thanks. I'll give that a shot. We have not tried to remove the Nginx LB, as it will be too complicated to do with this environment.

    ------------------------------
    - Jason
    Technical User
    ------------------------------



  • 8.  RE: Nginx LB Behind Imperva WAF

     
    Posted 02-28-2022 14:29
    Hi, Arnaud. We have checked that stickiness is not being used. I'm not sure what you mean by the delivery setup...haven't been using this WAF very long.

    ------------------------------
    - Jason
    Technical User
    ------------------------------



  • 9.  RE: Nginx LB Behind Imperva WAF

    Posted 03-10-2022 05:29

    Might be unrelated to your issue, but we face problems when

    - WAF is in front of an nginx, which is balancing our websites,

    - WAF is configured in Transparent Reverse Proxy mode,

    - and a technique like this is used on nginx to serve https://www.siteA.com/sitemap.xml as an alternative URL: https://www.siteB.com/sitemap/en/sitemap.xml

    The sample nginx config is like this:

    location = /sitemap.xml {
        proxy_pass https://www.siteB.hu/sitemap/en/sitemap.xml;
    }

    The WAF then simply cannot step into the HTTPS traffic, and blocks access to the site entirely without any log entries.

    BR,
    Cs.

    Then a 



    ------------------------------
    Csaba Weisz
    None
    Törökbálint
    ------------------------------