How to set up Traffic Filter rules including WAF rules
Learn how to set up traffic filter rules, including WAF rules. Read about creating, deploying, testing, and analyzing results.
Setup
The setup process involves the following:
- creating rules with an appropriate AEM project structure and configuration file.
- deploying rules using Adobe Cloud Manager’s configuration pipeline.
- testing rules using various tools to generate traffic.
- analyzing the results using AEMCS CDN logs and dashboard tooling.
Create rules in your AEM project
To create rules, follow these steps:
- At the top level of your AEM project, create a folder called config.
- Within the config folder, create a new file called cdn.yaml.
- Add the following metadata to the cdn.yaml file:

      kind: CDN
      version: '1'
      metadata:
        envTypes:
          - dev
          - stage
          - prod
      data:
        trafficFilters:
          rules:

See an example of the cdn.yaml file within the AEM Guides WKND Sites Project.
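The Ruby check below is an added example, not Adobe tooling or code from the WKND project. It validates the cdn.yaml skeleton from the steps above before it is committed and catches lost indentation, which still parses as YAML but moves trafficFilters out of data. It assumes the only valid envTypes are the three shown in the skeleton; check_cdn_config, GOOD_CONFIG and FLAT_CONFIG are hypothetical names.

```ruby
require 'yaml'

# Assumption: allowed values are the three envTypes in the page's skeleton.
ALLOWED_ENV_TYPES = %w[dev stage prod].freeze

# Constructed sample: the skeleton from this page, correctly indented.
GOOD_CONFIG = <<~EOS
  kind: CDN
  version: '1'
  metadata:
    envTypes:
      - dev
      - stage
      - prod
  data:
    trafficFilters:
      rules:
EOS

# Constructed sample: same lines with indentation lost (still valid YAML).
FLAT_CONFIG = GOOD_CONFIG.gsub(/^ +/, '')

# Returns a list of problems found in cdn.yaml text; an empty list means OK.
def check_cdn_config(yaml_text)
  doc = YAML.safe_load(yaml_text)
  return ['top level must be a mapping'] unless doc.is_a?(Hash)
  problems = []
  problems << "kind must be CDN, got #{doc['kind'].inspect}" unless doc['kind'] == 'CDN'
  problems << "version must be 1, got #{doc['version'].inspect}" unless doc['version'].to_s == '1'
  meta = doc['metadata']
  env_types = meta.is_a?(Hash) ? meta['envTypes'] : nil
  if !env_types.is_a?(Array) || env_types.empty?
    problems << 'metadata.envTypes must be a non-empty list'
  elsif (unknown = env_types - ALLOWED_ENV_TYPES).any?
    problems << "unknown envTypes: #{unknown.join(', ')}"
  end
  # With lost indentation, trafficFilters ends up as an empty top-level key.
  filters = doc['data'].is_a?(Hash) ? doc['data']['trafficFilters'] : nil
  if !filters.is_a?(Hash) || !filters.key?('rules')
    problems << 'data.trafficFilters.rules is missing (check indentation)'
  elsif !(filters['rules'].nil? || filters['rules'].is_a?(Array))
    problems << 'data.trafficFilters.rules must be a list'
  end
  problems
rescue Psych::SyntaxError => e
  ["not valid YAML: #{e.message}"]
end

[GOOD_CONFIG, FLAT_CONFIG].each { |c| p check_cdn_config(c) } if __FILE__ == $PROGRAM_NAME
```

An empty rules key is accepted because the skeleton on this page leaves it empty until rules are declared.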
Deploy rules through Cloud Manager
To deploy rules, follow these steps:
- Log into Cloud Manager at my.cloudmanager.adobe.com and select the appropriate organization and program.
- Navigate to the Pipelines card from the Program Overview page and click the +Add button and select the desired pipeline type.
  In the example above, for demo purposes Add Non-Production Pipeline is selected since a dev environment is used.
- In the Add Non-Production Pipeline dialog, choose and enter the following details:
  - Configuration step:
    - Type: Deployment Pipeline
    - Pipeline Name: Dev-Config
  - Source Code step:
    - Code to deploy: Targeted deployment
    - Include: Config
    - Deployment Environment: Name of your environment, for example, wknd-program-dev.
    - Repository: The Git repository from where the pipeline should retrieve the code; for example, wknd-site
    - Git Branch: The name of the Git repository branch.
    - Code Location: /config, corresponding to the top-level configuration folder created in the previous step.
Test rules by generating traffic
To test rules, there are various third-party tools available, and your organization may have a preferred tool. For demo purposes, let’s use the following tools:
- Curl for basic testing like invoking a URL and checking the response code.
- Vegeta to generate load that simulates a denial of service (DoS). Follow installation instructions from the Vegeta GitHub.
- Nikto to find potential problems and security vulnerabilities like XSS, SQL injection, and more. Follow installation instructions from the Nikto GitHub.

Verify that the tools are installed and available in your terminal by running the commands below:

    # Curl version check
    $ curl --version

    # Vegeta version check
    $ vegeta -version

    # Nikto version check
    $ cd <PATH-OF-CLONED-REPO>/program
    $ ./nikto.pl -Version

Analyze results using the dashboard tooling
After creating, deploying, and testing the rules, you can analyze the results using Elasticsearch, Logstash, and Kibana (ELK) dashboard tooling. It can parse the AEMCS CDN logs, allowing you to visualize the results in the form of various charts and graphs.
Clone the dashboard tooling directly from the AEMCS-CDN-Log-Analysis-ELK-Tool GitHub repository and follow its steps to install and load the Traffic Filter Rules (including WAF) dashboard.
- After loading the sample dashboard, your Elastic dashboard tool page should look like the following:
Next step
Learn how to declare traffic filter rules including WAF rules in the Examples and result analysis chapter, using the AEM WKND Sites Project.