Using FortiWeb Cloud behind a Content Distribution Service
If the traffic to your application server should be first forwarded to a Content Distribution Service, then flows to FortiWeb Cloud for threat detection, perform the following steps so that the traffic can correctly go through. In this example we assume the Content Distribution Service is AWS CloudFront.
Onboarding your application on FortiWeb Cloud
- Refer to Getting Started in FortiWeb Cloud Online Help to onboard your application.
- DO NOT enable CDN. A FortiWeb Cloud scrubbing center located nearest to your application server will be assigned. In your scenario, it's unnecessary to use the CDN feature of FortiWeb Cloud because AWS CloudFront already serves this purpose.
- Take note of the CNAME provided by FortiWeb Cloud.
- Refer to Endpoints to configure the SSL Certificate settings. If you use Automatic Certificate, make sure to select DNS Challenge type, otherwise the SSL certificate cannot be successfully retrieved.
Additionally, make sure to include a CNAME record for the DNS challenge. You can locate this record in Global > Applications > DNS Status.
Please note that DNS status may show as "Unknown". This is an expected issue when using CloudFront in front of FortiWeb Cloud. It does not affect the retrieval of the certificate, so there is no need to be concerned about it.
If you would like to use your own SSL certificate instead of the certificate issued by Let's Encrypt, you can select Custom Certificate in Network > Endpoint to upload your own SSL certificate.
Creating a Distribution in CloudFront
- Log in to AWS cloud portal. Navigate to CloudFront.
- Click Create Distribution.
- Configure the following options as described. You can set any option not specified here according to your preference. Refer to AWS online help for more information.
Origin Domain Enter the CNAME provided by FortiWeb Cloud. Origin Protocol Policy Select Match Viewer so that the protocol used for the connections between CloudFront and FortiWeb Cloud can be HTTP or HTTPS. It matches with the protocol used by the viewer, for example, if the viewer connects to CloudFront using HTTPS, CloudFront will connect to FortiWeb Cloud using HTTPS.
HTTP Port Set HTTP port value to 80. HTTPS Port Set HTTPS port value to 443. Minimum origin SSL protocol
Select TLSv1.2.
Path Pattern
This field specifies to which requests you want this cache behavior to apply. For example, a path pattern of images/*.jpg would apply the cache behavior to .jpg images.
Compress objects automatically
Select "Yes" if you want CloudFront to automatically compress specific file types when viewers support compressed content. This accelerates downloads by reducing file sizes, resulting in faster rendering of web pages for your users.
Viewer Protocol Policy
You can set this option as you want, but, if you select Redirect HTTP to HTTPS, it's suggested to turn off Redirect all HTTP traffic to HTTPS in Network > Endpoint in FortiWeb Cloud. See Endpoints.
Allowed HTTP methods Select the HTTP methods that you want CloudFront to process and forward to your origin Restrict viewer access
Choose No for public URLs or Yes for signed URLs when configuring the cache behavior's PathPattern. If selecting Yes, specify trusted signers, which are the AWS accounts authorized to create signed URLs.
Cache key and origin requests
Select Legacy cache settings from the list, then add header Host. CloudFront will directly forward the host header to FortiWeb Cloud.
- Configure the following options as described. You can set any option not specified here according to your preference. Refer to AWS online help for more information.
Alternate Domain Names (CNAMEs)
Enter an additional domain name (e.g., www.example.com) that users use to access your application. FortiWeb Cloud supports multiple domain names for a single application.
SSL Certificate
Select Custom SSL Certificate to upload the SSL certificate.
Modify your existing CloudWatch distributions by clicking into the tabs outlined below. Additionally, you can consult the configuration details provided in steps 3-5 above.
General: Settings configurations (details in Settings).
Security: WAF configurations (details in WAF options).
Origins: Origin configurations (details in Origin).
Behaviors: Default Cache Behaviors Configurations (details in Default Cache Behavior).
Modifying DNS record to use the domain name provided by CloudFront
Go to your DNS service to modify the DNS record to route queries for the your application's domain name (e.g. www.example.com) to the CloudFront domain name (e.g. d1234.cloudfront.net).
If you use AWS Route 53, refer to Working with Records on how to create or change the DNS records.
At this point, the queries to your application's domain name should successfully be forwarded to CloudFront first, then reach FortiWeb Cloud.
Configuring Error Pages
When FortiWeb Cloud detects a violation to its security rules, it takes appropriate actions, such as blocking the request and returning an error code to the client who initiated this request. The error code is cached in CloudFront, so that when the same client initiates the same request next time, CloudFront can directly return this error code to the client.
However, the request might be falsely detected as a violation. You can add the request as an exception in FortiWeb Cloud so that it will not be detected as a violation next time, but, if you have set a long Minimum TTL, the client may keep receiving the cached error code until the minimum TTL passes. During this period, CloudFront uses the cached error code to respond to the subsequent requests instead of forwarding them to FortiWeb Cloud for re-processing.
In most cases, the minimum TTL in the distribution settings is set to a long time value because for efficiency considerations you may not want CloudFront to renew its caches too frequently, so, the optimal solution for the above mentioned error code caching problem is to set a comparatively shorter Minimum TTL specially for error codes.
In the following example shown in the screenshots, the Minimum TTL in the distribution is set to 500s, while the Minimum TTL for the error code is set much shorterly to 30s. This distinguishes the minimum TTL time for error codes and the rest content. The objects such as the rarely changing icons and background images stay in cache for a long time, while the error codes frequently renews.
To set the Minimum TTL for error pages:
- In the distribution list, find the distribution you just created. Click its ID to open the distribution details page.
- Select Error Pages tab.
- Click Create Custom Error Response to create a new error page, or click an existing error page to edit its Minimum TTL.
- Set Error Caching Minimum TTL (Seconds).
- Configure other options as desired.
- Click Create.
After you complete the settings above, you can go ahead configure security rules in FortiWeb Cloud to protect your application.
FortiWeb Cloud has a security module called Caching and Compression. It allows you to cache and compress objects that rarely change, such as icons, background images, movies. If you have configured CloudFront to cache such objects, you can disable this module in FortiWeb Cloud.