Alert Logic Managed Web Application Firewall (WAF) for Rackspace Public Cloud

Before you begin:

Share the Managed WAF image with Alert Logic

Before you begin this step, make sure you have the following information:

  • Your Rackspace Member ID
  • The Region where you wish to store your image.

To share the image: 

  1. Contact Alert Logic provisioning and provide the required information. Call (877) 484-8383 and select the appropriate option.

For more information, visit the Alert Logic YouTube page.

Get the Managed WAF image

Before you begin this step, make sure you have the following information:

  • Image UUID – You can retrieve this information from the Alert Logic provisioning engineer.
  • Customer API key – You can retrieve this information from the Account Settings page on the Rackspace Public Cloud User Interface. The API key is located under Login Details.

To properly run the commands in this topic: 

  • If you use Mac OS, you can enter the commands in your local machine.
  • If you use Windows, you must first install Cygwin on your Windows machine.

To get the image:

  1. The API (authentication) token allows you to access the shared image from Alert Logic. Use the following command to get the API token:

curl -s https://identity.api.rackspacecloud.com/v2.0/tokens -X 'POST' \

-d '{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"yourUserName", "apiKey":"yourApiKey"}}}' \

-H "Content-Type: application/json" | python -m json.tool

curl -s https://identity.api.rackspacecloud.com/v2.0/tokens -X 'POST' \

-d '{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"TomR", "apiKey":"005ec2603b6e14"}}}' \

-H "Content-Type: application/json" | python -m json.tool

  1. When the command runs, several line items appear on the screen. Look for the item that begins with token.

  1. In the id field under token, copy the string of characters. You need this information at a later step.
  2. Use the table below to identify your region and the corresponding MemberID. You will need this information to run the command in the next step.
Region MemberID
DFW al-wsm-image-latest - ad7aad61-0348-4c48-b655-6ade72bd4911
IAD al-wsm-image-latest - 10f5d78c-c380-4af9-8993-aa7b43b81a85
ORD al-wsm-image-latest - f6e0203d-7dc1-4297-877d-ad0348e5062a
  1. Use the command below to get the Managed WAF virtual appliance image.

Your MemberID varies based on your region. When you run the command, be sure to use the correct MemberID.

curl -s -XPUT -H "Content-Type: application/json" -H"X-Auth-Token: $Token" \

https://$region.images.api.rackspacecloud.com/v2/images/$Image_UUID/members/$MemberID \

-d '{ "status": "accepted" }'

curl -s -XPUT -H "Content-Type: application/json" -H"X-Auth-Token: 7fc6353373ac4poTD68f7a99a02e83" \

https://iad.images.api.rackspacecloud.com/v2/images/86a0a711-c07e-4dfc-a533-ebd2a1482795

/members/000000 \

-d '{ "status": "accepted" }'

  1. After you see that the image is accepted, log in to the Rackspace Public Cloud User Interface.
  2. Select your region.

Cloud servers should be created in the same region as the protected host.

  1. Click Saved Images.
  2. Verify that the image is listed.

You may see the word Deleted instead of the Parent Server name for the image. This is normal and simply means that you are not authorized to access the parent server. This has no impact on the installation of Managed WAF in your environment.

For more information, visit the Alert Logic YouTube page.

Create a cloud server

A cloud server is a virtual machine that contains the Managed WAF virtual appliance.

To create a cloud server:

  1. Log in to the Rackspace Public Cloud User Interface.
  2. Click Create Server.
  3. Type a Server Name. Use a standard naming convention, such as rax-cloud-IAD-wsm-01.
  4. Select your Region.

Cloud servers should be created in the same region as the protected host.

  1. Under Image, select SavedParent Server > Image name.

  1. Scroll to the Flavor area of the user interface, and then select the Flavor Class you need.
  1. Leave the remaining server options at their default settings, and then click Create Server. The service builds your cloud server. When the server is has been created successfully, the server status changes to Active.

The server may take up to an hour to spin up. The typical time is about 20 minutes. If the server does not spin up after an hour, create another cloud server.

  1. To protect a first generation Rackspace Public Cloud web server, review the following knowledge base article and follow the instructions to connect to the Managed WAF appliance. For more information, see Rackspace public cloud documentation.

A web server created before June 3, 2013, is considered a first generation Rackspace Public Cloud web server.

For more information, visit the Alert Logic YouTube page.

Complete the Managed WAF virtual appliance installation

To complete the Managed WAF appliance installation:

  1. Contact Alert Logic at +1-713-351-0215 to provision the appliance.
  2. Provide the public IP address for your cloud server: To locate this information:
    1. Log in to the Rackspace Public Cloud User Interface.
    2. Select Cloud Servers and the region where your server is located.
    3. Locate the cloud server IP address and provide this IP address to Alert Logic provisioning.
  3. The Alert Logic provisioning team completes your Managed WAF appliance installation and performs initial connectivity testing.

Enable inbound traffic

The Managed WAF appliance is now enabled; however, you must enable inbound traffic. Use the login credentials you received during the onboarding process to access the Alert Logic user interface.

To enable inbound traffic: 

  1. At the top of the Alert Logic console, from the drop-down menu, select WAF.
  2. In the left navigation, under Manage, click Appliances.
  3. Click Manage Appliance.
  4. Under System, click Interfaces. Select Inbound traffic.

Add a website

There are four major steps to complete:

  • Access the Add Website page
  • Modify the vritual web server section
  • Modify the real web servers section
  • Modify the Initial configuration section

Step 1: Access the Add Website page

To access the Add Website page: 

  1. At the top of the Alert Logic console, from the drop-down menu, select WAF.
  2. In the left navigation, under Manage, click Appliances.
  3. Click Manage Appliance that corresponds to the desired virtual appliance.
  1. In the left navigation, under Services, click Websites.
  1. Click Add Website.

Step 2: Modify the virtual web server section

In this step, add the website you want to protect. Managed WAF is deployed in reverse proxy mode. In reverse proxy mode, Managed WAF terminates requests and proxies the requests to the backend web server.

To modify the virtual web server section:

  1. In Add Website, from the Web Server Protocol list, select one of the following:
    • HTTP: This option creates a website proxy that responds to HTTP requests.
    • HTTPS: This option creates a website proxy that responds to HTTPS requests. Selection generates a temporary SSL certificate.
    • Both: This option creates a website proxy that responds to HTTP and HTTPS requests. Selection generates a temporary SSL certificate.
  1. In Web server domain name, type the URL of the website you want to protect.

  1. In the Listen IP left column, do one of the following:
    • Select an IP, and then click Add to add this IP to the Active Listen IP list in the right column. You can add more than one IP to the right column.

    • If the left column includes multiple IP addresses, you can select All Inbound, and then click Add to add all IP addresses to the Active Listen IP list in the right column. This option allows the virtual web server to listen to all IP addresses configured to accept inbound requests.

  1. In HTTP(S) listen port, type the port. The default ports are as follows:
    • HTTP: 80
    • HTTPS: 443

Selection of Both from the Web Server Protocol list makes both the HTTP and HTTPS boxes available.

  1. Select Default Host for listen IP.

When enabled the virtual host responds to all requests for the virtual host not configured as the primary host name or as a virtual host for other proxies listening to the same IP address. The Test your website proxystep assumes this option is selected. This behavior is convenient for testing since it will send any request that is not a policy violation to the backend web server.

Step 3: Modify the real web servers section

Use the real web servers section to identify any backend web server to be protected by Web Security Manager.

To modify the real web servers section:

  1. From the Real web server protocol list, select the connection protocol you want Web Security Manager to use for to a backend web server.
  • If you want traffic to a backend web server(s) to be encrypted, select https or both.
  • If traffic does not require encryption, select http.
  1. Select Validate real servers if you want Web Security Manager to send an HTTP request to the backend web server to verify it responds to HTTP requests.

Clear the check box if the backend web server is not yet running.

  1. In Real server IP or public domain name, type the private IP address or DNS name on which the web server is listening.
  1. In Port, type the port on which the web server is listening . The default ports are as follows:
    • HTTP: 80
    • HTTPS: 443
  1. From the Role list, select one of the following:
    • Active: Web Security Manager forwards requests to the backend web server.
    • Backup: Web Security Manager forwards requests to the backend web server only if no other servers are active.
    • Down: Web Security Manager does not forward requests to the backend web server.

Step 4: Modify the Initial configuration section

To modify the initial configuration section:

  1. Under Initial configuration, make sure WAF Default is selected.

    You can return to this option if you need to make changes.

  2. Click Save Configuration, and then click Apply changes.

    You can return to this option if you need to make changes.

  3. Click Save Configuration, and then click Apply changes.

Test your website proxy

You must test to verify Managed WAF can connect to the backend web server.

The following walkthrough assumes you have configured your website to be used as the default virtual host for the listen IP. You should also make sure that your website proxy is in Detect mode.

There are four major steps to complete:

  • Edit the local hosts file
  • Test for initial connectivity
  • Test in Detect mode
  • Test in Protect mode

Step 1: Edit the local hosts file

Edit the local hosts file to test traffic routed from the host provider through Managed WAF. This achieves the same result as reconfiguring NAT rules or making a host provider DNS change, but only the local PC is affected. This allows you to test Managed WAF prior to making a permanent NAT or DNS change.

To edit your local hosts file:

  1. Locate your hosts file. The host file can typically be found in the following locations:
    • For Windows PC users: %SystemRoot%\system32\drivers\etc\hosts
    • For Unix/Linux/Mac OS users: /etc/hosts
  2. Copy and save your original hosts file to another location.
  3. Edit the hosts file and route the host provider (www.example.com) through the Managed WAFweb application firewall (WAF) listen IP address (192.0.43.11).
  1. Save the hosts file.
    • Once you complete testing, replace the edited hosts with the original hosts file.

Step 2: Test for initial connectivity

To test for initial connectivity: 

  1. In your web browser's address bar, type your public web server IP, and then press Enter. The browser should open the default website for your Real web server. This test will not affect production traffic.

Step 3: Test in Detect mode

To test in Detect mode: 

  1. In your browser's address bar, type your public web server IP followed by /?x=a%00, and then press Enter.

www.example.com/?x=a%00

The browser should open the default website for your Real web server and the simulated DOS attack should be registered on the Deny log as a DOS attempt.

  1. On the Websites page, in the main menu, point to Log, and click Deny Log. To view details of any Deny log entry, click the Details icon ().

Step 4: Test in Protect mode

To test Protect mode:

  1. Open the Websites page.
  2. In the Websites list, for the website you want to test, in the Mode list, select Protect.

  1. In your browser's address bar, type your public web server IP, followed by /?x=a%00, and then press Enter.

    www.example.com/?x=a%00

    The browser should show a 404 error message. This attack should also be registered on the Deny log as a DOS attempt.

Route traffic through Managed WAF

After you have tested your website proxy, reconfigure NAT rules or make a host provider DNS change to route traffic to Web Security Manager permanently. DNS changes may take several days to propagate properly through the Internet domain servers. Once you have completed these initial steps, you can begin working with Managed WAF by adding additional sites to protect.