Prisma Cloud Compute: WAAS unable to block internet attacks for a Web Server hosted behind a Reverse Proxy Server
3404
Created On 07/15/22 01:58 AM - Last Modified 11/27/24 18:09 PM
Symptom
Sample Setup
{Internet} ---- [Reverse Proxy Server] ---- [Apache HTTP Web Server]
- Apache HTTP Web Server hosted behind a Reverse Proxy Server.
- Prisma Cloud Defender installed on the Web Server.
- However, Prisma Cloud WAAS unable to block internet attacks (such as SQL injection or SQLi) for this Web Server.
Environment
- Prisma Cloud Compute
- Reverse Proxy
Cause
- The attack will not be blocked by providing either the IP address or Hostname of the Internal Web Server under:
Compute > Defend > WAAS > Host > Rule > App definition > Protected endpoints > HTTP host.
Resolution
- Review the WAAS Events under Monitor > Events > WAAS for hosts > Select an Attack type > Aggregated WAAS Events.
In the following example, we select the Attack type 'SQL Injection' to view all the Aggregated WAAS Events for this attack.
- The HTTP data section will provide decoded URL of the HTTP Host (Reverse Proxy Server URL in our case).
- Change the HTTP Host to this URL under:
Compute > Defend > WAAS > Host > Rule > App definition > Protected endpoints > HTTP host.
Additional Information
- For more information, refer: WAAS Troubleshooting
- To perform curl-based tests that can be used to verify endpoints have been properly defined, refer: App Firewall Settings
Eg. To test SQL injection, run the following command:
curl -I http://<http_hostname>:<external_port>/\?id\=%27%20OR%20%271
- If the attack is blocked successfully, you should see an HTTP 403 Forbidden message.