Configure Support for Akamai Dynamic Site Accelerator
You can configure WebApp Secure to work with a site that utilizes Akamai Dynamic Site Accelerator. You will need to make minor changes to your site's configuration in the Akamai Luna Control Center and in the Content Delivery Network section of the Security Engine configuration screen in the Web UI.
To make the necessary changes, do the following:
- Log into Luna Control Center and select the Configure tab.
- Click the link corresponding to the desired site configuration under Configuration Name.
- On the next screen, find the currently-active configuration and click Create Version from... in the right-hand column.
Make the following changes:
Table 3: Luna Control Center Configuration Changes

| Configuration Section | Parameter | Value |
|---|---|---|
| Honor HTTP Cache-Control and Expires Headers | Cache Control Headers | false (uncheck) |
| Honor HTTP Cache-Control and Expires Headers | HTTP Expires Headers | false (uncheck) |
| Browser Cache Control Headers | Pass through the origin's Cache-Control headers to the browser | true (select) |
| Browser Cache Control Headers | Pass through all origin cache control headers | true (select) |
| Edge Services - General | Enable True Client IP Header | true (check) |
| Edge Services - General | True Client IP Header Name | True-Client-IP (or other; see below) |
| Edge Services - General | Enable Edge Server Identification | false (uncheck) |

Note: Choosing a name for the True-Client-IP header other than the default can provide additional security by preventing malicious users from spoofing this header. Make a note of the value chosen for the header. You will need to configure it on the WebApp Secure side.
- After making these changes, scroll to the bottom of the page and activate the new Akamai configuration as you normally would.
- Once you have verified that your new Akamai configuration has gone live, log into the WebApp Secure Web UI. If you are configuring Akamai support for an application, browse to that application's configuration page. Otherwise, browse to the Content Delivery Network section of the Security Engine configuration (or use the Configuration CLI). Make the following changes:
Table 4: WebApp Secure Configuration Settings for Akamai Support

| Parameter ID | Parameter Name | Value |
|---|---|---|
| engine.cdn.akamai.enabled | Akamai: Enabled | true |
| engine.cdn.akamai.true_client_ip | Akamai: True-Client-IP Header | (value specified in Akamai configuration) |
| engine.cdn.akamai.incidents.spoofing.enabled | Akamai: Spoofing Incident Enabled | true or false |

- Set Akamai Enabled to true and True-Client-IP Header to the value that you configured in the Luna Control Center.
Note: If you want a security incident to be triggered when a client attempts to spoof a request through Akamai, you can enable the Akamai Spoof Attempt incident. This incident carries a severity of Medium and can be incorporated into custom Autoresponse rules.
Note: If WebApp Secure is configured to function alongside Akamai and a direct request comes in to the web server's backend, a warning will appear in mws.log, indicating "Unexpected direct access to origin server. This could be malicious or it could be origin site maintainers doing checkout." While this could be malicious, it could also be an indication that the site maintainer is doing work directly with the backend. It is always safe to confirm these direct backend requests with the webmaster.
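
The notes above on header naming, spoofing incidents and direct origin access can be illustrated with an origin-side check. The following is an added example, not WebApp Secure's or Akamai's own code: it classifies a request by whether its peer address belongs to a CDN edge and whether the client-IP headers it carries are plausible. Assumptions: the edge network range and the custom header name `X-Site-Client-IP` are constructed placeholders, and the CDN is assumed to set only the configured header, so a default-named `True-Client-IP` header arriving alongside it was supplied by the client.

```python
import ipaddress

# Constructed sample values (assumptions, not from the product): replace with
# your CDN's published edge ranges and the header name chosen in Table 3.
EDGE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed (TEST-NET-1)
CLIENT_IP_HEADER = "X-Site-Client-IP"                   # hypothetical custom name
DEFAULT_HEADER = "True-Client-IP"                       # default name from Table 3


def classify_request(peer_ip, headers):
    """Return (verdict, client_ip) for a request arriving at the origin.

    verdict: "via-cdn", "direct-access", "spoof-attempt" or "invalid-header".
    client_ip is the address that should be attributed to the request.
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    custom, default = CLIENT_IP_HEADER.lower(), DEFAULT_HEADER.lower()
    peer = ipaddress.ip_address(peer_ip)
    from_edge = any(peer in net for net in EDGE_NETWORKS)
    claimed = hdrs.get(custom)

    if not from_edge:
        # Only the CDN should assert a client IP. A non-edge peer carrying
        # either header is claiming an identity; never trust the value.
        if claimed is not None or default in hdrs:
            return "spoof-attempt", peer_ip
        # Plain direct hit on the origin: may be maintenance, confirm it.
        return "direct-access", peer_ip

    # With a custom header name configured, the edge sets only that header,
    # so a default-named header was passed through from the client.
    if custom != default and default in hdrs:
        return "spoof-attempt", claimed or peer_ip

    try:
        return "via-cdn", str(ipaddress.ip_address(claimed or ""))
    except ValueError:
        # Missing or malformed header from an edge: fall back to the peer.
        return "invalid-header", peer_ip
```
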