Configuring Upstream Servers in Web Application Firewall


Within Web Application Firewall (WAF), Upstream Servers are the web servers which the firewall protects from external attacks. WAF requires at least one Upstream Server to protect. If your web application is distributed across multiple servers, you can define each server in a load balancing configuration.

To configure your upstream server(s), go to Settings > Upstream in the grey navigation bar located on the Appliance page for your WAF.

Note: WAF is designed to protect and load balance a single web application. If your network hosts multiple different websites or web services, each will need its own instance of WAF.



Upstream Servers

This will be the first section found on the Upstream page. Enter your web servers one at a time via the Add Server button. You can use either a hostname or IP address to add a server.


Load Balancing

If you have more than one server running the same web application, WAF can load-balance between your servers. Once you add any additional servers, the Load Balancing Method options will be enabled.

Each server must be identical to the others, in that each is serving the same content (i.e., each server hosts the same website as the others). If you enter multiple servers which each host different content, WAF cannot tell the difference and may respond with unintended content.

The option you select determines how WAF distributes traffic between your servers:

Least Connections: The server with the fewest active connections will be used.
Round Robin: Each server will be used in turn: Server A, then Server B, then Server C, then Server A again, and so on.
Random: Each request is passed to a randomly selected server.

Each request is 'associated' with a server once a connection has completed. Further sessions from the same client will be directed to the same server.

If your server uses a login system, use the Sticky setting: if subsequent sessions are not sent to the same server, their authentication tokens will not match.



Listeners

The Listeners section determines which ports are used for HTTP and HTTPS traffic to your web server. The listening port is the port WAF monitors for requests, while the upstream port is the port WAF uses when passing traffic to the web server(s). Typically these will be HTTP/80 and HTTPS/443, but you can change them or add additional ports as necessary.



SSL Certificates

You may upload your server's SSL certificate here. Certificates must be in .pem format without password protection.

The private key must be included in this single file: your certificate file must include a section that begins with -----BEGIN PRIVATE KEY-----.
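A pre-upload check for the requirements above, added here as an example (it is not the vendor's code). The function name `check_waf_pem` and the sample bundles are hypothetical, and treating any key header other than `BEGIN PRIVATE KEY` as a finding is an assumption drawn from the header this article names.

```python
import re
import sys

# One PEM block; the back-reference makes the BEGIN and END labels agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def check_waf_pem(text):
    """Return a list of problems; an empty list means the file holds a
    certificate plus one unencrypted 'BEGIN PRIVATE KEY' block."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block")
    keys = [(label, body) for label, body in blocks
            if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block in the file")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    for label, body in keys:
        # PKCS#8 encrypted keys use their own label; traditional encrypted
        # keys keep the label and add a Proc-Type header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password protected")
        elif label != "PRIVATE KEY":
            # Assumption: only the header the article names is accepted.
            problems.append(f"key header is 'BEGIN {label}', not 'BEGIN PRIVATE KEY'")
    return problems

def _block(label, body="QUJDREVGR0g="):
    # Constructed placeholder body; not real certificate or key material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample bundles.
GOOD = _block("CERTIFICATE") + _block("PRIVATE KEY")
ENCRYPTED = _block("CERTIFICATE") + _block("ENCRYPTED PRIVATE KEY")
LEGACY_ENCRYPTED = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQUJD")
LEGACY_PLAIN = _block("CERTIFICATE") + _block("RSA PRIVATE KEY")
CERT_ONLY = _block("CERTIFICATE")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file: python check_pem.py bundle.pem
        with open(sys.argv[1]) as fh:
            found = check_waf_pem(fh.read())
        print("\n".join(found) or "OK")
        sys.exit(1 if found else 0)
    for name in ("GOOD", "ENCRYPTED", "LEGACY_ENCRYPTED", "LEGACY_PLAIN", "CERT_ONLY"):
        print(name, check_waf_pem(globals()[name]) or "OK")
```

Because the uploaded file contains an unencrypted private key, keep it readable only by its owner and remove working copies once the upload is done.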


Advanced Options

These options are provided to give you additional control and ability to fine-tune your WAF.

Client Max Body Size: The maximum allowed size of a client request. If a given request exceeds this size, WAF will return a 413 (Request Entity Too Large) error to the client. (Please note that web browsers will not display this error correctly.)
Client Timeout: If a client connects to the server but does not take any action within the specified timeframe, the session is closed.