Airlock Web Application Firewall Integration

Airlock 5.1

There is a known issue with Airlock version 5.1 and its ICAP SDK implementation. Please do not use it with unblu. Update Airlock to a newer version such as Airlock 5.3.

Screenshots

The screenshots in this article may differ from your version of Airlock and are outdated. They are in the process of being updated.


1. Introduction

Airlock is a secure reverse proxy server that manages the data flow between a visitor of the website and the corporate web server(s). When you use unblu Enterprise, you need to configure Airlock as follows:

  1. First, you need to specify an ICAP connection to the unblu server (ICAP is a messaging protocol that proxy servers often use to communicate with other servers).
  2. Then, you need to tell Airlock which requests to forward to the unblu server.
  3. Finally, you need to tell Airlock to forward the requests only when a co-browsing session is established. This reduces network traffic. Note that you need Airlock 4.2.5 or higher to use this feature.

2. Requirements And Prerequisites

To use the unblu module, you need an Icap license. To check the license, go to System Setup, click License, and make sure that Icap is set to on:

Before you can configure the Airlock reverse proxy server, you need to install and configure unblu. A minimal configuration for unblu so that it works with Airlock is in the appendix. Note that this is intended for quick reference, and not to provide a comprehensive guide to running unblu in a high-security environment.

3. Specifying the ICAP Connection

To specify the ICAP connection, proceed as follows:

  1. Click System Setup, and then click Network Services. The Network Services panel opens.
  2. Click the Plus sign to add a new ICAP server.
  3. In the Description field, type the name you want to use for the connection.
  4. In the ICAP Service URL, type the URL of the unblu server (here: http://rocketeer:7777/) followed by the path sys-unblu/airlockicap/
  5. Click the Submit button.

4. Adding the unblu Server to Airlock


Airlock keeps two lists of servers: The list of virtual hosts (that is, all servers that receive requests) and the list of back-end groups (that is, all servers or groups of servers that answer the requests). To add the unblu server to Airlock, you need to add it to the back-end group, as follows:

  1. In the Reverse Proxy administration screen, click the Plus sign in the "Back-end Group" list. Airlock creates a new back-end group (that is, a new group of servers that receive requests). The group contains one empty entry for a server.
  2. Type the name you want to use for the unblu back-end group.
  3. Type the protocol, host and port of the unblu server.
  4. Click Submit.

5. Mapping the application responses

To map the application responses, you need to configure Airlock to forward any application responses to the unblu server via ICAP. Proceed as follows:

  1. In the Reverse Proxy administration screen, edit the mapping of your application (for the example, we use a mapping called "ebanking").
  2. Click the ICAP tab.
  3. Check the Handle response checkbox. In the ICAP service list, select the unblu ICAP service you have specified before.
  4. Click Submit. Airlock now forwards all responses to the unblu server via ICAP. Note that this does not affect the regular processing of the responses.
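What Airlock puts on the wire once Handle response is enabled is an ICAP RESPMOD request: the client's request headers, the back end's response headers and the response body, packed into one message whose Encapsulated header gives the byte offset of each part (RFC 3507). The following is an added example, not code from Airlock or unblu, that builds such a message and parses it back; the sample request, response and body are constructed, and the request line uses the icap:// scheme of RFC 3507 while the page enters the service in Airlock as an http:// URL (the exact bytes Airlock sends are not shown on the page).

```python
from urllib.parse import urlsplit


def _chunked(body):
    """Encode a body in HTTP chunked transfer coding, as ICAP requires."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def _dechunk(data):
    """Decode a chunked body back into bytes (chunk extensions ignored)."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2


def build_respmod(service_url, request_header_lines, response_header_lines, body):
    """Build an ICAP RESPMOD request (RFC 3507 section 4.9.2).

    The Encapsulated header lists the offset of each part, counted from the
    start of the encapsulated section (so req-hdr is always 0). Each header
    block ends with an empty line, and that terminator counts toward the
    next offset.
    """
    req_hdr = "\r\n".join(request_header_lines).encode() + b"\r\n\r\n"
    res_hdr = "\r\n".join(response_header_lines).encode() + b"\r\n\r\n"
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_head = (
        "RESPMOD %s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Encapsulated: %s\r\n\r\n"
    ) % (service_url, urlsplit(service_url).netloc, encapsulated)
    return icap_head.encode() + req_hdr + res_hdr + _chunked(body)


def parse_respmod(message):
    """Split a RESPMOD request into (request_line, req_hdr, res_hdr, body)
    using only the offsets announced in its Encapsulated header."""
    head, _, encapsulated_part = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().decode()
    offsets = {}
    for item in headers[b"encapsulated"].split(","):
        name, _, value = item.strip().partition("=")
        offsets[name] = int(value)
    ordered = sorted(offsets, key=offsets.get)
    parts = {}
    for i, name in enumerate(ordered):
        start = offsets[name]
        end = offsets[ordered[i + 1]] if i + 1 < len(ordered) else len(encapsulated_part)
        parts[name] = encapsulated_part[start:end]
    return (lines[0].decode(), parts["req-hdr"], parts["res-hdr"],
            _dechunk(parts["res-body"]))


if __name__ == "__main__":
    # Constructed sample: a request to the "ebanking" mapping carrying the
    # unblu recorder-session cookie, and the back end's HTML response.
    msg = build_respmod(
        "icap://rocketeer:7777/sys-unblu/airlockicap/",
        ["GET /ebanking/ HTTP/1.1", "Host: www.example.com",
         'Cookie: x-unblu-recorder-session="a1b2-c3"'],
        ["HTTP/1.1 200 OK", "Content-Type: text/html"],
        b"<html><body>Account overview</body></html>")
    print(msg.decode())
    print(parse_respmod(msg))
```

The parser deliberately trusts nothing but the Encapsulated offsets, which is how an ICAP server such as the unblu service locates the response it is asked to modify; an off-by-one in those offsets corrupts the response headers on the ICAP side while the regular response processing in Airlock is unaffected.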

6. Configuring the Mapping

In the Passthrough Cookies group, click Use regular expression, and then type x-unblu-session|x-unblu-recorder-session. This means that Airlock will forward unblu's session cookies.

7. Mapping the Co-Browsing Connection

Now you need to add a new reverse proxy mapping that forwards co-browsing requests to the unblu server. Setting this up is straightforward, but requires some configuring to make sure that cookies and HTTP headers are forwarded correctly.

8. Adding a Reverse Proxy Mapping for unblu

To add the mapping, proceed as follows:

  1. In the Reverse Proxy administration screen, click the Plus Sign in the mapping list. Airlock now adds a new mapping.
  2. By hovering over and clicking the connection lines, connect the mapping from the virtual host to the unblu back-end server.


9. Configuring the Mapping

To configure the mapping, click the Pen icon on the mapping you have just created. Then, proceed as follows:

  1. Type the name you want to use for the mapping. For the example, we use "unblu".
  2. For both entry path and back-end path, type /unblu/
  3. In the Passthrough Cookies group, click Use regular expression, and then type x-unblu-session|x-unblu-recorder-session. This means that Airlock will forward unblu's session cookies.

10. Configuring the Allow Rules

  1. In the Reverse Proxy administration screen, edit the mapping of your application, and then click the Allow Rules tab.
  2. Increase Max path length to at least 4 kB.
  3. Click Submit.

11. Allowing unblu Request Headers

If you restrict the headers that Airlock forwards, then you need to add unblu's request headers to the list of allowed headers. Proceed as follows:

  1. In the Reverse Proxy administration screen, edit the mapping of your application, and then click the Advanced tab.
  2. If Restrict request headers is checked, add the following entries to the list of the allowed headers: x-unblu-xui, x-unblu-client, x-unblu-page, x-unblu-referer.
  3. If Restrict response headers is checked, add the following entries to the list of the allowed headers: Pragma, Cache-Control, Expires, x-unblu-xui, x-unblu-client, x-unblu-page, x-unblu-start-time.
  4. Click Submit.


12. Restricting the mapping to co-browsing sessions

With Airlock 4.2.5 and later, you can configure the mapping to use the ICAP forwarding only if a co-browsing session is established. This reduces traffic on your internal network, because the ICAP requests are sent only when required. To configure this, proceed as follows:

  1. In the Expert Settings, click Security Gate.
  2. Put the text below into the text field (or add it to any existing text if you have already specified a mapping). Replace <backendappmapping> with the name of the mapping for which you have specified the ICAP forwarding (in this example, it is "ebanking").
  3. Click Submit. Airlock will now use the ICAP forwarding only if the unblu co-browsing session is present.


SecurityGateway * Mapping.<backendappmapping>.Response.Icap.Position "CLIENT_VIEW"
SecurityGateway * Mapping.<backendappmapping>.Response.Icap.RequestHeaders.Pattern "x-unblu-recorder-session=\"[0-9a-z-]+\""
SecurityGateway * Mapping.<backendappmapping>.Response.Icap.RequestHeaders.IgnoreCase "FALSE"
SecurityGateway * Mapping.<backendappmapping>.Response.Icap.RequestHeaders.InvertPattern "FALSE"
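The rule above only gates ICAP forwarding on the request carrying a recorder-session cookie; the passthrough cookie regex from sections 6 and 9 decides which cookies reach the back end at all. The following added example, not code from Airlock or unblu, models both decisions on constructed request headers so you can see which requests cause ICAP traffic and which cookies get through. It assumes RequestHeaders.Pattern is searched in each "Name: value" request header line, and since the page does not say whether the passthrough regex is anchored to the whole cookie name, both behaviours are shown.

```python
import re

# Constructed copies of the two patterns given on this page.
ICAP_TRIGGER_PATTERN = r'x-unblu-recorder-session="[0-9a-z-]+"'
PASSTHROUGH_COOKIE_PATTERN = r"x-unblu-session|x-unblu-recorder-session"


def icap_forwarding_enabled(request_headers, pattern=ICAP_TRIGGER_PATTERN,
                            ignore_case=False, invert_pattern=False):
    """Model the Security Gate condition: is the response to this request
    sent to the unblu ICAP service?

    request_headers: dict of header name -> value (constructed input).
    The pattern is searched in every "Name: value" line (assumption about
    what RequestHeaders.Pattern matches). ignore_case and invert_pattern
    mirror the IgnoreCase and InvertPattern keys of the rule.
    """
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    matched = any(regex.search(f"{name}: {value}")
                  for name, value in request_headers.items())
    return matched != invert_pattern


def forwarded_cookies(cookie_header, pattern=PASSTHROUGH_COOKIE_PATTERN,
                      anchored=True):
    """Model the passthrough cookie filter: which cookies reach the back end.

    anchored=True applies the regex to the whole cookie name (fullmatch);
    anchored=False applies it as a substring search, which also lets a
    cookie like x-unblu-session-extra through. Which one Airlock does is
    not stated on the page; check it against your version.
    """
    regex = re.compile(pattern)
    test = regex.fullmatch if anchored else regex.search
    kept = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and test(name):
            kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed sample requests: one inside a co-browsing session, one not.
    cobrowsing = {"Host": "www.example.com",
                  "Cookie": 'JSESSIONID=1; x-unblu-recorder-session="a1b2-c3"'}
    plain = {"Host": "www.example.com", "Cookie": "JSESSIONID=1"}
    for name, hdrs in (("co-browsing", cobrowsing), ("plain", plain)):
        print(name, "-> ICAP:", icap_forwarding_enabled(hdrs),
              "cookies passed:", forwarded_cookies(hdrs["Cookie"]))
```

Two points the model makes visible: with IgnoreCase "FALSE" a recorder-session value containing uppercase characters does not match the character class, so no ICAP request is made for it, and with InvertPattern "TRUE" the rule would forward exactly the responses you meant to exclude, which is worth checking before you submit the Security Gate text.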


13. unblu Configuration

A minimal configuration setting to run unblu with Airlock is as follows. Note that this is intended only as an overview and not as a guide on how you run unblu in a high security environment.


com.unblu.identifier.siteEmbeddedSetup=true
com.unblu.cobrowsing.hideOfflineFlap=true

Note: If your Airlock virtual host is configured to use SSL, you need to add the following line to your unblu.properties file:


com.unblu.review.server.airlockicap.request.hostScheme=https


Note: If you are using Apache Tomcat as a servlet container, you need to configure Tomcat to load the property file. There are different ways to do this, depending on how you administer Tomcat and your Java platform. For example, you can add the following line to the Tomcat start script, catalina.sh:


JAVA_OPTS="-Dcom.unblu.propertyoverlay=file:///<path to>/unblu.properties"
