Airlock 5.3 Web Application Firewall Integration

1. Introduction

Airlock is a secure reverse proxy server that manages the data flow between a visitor of the website and the corporate web server(s). When you use the unblu collaboration server, you need to configure Airlock as follows:

  1. Set up an ICAP connection to the unblu server (ICAP is a messaging protocol that proxy servers often use to communicate with other servers).
  2. Specify which requests to forward to the unblu server.
  3. Restrict requests so that they are only forwarded while a co-browsing session is established. This reduces network traffic.

2. Requirements And Prerequisites

To use the unblu module, you need an ICAP license. To check the license, go to System Setup, click License, and make sure that Icap is set to on.

Before you can configure the Airlock reverse proxy server, you need to install and configure unblu. A minimal configuration for unblu so that it works with Airlock is in the appendix. Note that this is intended for quick reference, and not to provide a comprehensive guide to running unblu in a high-security environment.

3. Specifying the ICAP Connection

To specify the ICAP connection, proceed as follows:

  1. Click System Setup, and then click Network Services. The Network Services panel opens.
  2. Click the Plus sign to add a new ICAP server.
  3. In the Name field, type the name you want to use for the connection.
  4. In the ICAP Service URL field, type the URL of the unblu server (here: http://unbluhost/) followed by the path sys-unblu/airlockicap/.
  5. Click the Submit button.

4. Adding the unblu Server to Airlock


Airlock keeps two lists of servers: The list of virtual hosts (that is, all servers that receive requests) and the list of back-end groups (that is, all servers or groups of servers that answer the requests). To add the unblu server to Airlock, you need to add it to the back-end group, as follows:

  1. In the Reverse Proxy administration screen, click the Plus sign in the "Back-end Group" list. Airlock creates a new back-end group (that is, a new group of servers that receive requests). The group contains one empty entry for a server.
  2. Type the name you want to use for the unblu back-end group.
  3. Type the protocol, host and port of the unblu server.
  4. Click Submit.




5. Mapping the application responses

To map the application responses, you need to configure Airlock to forward any backend responses to the unblu server via ICAP. Proceed as follows:

  1. In the Reverse Proxy administration screen, edit the mapping of your application (in this example, we use a mapping called "backend").
  2. Click the ICAP tab.
  3. Click the Plus Sign in the ICAP Response Client View. Check the Handle response checkbox. In the ICAP service list, select the unblu ICAP service you created in section 3 above.
  4. In the Request Header Value Pattern field (Value, not Name!), add the regular expression x-unblu-recorder-session=\"[0-9a-z]+\", and make sure the pattern is case sensitive and not inverted.
  5. Click Submit. Airlock now forwards all responses belonging to a running co-browsing session to the unblu server via ICAP.



6. Mapping the Co-Browsing Connection

Now you need to add a new reverse proxy mapping that forwards co-browsing requests to the unblu server. Setting this up is straightforward, but some configuration is required to make sure that cookies and HTTP headers are forwarded correctly.

7. Adding a Reverse Proxy Mapping for unblu

To add the mapping, proceed as follows:

  1. In the Reverse Proxy administration screen, click the Plus Sign in the mapping list. Airlock adds a new mapping.
  2. In the Basic tab, give the mapping a name, specify the Entry Path (use the Directory type), make sure it is case sensitive, and, further below, make sure the passthrough cookies are defined as x-unblu-session|x-unblu-recorder-session.
  3. Click the Submit button to apply the mapping.


8. Configuring the Allow Rules

  1. In the Reverse Proxy administration screen, edit the mapping of your application, and then click the Allow Rules tab.
  2. Increase Max path length to at least 4 kB.
  3. Click Submit.



9. Allowing unblu Request/Response Headers

If you restrict the headers that Airlock forwards, you need to add unblu's request and response headers to the lists of allowed headers. Proceed as follows:

  1. In the Reverse Proxy administration screen, edit the mapping of your application, and then click the Request Actions tab.
  2. Select the middle icon of the (default) Request header whitelist to create a customized version of it. In the Header Name Pattern field, add the following entries to the list of allowed headers: x-unblu-xui, x-unblu-client, x-unblu-page, x-unblu-referer.
  3. Make sure the pattern is case insensitive and inverted.
  4. Click Submit.


  1. Go to the Response Actions tab.
  2. Click the middle icon of the (default) Response header whitelist to create a customized version of it. In the Header Name Pattern field, add (or make sure they are present) the following headers: Pragma, Cache-Control, Expires, x-unblu-xui, x-unblu-client, x-unblu-page, x-unblu-start-time.
  3. Make sure the pattern is case insensitive and inverted.
  4. Click Submit.
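The value pattern from section 5, the passthrough cookies from section 7 and the header whitelists from section 9 are easy to get subtly wrong (case sensitivity, inverted or not). The following added example, which is not Airlock or unblu code, is a deliberately simplified model of those three filters so you can check what your configured patterns actually match against captured request headers; the matching semantics and the sample request are assumptions, and only the unblu entries of the whitelists are reproduced, not Airlock's default entries.

```python
import re

# Patterns exactly as the steps above configure them in Airlock.
# Section 5, step 4: Request Header Value Pattern, case sensitive, not inverted.
RECORDER_SESSION_VALUE = re.compile(r'x-unblu-recorder-session=\"[0-9a-z]+\"')
# Section 7, step 2: passthrough cookies of the unblu mapping.
PASSTHROUGH_COOKIES = re.compile(r'^(x-unblu-session|x-unblu-recorder-session)$')
# Section 9: unblu entries added to the header whitelists (case insensitive).
# Airlock's default whitelist entries are NOT reproduced here (assumption).
REQUEST_HEADER_WHITELIST = {"x-unblu-xui", "x-unblu-client", "x-unblu-page", "x-unblu-referer"}
RESPONSE_HEADER_WHITELIST = {"pragma", "cache-control", "expires", "x-unblu-xui",
                             "x-unblu-client", "x-unblu-page", "x-unblu-start-time"}


def icap_response_handled(request_headers):
    """Model of section 5: the response goes to unblu via ICAP only if some
    request header *value* matches the case-sensitive pattern."""
    return any(RECORDER_SESSION_VALUE.search(v) for v in request_headers.values())


def passthrough_cookies(cookie_header):
    """Model of section 7: keep only cookies whose name matches the passthrough
    pattern; all other cookies stay in Airlock's cookie store (assumption)."""
    kept = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and PASSTHROUGH_COOKIES.match(name):
            kept[name] = value
    return kept


def whitelist_headers(headers, allowed_names):
    """Model of section 9: an inverted, case-insensitive name whitelist drops
    every header whose name is not on the list."""
    return {n: v for n, v in headers.items() if n.lower() in allowed_names}


# Constructed sample request; all values are made up for this demonstration.
SAMPLE_REQUEST = {
    "Cookie": 'JSESSIONID=9f3a; x-unblu-session=s1; x-unblu-recorder-session="a1b2c3"',
    "X-Unblu-Client": "1",
    "X-Custom-Debug": "on",
}

if __name__ == "__main__":
    print("ICAP response handling:", icap_response_handled(SAMPLE_REQUEST))
    print("cookies forwarded to unblu:", passthrough_cookies(SAMPLE_REQUEST["Cookie"]))
    print("request headers kept:", whitelist_headers(SAMPLE_REQUEST, REQUEST_HEADER_WHITELIST))
```

Replace SAMPLE_REQUEST with headers captured from your own traffic; an uppercase session value, for example, fails the case-sensitive pattern and the response is not sent to unblu.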


10. unblu Configuration

A minimal configuration for running unblu with Airlock is as follows. Note that this is intended only as an overview and not as a guide on how to run unblu in a high-security environment.


com.unblu.identifier.siteEmbeddedSetup=true
com.unblu.cobrowsing.hideOfflineFlap=true
com.unblu.domcap.server.filter.airlock.enableAirlockIcap=true

Note: If your Airlock virtual host is configured to use SSL, you need to add the following line to your unblu.properties file:


com.unblu.review.server.airlockicap.request.hostScheme=https


Note: If you are using Apache Tomcat as the servlet container, you need to configure Tomcat to load the property file. There are different ways to do this, depending on how you administer Tomcat and your Java platform. For example, you can add the following line to the Tomcat start script, catalina.sh:


JAVA_OPTS="-Dcom.unblu.propertyoverlay=file:///<path to>/unblu.properties"