Hi
At the moment we are using Apache+modsecurity/Haproxy and right now we are evaluating the Riverbed Stingray with Application Firewall to see if it fills our requirements.
Apache is typically divided into IP:PORT:Hostname unique sections/files. As we can see, Stingray is using unique IP:PORT virtual servers where the rules will use the Request Header "Host". So if we handle many hostnames we will always have to include Request Header "Host" in each rule. Is that right? In our case we will probably use a minimum of 500 rules in the test environment on the same virtual server (port 80) and probably the same number of rules for another virtual server (port 443). In Apache it's easy to see the "rules" because they are grouped in a separate virtualhost (IP:HOST:Hostname unique), which is a separate file. How can we handle this in Riverbed Stingray? Right now we can just see all rules placed under the same virtual server in Stingray (for all hostnames).
In our setup we have all the Apache/HAproxy configuration files in version control. A Configuration Management system is used to generate the Apache/Haproxy configuration files from templates and then push them to the servers. All are just plain text files and it is easy to edit and manipulate them if we want to make some changes across multiple files. We can also schedule new configuration files and reload Apache/Haproxy at a specified time. Can we somehow do the same with Riverbed Stingray?
We are typical devops in our team and not network/security experts, and that is why we want to try Riverbed Stingray, but we still want to automate most of the tasks.
Thanks in advance.
Hi Khuong,
If you're overloading the IP:PORT with multiple host names then you'll have to use TrafficScript if you want to do different things based on the host name.
You can have a separate rule per hostname on the Stingray. At the top of each rule you can have something like:
if (http.getHostHeader() == "www.site1.com") {
# do work
}
You can definitely have the rules under version control. Stingray has a built-in REST API that makes this easy to do; scroll down to page 103. Basically do a PUT request to /api/tm/2.0/config/active/rules/<rulename> with a Content-Type of application/octet-stream. There are other APIs to modify the configuration of Pools, Virtual Servers, etc. Hope this helps.
Faisal
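The workflow described in the answer above, as an added example that is not part of the original posts or Riverbed's own code: it renders one Host-guarded TrafficScript rule per hostname and builds the PUT request for it. The rule naming scheme, the base URL with port 9070, HTTP Basic authentication and the credentials are assumptions; the rule bodies are constructed samples.

```python
import base64
import re
import urllib.parse
import urllib.request

# Strict hostname check: the value is embedded in a TrafficScript string
# literal and in a URL path, so anything else is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

API_PREFIX = "/api/tm/2.0/config/active/rules/"  # path quoted in the answer


def rule_name(hostname):
    """Hypothetical naming scheme: one rule per hostname, e.g. host-www.site1.com."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("refusing unsafe hostname: %r" % hostname)
    return "host-" + hostname


def render_rule(hostname, body):
    """Wrap a per-host TrafficScript body in the Host-header guard from the answer."""
    rule_name(hostname)  # validates before the value reaches the script text
    indented = "\n".join("   " + line for line in body.splitlines())
    return 'if (http.getHostHeader() == "%s") {\n%s\n}\n' % (hostname, indented)


def build_put(base_url, hostname, body, user, password):
    """Build (without sending) the PUT request that uploads one rule."""
    url = (base_url.rstrip("/") + API_PREFIX
           + urllib.parse.quote(rule_name(hostname), safe=""))
    # Assumption: the REST API accepts HTTP Basic authentication.
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        url,
        data=render_rule(hostname, body).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/octet-stream",
                 "Authorization": "Basic " + token})


if __name__ == "__main__":
    # Constructed sample; in practice the bodies come from files in version control.
    rules = {"www.site1.com": "# do work", "www.site2.com": "# do other work"}
    for host, body in sorted(rules.items()):
        # Assumed base URL and placeholder credentials.
        req = build_put("https://stingray.example:9070", host, body, "admin", "changeme")
        print(req.get_method(), req.full_url)
        print(req.data.decode(), end="")
        # urllib.request.urlopen(req) would send it; left out so this runs offline.
```

Rejecting hostnames that do not match the pattern keeps a malformed entry in the configuration management data from breaking out of the quoted string in the generated rule or altering the request path.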
Hi
It looks like we will only be using TrafficScript. One TrafficScript for each hostname that can be uploaded via REST API.