
Troubleshooting WAF, CDN, and Load Balancer

Troubleshooting issues involving a Web Application Firewall (WAF), Content Delivery Network (CDN), and Load Balancer (LB) can be complex, because a request passes through several layers and any one of them can answer on behalf of the others. Here is a step-by-step guide, including testing methods and relevant commands, to isolate problems at each layer. The chain assumed throughout is CDN -> WAF -> LB -> application servers; `LB_IP`, `CDN_IP` and `WAF_IP` are placeholders for your own addresses.


### Step 1: Check Basic Connectivity

1. **Ping the Website**:

   ```sh
   ping -c 4 example.com
   ```

   A reply confirms that the address DNS handed back is reachable. No reply is not conclusive: most CDN and WAF edges, and many load balancers, drop ICMP echo requests by policy, so confirm with an HTTP request before concluding the site is down.

2. **Check DNS Resolution**:

   ```sh
   nslookup example.com
   dig +short example.com
   ```

   Note which address comes back. When a CDN or cloud WAF fronts the site, the record is usually a CNAME to the provider's hostname, and `dig` shows that chain; the IP you see is the provider's edge, not your load balancer. Compare it with the `LB_IP`, `CDN_IP` and `WAF_IP` used in the following steps so you know which layer a "normal" request actually reaches.


### Step 2: Verify Load Balancer

1. **Direct Access to Load Balancer**:

   Override name resolution so that `example.com` resolves to the load balancer's IP, bypassing the CDN and WAF in front of it. Replace `LB_IP` with the real address.

   ```sh
   sudo nano /etc/hosts
   ```

   Add the line:

   ```
   LB_IP example.com
   ```

   Alternatively, leave `/etc/hosts` alone and pin the name for a single request with `curl --resolve example.com:443:LB_IP https://example.com/`, which keeps both the Host header and the TLS SNI correct and cannot be forgotten afterwards.

2. **Test HTTP Response**:

   ```sh
   curl -I http://example.com
   ```

   Check the status code and headers to verify the load balancer is responding. `-I` sends a HEAD request, which some backends and filtering layers treat differently from GET; if the result looks odd, repeat with `curl -sS -o /dev/null -D - http://example.com` to send a GET and still see only the headers.

   If the load balancer answers a request that never passed through the CDN or WAF, note that anyone who learns `LB_IP` can do the same and bypass the WAF entirely. Outside of troubleshooting, the load balancer should only accept traffic from the CDN/WAF address ranges.

3. **Check Load Balancer Logs**:

   Access logs on the load balancer to see if requests are hitting it and how they are being routed. The path below is a placeholder; the real location depends on the product (for example, HAProxy logs through syslog and NGINX writes `/var/log/nginx/access.log` by default).

   ```sh
   tail -f /var/log/load_balancer.log
   ```


### Step 3: Verify CDN

1. **Direct Access to CDN**:

   Modify `/etc/hosts` to point `example.com` at a specific CDN edge address. In the normal path DNS already resolves to the CDN, so the purpose here is to pin one known edge (useful when only some regions or edges misbehave) rather than to bypass anything.

   ```sh
   sudo nano /etc/hosts
   ```

   Add the line:

   ```
   CDN_IP example.com
   ```

2. **Test HTTP Response**:

   ```sh
   curl -I http://example.com
   ```

   Check for CDN-specific headers. `X-Cache` (typically `HIT` or `MISS`) is common, while headers such as `X-CDN-Geo` are vendor-specific; check the provider's documentation for the exact names. Comparing these headers with the Step 2 response tells you which ones the CDN adds and whether the CDN is actually the layer answering.

3. **Check CDN Logs**:

   CDN edges are operated by the provider and are not servers you log into. Use the CDN management console (or its log export) to review request logs and analytics for the pinned edge.


### Step 4: Verify WAF

1. **Direct Access to WAF**:

   Modify `/etc/hosts` to point `example.com` at the WAF's IP. This bypasses the CDN only; the request still passes through the WAF and on to the load balancer.

   ```sh
   sudo nano /etc/hosts
   ```

   Add the line:

   ```
   WAF_IP example.com
   ```

2. **Test HTTP Response**:

   ```sh
   curl -I http://example.com
   ```

   Check for WAF-specific headers (for example `X-WAF-Status`; whether such a header exists, and its name, depends on the product). A WAF block usually shows up as a `403` with a vendor block page or a request/incident ID in the body, so fetch the body as well (`curl -s -D - http://example.com/`) when the status is unexpected.

   Compare with the Step 2 response: a request that succeeds directly against the load balancer but fails here was stopped by the WAF.

3. **Check WAF Logs**:

   Access the WAF management console or server to review logs for blocked or flagged requests, matching on the timestamp, your source IP and any request ID from the response.


### Step 5: Combined Testing

1. **Normal Access**:

   Reset `/etc/hosts` to its original state to test the complete chain (CDN -> WAF -> LB).

   ```sh
   sudo nano /etc/hosts
   ```

   Remove any custom entries for `example.com`, then confirm with `getent hosts example.com` (or `dig +short example.com`) that the name resolves to the CDN again.

2. **Test HTTP Response**:

   ```sh
   curl -I http://example.com
   ```

   The headers should now be the union of what each layer added in Steps 2 to 4. If a header or status seen in an earlier step is missing here, that layer is not in the path, or a layer in front of it is answering on its own (for example a cached response from the CDN).

3. **Trace Route**:

   Use `traceroute` to see the path packets take. On the normal path the trace ends at the CDN edge, since the WAF and load balancer sit behind it; repeat against `LB_IP` or `WAF_IP` to trace each layer separately. If ICMP is filtered along the way, `traceroute -T -p 443` probes with TCP SYN instead.

   ```sh
   traceroute example.com
   ```


### Analyzing Return Codes and Headers

- **200 OK**: Normal operation. Still compare the headers with the per-layer results above; a `200` served from CDN cache can hide a broken origin.

- **301/302 Redirect**: Ensure the redirection is intentional and correctly configured (a common case is an HTTP-to-HTTPS redirect added by the CDN or load balancer). Check the `Location` header; if two layers each redirect to the other you get a loop.

- **403 Forbidden**: Likely a WAF block; check the WAF logs for the request. An origin ACL or a load balancer that rejects direct access can also return `403`, which is why the per-layer test in Step 2 matters.

- **502 Bad Gateway / 504 Gateway Timeout**: The layer that answered could not reach, or timed out waiting for, the layer behind it; work backwards from the front of the chain.

- **503 Service Unavailable**: Check load balancer health checks and backend servers (no healthy backend). A CDN or WAF can also return `503` for rate limiting or a challenge page, so read the body and the `Server` header to see which layer produced it.


### Commands Summary:

- **Curl with Detailed Output**:

  ```sh
  curl -I -v http://example.com
  ```

  `-v` prints the address that was connected to and, for HTTPS, the TLS handshake and certificate, which tells you immediately which layer terminated the connection.

- **Check Headers for Specific Components**:

  Send the same request straight to each component with the `Host` header set, so the component still routes it as `example.com`. This works for plain HTTP without touching `/etc/hosts`; for HTTPS the TLS SNI must also match, so use `--resolve example.com:443:IP https://example.com/` instead of overriding `Host`.

  ```sh
  curl -I -H "Host: example.com" http://WAF_IP
  curl -I -H "Host: example.com" http://CDN_IP
  curl -I -H "Host: example.com" http://LB_IP
  ```

- **Logging into Servers**:

  This applies to components you operate. The log paths are placeholders; substitute the real ones for your load balancer and WAF. A CDN edge is normally the provider's server, so its logs come from the management console rather than SSH.

  ```sh
  ssh user@LB_IP
  tail -f /var/log/load_balancer.log

  # only if the "CDN" is a cache you run yourself
  ssh user@CDN_IP
  tail -f /var/log/cdn.log

  ssh user@WAF_IP
  tail -f /var/log/waf.log
  ```
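The per-layer probe described in Steps 2 to 5 and in the commands summary above, as one added shell example (this is not code from the original post). It assumes the CDN -> WAF -> LB chain of this post, pins `example.com` to each placeholder IP with `curl --resolve` so `/etc/hosts` is never edited, and classifies each answer from the status line and the headers named on this page (`X-Cache`, `X-WAF-Status`) plus a couple of common vendor cache headers, which are an assumption about your provider. The label, the IP addresses and the `HOST` value are placeholders to replace.

```shell
#!/bin/sh
# Added example, not from the original post. Probes each layer of the
# CDN -> WAF -> LB chain by pinning HOST to a chosen IP with curl
# --resolve (no /etc/hosts edits), then summarises each answer.
# HOST and the *_IP values passed on the command line are placeholders.

HOST=${HOST:-example.com}

# classify_headers: read a raw HTTP response header block on stdin and
# print one line: "<status> <layer-hint> server=<Server header>".
# The layer hint is a heuristic keyed on headers named on this page
# (X-Cache, X-WAF-Status) plus common vendor cache headers (assumed);
# "unknown" means nothing in the headers identified a CDN or WAF, and
# status 000 means no HTTP response arrived at all.
classify_headers() {
    status=""; server="?"; cdn=0; waf=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # strip CR of CRLF
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lower" in
            http/*)   status=$(printf '%s' "$line" | awk '{print $2}') ;;
            server:*) server=${line#*:}; server=${server# } ;;
            x-cache:*|cf-cache-status:*|x-served-by:*) cdn=1 ;;
            x-waf-status:*) waf=1 ;;
        esac
    done
    if [ "$cdn" = 1 ] && [ "$waf" = 1 ]; then hint="cdn+waf"
    elif [ "$cdn" = 1 ]; then hint="cdn"
    elif [ "$waf" = 1 ]; then hint="waf"
    else hint="unknown"; fi
    printf '%s %s server=%s\n' "${status:-000}" "$hint" "$server"
}

# interpret STATUS HINT: suggest the next step, following the
# status-code section of this page. A 403 is attributed to the WAF only
# when WAF headers were seen; otherwise it may be an origin/LB ACL.
interpret() {
    case "$1" in
        2??) echo "ok: compare headers with the other layers" ;;
        3??) echo "redirect: check Location and confirm it is intentional" ;;
        403) if [ "$2" = waf ] || [ "$2" = cdn+waf ]; then
                 echo "blocked at WAF: check WAF logs for this request"
             else
                 echo "403 without WAF headers: check origin/LB ACLs"
             fi ;;
        502|504) echo "upstream unreachable or timed out: check the layer behind $2" ;;
        503) echo "no healthy backend or challenge page: check LB health checks" ;;
        000) echo "no HTTP response: connection failed (ICMP may be filtered, test TCP)" ;;
        *)   echo "status $1: inspect body and headers" ;;
    esac
}

# probe_layer LABEL IP: GET https://HOST/ directly from IP while keeping
# the Host header and TLS SNI correct (unlike -H "Host:" over plain HTTP).
# A GET with the body discarded is used instead of -I because some
# layers treat HEAD differently. Prints "LABEL: <summary> | <next step>".
probe_layer() {
    label=$1; ip=$2
    summary=$(curl -sS -o /dev/null -D - --max-time 10 \
                --resolve "${HOST}:443:${ip}" "https://${HOST}/" 2>/dev/null \
              | classify_headers)
    set -- $summary
    printf '%s: %s | %s\n' "$label" "$summary" "$(interpret "$1" "$2")"
}

# Usage: HOST=example.com sh probe.sh lb LB_IP waf WAF_IP cdn CDN_IP
# With no arguments only the functions are defined.
while [ "$#" -ge 2 ]; do
    probe_layer "$1" "$2"
    shift 2
done
```

Run it once per layer and read the three lines side by side: a `403 waf` straight at the WAF but `200 unknown` straight at the LB is a WAF rule firing, while a `200` at the LB that the CDN never reaches points at the layer in between. A `000` against `LB_IP` while the CDN answers normally is the expected result once the load balancer is restricted to the CDN/WAF address ranges.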


### Conclusion

By systematically overriding name resolution (via `/etc/hosts` or `curl --resolve`) and comparing the responses and logs from each component (Load Balancer, CDN, WAF), you can isolate the layer where a problem occurs. Reset the hosts file after each test; otherwise later tests silently hit the wrong layer, and a stale entry pointing at `LB_IP` keeps bypassing the WAF from that machine.
