sunhux asked:
WAF's Accept-Encoding leads to very slow zip/rar files being uploaded

We are implementing an optimisation for content retrieval in a container
app (docker) UI endpoint.
During the trial, users complained that uploading files (though I did not get
precise advice on how big the uploaded files are; we currently
allow zip and rar files of up to 100MB) was very slow.
It's thought that it could be because the file size was too big.

Hence we implemented an optimisation at the backend.
Basically, the nginx container at the backend will return the compressed version of the file if the client requests it.
However, for this to work we need the HTTP header Accept-Encoding to be passed to the backend.
Right now the WAF config is set to block the header when passing the request to the backend.

It's going to take some approvals to configure the WAF (Barracuda, but
the reseller vendor is not really of any help) to let 'Accept-Encoding'
pass through the WAF, but this opens up security gaps.

In the event that testing shows this is the cause, we can't set the WAF
to let it through.  What can we do?

I know Gmail/Google only allows attachments of no more than
25MB, but is this due to AV (or WAF or ?) causing slowness if
uploaded attachments are bigger?  The WAF has AV scanning too,
so I'm wondering if the slowness is due to the WAF's AV.


One suggestion (but do assess if it's feasible) came up:
Instead of end-to-end compression, which would result in the WAF not being able to inspect the content, thus allowing exploits through,
turn on compression at the WAF end. This will allow traffic between the browser and the WAF to be compressed while leaving the backend at status quo.
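As an added illustration (it is not from the original post, nor from Barracuda or nginx documentation), the following Python model shows the negotiation the question turns on. Accept-Encoding is a request header that governs how the response is encoded: the backend compresses only when the request reaches it with that header, so a WAF that strips it forces identity (uncompressed) responses. The second model is the suggested alternative: the WAF forwards a plain request, inspects the uncompressed body it gets back, and compresses only on the browser-facing leg. The sample body, the function names and the two WAF models are constructed for this example; the Accept-Encoding parsing follows the q-value syntax of RFC 7231 section 5.3.4.

```python
import gzip
import zlib

# Constructed sample payload standing in for the file the nginx backend would serve.
SAMPLE_BODY = b"<html><body>" + b"report line\n" * 2000 + b"</body></html>"

# Content codings this model backend knows how to produce.
SUPPORTED = ("gzip", "deflate")


def parse_accept_encoding(header):
    """Parse an Accept-Encoding value into {coding: q} (RFC 7231 s5.3.4 syntax)."""
    prefs = {}
    if header is None:
        return prefs
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        q = 1.0  # absent q parameter means q=1
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # malformed weight: treat the coding as refused
        prefs[coding] = q
    return prefs


def choose_encoding(header):
    """Pick the best supported coding the client accepts, else 'identity'."""
    prefs = parse_accept_encoding(header)
    best, best_q = "identity", 0.0
    for coding in SUPPORTED:
        # A wildcard applies only to codings the client did not list explicitly.
        q = prefs.get(coding, prefs.get("*", 0.0))
        if q > best_q:
            best, best_q = coding, q
    return best


def encode(body, coding):
    """Apply the chosen content coding to the body."""
    if coding == "gzip":
        return gzip.compress(body)
    if coding == "deflate":
        return zlib.compress(body)
    return body


def backend_response(request_headers):
    """Model of the nginx backend: compress only if the request carries Accept-Encoding."""
    coding = choose_encoding(request_headers.get("Accept-Encoding"))
    body = encode(SAMPLE_BODY, coding)
    return {"Content-Encoding": coding, "Content-Length": str(len(body))}, body


def strip_accept_encoding(headers):
    """What the WAF in the question does today: drop the header before forwarding."""
    return {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}


def waf_strips_header(client_headers):
    """Current setup: the backend never sees Accept-Encoding, so it never compresses."""
    return backend_response(strip_accept_encoding(client_headers))


def waf_compresses_at_edge(client_headers):
    """Suggested setup: plain request to the backend, inspect the plain body,
    then compress only on the browser-facing leg."""
    be_headers, be_body = backend_response(strip_accept_encoding(client_headers))
    if be_headers["Content-Encoding"] != "identity":
        raise RuntimeError("backend must return an uncompressed body for inspection")
    inspected = be_body  # the WAF's content inspection / AV scan sees plain bytes here
    coding = choose_encoding(client_headers.get("Accept-Encoding"))
    body = encode(inspected, coding)
    return {"Content-Encoding": coding, "Content-Length": str(len(body))}, body


def compare_setups(client_headers):
    """Return the coding and wire size the client sees under each WAF model."""
    cur_h, cur_b = waf_strips_header(client_headers)
    edge_h, edge_b = waf_compresses_at_edge(client_headers)
    return {
        "stripped": (cur_h["Content-Encoding"], len(cur_b)),
        "edge": (edge_h["Content-Encoding"], len(edge_b)),
        "edge_roundtrip_ok": gzip.decompress(edge_b) == SAMPLE_BODY
        if edge_h["Content-Encoding"] == "gzip" else edge_b == SAMPLE_BODY,
    }


if __name__ == "__main__":
    print(compare_setups({"Accept-Encoding": "gzip, deflate, br"}))
```

The point the model makes concrete is that the security property (inspection of plain bytes) and the performance property (a compressed browser-facing leg) are decided on different hops, so letting Accept-Encoding reach the backend is not the only way to get compression.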
ASKER CERTIFIED SOLUTION
btan
(solution text available to members only)
sunhux (ASKER)
Thanks, will test out the suggestion given.

The WAF has AV scanning too, so I'm wondering if the slowness is due to the WAF's AV.

One suggestion is to use geo-location in the Barracuda WAF: not to inspect compressed
content from IPs in the local country (as the local country's IPs are rarely known to be
malicious) but to inspect those from other countries?
SOLUTION
(solution text available to members only)
sunhux (ASKER)
Ok, yes, we do have a NIDS/NIPS and it has built-in
AV scanning too.  On our nginx Linux servers and
containers, there's no AV currently,
so it's not as bad; we just need to factor in the option and a risk assessment. First, it is best to know the root cause before jumping into too many options.