Skip to content

CDN filtering nodes

The Nodes section of the Wallarm Console UI allows you to manage the nodes of the Wallarm node and CDN node types. This article is about CDN nodes.

Wallarm CDN node operates as a reverse proxy to the protected server. It analyzes incoming traffic, mitigates malicious requests and forwards legitimate requests to the protected server.

CDN node operation scheme

As for the other characteristics of the Wallarm CDN node:

  • Hosted by the third-party cloud provider, so no resources are required from your infrastructure to deploy the CDN node.

    Uploading request data to the third-party cloud provider

    Some data on processed requests is uploaded to the Lumen service.

  • Uploads some request data to the Wallarm Cloud. Learn more about uploaded data and cutting the sensitive data

  • Operates in the safe blocking mode relying on the IP graylist contents to identify suspected traffic and block it.

    To change the mode, use the corresponding rule.

  • The CDN node is fully configured via Wallarm Console UI. The only setting to be changed in another way is adding the Wallarm CNAME record to the protected resource's DNS records.

Creating a node

To create the CDN node, please follow the instructions.

Viewing details of a node

The details of the installed node are displayed in the table and card of each node. To open the card, click the appropriate table record.

The following node properties and metrics are available:

  • Node name generated based on the protected domain's name

  • Node IP address

  • Origin address associated with the protected domain

  • Unique node identifier (UUID)

  • Node status

  • SSL/TLS certificate: Let's Encrypt generated by Wallarm or the custom one

  • Time of the last synchronization of the filtering node and Wallarm Cloud

  • Date of the filtering node creation

  • Number of requests processed by the node in the current month

  • Versions of used custom_ruleset and proton.db

  • Versions of installed Wallarm API Security packages

  • Indicator of available component updates

CDN node card

Updating the origin address of the protected resourse

If your hosting provider dynamically updates the origin IP address or domain associated with the protected resource, please keep the origin address specified in the CDN node configuration up to date. Otherwise, requests will not reach the protected resource since the CDN node will try to proxy them to an incorrect origin address.

To update the origin address, use the Edit origin address option.

Uploading the custom SSL/TLS certificate

Wallarm automatically issues the Let's Encrypt certificate enabling HTTPS on the CDN node domain. Certificates are generated and renewed automatically as needed.

If you already have a certificate for the protected domain and prefer that to the Let's Encrypt certificate, you can upload your own using the Update SSL/TLS certificate option.

Deleting a node

When the filtering node is deleted, the filtration of requests to your domain will be stopped. The deleting of the filtering node cannot be undone. The Wallarm node will be deleted from the list of nodes permanently.

  1. Delete the Wallarm CNAME record from the DNS records of the protected domain.

    Malicious request mitigation will be stopped

    Once the CNAME record is removed and changes take effect on the Internet, the Wallarm CDN node will stop request proxying, and legitimate and malicious traffic will go directly to the protected resource.

    It results in the risk of the protected server vulnerability exploitation when deleted DNS record took effect but the CNAME record generated for the new node version did not take effect yet.

  2. Wait for the changes to be propagated. The actual CNAME record status is displayed in Wallarm Console → NodesCDNDelete node.

  3. Delete the CDN node from the node list.

Deleting the node

CDN node troubleshooting

What do CDN node statuses mean?

The following statuses may appear in Wallarm Console → Nodes for CDN nodes:

  • Registering: Wallarm registers the CDN node in the cloud provider.

    Required action: wait for the Requires CNAME status to add the Wallarm CNAME record to the protected domain's DNS records.

  • Requires CNAME: Wallarm CNAME record is not added to the DNS records of the protected domain or it is added but not propagated yet.

    Required action: add the CNAME record provided by Wallarm to the DNS records of the protected domain or wait for the changes to take effect on the Internet.

    If changes do not take effect for more than 24 hours, please check that your domain provider successfully updated the DNS records. If so, but the Not propagated yet status is still displayed in Wallarm Console, please contact the Wallarm technical support.

    The next expected status is Active.

  • Configuring: Wallarm processes changed origin address or SSL/TLS certificate.

    Required action: wait for the Active status.

  • Active: Wallarm CDN node mitigates the malicious traffic.

    Required action: none. You can monitor the events the CDN node detects.

  • Deleting: Wallarm deletes the CDN node.

    Required action: none, please wait for deletion to be finished.

How to identify the CNAME record propagated?

The Nodes section of Wallarm Console displays the actual status of whether the Wallarm CNAME record took effect on the Internet. If the CNAME record is propagated, the CDN node status is Active.

In addition, you can check the HTTP response headers with the following request:

curl -v <PROTECTED_DOMAIN>

If the Wallarm CNAME record is propagated, the response will contain the section-io-* headers.

If the CNAME record is not propagated for more than 24 hours, please check that your domain provider successfully updated the DNS records. If so, but the Not propagated yet status is still displayed in Wallarm Console, please contact the Wallarm technical support.

The CDN node is highlighted in red in the Nodes section. What does it mean?

If the CDN node is highlighted in red in the Nodes section, an error occurred during its registration or configuration due to the following possible reasons:

  • Unknown error while registering the node in the third-party cloud provider

    Required action: contact the Wallarm technical support.

  • Invalid custom SSL/TLS certificate

    Required action: make sure the uploaded certificate is valid. If not, upload the valid one.

The CDN node highlighted in red does not proxy requests and as a result, does not mitigate malicious traffic.

Why the CDN node could disappear from the node list in Wallarm Console?

Wallarm deletes CDN nodes with CNAME records left unchanged for 10 or more days since the moment of the node creation.

If you find the CDN node disappeared, create a new node.