Managing Sites and Site Groups

Introduction

A site is a web property serving API responses intended for consumption by an application. Your environment might have many sites, where some sites might not be under ThreatX protection.

You can add, edit, or remove sites with the ThreatX user interface or ThreatX API.

Site settings

Dashboard

menu:Settigs
ThreatX API

api.threatx.com/tx_api/v2/sites
The backend you define for each site can be a single CNAME or a list of IP addresses – wherever traffic can be properly routed to reach your origin servers.
Some of the settings are on the Sites page as column headers.
Expand Listener Configuration
Table 1. Listener Configuration
Setting Description

Host Name

Domain name protected by the sensor (for example, www.example.com). It must be unique across all configured sites and cannot contain uppercase letters. Once created, the configured hostname cannot be changed.

SSL/TLS Enabled

Allows HTTPS connections to the hostname. Use this setting to provide your own site certificate (in PEM format). The setting does not need to be enabled if using ThreatX managed certificates with Let’s Encrypt. For more information, see the Site certificates section.

SSL/TLS Terminate Only

If set, SSL/TLS connection is terminated at the sensor and requests are sent through a proxy to the backend using HTTP.

Redirect HTTP traffic to HTTPS

If enabled, requests made to the hostname using HTTP receive a 301 response code and are redirected to the same hostname using HTTPS instead.

HTTP2 Enabled

Allows HTTP Version 2 traffic.

Wildcard Subdomains Enabled

For example, if enabled for site with “example.com” hostname, site configuration also applies to all requests sent to “subdomain.example.com”.
Expand Backend Configuration
Table 2. Backend Configuration
Setting Description

Origin

Location where traffic can be properly routed to reach your origin server, also called a backend. You can specify a single hostname or CNAME, or a comma-separated list of IP addresses. If you are forwarding traffic to a load balancer, supply the FQDN or IP addresses of your load balancer. The sensor forwards all benign and unblocked traffic to that load balancer.

HTTP Backend Port

Port number of the origin server or load balancer accepting HTTP traffic.

HTTPS Backend Port

Port number of the origin server or load balancer accepting HTTPS traffic.
Expand Blocking Modes Configuration
Table 3. Blocking Modes
Setting Description

Risk-Based Blocking

If set, any entity with accumulated risk above the risk-based blocking threshold is blocked. The threshold settings are described in Blocking.

Request Blocking

If set, individual requests that are obvious hostile attacks, as determined by the ThreatX rules, aure blocked.

Manual Action Blocking

If set, users can manually add IP addresses to the blocked list and blacklist.
Expand Caching Configuration
Table 4. Caching Configuration
Setting Description

Static Caching Enabled

Enables static caching. See Performance.

Dynamic Caching Enabled

Enables dynamic caching. See Performance.
Expand Proxy Configuration
Table 5. Proxy Configuration
Setting Description

Maximum Request Body Size

Maximum client request body in MB as read from Content-Length header. Accepts values from 1 to 1,000,000 (1MB to 1TB). Default is 1MB.

Proxy Read Timeout

Timeout in seconds for reading a response from the backend. Accepts values from 1 to 3,600 (1 second to 1 hour). Default is 90 seconds.

Proxy Send Timeout

Timeout in seconds for sending a request to the backend. Accepts values from 1 to 3,600 (1 second to 1 hour). Default is 30 seconds.

Set Real IP From Enabled

When checked, client requests override the IP address (as recognized by sensors). Header Name. Provides the value for the IP override; for example, “X-Real-IP” or “X-Forwarded-For”. Letters, numbers, hyphens, and underscores only. Trusted Sources. IP addresses of the trusted sources.

Custom Response Headers Enabled

Inserts one or more custom headers into responses, including common security headers such as Content-Security-Policy. Each custom header must have a name and value.
Expand Access Configuration
Table 6. Access Configuration
Setting Description

Site Groups

You can assign the site to an existing site group, which allows you to limit which users can access the site configuration and its associated data.

Adding a site

  1. Use the ThreatX user interface or API to add the site and enter the configuration settings, as described in the Site settings section.

  2. If you are not using the Let’s Encrypt option for client-facing certificates, provide the SSL/TLS Certificat .pem file in the SSL/TLS Enabled site setting.

  3. Once the site is available in the ThreatX user interface, cut-over DNS to direct traffic to the CNAME provided for your tenant through your DNS provider. The CNAME records are provided in the IWAF settings, as described in the Firewall settings section under. This can be done at your own pace.

Adding a site can impact the cost of the ThreatX platform. For information, contact the ThreatX SOC.

If you are adding multiple sites, you can add the additional sites first then cut-over DNS after.

If your DNS provider does not allow you to point to a root domain directly to a CNAME, contact ThreatX SOC to provide the sensor ingress IP addresses to use as A records.

Once your site is configured and traffic is flowing through your sensor, you should see traffic populated in the dashboard. If you do not see any traffic, contact the ThreatX SOC.

On-Boarding Checklist

✔️ TX Protect Pre-Installation Checklist

Check the box next to any of the requirements that apply to your application…​

  • Processes requests with well-formed SQL queries (E.g., some help desk or bug-tracking software)

  • Processes requests with well-formed HTML (E.g., some content management systems)

  • Requires Two-way SSL/TLS (client authentication)

  • Uses web sockets

  • Requires a specific TLS version or cipher suite restriction (Default is TLS 1.2 and 1.3)

  • Supports unique business requirements necessitating custom WAF rules (E.g, blocking traffic from foreign countries)

  • Is located behind a firewall or content delivery network (CDN) in which connections from ThreatX service IP addresses would need to be explicitly allowed

If you checked one or more boxes, please contact ThreatX support for assistance with your TX Protect installation.

Site certificates

You have two options. You can use Let’s Encrypt or upload your own certificate.

The ThreatX platform can manage the SSL/TLS/TLS certificates presented to your site’s visitors with Let’s Encrypt. The Let’s Encrypt integration allows you to offload the overhead and management commonly associated with managing SSL/TLS/TLS certificates while ensuring that an expired certificate is never presented to your site’s visitors. For more information, contact the ThreatX SOC.

Use a Custom Certificate

To upload your own certificate using the ThreatX user interface, perform the following:

  1. Navigate to Settings  Sites.📦

  2. If updating a certificate for an existing site, locate the site. You can use the search icon in the Hostname column to locate a site. Then click Edit Site.

  3. In the configuration page, enable SSL/TLS Enabled.

  4. Click Settings  Edit SSL/TLS credentials

  5. Paste your** Site Certificate* Intermediate Certificate, and your Private Key, in PEM format and in that order.

  6. Click Save at the bottom of the page.

If adding a site, enter your certificate using steps 3 through 6.

To ensure the correct certificate is being presented, the ThreatX platform validates the following: fsssssfvcard domain is listed as the Common Name or in the SAN attribute within the certificate. * Current date is within the notBefore and notAfter fields. * Private key provided is the same key that was used to sign the certificate. * Formatting of the uploaded certificate chain is in the proper PEM format, without any headers present or any other characters that should not exist.

Troubleshooting

  • If any one of these criteria are not met, you will receive an error describing the issue and the old certificate continues to be utilized.

  • If you are certain that you have the correct certificate and key pair for the site and the certificate has not expired, and yet are still receiving an error, contact the ThreatX SOC.

  • Optionally, you can ask a third-party test group, such as Qualys SSL/TLS Lab, to test and validate your certificate.

Site groups

Dashboard

Settings  Site Groups
API

api.threatx.com/tx_api/v2/sitegroups

You can create a site group then assign sites to a single group, which allows you to limit which users can access the site configuration and its associated data.

When creating a group, give it a name, list of sites to include in the group, and list of users that can access the sites in the group.