Just Another Security Tip for your Websites: CDNfy everything

CDN's are very popular these days. Their main purpose is to off-load the servers and increase the speed of the website. I will explain here why you need a CDN from the performance and security point of view and if your website doesn't have CDN native support, how you can enable it with mod_cdn.

Technically Speaking, What is a CDN?

They are just inverse proxies. The concept is not new; inverse proxies have been around for quite some time. Their main goal is to protect the main web server by caching common objects and filtering HTTP queries that may try to exploit any possible vulnerability. An inverse proxy usually is hosted in the same network as the webserver is.

At some point, someone realized that if you have different inverse proxies around the world, you may improve drastically the performance of your website. Hence CDN's were born.

CDN's could be all in front of the main web server (full approach) or just partially. It depends on the architecture of the site.

• Partial CDN: only some URL's hit the CDN directly. Usually, these objects are static objects such as Images or Videos. The dynamically generated objects are still gotten from the main server (or the inverse proxy, if it exists). The big advantage of this approach is that the main server is able to see the originating IP of the client (in case the given website wants to do geolocalization filtering, for example) and because you will have more than one FQDN in your HTML code, objects will be downloaded faster. The not-so-good news is that the main server will need to implement its own security measures to stop attacks.
  
• Full CDN or Full Inverse Proxy: all the objects (dynamic and static) are gotten from the CDN. The bright side of this approach is that this kind of CDN services already have implemented a lot of security measures (such as DoS or SQL injection, among others), however, your website may lose the ability to get the client's source IP; some CDN networks forward the source IP in an X header.
  

Push vs Pull CDN

That is completely another thing, with nothing to do with the partial or full approach. When you read about a push or pull CDN, the vendor is referring to how it will get the objects.

• Push approach: you will literally need to send the object to the CDN servers and they will be stored there until you remove them. Vendors usually bill for the used space as well. If the CDN is requested an object that is not saved there but does exist in the main server, it won't try to pull it.
• Pull approach: works as an inverse proxy, you do not need to store anything just to tell the CDN servers where to pull data from. When a CDN node gets an object request for the very first time, it will pull it from the original web serve and store it in a temporal cacher; subsequent queries will use the cached object if it hasn't expired, otherwise, a new pull will be done.

Benefits of a CDN from a Performance Point of View

Modern websites now have a lot of objects to download: javascript, images, fonts, iframes, etc. A simple website will host all the objects within the same server. If your page is complex enough with 200 objects, your browser will end doing 200 object request to the same host. You will notice a considerable slowness while charging.

Moden web browsers won't overload your server with 200 requests on the spot, instead, they cap the simultaneous calls they can do. It is well-known Chrome does six simultaneous requests to the same FQDN. By adding extra FQDN's in your HTML code, you are working around this limitation. Instead of having a single FQDN (like inside-out.xyz), you may have two (static.inside-out.xyz) like this website. You will be able to have twice the connections (if there is no other limit) which are translated to having a quicker loading time.

CDN networks also take care of the latency issue (slowness because nodes are distant). CDNs have many points of presence around the world; with some Smart DNS queries, static.inside-out.xyz may resolve to a different IP if you are in Canada than if you are in Australia. There is no better thing than having cached content close to you. The following image shows how users find the closest CDN node.

In short, the faster the better SEO a website will have.

Benefits of a CDN from a Security Point of View

I would say that CDN is a perfect countermeasure for anything that threatens availability. CDN's usually have sophisticated controls to avoid anything from a DoS attacks to complex HTTP attacks. It is actually what is called a Layer-7 firewall. This usually works with a full CDN approach.

This approach will hide the Web server IP from the attacker. Making it, almost impossible to reach directly.

How do I Implement a CDN?

If you are lucky, the software you use will have support for CDN, you just need to do configurations.

How do I Implement a CDN if the Web Site doesn't Have CDN Support?

Happily for us, we have mod_cdn. It was quite difficult to find the source of this project. There are many articles that describe how to use mod_cdn, but you will find that the URL they publish is broken (domain doesn't exist any more). After diggin a little, I found it. Documents describe verion 1.1.0, I found 1.1.1.

I will describe here how I did it to make it work. Since I am an Apache sysadmin, this is the procedure I will be describing. The easiest way to install mod_cdn is by using my CentOS 7 & 8 RPM repository. After adding the repository, just type yum install mod_cdn. If you are using the wrong distribution (non RPM), you may need to download the source and compile manually, it is almost straitforward.

Since CDN are more domain-specific, the best approach is to configure them inside a VirtualHost tag. I suggest to start with something like this:

<IfModule mod_cdn.c>

    CDNHTMLDocType XHTML
    CDNHTMLToServer https://static.inside-out.xyz
    CDNHTMLFromServers inside-out.xyz
    CDNHTMLRemapURLServer \.png$ i
    CDNHTMLRemapURLServer \.jpe?g$ i
    CDNHTMLRemapURLServer \.gif$ i
    CDNHTMLRemapURLServer \.css$ i
    CDNHTMLRemapURLServer \.js$ i
    CDNHTMLRemapURLServer \.mp4$ i
    CDNHTMLRemapURLServer \.mp3$ i
    CDNHTMLRemapURLServer \.mp4#t=[\d\.]+ i
    CDNHTMLRemapURLServer \.jpe?g\?.+ i
    CDNHTMLRemapURLServer \.png\?.+ i
    CDNHTMLRemapURLServer \.js\?.+ i

    CDNHTMLLinks img src
    CDNHTMLLinks link href
    CDNHTMLLinks object data
    CDNHTMLLinks input src
    CDNHTMLLinks script src
    CDNHTMLLinks a href
    CDNHTMLLinks a data-remote
    CDNHTMLLinks source src
</IfModule>

Where:

• CDNHTMLToServer: species the CDN url to use.
• CDNHTMLFromServers: specifies the source URLs. You can specify more than one, use spaces.
• CDNHTMLRemapURLServer: specifies in a regular expresion the URL's to substitute. This is where you specify how to know if the object is static or not. \.png$ i specifies PNG images without parameters and no-case sensitive. You will need to specify all the possible combinations.
• CDNHTMLLinks: specifies the tag and the propierty to read the URL from. img src means that it will use the src propierty from the img tag. You will need to specify all the possible combinations.

The Github page of the project have a very clear explanation on all the options. This is just to start right away, in most cases it is all what you need. I have done a fork to make it work with Apache 2.4 and use CentOS library path (/usr/lib64), if you are going to compile by hand, make sure to make it point to the right place of your distribution.

After that, just restart your Apache, call the web page and you will see the tags you have configured CDNfied.

Good luck!