- Description
- Types
- Setup - The basics of getting started with cudawaf
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
With the Barracuda Web Application Firewall, administrators do not need to wait for clean code or even know how an application works to secure their applications. Organizations can ensure robust security with a Barracuda Web Application Firewall hardware or virtual appliance, deployed either on-premises or in the cloud. This module enables management of the Barracuda Web Application Firewall using Puppet..
The following features can be configured using this module:
A Virtual Service is a combination of a Virtual IP (VIP) address and a TCP port, which listens and directs the traffic to the intended Service. The resource type for this feature is "cudawaf_service".
A server object can be used to configure the networking information of the back-end server to be hosted on the Barracuda Web Application Firewall. Multiple real servers can be added and configured to load balance the incoming traffic for a Service. The resource type for this feature is "cudawaf_server".
A signed certificate is a digital identity document that enables both server and client to authenticate each other. Certificates are used with HTTPS protocol to encrypt secure information transmitted over the internet. A certificate can be generated or procured from a third party Certificate Authority (CA). The resource type for this feature is "cudawaf_certificate". Generated certificates can be self-signed or signed by a trusted third-party CA. A certificate contains information such as user name, expiration date, a unique serial number assigned to the certificate by a trusted CA, the public key, and the name of the CA that issued the certificate.
A comprehensive cloud-based service that enables administrators to monitor and configure multiple Barracuda Networks products from a single console. The resource type for this feature is "cudawaf_cloudcontrol".
A rule group server object can be used to configure the networking information of the back-end server to be hosted on the Barracuda Web Application Firewall. Multiple real servers can be added and configured to load balance the incoming traffic for a rule group. The resource type for this feature is “cudawaf_rule_group_server”.
Rules are used to configure content-aware switching over incoming web traffic. Rules help analyze an HTTP request headers to make load balancing and caching policy decisions. The resource type for this feature is “cudawaf_rule_group”.
A Security Policy determines what action to take when one or more of the rules match the request. All security policies are global and can be shared among multiple Services configured on the Barracuda Web Application Firewall. The resource type for this feature is “cudawaf_security_policy".
The detailed documentation on each of these REST API end points can be found here : Barracuda Web Application REST API v3
The following components are necessary to use this module:
- A server running as a Puppet master.
- A Puppet agent running as a Puppet Device proxy to the Barracuda WAF.
- A Barracuda Web Application Firewall running the firmware version v9.1 or above
Install the following gems:
-
Typhoeus
-
Rest-Client v 1.8.0 Rest client needs dependencies to be installed, most likely gcc and gcc-c++ follow the instructions below:
Install gcc and gcc-c++ :
On CentOS:
yum install gcc, gcc-c++
To install the gem files:
Using the puppetserver gem binary (required):
/opt/puppetlabs/bin/puppetserver gem install typhoeus -v 1.3.0
/opt/puppetlabs/bin/puppetserver gem install rest-client -v 1.8.0
Using the Puppet agent gem binary (required)
/opt/puppetlabs/puppet/bin/gem insall typhoeus -v 1.3.0
/opt/puppetlabs/puppet/bin/gem install rest-client -v 1.8.0In some cases, external dependencies can cause errors such as "Error in retreiving resource statement". Increasing read and execute permissions to the gemspec on the master can help solve this problem.
Default Location of the gemspec files:
/opt/puppetlabs/puppet/lib/ruby/gems/2.0.1/specifications
To change permissions:
chmod 777 rest-client-1.8.0.gemspec
chmod 777 typhoeus-1.*Please note: After you are changing permissions, please remember to restart the puppetserver daemon.
/opt/puppetlabs/bin/puppetserver stop
/opt/puppetlabs/bin/puppetserver startThe best way to handle these is to use the 'Package' resource and run the puppet agent command on the target node. Sample manifest of the Package resource:
package { 'typhoeus' :
ensure => present,
provider => 'puppet_gem',
}
package { 'rest-client' :
ensure => '1.8.0',
provider => 'puppet_gem',
}puppet module install barracuda-cudawafpuppet module install barracuda-cudawaf --environment=<env-name>/opt/puppetlabs/puppet/bin/gem install rest-client -v 1.8.0
/opt/puppetlabs/puppet/bin/gem install typhoeus
To use the module, first configure a Puppet agent that is able to run puppet device.
This agent will be used to act as a "proxy system" for the puppet device subcommand.
Path and file name:
/etc/puppetlabs/puppet/device.conf
Example "device.conf" file
[waf-1]
type cudawaf
url http://admin:<password>@<ip_address>:8000/
puppet device -v --user=rootCreate a HTTP service with a Rule Group and Rule group Server, and connect the WAF to the Barracuda Cloud Control
cudawaf_service { 'DemoService2':
ensure => present,
name => 'MyService2',
type => 'HTTP',
ip_address => '10.11.2.2',
port => 8000,
group => 'default',
vsite => 'default',
status => 'On',
address_version => 'IPv4',
comments => 'Demo service',
}
cudawaf_security_policy { 'securitypolicy1':
ensure => present,
name => 'custom',
}
cudawaf_cloudcontrol { 'CloudControl':
ensure => present,
state => 'not_connected',
connect_mode => 'cloud',
username => '[email protected]',
password => 'password'
}
cudawaf_rule_group { 'RuleGroup-1':
ensure => present,
name => 'ContentRule1',
service_name => 'MyService2',
url_match => '/testing.html',
host_match => 'www.example.com'
}
cudawaf_rule_group_server { 'RuleGroupServer-1':
ensure => absent,
name => 'rgServer1',
service_name => 'MyService2',
rule_group_name => 'ContentRule1',
identifier => 'Hostname',
hostname => 'barracuda.com'
}
The following example manifests can be used to create resources on the Barracuda Web Application Firewall:
cudawaf_service { 'WAFSVC-1':
ensure => present,
name => 'WAFSERVICE',
type => 'http',
mask => '255.255.255.255',
ip_address => '10.0.0.1',
port => '80',
group => 'default',
vsite => 'default',
status => 'On',
address_version => 'ipv4',
enable_access_logs => 'Yes',
svcname => 'ProdService',
}cudawaf_server { 'WAFSERVER-2':
ensure => present,
name => 'server2',
identifier=> 'IP Address',
address_version => 'IPv4',
status => 'In Service',
ip_address => '192.168.1.10',
service_name => 'ProdService',
port => '80',
comments => 'Server for ProdService',
}cudawaf_certificate { 'WAFUPLOADSIGNEDCER-1':
ensure => present,
name => 'signedcert1',
signed_certificate => '/home/wafcertificates/root.pem',
allow_private_key_export => 'yes',
type => 'pem',
key =>'/home/wafcertificates/privkey.pem',
assign_associated_key => 'no',
upload => 'signed'
}
cudawaf_certificate { 'WAFUPLOADTRUSTEDCER-1':
ensure => present,
name => 'trustedcert1',
trusted_certificate => '/home/wafcertificates/cer.pem',
upload => 'trusted'
}
cudawaf_certificate { 'WAFUPLOADINTERMEDIATESIGNEDCER-1':
ensure => present,
name => 'signedcertint1',
signed_certificate => '/home/wafcertificates/root.pem',
intermediary_certificate => '/home/wafcertificates/inter.pem',
allow_private_key_export => 'no',
type => 'pem',
key =>'/home/wafcertificates/privkey.pem',
assign_associated_key => 'no',
upload => 'signed'
}
cudawaf_certificate { 'WAFUPLOADTRUSTEDSERVERCER-1':
ensure => present,
name => 'trustedservercert1',
trusted_server_certificate => '/home/wafcertificates/cer.pem',
upload => 'trusted_server'
}cudawaf_cloudcontrol { 'WAFCouldControl-1':
ensure => present,
connect_mode => 'cloud',
state => 'connected',
username => '[email protected]',
password => 'password'
}A Virtual Service is a combination of a Virtual IP (VIP) address and a TCP port, which listens and directs the traffic to the intended Service.
Specifies the IP Protocol to be used with the service. Must be "IPv4",
Specifies if the service should be enabled "On" or disabled "Off"
Specifies the name for the service. Must be a valid string
Specifies the listening port for the service
Specifies the description for the service
Specifies if the service should be created with the access logs enabled i.e "Yes" or disabled i.e "No"
Specifies the session idle timeout. Must be a valid number or 0
Specifies the app-id for the service
Specifies the service group in which the Service is to be created. Must be a group present in the WAF.
Specifies the vsite object in which the Service will be created.
Specifies the type of service to be created. Example: HTTP or HTTPS
Specifies if the service should have Advanced DdoS Prevention service enabled i.e "Yes" or disabled i.e "No",
Specifies the listening ip address for the service
Specifies the subnet mask for the service
A server object can be used to configure the networking information of the back-end server to be hosted on the Barracuda Web Application Firewall. Multiple real servers can be added and configured to load balance the incoming traffic for a Service.
Specifies if the server identifier should be an ip address i.e "IP Address" or a hostname i.e "hostname"
Specifies IP Protocol. Must be IPv4
Specifies if the real server should be enabled or disabled. Must be set as one of In Service, Out of Service Maintenance, Out of Service Sticky, Out of Service All
Specifies the name for the server
Specifies the ip address for the server. Must be set if the identifier is set as "IP Address"
Specifies the hostname for the server. Must be set if the identifier is set as "hostname"
Specifies the port number to be bound with the server
Specifies a description for the server
The certificate file to be uploaded should be specified with the path
Specifies the name for the certificate
Specifies the type for the certificate. Options are pkcs12 and pem
Specifies the key type for the certificate being uploaded
Specifies the signed certificate file
Specifies if the uploaded certificate should be associates with a private key that is stored on the WAF system
Specifies the private key file
Specifies the intermediary certificate to be used with the signed certificate during the upload
Specifies if the WAF should allow the private key is to be exported when the certificate is exported
Specifies the password for the pkcs12 certificate
The certificate file to be uploaded should be specified with the path
Specifies the name for the certificate
Specifies the trusted server certificate file
The certificate file to be uploaded should be specified with the path
Specifies the name for the certificate
The certificate file to be uploaded should be specified with the path
city:
common_name:
country_code:
curve_type:
key_size:
key_type:
name:
organization_name:
organization_unit:
san_certificate[
"DNS:<domain name>,"
"Email:<email address>,"
"URI:<Provide the URI.>",
"IP:<Provide the IP.>"
]
state:
Specifies the mode of connections. Must be "cloud"
Specifies the password to be used for the cloud control connection. This should be available before using this resource type.
Specifies the state of the connection
Specifies the Barracuda Cloud Control username for the connection. This should be available before using this resource type.
Specifies the name for the security policy
Specifies the name for the rule group
Specifies the name of the service under which the rule group should be created
Specifies the app id for the rule group
Specifies any user comments under the rule group created
Specifies the extended match to be used with the rule group for matching the incoming request
Specifies the extended match sequence number for the rule
Specifies the host header match for the rule group
Specifies the security policy mode for the rule group
Specifies if the rule group is enabled or disabled
Specifies the url match for the rule group
Specifies the security policy for the rule group
Specifies the name for the rule group server
Specifies if the server identifier should be an ip address i.e "IP Address" or a hostname i.e "hostname"
Specifies IP Protocol. Must be IPv4
Specifies if the real server should be enabled or disabled. Must be set as one of In Service, Out of Service Maintenance, Out of Service Sticky, Out of Service All
Specifies the name for the server
Specifies the ip address for the server. Must be set if the identifier is set as "IP Address"
Specifies the hostname for the server. Must be set if the identifier is set as "hostname"
Specifies the port number to be bound with the server
Specifies a description for the server
Specifies the name of the rule group under which the server has to be created
Specifies the name of the service
Specifies the ip address of the backup server if the primary server is not reachable
Specifies the identifier for the server. Mention "IP Address" or "Hostname"
Specifies the hostname if the identifier is set to Hostname
Specifies the weight for the rule group server
This module is intended to be supported on all PE-supported platforms. However, it has been currently tested on Ubuntu/Linux platforms only.
Barracuda modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. Please follow our guidelines when contributing changes.
For more information, see our module contribution guide.
To see who's already involved, see the list of contributors.