Blocking Cross Origin data posting to the CA AXA/APM Browser Agent infrastructure
Article ID: 129590
Updated On:
Products
CA Application Performance Management Agent (APM / Wily / Introscope)
INTROSCOPE
Issue/Introduction
In the case of on-premise DXI implementations which use the Experience Collector (DXC) it is desirable for the DXI backend to reject data being posted by Browser Agent (or equivalent) which does not match the source origin domain for the application page where the Browser Agent is embedded or injected.
Solution that has been tested by Broadcom/CA Engineering:
Solution that has been tested by Broadcom/CA Engineering:
<Please see attached file for image>
Environment
All On-premise environments with DXC (APM 10.5+ and AXA 17.x+).
Resolution
NGINX loadbalancer configuration procedure
In the loadbalancer in the DMZ, the nginx configuration file was modified through the following steps.
- login to the nginx load balancer
- navigate to nginx/nginx-1.13.0 (or corresponding location)
- open the ' nginx.conf ' file in an editor
- In the 'server' section of the conf file uncomment/add the following lines.
location ~* (bajs|extjs|profile|(b|B)rowserMetrics) {
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' 'http://<mywebsite>.com';
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type';
return 200;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' 'https:// <mywebsite> .com';
}
- After this change, the nginx will need to be restarted - execute " ./services.sh restart " command
Expected result:
- This should block all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
Actual result:
- DXC blocked all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
In the loadbalancer in the DMZ, the nginx configuration file was modified through the following steps.
- login to the nginx load balancer
- navigate to nginx/nginx-1.13.0 (or corresponding location)
- open the ' nginx.conf ' file in an editor
- In the 'server' section of the conf file uncomment/add the following lines.
location ~* (bajs|extjs|profile|(b|B)rowserMetrics) {
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' 'http://<mywebsite>.com';
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type';
return 200;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' 'https:// <mywebsite> .com';
}
- After this change, the nginx will need to be restarted - execute " ./services.sh restart " command
Expected result:
- This should block all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
Actual result:
- DXC blocked all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
Additional Information
Note: This configuration requires the loadbalancer to be in the DMZ and direct DXC access from the DMZ is blocked via firewall to the DXC. To prevent access in the secure zone to the DXC by unauthorized clients, you may also setup IPTABLES on the DXC servers to only allow the loadbalancer as an originating IP address for the web port being used by the DXC.
Attachments
Feedback
Yes
No
Powered by
