Blocking Cross Origin data posting to the CA AXA/APM Browser Agent infrastructure

Article ID: 129590

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

In on-premise DXI implementations that use the Digital Experience Collector (DXC), it is desirable for the DXI backend to reject data posted by the Browser Agent (or an equivalent client) whose origin does not match the domain of the application page in which the Browser Agent is embedded or injected.

 

Solution that has been tested by Broadcom/CA Engineering:

[Image: diagram of the tested deployment (load balancer in the DMZ in front of the DXC); see the attached image under Attachments.]

Environment

All On-premise environments with DXC (APM 10.5+ and AXA 17.x+).
 

Resolution

NGINX load balancer configuration procedure

On the load balancer in the DMZ, the nginx configuration file was modified as follows.
- Log in to the nginx load balancer.
- Navigate to nginx/nginx-1.13.0 (or the corresponding installation directory).
- Open the ' nginx.conf ' file in an editor.
- In the 'server' section of the configuration file, uncomment or add the following lines. The scheme must be https:// for all three methods; the allowed origin must match the scheme and host of the application page exactly, since browsers compare the Access-Control-Allow-Origin value against the page origin as a string.
 
location ~* (bajs|extjs|profile|(b|B)rowserMetrics) {

    # Plain GET: only pages served from https://<mywebsite>.com may read the response
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
    }

    # Preflight: answer here with the allowed origin, methods and request headers
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Content-Type';
        return 200;
    }

    # Data posted by the Browser Agent
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
    }

    # The existing directives for this location (the forwarding to the DXC) remain here unchanged.
}
 
- After this change, nginx must be restarted: execute the " ./services.sh restart " command.
 
Expected result:
- Browsers refuse cross-origin GET, POST and OPTIONS calls to these paths from any page whose origin is not https://<mywebsite>.com, because the Access-Control-Allow-Origin header returned by the load balancer does not match the calling page's origin.

Actual result:
- In testing, the DXC accepted GET, POST and OPTIONS calls only from https://<mywebsite>.com; calls from any other origin were blocked.
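The Access-Control-Allow-Origin headers above are enforced by the browser, which discards responses (and, for preflighted requests, withholds the request) when the header does not match the page origin; the load balancer itself still forwards whatever reaches it. The configuration below is an added example and is not part of the original article or Broadcom/CA's tested procedure. It shows how the same DMZ load balancer can additionally reject the request server-side, before it is proxied to the DXC, by checking the Origin request header. The upstream name dxc_backend, its address 10.0.0.5:8080, the server name, and https://<mywebsite>.com are placeholders (assumptions) to be replaced with your own values.

```nginx
# Added example: server-side origin enforcement in front of the DXC.
# Placeholders (assumptions): dxc_backend, 10.0.0.5:8080, dxc-lb.<mywebsite>.com,
# https://<mywebsite>.com. Place the map in the http block, the rest in the server block.

# Map the Origin request header to 1 (allowed) or 0 (everything else).
# Requests with no Origin header, or with Origin "null", map to 0.
# The Browser Agent always runs cross-origin to the DXC host, so a genuine
# browser request to these paths carries an Origin header.
map $http_origin $dxc_origin_ok {
    default                     0;
    "https://<mywebsite>.com"   1;
}

upstream dxc_backend {
    server 10.0.0.5:8080;   # placeholder DXC address
}

server {
    listen 443 ssl;
    server_name dxc-lb.<mywebsite>.com;
    # ssl_certificate and ssl_certificate_key directives omitted

    location ~* (bajs|extjs|profile|browsermetrics) {
        # Hard block: reject any request whose Origin is not the application
        # page's origin before it reaches the DXC. This stops cross-site
        # browser posting; a non-browser client can still forge the header,
        # so the firewall/iptables restriction on the DXC is still required.
        if ($dxc_origin_ok = 0) {
            return 403;
        }

        # Preflight: answer locally and never forward it to the DXC.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $http_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Content-Type';
            add_header 'Access-Control-Max-Age' '600';
            return 204;
        }

        # Actual GET/POST from the validated origin: echo it back (it is
        # already restricted by the map) and forward to the DXC.
        # "always" adds the headers to error responses too, so the browser can
        # read an error from the DXC instead of reporting a CORS failure.
        add_header 'Access-Control-Allow-Origin' $http_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Vary' 'Origin' always;
        proxy_pass http://dxc_backend;
    }
}
```

After reloading nginx, a request to one of the matched paths carrying a header such as Origin: https://other.example is answered with 403 by the load balancer and never reaches the DXC, while the same request with Origin: https://<mywebsite>.com is proxied through. Keep the allowed list in the map to one entry per legitimate application origin; do not use a regex with an unanchored match, since a pattern like mywebsite.com would also accept mywebsite.com.attacker.example.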
 
 

Additional Information

Note: This configuration requires the load balancer to be in the DMZ, with direct access from the DMZ to the DXC blocked by the firewall. To prevent unauthorized clients in the secure zone from reaching the DXC, you may also configure iptables on the DXC servers to accept connections on the DXC web port only from the load balancer's IP address. Keep in mind that the Access-Control-Allow-Origin headers are enforced by the browser, not by the DXC: they stop pages on other origins from using the DXC through a browser, but a non-browser client (a script or curl) that can reach the load balancer is not prevented from posting by CORS headers alone. The firewall and iptables restrictions are what prevent such direct access.
 

Attachments

1558688710798000129590_sktwi1f5rjvs16fp4.jpeg