Blocking Cross Origin data posting to the CA AXA/APM Browser Agent infrastructure

Article Id: 129590
Status: Published
Updated On: 15-03-2019 12:22
Products:
CA Application Performance Management Agent (APM / Wily / Introscope) , INTROSCOPE
Issue/Introduction:

In the case of on-premise DXI implementations which use the Experience Collector (DXC) it is desirable for the DXI backend to reject data being posted by Browser Agent (or equivalent) which does not match the source origin domain for the application page where the Browser Agent is embedded or injected.

 

Solution that has been tested by Broadcom/CA Engineering:

<Please see attached file for image>

User-added image
 

Environment:

All On-premise environments with DXC (APM 10.5+ and AXA 17.x+).
 

Resolution:

NGINX loadbalancer configuration procedure
 
In the loadbalancer in the DMZ, the nginx configuration file was modified through the following steps.
- login to the nginx load balancer
- navigate to nginx/nginx-1.13.0 (or corresponding location)
- open the ' nginx.conf ' file in an editor
- In the 'server' section of the conf file uncomment/add the following lines.
 
location ~* (bajs|extjs|profile|(b|B)rowserMetrics) {
 
                  if ($request_method = 'GET') {
                      add_header 'Access-Control-Allow-Origin' 'http://<mywebsite>.com';
                  }
                  if ($request_method = 'OPTIONS') {
                     add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
                     add_header 'Access-Control-Allow-Credentials' 'true';
                     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                     add_header 'Access-Control-Allow-Headers' 'Content-Type';
                     return 200;
                  }
                  if ($request_method = 'POST') {
                     add_header 'Access-Control-Allow-Origin' 'https:// <mywebsite> .com';
                  }
 
- After this change, the nginx will need to be restarted - execute " ./services.sh restart " command
 
Expected result:
- This should block all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
 
Actual result:
- DXC blocked all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
 
 

Additional Information:

Note: This configuration requires the loadbalancer to be in the DMZ and direct DXC access from the DMZ is blocked via firewall to the DXC.   To prevent access in the secure zone to the DXC by unauthorized clients, you may also setup IPTABLES on the DXC servers to only allow the loadbalancer as an originating IP address for the web port being used by the DXC.
 

insert_drive_file 1558688710798000129590_sktwi1f5rjvs16fp4.jpeg
arrow_downward Download