Data flows
Last updated 2022-12-05
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.
This document demonstrates various data flows between the Module and Agent. While MessagePack is the serialization protocol, the data is displayed here in JSON format for ease of reading.
Benign Post Request
Notice how in HeadersIn the Cookie value was redacted, and also that TLSProtocol and TLSCipher are filled in.
{
  "ModuleVersion": "sigsci-module-apache 0.214",
  "ServerVersion": "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 OpenSSL/1.0.1f",
  "ServerFlavor": "prefork",
  "ServerName": "soysauce.in",
  "Timestamp": 1438838135,
  "RemoteAddr": "198.51.100.209",
  "Method": "POST",
  "Scheme": "https",
  "URI": "/add-data",
  "Protocol": "HTTP/1.1",
  "TLSProtocol": "TLSv1.2",
  "TLSCipher": "ECDHE-RSA-AES128-SHA256",
  "HeadersIn": [
    [ "Host", "soysauce.in" ],
    [ "Accept", "*/*" ],
    [ "Connection", "keep-alive" ],
    [ "Cookie", "" ],
    [ "User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12" ],
    [ "Accept-Language", "en-us" ],
    [ "Referer", "https://soysauce.in/" ],
    [ "Accept-Encoding", "gzip, deflate" ]
  ],
  "PostData": "foo=bar&company=something"
}
This request was completely benign, so all that is returned is a 200 response (allow the request to proceed).
{
  "WAFResponse": 200
}
And that is the end of the request.
Benign request (with 404 error)
$ curl -v '127.0.0.1:8085/junk'
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8085 (#0)
> GET /junk HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:8085
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Date: Wed, 05 Aug 2015 18:38:24 GMT
< Content-Length: 19
<
This request would be converted into the following:
{
  "ModuleVersion": "sigsci-sdk-golang 1.0",
  "ServerVersion": "go1.4.2",
  "ServerFlavor": "",
  "ServerName": "127.0.0.1:8085",
  "Timestamp": 1438799904,
  "RemoteAddr": "127.0.0.1",
  "Method": "GET",
  "Scheme": "http",
  "URI": "/junk",
  "Protocol": "HTTP/1.1",
  "HeadersIn": [
    [ "User-Agent", "curl/7.37.1" ],
    [ "Accept", "*/*" ]
  ]
}
The response is just 200, meaning the request is allowed to pass through.
{
  "WAFResponse": 200
}
The server proceeds normally. If, at the end of the request, we find that an error condition occurred, or that the request had an exceptionally large output or took an exceptionally long time to process, we would follow up with a PostRequest. Notice how ResponseCode, ResponseMillis, and ResponseSize are filled out, as well as HeadersOut.
{
  "ModuleVersion": "sigsci-sdk-golang 1.0",
  "ServerVersion": "go1.4.2",
  "ServerFlavor": "",
  "ServerName": "127.0.0.1:8085",
  "Timestamp": 1438799904,
  "RemoteAddr": "127.0.0.1",
  "Method": "GET",
  "Scheme": "http",
  "URI": "/junk",
  "Protocol": "HTTP/1.1",
  "WAFResponse": 200,
  "ResponseCode": 404,
  "ResponseMillis": 1,
  "ResponseSize": 19,
  "HeadersIn": [
    [ "User-Agent", "curl/7.37.1" ],
    [ "Accept", "*/*" ]
  ],
  "HeadersOut": [
    [ "Content-Type", "text/plain; charset=utf-8" ]
  ]
}
Blocked Request with SQLI and 406
Here are the raw HTTP headers:
$ curl -v '127.0.0.1:8085/junk?id=1+UNION+ALL+SELECT+1'
* Connected to 127.0.0.1 (127.0.0.1) port 8085 (#0)
> GET /junk?id=1+UNION+ALL+SELECT+1 HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:8085
> Accept: */*
>
< HTTP/1.1 406 Not Acceptable
< Content-Type: text/plain; charset=utf-8
< Date: Wed, 05 Aug 2015 17:59:46 GMT
< Content-Length: 19
<
406 not acceptable
This translates to the following flow.
Server/Module sends the following to the agent:
{
  "ModuleVersion": "sigsci-sdk-golang 1.0",
  "ServerVersion": "go1.4.2",
  "ServerFlavor": "",
  "ServerName": "127.0.0.1:8085",
  "Timestamp": 1438796694,
  "RemoteAddr": "127.0.0.1",
  "Method": "GET",
  "Scheme": "http",
  "URI": "/junk?id=1+UNION+ALL+SELECT+1",
  "Protocol": "HTTP/1.1",
  "HeadersIn": [
    [ "Accept", "*/*" ],
    [ "User-Agent", "curl/7.37.1" ]
  ]
}
The Agent replies with the following. Notice the RequestID is filled in, along with an X-SigSci-Tags header describing what was found (SQLi in this case).
{
  "WAFResponse": 406,
  "RequestID": "55c24b96ca84c02201000001",
  "RequestHeaders": [
    [ "X-SigSci-Tags", "SQLI" ]
  ]
}
The request should be blocked, and at the end of the request, an UpdateRequest message is sent.
{
  "RequestID": "55c24b96ca84c02201000001",
  "ResponseCode": 406,
  "ResponseMillis": 1,
  "ResponseSize": 19,
  "HeadersOut": [
    [ "Content-Type", "text/plain; charset=utf-8" ]
  ]
}
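The three flows above reduce to one decision the module makes after the response is written: send an UpdateRequest, a PostRequest, or nothing. The following Go sketch is an added example, not Fastly's module code; the FollowUp helper, the Msg type and the size and latency cut-offs are hypothetical, and treating a status of 400 or above as the error condition is an assumption drawn from the 404 flow.

```go
package main

import "fmt"

// Assumed cut-offs: the page says only "exceptionally large" and
// "exceptionally long", so these numbers are placeholders.
const (
	largeBytes = 1 << 20
	slowMillis = 1000
)

// Msg is one Module/Agent message (MessagePack on the wire, JSON on the page).
type Msg map[string]interface{}

// FollowUp picks the message the module sends once the response is written.
// pre is the pre-request message, reply the Agent's answer; "" means send nothing.
func FollowUp(pre, reply Msg, code, millis, size int, out [][2]string) (string, Msg) {
	m := Msg{"ResponseCode": code, "ResponseMillis": millis,
		"ResponseSize": size, "HeadersOut": out}
	// The Agent issued a RequestID (the blocked SQLI flow): reference it.
	if id, ok := reply["RequestID"].(string); ok && id != "" {
		m["RequestID"] = id
		return "UpdateRequest", m
	}
	// No RequestID: report only anomalous responses. Treating status >= 400
	// as the "error condition" is an assumption based on the 404 flow.
	if code < 400 && size <= largeBytes && millis <= slowMillis {
		return "", nil
	}
	// PostRequest repeats the original request fields plus the verdict.
	for k, v := range pre {
		m[k] = v
	}
	m["WAFResponse"] = reply["WAFResponse"]
	return "PostRequest", m
}

func main() {
	// Constructed inputs modelled on the page's 404 and SQLI flows.
	pre := Msg{"Method": "GET", "URI": "/junk", "RemoteAddr": "127.0.0.1"}
	ct := [][2]string{{"Content-Type", "text/plain; charset=utf-8"}}
	blocked := Msg{"WAFResponse": 406, "RequestID": "55c24b96ca84c02201000001"}
	k1, m1 := FollowUp(pre, Msg{"WAFResponse": 200}, 404, 1, 19, ct)
	k2, m2 := FollowUp(pre, blocked, 406, 1, 19, ct)
	k3, _ := FollowUp(pre, Msg{"WAFResponse": 200}, 200, 1, 19, ct)
	fmt.Println(k1, m1["URI"], m1["ResponseCode"])
	fmt.Println(k2, m2["RequestID"])
	fmt.Printf("%q\n", k3)
}
```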