Applying different OCI WAF Protection Rules to multiple web sites behind a single Load Balancer

December 13, 2023 | 6 minute read

Companies typically have multiple websites for different applications, and these websites are usually placed behind a load balancer for high availability. Various deployment architectures can be employed depending on business requirements - you may have a load balancer per website, or a single load balancer can balance traffic for several web applications. OCI load balancers support both use cases.

The following diagram depicts a single load balancer with multiple websites.

Fig 1: LB with multiple websites

There are different ways to configure the load balancer to handle multiple websites - I won't go into them now (I will blog about the approaches later). The important point is that, in the above scenario, the web applications can be vulnerable to web attacks. It is prudent to have a Web Application Firewall (WAF) scan all incoming HTTP requests and take defensive action where necessary. The following diagram depicts the improved scenario with the WAF in the mix.

Fig 2: LB and WAF with multiple websites

In WAF, you typically configure various protection rules, each of which defines an attack vector. The WAF matches incoming HTTP requests against these protection rules and takes the configured action when a match is positive. Coming back to our use case, Fig 2 above, suitable protection rules need to be configured. However, protection rules are typically aligned with the (web) application technology stack: there is no point in selecting Windows-specific rules if the application is Linux based, and vice versa. Hence, for Fig 2 above, we require two sets of protection rules, one for app1.acmecorp.com and a second one for app2.acmecorp.com.

The Real Thing

In OCI, a single WAF policy (which contains the protection rule sets) can be attached to a load balancer. The question, then, is how to configure two different protection rule sets for two different websites within a single WAF policy.

OCI WAF allows you to associate conditions and actions with protection rule sets. For example, in my OCI tenancy I have defined two websites for demo purposes, amitwebapps and amitmobile. I have configured two protection rule sets (named after the websites) with conditions and actions for amitwebapps and amitmobile, as shown in Fig 3 below.

Fig 3: Protection rule sets

Both the protection rule sets have a single rule as in Fig 4 below.

Fig 4: XSS protection rule

To ensure that the protection rule set amitwebapps applies only to requests for the website amitwebapps, we can use the conditions in the rule sets.

Fig 5: amitwebapps condition

The condition in Fig 5 checks the HTTP host header. Only requests destined for the website amitwebapps will trigger the protection rule set. Similarly, the protection rule set for the website amitmobile will have a corresponding condition.

Fig 6: amitmobile condition

Now running the following test on amitwebapps with an XSS attack results in the following:

Fig 7: amitwebapps request

The return code of 401 is consistent with the action defined for amitwebapps in Fig 3. Looking into the WAF logs (only the relevant sections are shown), we see the following:

Fig 8: amitwebapps logs

The logs confirm that the correct protection rules (as well as the response) are working. Similarly, running the same test on the amitmobile website results in:

Fig 9: amitmobile request

Again, this is consistent with the 'Check' action defined for amitmobile in Fig 3. Checking the logs confirms that only the protection rules configured for the amitmobile website are triggered.

Fig 10: amitmobile logs
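To make the behaviour seen in Fig 3 through Fig 10 concrete, here is an added Python model of the policy (example code written for this post, not code from OCI or from the original article): one policy, two protection rule sets gated by a Host-header condition, each bound to its own action. The hostnames, the action names and the tiny XSS pattern are constructed assumptions standing in for the real OCI rule in Fig 4.

```python
import re

# Constructed stand-in for the XSS protection rule in Fig 4 (deliberately small;
# a real WAF rule set is far more thorough).
XSS_PATTERN = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

# Actions as in Fig 3: amitwebapps returns 401, amitmobile only logs ('Check').
ACTIONS = {
    "block_401": {"type": "RETURN_HTTP_RESPONSE", "code": 401},
    "check":     {"type": "CHECK"},   # record the match, let the request through
}

# Two rule sets in a single policy, each with a Host condition (Fig 5 / Fig 6).
# Hostnames are assumed values for the demo sites.
RULE_SETS = [
    {"name": "amitwebapps", "host": "amitwebapps.example.com", "action": "block_401"},
    {"name": "amitmobile",  "host": "amitmobile.example.com",  "action": "check"},
]


def make_request(host, query):
    """Build a minimal request dict (constructed sample input)."""
    return {"headers": {"host": host}, "query": query}


def evaluate(request, rule_sets=RULE_SETS):
    """Return (status_code, log_entries) for a request.

    Only the rule set whose Host condition matches is evaluated, and that
    rule set's own action decides the outcome, mirroring Fig 7 to Fig 10.
    """
    # Host header values are case-insensitive and may carry a port.
    host = request["headers"].get("host", "").lower().split(":")[0]
    logs = []
    status = 200
    for rs in rule_sets:
        if host != rs["host"]:
            continue                      # condition not met: rule set is skipped
        if XSS_PATTERN.search(request["query"]):
            action = ACTIONS[rs["action"]]
            logs.append({"ruleset": rs["name"], "action": rs["action"]})
            if action["type"] == "RETURN_HTTP_RESPONSE":
                status = action["code"]
                break
    return status, logs
```

Note the third case in the test: a request whose Host matches neither condition reaches no rule set at all, so when you build such a policy it is worth confirming that every hostname the load balancer serves is covered by some rule set.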

Summary

OCI WAF provides powerful constructs for protecting web applications. In this blog post, we looked at how to protect multiple websites behind a load balancer, each with its own protection requirements.

Amit Chakraborty

Amit is a Solutions Architect focussing on Cloud Security including Identity, Governance, Network Security and Architecture. Amit advises customers and helps them design and implement security solutions on the Oracle Cloud Infrastructure platform. Amit advises different levels of customers from executives to architects and developers. Before joining Oracle, Amit worked in software engineering as an architect and developer working on mobile, security, cloud, web, internet and wireless technologies. With a strong background in software engineering and Computer Science, Amit brings a unique perspective into solving customer security needs in the cloud.

