Skip to main content
Platform

Search

Alternate Upstream Routing for Cequence Defender

© 2024 Cequence Security. All Rights Reserved.

Alternate Upstream Routing for Cequence Defender

  • Updated on
  • ~ minute read
Download PDF

Cequence Defender routes traffic using the HOST header. In serverless environments, the host header is consumed before reaching Cequence Defender. Traditional upstream configuration methods using the Cequence Unified API Protection (UAP) platform, or Amazon S3, or HTTP endpoints, aren't always viable for all deployments.

To address this limitation, Cequence Defender implements three alternate upstream routing methods.

Default Upstream

In this configuration, Cequence Defender always forwards traffic to the default upstreams.

  • A single upstream for each protocol (HTTP/HTTPS)
  • Environment variables used: HTTP_UPSTREAM_SERVER, HTTPS_UPSTREAM_SERVER
  • Optionally, the USE_UPSTREAM_SERVER_AS_HOST_HDR variable sends the upstream server name as the host header

Alternate Host Header

In this configuration, Cequence Defender routes traffic based on a user-specified alternate host header value. When an alternate header is enabled and the header specified in the alternate header is not present in the request, the client receives an error with a status code of 400.

Configuration

  • Add an HTTP directive in nginx: "alternate_host_header": "X-Forwarded-Host"
  • Alternately, set a value for the ALTERNATE_HOST_HEADER environment to have Cequence Defender update the nginx configuration to add alternate_host_header.

Note: When both configuration methods are in use, Cequence Defender uses the nginx configuration override.

Alternate Origin Header

Routes traffic by dynamically resolving domains from header values at runtime.

Required Configuration:

  • ALTERNATE_ORIGIN_HEADER: Header containing target domain
  • RESOLVER: DNS resolver for domain lookup

Key Configuration Notes

  • Nginx configuration overrides environment variables when both are present
  • Alternate origin header requires both ALTERNATE_ORIGIN_HEADER and RESOLVER variables
  • Use USE_ALT_ORIGIN_AS_PROXY_NAME=true to set proxy headers from origin header instead of host header
  • Header values must be valid, resolvable domain names

Error Conditions

  • Missing alternate host header: 400 error
  • Invalid domain in alternate origin header: 5xx error
  • Missing resolver configuration: Feature disabled
Was this article helpful?
Japanese (Japan)