Oracle Cloud Infrastructure Documentation

Origin Management

An origin is an endpoint (typically an IP address) of the application protected by the WAF. An origin can be an Oracle Cloud Infrastructure load balancer public IP address; pointing the origin at a load balancer IP address provides high availability for the origin. Multiple origins can be defined, but only a single origin can be active for a WAF.

Note

WAF supports default ports (80 and 443) on origin servers.

You can set HTTP headers for outbound traffic from the WAF to the origin server. These name-value pairs are then available to the application.

Securing Your WAF

To secure your WAF, you must configure your origin servers to accept traffic from the WAF servers. Configure your origin's ingress rules to accept connections only from the following CIDR ranges:

  • 192.157.18.0/23
  • 205.147.88.0/21
  • 192.69.118.0/23
  • 198.181.48.0/21
  • 199.195.6.0/23
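One way to audit an origin's ingress rules against the ranges above, as an added example that is not part of the Oracle documentation. The rule shape (`source`, `ports`) and the sample rules are simplified, constructed assumptions, not an OCI API format.

```python
import ipaddress

# WAF source ranges exactly as listed on this page.
WAF_CIDRS = [ipaddress.ip_network(c) for c in (
    "192.157.18.0/23", "205.147.88.0/21", "192.69.118.0/23",
    "198.181.48.0/21", "199.195.6.0/23")]
WEB_PORTS = (80, 443)  # default origin ports the WAF supports

# Constructed sample rules in a simplified, hypothetical shape:
# "source" is a CIDR, "ports" an inclusive (min, max) TCP destination range.
SAMPLE_RULES = [
    {"source": "192.157.18.0/23", "ports": (443, 443)},  # exact WAF range
    {"source": "205.147.88.0/24", "ports": (80, 443)},   # inside a WAF /21
    {"source": "198.181.48.0/20", "ports": (80, 80)},    # wider than the WAF /21
    {"source": "0.0.0.0/0", "ports": (443, 443)},        # open to everyone
    {"source": "10.0.0.0/8", "ports": (22, 22)},         # not a web port: ignored
]


def _web_sources(rules):
    """Yield (rule, network) for rules whose port range includes 80 or 443."""
    for rule in rules:
        lo, hi = rule.get("ports", (1, 65535))  # no range means all ports
        if any(lo <= p <= hi for p in WEB_PORTS):
            yield rule, ipaddress.ip_network(rule["source"], strict=False)


def audit_ingress(rules):
    """Sources that can reach 80/443 without coming from a WAF range."""
    return [rule["source"] for rule, src in _web_sources(rules)
            if not any(src.version == w.version and src.subnet_of(w)
                       for w in WAF_CIDRS)]


def missing_waf_ranges(rules):
    """WAF ranges no single rule admits on 80/443 (WAF traffic would drop)."""
    allowed = [src for _, src in _web_sources(rules)]
    return [str(w) for w in WAF_CIDRS
            if not any(a.version == w.version and w.subnet_of(a)
                       for a in allowed)]


if __name__ == "__main__":
    print("bypass paths:", audit_ingress(SAMPLE_RULES))
    print("WAF ranges not admitted:", missing_waf_ranges(SAMPLE_RULES))
```

A rule wider than a listed range is reported as well as `0.0.0.0/0`, because any address outside the WAF ranges that reaches ports 80 or 443 is a path around the WAF.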

Using the Console

To add an origin to your WAF policy
To edit an origin
To delete an origin

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Each origin has a unique name (key). The name of the origin to be used by the WAF must be referenced in the wafConfig portion of the settings. For example, if you have the following origins in your configuration:

    {
      "compartmentId": "ocid1.compartment.oc1..aaaaatsdfssdfsdsdfsgxz",
      "lifecycleState": "ACTIVE",
      "displayName": "myWAFprotectedApp",
      "origins": {
        "primaryorigin": {
          "httpPort": 80,
          "httpsPort": 443,
          "uri": "67.205.161.231",
          "customHeaders": []
        },
        "secondaryorigin": {
          "httpPort": 80,
          "httpsPort": 443,
          "uri": "54.175.154.7",
          "customHeaders": [
            {
              "name": "OriginHeader",
              "value": "true"
            },
            {
              "name": "OriginHeader2",
              "value": "true"
            }
          ]
        }
      }
    }

Then within the wafConfig, the origin in use would be referenced by name:

    "wafConfig": {
      "deviceFingerprintChallenge": {"isEnabled": false},
      "origin": "secondaryorigin",
      "whitelists": [],

In this example, the WAF is actively using secondaryorigin.