Security
No laughing matter
Open source
Announcing CVE-2021-35368: OWASP ModSecurity Core Rule Set Bypass
In early June 2021, I identified a request body bypass vulnerability in the OWASP ModSecurity Core Rule Set (CRS). Loadbalancer.org appliances themselves are unaffected...
Open source
ModSecurity and the Case of the Never Decreasing Variables
In the world of web application security, it can be invaluable to consider a user's behaviour across the entire duration of their web app session...
WAF
How to train your Web Application Firewall (WAF)
Let's look at the best way to use the WAF with as little pain as possible!..
WAF
Secure connections: encrypt, inspect and decrypt traffic when using a WAF
We’re often asked how to configure our load balancer to protect both web servers and users...
Open source
How to tackle bugs and vulnerabilities – a solutions architect’s opinion
Dealing with bugs and vulnerabilities is quite common in the tech space. Aaron West, the head of Solutions at Loadbalancer.org shares some insights about our approach of tackling such issues, and more...
Security
Healthcare IT should listen to Amazon's Werner Vogels: “Dance Like Nobody’s Watching. Encrypt Like Everyone Is”
Find out why Werner Vogels' comments ring especially true for healthcare data...
Security
Update on HAproxy HTTP/2 HPACK Decoder Vulnerability (2 April 2020)
A critical vulnerability in HAProxy’s HTTP/2 HPACK decoder in versions 1.8 and above has been discovered. This does not impact the majority of Loadbalancer.org customers...
How-tos
Security through geography: blocking traffic by country, continent, or IP address using ModSecurity
Imagine you’re running a business and you often see malicious-looking web traffic from the other side of the globe hitting your website...
Security
SACK Panic: What is it, and is it actually time to panic?
Four closely related vulnerabilities regarding TCP handling in the Linux and FreeBSD kernels were publicly disclosed on 17 June 2019...
Security
Huawei root access is BAD! VERY, VERY BAD: Or, how we reasoned ourselves out of root access by default
As you probably know, the notorious Chinese tech company was blacklisted OK, so Trump didn't actually say that about Huawei. But, given his recent declaration, it wouldn't surprise me if he did...
How-tos
How do I secure my load balancer with Active Directory, LDAP or RADIUS?
I’ve noticed a lot more of our customers are asking to use their Active Directory login details with the load balancer appliance. And it can get a bit fiddly, so I wanted to explain the process in more detail...
Security
FTPS Implicit vs FTPS Explicit: Who will win?
Implementation of FTP and configuration of your firewalls can be cumbersome, especially when it comes to being secure during your file transfer...
WAF
Why use a WAF? Because what doesn't kill you makes you stronger
Our helpdesk often encounters confusion about Web Application Firewalls, or WAFs - what they are, how to use them, and what issues they can potentially cause...
HAProxy
New year, new vulnerability: HAProxy critical security update
An incorrect frame length check could result in a read-past-bound which can cause a crash...
WAF
Brute force login: Simple protection techniques with the ModSecurity WAF
The web-based login to your application is a juicy target for hackers. And once they get past the login, they can cause you some serious pain...
WAF
Darktrace: When looks aren't everything
An engineer at a business using Darktrace, confessed that many IT staff ignored the pricey security software because it sent so many false alerts...
HAProxy
HAProxy critical security update — to avoid simple(ish) DoS attack (20 September 2018)
A critical security issue has been found in HAProxy, leaving certain systems vulnerable to remote attack. We want to keep you informed, and we understand that this news might cause you some anxiety. But be reassured - most of our customers won’t be affected...
Security
Let's Encrypt — how did we survive without it?
Let’s Encrypt is awesome! Not only is it more secure than your existing certificate authority. It's also reliable, scalable, fully automated — and free!..
AWS / Azure / GCP
FC Barcelona choose Loadbalancer.org in AWS for flexibility and security
With our 9 years expertise in making applications within AWS indestructible, Loadbalancer.org was able to provide FC Barcelona with an intelligent application delivery controller built on 15 years' worth of battle‑hardened software...
Application Management
Nutanix Ready, a great platform now comes with a certified load balancer
We have built upon our existing strengths in virtualized environments to become Nutanix certified, with the addition of support for Nutanix AHV positions...
AWS / Azure / GCP
How to add Cloudflare in front of HAProxy
Cloudflare provides a content delivery network (CDN). A CDN is a worldwide network of servers that delivers web content to clients based on the geographic location of the client...
Application Management
Load Balancing Web Servers with OWASP Top 10 WAF in Azure
In the Azure Management Portal, select the Virtual Machines option, click on the newly deployed Load Balancer VM, click on Network interfaces and then select the network interface attached to the load balancer, then click IP configurations and ensure that IP forwarding is Enabled...
Security
Load Balancing Apache Web Servers with OWASP Top 10 WAF in Azure
The WAF addresses the OWASP Top 10 vulnerabilities and is very quick and simple to deploy...
Security
Security through obscurity - double login protection made easy...
Security through obscurity is not a great idea when it is your ONLY protection technique. For example moving your SSH port from 22 -> 23 won't fool any hackers for long! However, I've always liked putting a 'double login' in front of important web sites to frustrate simple automated hacking tools...