Integrate with Origin Server
This page covers two integration stages:
- Direct integration — CDN edge forwards to the origin server directly (baseline testing)
- F5 XC insertion — F5 XC HTTP load balancer inserted between CDN and origin (security demo)
Start with direct integration to establish the baseline, then insert F5 XC when ready.
Origin Server Reference
The origin-server lab component provides vulnerable web applications for security testing.
| Property | Value |
|---|---|
| Documentation | f5xc-salesdemos.github.io/origin-server |
| Repository | github.com/f5xc-salesdemos/origin-server |
| Default Port | 80 |
| Health Check | GET /health |
Applications Available
Fetch the current application catalog from the origin-server’s published manifest:
```bash
# Look up the download URL of the manifest.json asset on the latest release
MANIFEST_URL=$(curl -sf https://api.github.com/repos/f5xc-salesdemos/origin-server/releases/latest \
  | python3 -c "import sys,json; assets=json.load(sys.stdin).get('assets',[]); print(next((a['browser_download_url'] for a in assets if a['name']=='manifest.json'),''))")
# -L follows the redirect that GitHub returns for release asset downloads
curl -sfL "$MANIFEST_URL" | python3 -m json.tool
```
If no release exists yet, use the repository source directly:
```bash
curl -sf https://raw.githubusercontent.com/f5xc-salesdemos/origin-server/main/manifest.json | python3 -m json.tool
```
The manifest lists all application paths, health checks, container images, and demo feature mappings.
Application Paths
| Path | Application | Demo Features |
|---|---|---|
| / | Landing page | — |
| /health | Health check | — |
| /juice-shop/ | OWASP Juice Shop | WAF, Bot Defense, API Security |
| /dvwa/ | DVWA | WAF, Bot Defense |
| /vampi/ | VAmPI | API Security |
| /httpbin/ | httpbin | Diagnostics |
| /whoami/ | whoami | Header verification |
| /csd-demo/ | CSD Demo | Client-Side Defense |
Stage 1: Direct Integration (Baseline)
```
┌──────────┐     ┌──────────────────────┐     ┌─────────────────────┐
│  Client  │────▶│  CDN Edge (NGINX)    │────▶│  Origin Server      │
│          │     │  20.65.90.112        │     │  20.12.78.159       │
└──────────┘     │  67+ CDN headers     │     │  Juice Shop, DVWA,  │
                 │  Disk cache          │     │  VAmPI, httpbin,    │
                 └──────────────────────┘     │  whoami, CSD Demo   │
                                              └─────────────────────┘
```
Configure the Origin
Set the origin server IP in the CDN edge NGINX config:
```bash
ssh azureuser@<CDN_EDGE_IP>
sudo sed -i 's|proxy_pass .*;|proxy_pass http://<ORIGIN_IP>;|' /etc/nginx/conf.d/cdn-edge.conf
sudo rm -rf /var/cache/nginx/cdn/*
sudo nginx -t && sudo systemctl reload nginx
```
Or set it at Terraform deploy time via terraform.tfvars:
```
origin_server = "http://<ORIGIN_IP>"
```
Verify All Applications
Test each origin application through the CDN:
```bash
CDN=<CDN_EDGE_IP>

# Health check (CDN local)
curl -sf "http://$CDN/health" | python3 -m json.tool

# Landing page
curl -sf -o /dev/null -w "/ : HTTP %{http_code}\n" "http://$CDN/"

# Juice Shop
curl -sf -o /dev/null -w "/juice-shop/ : HTTP %{http_code}\n" "http://$CDN/juice-shop/"

# DVWA (follows redirect to login)
curl -sf -o /dev/null -w "/dvwa/ : HTTP %{http_code}\n" -L "http://$CDN/dvwa/"

# VAmPI API
curl -sf "http://$CDN/vampi/users/v1" | python3 -m json.tool | head -5

# httpbin headers (shows CDN headers in JSON)
curl -sf "http://$CDN/httpbin/headers" | python3 -m json.tool | head -10

# whoami (shows ALL headers the origin receives)
curl -sf "http://$CDN/whoami/"

# CSD Demo
curl -sf -o /dev/null -w "/csd-demo/ : HTTP %{http_code}\n" "http://$CDN/csd-demo/"
```
All paths should return HTTP 200 (DVWA returns 302 then 200 on follow).
Verify CDN Headers at Origin
The /whoami/ endpoint shows every header the origin receives. When accessed through the CDN, it displays all 67+ vendor headers:
```bash
curl -sf "http://$CDN/whoami/"
```
Verify these key headers are present:
| Vendor | Header | Expected Value |
|---|---|---|
| Standard | X-Forwarded-For | <your_ip>, <cdn_edge_ip> |
| Akamai | True-Client-Ip | <your_ip> |
| Cloudflare | Cf-Connecting-Ip | <your_ip> |
| CloudFront | Cloudfront-Viewer-Country | US |
| Fastly | Fastly-Client-Ip | <your_ip> |
| Azure FD | X-Azure-Clientip | <your_ip> |
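One way to automate the check in the table above, as an added example that is not part of the original page: a shell function that reads a /whoami/ dump and confirms each client-IP header carries the expected address. The sample response and its addresses are constructed, and the `Header: value` line layout is an assumption about whoami's output.

```bash
# Added example (not from the original page): check the key headers in a /whoami/ dump.
# Real use: curl -sf "http://$CDN/whoami/" | check_cdn_headers <your_ip>

# Print the value of one header from a dump on stdin (name is case-insensitive).
header_value() {
  awk -v name="$1" '
    BEGIN { name = tolower(name) }
    {
      sub(/\r$/, "")                      # tolerate CRLF line endings
      i = index($0, ":")
      if (i && tolower(substr($0, 1, i - 1)) == name) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }'
}

# Return 0 only if every client-IP header agrees with the expected client IP.
check_cdn_headers() {
  client_ip=$1; dump=$(cat); failures=0
  for h in X-Forwarded-For True-Client-Ip Cf-Connecting-Ip Fastly-Client-Ip X-Azure-Clientip; do
    v=$(printf '%s\n' "$dump" | header_value "$h")
    # X-Forwarded-For is a list; only its left-most entry is the client.
    if [ "${v%%,*}" != "$client_ip" ]; then
      echo "FAIL $h: expected $client_ip, got ${v:-<missing>}"
      failures=$((failures + 1))
    fi
  done
  if [ -z "$(printf '%s\n' "$dump" | header_value Cloudfront-Viewer-Country)" ]; then
    echo "FAIL Cloudfront-Viewer-Country: missing"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ] && echo "OK: all key CDN headers match $client_ip"
}

# Constructed sample in the assumed whoami layout (not captured from the lab).
sample_whoami() {
  cat <<'EOF'
RemoteAddr: 172.18.0.2:51234
GET /whoami/ HTTP/1.1
Cf-Connecting-Ip: 203.0.113.10
Cloudfront-Viewer-Country: US
Fastly-Client-Ip: 203.0.113.10
True-Client-Ip: 203.0.113.10
X-Azure-Clientip: 203.0.113.10
X-Forwarded-For: 203.0.113.10, 198.51.100.20
EOF
}
sample_whoami | check_cdn_headers 203.0.113.10
```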
Cross-Reference Logs
Compare access logs on both servers to verify the traffic flow:
```bash
# CDN edge log — shows your client IP as source
ssh azureuser@<CDN_EDGE_IP> "sudo tail -5 /var/log/nginx/access.log"

# Origin log — shows CDN edge IP as source
ssh azureuser@<ORIGIN_IP> "sudo tail -5 /var/log/nginx/access.log"
```
The origin log should show the CDN edge IP as the connecting client, while the real client IP is carried in X-Forwarded-For and vendor-specific headers.
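The same cross-check as a script (an added example, not from the original page or the lab repositories): it reads origin access-log lines and reports any request whose connecting address is not the CDN edge. It assumes NGINX's default `combined` log format, where the first field is the connecting address; the log lines and addresses are constructed.

```bash
# Added example (not from the original page): flag origin requests that did
# not arrive via the CDN edge. Assumes the NGINX default "combined" log format.
# Real use: sudo cat /var/log/nginx/access.log | origin_source_report "<CDN_EDGE_IP>"

# $1 = space-separated list of addresses allowed to connect to the origin.
origin_source_report() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF == 0 { next }                      # skip blank lines
    { total++ }
    !($1 in ok) {                         # $1 is $remote_addr in combined format
      direct++; by_src[$1]++
      printf "DIRECT %s %s %s -> %s\n", $1, substr($6, 2), $7, $9
    }
    END {
      for (s in by_src) printf "source %s: %d request(s)\n", s, by_src[s]
      printf "%d of %d requests did not come from an allowed address\n", direct, total
      exit (direct > 0)                   # non-zero status when anything bypassed the edge
    }'
}

# Constructed origin log lines: three via the CDN edge, one direct connection.
sample_origin_log() {
  cat <<'EOF'
198.51.100.20 - - [01/Jan/2025:10:00:01 +0000] "GET /whoami/ HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.20 - - [01/Jan/2025:10:00:02 +0000] "GET /juice-shop/ HTTP/1.1" 200 3748 "-" "curl/8.5.0"
192.0.2.77 - - [01/Jan/2025:10:00:03 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1523 "-" "curl/8.5.0"
198.51.100.20 - - [01/Jan/2025:10:00:04 +0000] "GET /httpbin/headers HTTP/1.1" 200 1290 "-" "curl/8.5.0"
EOF
}

sample_origin_log | origin_source_report "198.51.100.20" || echo "review the DIRECT lines above"
```

Once F5 XC sits between the CDN and the origin, the origin's expected client is the load balancer, so pass its source addresses as the allowed list instead.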
Cache Behavior
```bash
# First request — MISS (fetched from origin)
curl -s -I "http://$CDN/whoami/" | grep X-Cache-Status

# Second request — HIT (served from CDN cache)
curl -s -I "http://$CDN/whoami/" | grep X-Cache-Status
```
Stage 2: F5 XC Insertion (Security Demo)
After baseline testing, insert an F5 XC HTTP load balancer between the CDN and origin:
```
┌──────────┐     ┌────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│  Client  │────▶│  CDN Edge      │────▶│  F5 XC HTTP LB   │────▶│  Origin Server  │
│          │     │  (NGINX)       │     │  WAF + Bot + API │     │                 │
└──────────┘     └────────────────┘     └──────────────────┘     └─────────────────┘
```
- Create the F5 XC HTTP load balancer with the origin server in its origin pool
- Update the CDN edge to point to the F5 XC VIP instead of the origin directly:
  ```bash
  ssh azureuser@<CDN_EDGE_IP>
  sudo sed -i 's|proxy_pass .*;|proxy_pass https://<F5XC_LB_VIP>;|' /etc/nginx/conf.d/cdn-edge.conf
  sudo rm -rf /var/cache/nginx/cdn/*
  sudo nginx -t && sudo systemctl reload nginx
  ```
- Verify WAF enforcement through the full chain:
  ```bash
  # SQL injection through CDN → F5 XC WAF should block
  curl -I "http://$CDN/dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1--"

  # Normal request should pass
  curl -sf -o /dev/null -w "%{http_code}" "http://$CDN/juice-shop/"
  ```
- Configure Trusted Client IP Header in F5 XC to read the real client IP from CDN headers (e.g., True-Client-IP for Akamai simulation, CF-Connecting-IP for Cloudflare simulation)
Multi-Component Architecture
| Component | Repository | Purpose |
|---|---|---|
| CDN Edge (this) | cdn-simulator | Caching, vendor headers |
| Origin Server | origin-server | Vulnerable web apps |
| F5 XC Config | Various (waf, api-protection, bot-*, etc.) | Security policies |
Each component publishes documentation that AI assistants read to deploy the infrastructure. The origin-server publishes an endpoint manifest as a GitHub Release artifact listing all application paths and health checks.