# Server Groups

<figure><img src="/files/hbmgFbeUJMYaff2d3VQk" alt=""><figcaption></figcaption></figure>

## Overview

This section defines Server Groups: the highest level of organization within Link11 WAAP. A Server Group is based on a [Proxy Template](/console-walkthrough/sites/proxy-templates.md), and contains at least one [SSL Certificate](/console-walkthrough/sites/ssl/certificates.md) and at least one [Security Policy](/console-walkthrough/security/security-policies.md).

<figure><img src="/files/uiNsn3RqCbtNQUDLvZnM" alt=""><figcaption></figcaption></figure>

## Usage

The usage of Server Groups is explained in detail here: [Policy Mapping and Traffic Routing](/how-link11-waap-works/policy-mapping-and-traffic-routing.md).

Typically, a Server Group represents a single domain.

## Administration

The main window (shown above) lists all currently defined Server Groups.

The administration (addition/deletion/editing/versioning) of these Groups follows the conventions described [here](/how-link11-waap-works/ui-overview-and-common-elements.md#configuration-and-administration).

## Parameters

<figure><img src="/files/aw16FHrIyitWl3VvhxPk" alt=""><figcaption></figcaption></figure>

### Name

A name for this Server Group, to be used within the interface.

### Challenge's cookie domain

The domain to use when [bot challenges](/reference-information/hostile-bot-detection-lwcsi.md) are issued.

### Description

Information about this Server Group, to be used within the interface.

### Match Host/Authority Headers

The scope for this Server Group (typically this is a list of domains), specified as a regex. If this list is edited, the edits must be saved before [a new SSL Certificate can be generated](#server-certificate).

### Server Certificate

The [SSL certificate](/console-walkthrough/sites/ssl/certificates.md) for this Server Group. The **Generate** button will generate a new certificate.

{% hint style="info" %}
To avoid errors, the Server Certificate **Generate** button will be disabled if the *Match host/authority headers* field has been edited and the edits have not yet been saved.
{% endhint %}

### CA Certificate

The CA Certificate to use when enforcing mTLS for the domain ([read more about this](/using-the-product/how-do-i.../enable-mtls-mutual-tls.md)). The available certificates are those defined in the **CA Certificates** tab of the [Certificates](/console-walkthrough/sites/ssl/certificates.md) page.

In use, CA certificates are verified against the CRLs in the [CRL Distribution Points](#crl-distribution-points) list.

{% hint style="warning" %}
CA Certificate features will only be available if both of the following are true:

* An AWS NLB (Network Load Balancer) is being used. (When using a Link11 Load Balancer, contact support.)
* CA Certificates have been [enabled within the System DB](/console-walkthrough/system/system-db.md#enabling-certificates-for-mtls).
{% endhint %}

### Mode

Specifies how clients (i.e., end users) should present CA certificates for mTLS validation. Options are:

* \[Off] **Client authentication is disabled**. The system will not request CA certificates from clients.
* \[On] **CA certificate is required for authentication**. The system will request and validate CA certificates from clients.
* \[Optional] **CA certificate is requested but not required for authentication**. The system will not require clients to provide CA certificates. However, if a client does provide a certificate, it must be valid in order for its request to be accepted. If the client provides an invalid certificate (e.g., expired, revoked, or forged), the request will be blocked.

#### Sending CA data to the origin

When CA Certificates are enabled, Link11 WAAP will add headers to requests before passing them to the backend.

If a CA Certificate is provided, Link11 WAAP will add it to the request header, along with these additional headers:

| Header                   | Description                                    | Example Value                      |
| ------------------------ | ---------------------------------------------- | ---------------------------------- |
| SSL\_CLIENT\_VERIFY      | Client certificate verification status         | SUCCESS (valid) / FAILED (invalid) |
| SSL\_CLIENT\_CERT        | Full client certificate (PEM), URL-encoded     | -----BEGIN CERTIFICATE----- ...    |
| SSL\_CLIENT\_S\_DN       | Client's Subject Distinguished Name (DN)       | CN=John Doe, O=ExampleCorp, C=US   |
| SSL\_CLIENT\_I\_DN       | Issuer (CA) Distinguished Name (DN)            | CN=Example CA, O=ExampleCorp, C=US |
| SSL\_CLIENT\_SERIAL      | Unique serial number of the client certificate | 1234567890ABCDEF                   |
| SSL\_CLIENT\_FINGERPRINT | SHA-1 fingerprint of the client certificate    | 5F:7C:1E:2B:...                    |

If no certificate is provided, the following headers will be passed:

| Header                   | Description                                   | Example Value |
| ------------------------ | --------------------------------------------- | ------------- |
| SSL\_CLIENT\_VERIFY      | Indicates no client certificate was provided  | NONE          |
| SSL\_CLIENT\_CERT        | Empty (not passed or -)                       | -             |
| SSL\_CLIENT\_S\_DN       | Empty (no subject DN since no cert exists)    | -             |
| SSL\_CLIENT\_I\_DN       | Empty (no issuer DN since no cert exists)     | -             |
| SSL\_CLIENT\_SERIAL      | Empty (no serial number since no cert exists) | -             |
| SSL\_CLIENT\_FINGERPRINT | Empty (no fingerprint since no cert exists)   | -             |
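The following is an added example (not Link11 code) of how an origin application can consume the headers in the two tables above, applying the *Optional* mode semantics: no certificate means an anonymous request, anything other than `SUCCESS` is rejected, and the `SSL_CLIENT_FINGERPRINT` header is cross-checked against the SHA-1 of the URL-encoded certificate before the subject DN is trusted. The header names are those documented above; the header dictionary, and the certificate bytes (`b"abc"`, not a real certificate), are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import quote, unquote


def fingerprint_of_pem(pem: str) -> str:
    """SHA-1 fingerprint of the DER bytes inside a PEM block, as AA:BB:... upper-case hex."""
    body = "".join(line for line in pem.splitlines()
                   if line and not line.startswith("-----"))
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def client_identity(headers: dict) -> tuple:
    """Return (status, subject_dn): status is 'authenticated', 'anonymous' or 'reject'."""
    verify = headers.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return ("anonymous", None)          # Optional mode: no certificate presented
    if verify != "SUCCESS":
        return ("reject", None)             # FAILED or any unexpected value
    pem = unquote(headers.get("SSL_CLIENT_CERT", ""))
    if "BEGIN CERTIFICATE" not in pem:
        return ("reject", None)             # SUCCESS without a certificate body
    # Only trust the DN after the fingerprint header matches the certificate itself.
    if fingerprint_of_pem(pem) != headers.get("SSL_CLIENT_FINGERPRINT", "").upper():
        return ("reject", None)
    return ("authenticated", headers.get("SSL_CLIENT_S_DN"))


# Constructed sample data: a dummy DER payload wrapped as PEM, not a real certificate.
FAKE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(FAKE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
SAMPLE_HEADERS = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": quote(SAMPLE_PEM, safe=""),
    "SSL_CLIENT_S_DN": "CN=John Doe, O=ExampleCorp, C=US",
    "SSL_CLIENT_I_DN": "CN=Example CA, O=ExampleCorp, C=US",
    "SSL_CLIENT_SERIAL": "1234567890ABCDEF",
    "SSL_CLIENT_FINGERPRINT": fingerprint_of_pem(SAMPLE_PEM),
}
NO_CERT_HEADERS = {"SSL_CLIENT_VERIFY": "NONE", "SSL_CLIENT_CERT": "-",
                   "SSL_CLIENT_S_DN": "-", "SSL_CLIENT_I_DN": "-",
                   "SSL_CLIENT_SERIAL": "-", "SSL_CLIENT_FINGERPRINT": "-"}

if __name__ == "__main__":
    print(client_identity(SAMPLE_HEADERS))   # ('authenticated', 'CN=John Doe, O=ExampleCorp, C=US')
    print(client_identity(NO_CERT_HEADERS))  # ('anonymous', None)
```

These headers are only meaningful when the origin accepts traffic solely from Link11 WAAP; an origin reachable directly would otherwise accept client-supplied values for them.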

### CRL Distribution Points

Link11 supports CRLs (Certificate Revocation Lists). Admins can revoke client certificates that were previously allowed for mTLS authentication, so that unauthorized or compromised clients will be rejected without waiting for certificate expiration.

CRL Distribution Points (CDPs) are URLs where a CRL has been published. When **Enable CRL validation** is enabled, admins can add entries to the *CRL Distribution Points* list.

This list shows the current CDPs/CRLs, and for each one, shows whether and when the CRL was successfully obtained and verified.

During mTLS negotiation, if a CA certificate has been specified, the client certificate is validated against the specified CRL(s).

* If the certificate is **revoked**, the connection is rejected with a status code of 496. The Events Log will contain an entry with a *Block reason* of “General: Client certificate revoked.”
* If the certificate is **signed by another CA**, the connection is rejected with a status code of 495. The Events Log will contain an entry with a *Block reason* of “General: Client certificate could not be verified.”
* If the certificate is **not in the CRL**, the connection succeeds (assuming other validation checks pass).

{% hint style="info" %}
If the *CRL Distribution Points* list is populated, Link11 WAAP will fetch CRL data from the specified URL(s) every eight hours.
{% endhint %}

### Security policy

The [Security Policy](/console-walkthrough/security/security-policies.md) for this Server Group, with its parameters displayed for convenience.

### Proxy template

The [Proxy Template](/console-walkthrough/sites/proxy-templates.md) that this Server Group is based upon.

### Mobile Application Group

The [Mobile Application Group](/console-walkthrough/sites/mobile-application-groups.md) for this Server Group, if any.
