Property Configuration

Prerequisites

To successfully integrate using Netacea, please ensure:

  1. You have access to the relevant API and Secret keys from Netacea.

  2. Akamai have configured the Netacea Fail Open on your behalf.

  3. You have completed the Proxy Property Configuration.

  4. You have completed the Edge Worker Installation.

Property Configuration

There will be a number of configurations that need to be completed on every property that Netacea will be protecting. These configurations consist of Variables and Rules.

Property Variables

We'll first set up the variables in the root of the property. These can be found in the table below:

| Variable Name | Initial Value | Description | Security Setting |
| --- | --- | --- | --- |
| NETACEA_API_KEY | Blank | Netacea API Key. The value is set by a Rule. | Hidden |
| NETACEA_SECRET_KEY | Blank | Netacea Secret Key. The value is set by a Rule. | Hidden |
| CLIENT_IP | Blank | True Client IP | Visible |
| NETACEA_MITIGATION_TYPE | INGEST, MITIGATE, or INJECT | INGEST - Integration ingests only. MITIGATE - Integration ingests and mitigates. INJECT - Integration ingests and returns mitigation header values rather than taking the action. | Visible |
| NETACEA_MITIGATION_URL | | Variable to proxy traffic to Netacea. This must contain a prefix of https:// | Visible |
| NETACEA_DS2_CUSTOM_FIELD | Blank | Variable that contains bespoke session information | Hidden |
| FAILOVER_SECRET | <Netacea Provided Failover Secret> | Character string provided by Netacea to be used in the event of an EdgeWorker failure so that the EdgeWorker fails open | Sensitive |
| FAILOVER_HEADER_VALUE | Blank | The Value of the x-ew-failover header | Sensitive |
| ORIG_HOST | %(AK_HOST) | Host used for Netacea failover | Visible |
| NETACEA_INGEST_TYPE | ORIGIN | Defines ingest type, ensures Akamai does not default to HTTP | Visible |
| NETACEA_COOKIE_NAME | <Any Cookie Name> | Defines the name of the Netacea mitigation cookie.* | Visible |
| NETACEA_CAPT_COOKIE_NAME | <Any Cookie Name> | Defines the name of the Netacea captcha cookie.* | Visible |
| NETACEA_ENCRYPTION_KEY | <Netacea Provided Cookie Encryption Key> | Enables cookie encryption if not blank.* | Hidden |
| NETACEA_CAPT_REL_ASSETS | TRUE | Fetches CAPTCHA assets from Netacea server. | Visible |
| NETACEA_CAPT_CONTENT_NGT | FALSE | When this feature is enabled, the integration will choose whether to serve HTML or JSON based on the Accept header of the request. | Visible |
| NETACEA_CAPT_PATH | Blank | Used to support alternative captcha workflows where default HTML captcha is insufficient. | Visible |

*These variables are used to increase security by concealing Netacea's default cookie names and values from public view. Please set the cookie names to values unrelated to Netacea.

Once these have been configured, we can then move on to configuring the rules within the Property.
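A pre-activation check for the variable table above, as an added example that is not Netacea's or Akamai's code: it lints a list of property variables for the security settings and value constraints the table states. It assumes the variables are available as dicts with name, value, hidden and sensitive fields and PMUSER_-prefixed names; the mapping of those flags to Visible / Hidden / Sensitive, the var() helper and the sample values are constructed for illustration.

```python
HIDDEN = ("NETACEA_API_KEY", "NETACEA_SECRET_KEY",
          "NETACEA_DS2_CUSTOM_FIELD", "NETACEA_ENCRYPTION_KEY")
SENSITIVE = ("FAILOVER_SECRET", "FAILOVER_HEADER_VALUE")
SECURITY = {**dict.fromkeys(HIDDEN, "Hidden"),  # settings from the table
            **dict.fromkeys(SENSITIVE, "Sensitive")}
COOKIE_VARS = ("NETACEA_COOKIE_NAME", "NETACEA_CAPT_COOKIE_NAME")

def setting(var):  # assumed mapping of the export's flags to the UI labels
    if var.get("sensitive"):
        return "Sensitive"
    return "Hidden" if var.get("hidden") else "Visible"

def lint(variables):
    """Return sorted findings for a list of variable dicts."""
    strip = lambda n: n[7:] if n.startswith("PMUSER_") else n
    by_name = {strip(v["name"]): v for v in variables}
    value = lambda n: by_name.get(n, {}).get("value") or ""
    findings = []
    for name, want in SECURITY.items():
        if name not in by_name:
            findings.append(f"{name}: missing")
        elif setting(by_name[name]) != want:
            findings.append(f"{name}: is {setting(by_name[name])}, expected {want}")
    if value("NETACEA_MITIGATION_TYPE") not in ("INGEST", "MITIGATE", "INJECT"):
        findings.append("NETACEA_MITIGATION_TYPE: not INGEST, MITIGATE or INJECT")
    if not value("NETACEA_MITIGATION_URL").startswith("https://"):
        findings.append("NETACEA_MITIGATION_URL: missing https:// prefix")
    for name in COOKIE_VARS:  # cookie names must not point at the vendor
        if not value(name) or "netacea" in value(name).lower():
            findings.append(f"{name}: empty or reveals Netacea")
    return sorted(findings)

def var(name, value="", hidden=False, sensitive=False):  # hypothetical helper
    return dict(name="PMUSER_" + name, value=value, hidden=hidden, sensitive=sensitive)

SAMPLE = [  # constructed sample, not a real property
    var("NETACEA_API_KEY", hidden=True),
    var("NETACEA_SECRET_KEY"),  # left Visible: should be Hidden
    var("NETACEA_ENCRYPTION_KEY", "<placeholder>", hidden=True),
    var("FAILOVER_SECRET", "<placeholder>", sensitive=True),
    var("FAILOVER_HEADER_VALUE", sensitive=True),
    var("NETACEA_MITIGATION_TYPE", "MITIGATE"),
    var("NETACEA_MITIGATION_URL", "http://proxy.example.com"),  # not https
    var("NETACEA_COOKIE_NAME", "_netacea_mit"),  # name reveals Netacea
    var("NETACEA_CAPT_COOKIE_NAME", "_sess_c"),
]

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```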

Property Rules

The property will need a number of rules configured before it can be deployed. Each of the rules and the associated configurations needed can be found below.

New Rule (Blank Rule Template): Netacea

This will act as the nest rule that groups the Netacea rules.

New Rule (Blank Rule Template): Set Failover Variable

Within the Netacea nest rule, add the following.

To compare the failover header value, it must first be read from the header and stored in a variable. The header is then removed to prevent the secret value from leaking.

Adding Criteria and Behaviors

Criteria

Match All
  If Request Header x-ew-failover exists

Behaviors

Set Variable
  Variable: PMUSER_FAILOVER_HEADER_VALUE
  Create Value From: Extract
  Get Data From: Request Header
  Header Name: x-ew-failover
  Operation: None

Modify Incoming Request Header
  Action: Remove
  Select Header Name: Other...
  Custom Header Name: x-ew-failover

New Rule (Blank Rule Template): Set Mitigation for <hostname>

Adding Criteria and Behaviors

Mitigation Rule

Criteria

Match All
  If Hostname Is one of <hostname>
  And Variable PMUSER_FAILOVER_HEADER_VALUE is not {{user.PMUSER_FAILOVER_SECRET}}
  And* Request Protocol* HTTPS*

*ONLY FOR PROPERTIES THAT FORWARD HTTP TO HTTPS

Behaviors

Set Variable
  Variable: PMUSER_NETACEA_API_KEY
  Create Value From: Expression
  Expression: <Netacea API Key Value>
  Operation: None

Set Variable
  Variable: PMUSER_NETACEA_SECRET_KEY
  Create Value From: Expression
  Expression: <Netacea Secret Key Value>
  Operation: None

Set Variable
  Variable: PMUSER_CLIENT_IP
  Create Value From: Expression
  Expression: {{builtin.AK_CLIENT_REAL_IP}}
  Operation: None

EdgeWorkers
  Enable: ON
  Identifier: Select EdgeWorker ID that you have created previously

Please re-create the above rule for each domain (hostname) within this property that is associated with unique Netacea API and Secret Keys.

New Rule (Blank Rule Template): Netacea Fail Open

This Fail Open rule requires the use of Advanced XML behavior.

To add this advanced custom XML block, communicate with your Akamai account representative who can request that Akamai Professional Services create a custom behavior, which you can add to property configurations in your account.

Criteria

Match All
  If Metadata Stage is client-response
  And EdgeWorkers Execution Status Failure

Behaviors

Site Failover
  Enable: On
  Action: Use an alternate hostname in this property
  Alternative Hostname in This property: {{user.PMUSER_ORIG_HOST}}
  Modify Request Path: No

Custom Behaviour
  Custom Behaviour: Add "x-ew-failover:true" header on failover request

*Failover Advanced Behavior will be unavailable until Netacea Fail Open XML has been added.

Once the custom Behavior has been added, it will display like below as Advanced.

New Rule: Conditional Origin Group

This rule, along with the DataStream Rule, will be outside of the Netacea nested rule, after the other property rules.

Adding Criteria and Behaviors

Conditional Origin Group

Behaviors

Allow Conditional Origins
  Enable: Yes
  Honour Origin Base Path: Yes
  Origin Purge Query Parameter: originId

Edit/New Rule: Conditional Origin Definition

This rule is created automatically as a child-rule under Conditional Origin Group.

Adding Criteria and Behaviors

Conditional Origin Definition

Criteria

Match All
  If Conditional Origin ID mitigations

Behaviours

Origin Server
  Origin Type: Your Origin
  Origin Server Hostname: The URL of your Proxy Property
  Forward Host Header: Origin Hostname
  Cache Key Hostname: Origin Hostname
  Supports Gzip Compression: Yes
  Send True Client IP Header: No

  Origin SSL Certificate Verification
    Verification Settings: Choose Your Own
    Use SNI TLS Extension: Yes
    Match CN/SAN To: {{Origin Hostname}} {{Forward Host Header}}
    Trust: Akamai-managed Certificate Authorities Sets

  Akamai-managed Certificate Authority Sets
    Akamai Certificate Store: Enabled
    Third-Party Certificate Store: Disabled

  Ports
    HTTP Port: 80
    HTTPS Port: 443

Allow POST
  Behavior: Allow
  Allow POST without Content-Length header: Allow

Order of Rules

The order of the rules is very important. They must be completed in the same order as detailed in this document and will display like below.

Other Property rules will go after this block.

Finally the rules below need to be at the end of the rule list, with Conditional Origin rules right at the end.

Activate the Property

Once all the Rules described above have been created, click Save and use the Activate tab to activate (deploy) your changes to the property's configuration.

The process above needs to be repeated on each property Netacea will actively protect.

Finishing Up

Once the latest version of the property has been deployed, the Netacea plugin will be active. Discuss the best way to test that mitigation is active; this will include temporarily adding suitable IP addresses or User-Agents to trigger mitigation.

Copyright Netacea 2023