Property Configuration
Copyright Netacea 2023
To successfully integrate using Netacea, please ensure:
You have access to the relevant API and Secret keys from Netacea.
Akamai have configured the on your behalf.
You have completed the .
You have completed the .
There will be a number of configurations that need to be completed on every property that Netacea will be protecting. These configurations consist of Variables and Rules.
We'll first set up the variables in the root of the property. These can be found in the table below:
Variable Name | Initial Value | Description | Security Setting |
---|
*These variables are used to increase security by concealing Netacea's default cookie names and values from public view. Please set the cookie names to values unrelated to Netacea.
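A check of the variable table on this page, as an added example rather than Netacea's or Akamai's own code: it lints the `variables` list of a property's exported rule tree against the security settings and value constraints given above. It assumes each exported variable carries `name`, `value`, `hidden` and `sensitive` fields and that names use the `PMUSER_` prefix seen in the rules; the sample values are constructed placeholders.

```python
ALLOWED_TYPES = {"INGEST", "MITIGATE", "INJECT"}
# Security setting the table on this page gives for each secret-bearing variable.
EXPECTED = {
    "PMUSER_NETACEA_API_KEY": "hidden",
    "PMUSER_NETACEA_SECRET_KEY": "hidden",
    "PMUSER_FAILOVER_SECRET": "sensitive",
    "PMUSER_FAILOVER_HEADER_VALUE": "sensitive",
}
COOKIE_VARS = ("PMUSER_NETACEA_COOKIE_NAME", "PMUSER_NETACEA_CAPT_COOKIE_NAME")

def setting(var):
    """Map the export's hidden/sensitive booleans (assumed fields) to the table's wording."""
    return "sensitive" if var.get("sensitive") else "hidden" if var.get("hidden") else "visible"

def lint_variables(variables):
    """Return sorted findings for one property's variable list."""
    by_name = {v["name"]: v for v in variables}
    value = lambda name: by_name.get(name, {}).get("value") or ""
    findings = []
    for name, want in EXPECTED.items():
        if name not in by_name:
            findings.append(f"{name}: missing")
        elif setting(by_name[name]) != want:
            findings.append(f"{name}: security setting should be {want}")
    if value("PMUSER_NETACEA_MITIGATION_TYPE") not in ALLOWED_TYPES:
        findings.append("PMUSER_NETACEA_MITIGATION_TYPE: not INGEST, MITIGATE or INJECT")
    if not value("PMUSER_NETACEA_MITIGATION_URL").startswith("https://"):
        findings.append("PMUSER_NETACEA_MITIGATION_URL: must start with https://")
    for name in COOKIE_VARS:
        # The page asks for cookie names that do not reveal the vendor.
        if not value(name) or "netacea" in value(name).lower():
            findings.append(f"{name}: use a name unrelated to Netacea")
    return sorted(findings)

def _var(name, value="", hidden=False, sensitive=False):
    return {"name": name, "value": value, "hidden": hidden, "sensitive": sensitive}

# Constructed sample with three deliberate mistakes (all values are placeholders).
SAMPLE = [
    _var("PMUSER_NETACEA_API_KEY", hidden=True),
    _var("PMUSER_NETACEA_SECRET_KEY", hidden=True),
    _var("PMUSER_FAILOVER_SECRET", "placeholder-secret", hidden=True),  # not Sensitive
    _var("PMUSER_FAILOVER_HEADER_VALUE", sensitive=True),
    _var("PMUSER_NETACEA_MITIGATION_TYPE", "MITIGATE"),
    _var("PMUSER_NETACEA_MITIGATION_URL", "http://mitigation.example"),  # no https://
    _var("PMUSER_NETACEA_COOKIE_NAME", "_netacea_session"),  # reveals the vendor
    _var("PMUSER_NETACEA_CAPT_COOKIE_NAME", "_pref2"),
]

print("\n".join(lint_variables(SAMPLE)))
```

Running the same check on every protected property before activation catches a secret left Visible or a plain-HTTP mitigation URL before it reaches production.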
Once these have been configured, we can then move on to configuring the rules within the Property.
The property will need a number of rules configuring before the property can be deployed. Each of the rules and the associated configurations needed can be found below.
This will act as the rule Nest to group the Netacea rules.
Within the Netacea nest rule, add the following.
To compare the failover header value, it must first be read from the header and stored as a variable. The header is then removed to prevent the secret value from leaking.
*ONLY FOR PROPERTIES THAT FORWARD HTTP TO HTTPS
Please re-create the above rule for each domain (hostname) within this property that is associated with unique Netacea API and Secret Keys.
This Fail Open rule requires the use of Advanced XML behavior.
To add this advanced custom XML block, communicate with your Akamai account representative who can request that Akamai Professional Services create a custom behavior, which you can add to property configurations in your account.
Once the custom Behavior has been added, it will display like below as Advanced.
This rule is created automatically as a child-rule under Conditional Origin Group.
The order of the rules is very important. They must be completed in the same order as detailed in this document and will display like below.
Other Property rules will go after this block.
Finally the rules below need to be at the end of the rule list, with Conditional Origin rules right at the end.
Once all the Rules described above have been created, click Save and use the Activate tab to activate (deploy) your changes to the property's configuration.
The process above needs to be repeated on each property Netacea will actively protect.
Once the latest version of the property has been deployed, the Netacea plugin will be active. Discuss the best way to test that mitigation is active; this will include temporarily adding suitable IP addresses or User-Agents to trigger mitigation.
Criteria |
---|
Behaviors |
---|
Criteria |
---|
Behaviors |
---|
Criteria |
---|
Behaviors |
---|
*Failover Advanced Behavior will be unavailable until has been added.
This rule, along with the Rule will be outside of the Netacea nested rule, after the other property rules.
Behaviors |
---|
Criteria |
---|
Behaviours |
---|
Match All |
If | Request Header | x-ew-failover | exists |

Mitigation Rule

Match All |
If | Hostname | Is one of | <hostname> |
And | Variable | PMUSER_FAILOVER_HEADER_VALUE | is not | {{user.PMUSER_FAILOVER_SECRET}} |
And* | Request Protocol* | HTTPS* |

Match All |
If | Metadata Stage | is | client-response |
And | EdgeWorkers Execution Status | Failure |

Conditional Origin Group

Conditional Origin Definition

Match All |
If | Conditional Origin ID | mitigations |

Variable Name | Initial Value | Description | Security Setting |
---|---|---|---|
NETACEA_API_KEY | Blank | Netacea API Key. The value is set by a Rule. | Hidden |
NETACEA_SECRET_KEY | Blank | Netacea Secret Key. The value is set by a Rule. | Hidden |
CLIENT_IP | Blank | True Client IP | Visible |
NETACEA_MITIGATION_TYPE | INGEST, MITIGATE, or INJECT | INGEST - Integration ingests only. MITIGATE - Integration ingests and mitigates. INJECT - Integration ingests and returns mitigation header values rather than taking the action. | Visible |
NETACEA_MITIGATION_URL | | Variable to proxy traffic to Netacea. This must contain a prefix of https:// | Visible |
NETACEA_DS2_CUSTOM_FIELD | Blank | Variable that contains bespoke session information | Hidden |
FAILOVER_SECRET | <Netacea Provided Failover Secret> | Character string provided by Netacea to be used in the event of an EdgeWorker failure so that the EdgeWorker fails open | Sensitive |
FAILOVER_HEADER_VALUE | Blank | The value of the x-ew-failover header | Sensitive |
ORIG_HOST | %(AK_HOST) | Host used for Netacea failover | Visible |
NETACEA_INGEST_TYPE | ORIGIN | Defines ingest type, ensures Akamai does not default to HTTP | Visible |
NETACEA_COOKIE_NAME | <Any Cookie Name> | Defines the name of the Netacea mitigation cookie.* | Visible |
NETACEA_CAPT_COOKIE_NAME | <Any Cookie Name> | Defines the name of the Netacea captcha cookie.* | Visible |
NETACEA_ENCRYPTION_KEY | <Netacea Provided Cookie Encryption Key> | Enables cookie encryption if not blank.* | Hidden |
NETACEA_CAPT_REL_ASSETS | TRUE | Fetches CAPTCHA assets from Netacea server. | Visible |

Origin SSL Certificate Verification Akamai-managed Certificate Authority Sets Ports |
Hostname
Set Variable | Value |
---|---|
Variable | PMUSER_FAILOVER_HEADER_VALUE |
Create Value From | Extract |
Get Data From | Request Header |
Header Name | x-ew-failover |
Operation | None |

Modify Incoming Request Header | Value |
---|---|
Action | Remove |
Select Header Name | Other... |
Custom Header Name | x-ew-failover |

Set Variable | Value |
---|---|
Variable | PMUSER_NETACEA_API_KEY |
Create Value From | Expression |
Expression | <Netacea API Key Value> |
Operation | None |

Set Variable | Value |
---|---|
Variable | PMUSER_NETACEA_SECRET_KEY |
Create Value From | Expression |
Expression | <Netacea Secret Key Value> |
Operation | None |

Set Variable | Value |
---|---|
Variable | PMUSER_CLIENT_IP |
Create Value From | Expression |
Expression | {{builtin.AK_CLIENT_REAL_IP}} |
Operation | None |

EdgeWorkers | Value |
---|---|
Enable | ON |
Identifier | Select EdgeWorker ID that you have created previously |

Site Failover | Value |
---|---|
Enable | On |
Action | Use an alternate hostname in this property |
Alternative Hostname in This property | {{user.PMUSER_ORIG_HOST}} |
Modify Request Path | No |

Custom Behaviour | Value |
---|---|
Custom Behaviour | Add "x-ew-failover:true" header on failover request |

Allow Conditional Origins | Value |
---|---|
Enable | Yes |
Honour Origin Base Path | Yes |
Origin Purge Query Parameter | originId |

Origin Server | Value |
---|---|
Origin Type | Your Origin |
Origin Server Hostname | The URL of your Proxy Property |
Forward Host Header | Origin Hostname |
Cache Key Hostname | Origin Hostname |
Supports Gzip Compression | Yes |
Send True Client IP Header | No |
Verification Settings | Choose Your Own |
Use SNI TLS Extension | Yes |
Match CN/SAN To | {{Origin Hostname}} {{Forward Host Header}} |
Trust | Akamai-managed Certificate Authorities Sets |
Akamai Certificate Store | Enabled |
Third-Party Certificate Store | Disabled |
HTTP Port | 80 |
HTTPS Port | 443 |

Allow POST | |
---|---|
Behavior | Allow |
Allow POST without Content-Length header | Allow |