Property Configuration
Prerequisites
To successfully integrate using Netacea, please ensure:
You have access to the relevant API and Secret keys from Netacea.
Akamai have configured the Netacea Fail Open on your behalf.
You have completed the Proxy Property Configuration.
You have completed the Edge Worker Installation.
Property Configuration
There will be a number of configurations that need to be completed on every property that Netacea will be protecting. These configurations consist of Variables and Rules.
Property Variables
We'll first set up the variables in the root of the property. These can be found in the table below:
| Variable Name | Initial Value | Description | Security Settings |
| --- | --- | --- | --- |
| NETACEA_API_KEY | Blank | Netacea API Key. The value is set by a Rule. | Hidden |
| NETACEA_SECRET_KEY | Blank | Netacea Secret Key. The value is set by a Rule. | Hidden |
| CLIENT_IP | Blank | True Client IP | Visible |
| NETACEA_MITIGATION_TYPE | INGEST, MITIGATE, or INJECT | INGEST - Integration ingests only. MITIGATE - Integration ingests and mitigates. INJECT - Integration ingests and returns mitigation header values rather than taking the action. | Visible |
| NETACEA_MITIGATION_URL | | Variable to proxy traffic to Netacea. This must contain a prefix of https:// | Visible |
| NETACEA_DS2_CUSTOM_FIELD | Blank | Variable that contains bespoke session information | Hidden |
| FAILOVER_SECRET | <Netacea Provided Failover Secret> | Character string provided by Netacea to be used in the event of an EdgeWorker failure so that the EdgeWorker fails open | Sensitive |
| FAILOVER_HEADER_VALUE | Blank | The value of the x-ew-failover header | Sensitive |
| ORIG_HOST | %(AK_HOST) | Host used for Netacea failover | Visible |
| NETACEA_INGEST_TYPE | ORIGIN | Defines ingest type, ensures Akamai does not default to HTTP | Visible |
| NETACEA_COOKIE_NAME | <Any Cookie Name> | Defines the name of the Netacea mitigation cookie.* | Visible |
| NETACEA_CAPT_COOKIE_NAME | <Any Cookie Name> | Defines the name of the Netacea captcha cookie.* | Visible |
| NETACEA_ENCRYPTION_KEY | <Netacea Provided Cookie Encryption Key> | Enables cookie encryption if not blank.* | Hidden |
| NETACEA_CAPT_REL_ASSETS | TRUE | Fetches CAPTCHA assets from Netacea server. | Visible |
*These variables are used to increase security by concealing Netacea's default cookie names and values from public view. Please set the cookie names to values unrelated to Netacea.
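An added example, not Netacea's or Akamai's own code: a Python check that lints the variables from the table above in an exported rule tree before activation. It assumes the export is JSON with a rules.variables list whose entries carry name (with the PMUSER_ prefix), value, hidden and sensitive; sample_tree() builds constructed input with three deliberate mistakes.

```python
# Security setting per variable, copied from the table above.
EXPECTED = {
    "NETACEA_API_KEY": "Hidden", "NETACEA_SECRET_KEY": "Hidden",
    "CLIENT_IP": "Visible", "NETACEA_MITIGATION_TYPE": "Visible",
    "NETACEA_MITIGATION_URL": "Visible", "NETACEA_DS2_CUSTOM_FIELD": "Hidden",
    "FAILOVER_SECRET": "Sensitive", "FAILOVER_HEADER_VALUE": "Sensitive",
    "ORIG_HOST": "Visible", "NETACEA_INGEST_TYPE": "Visible",
    "NETACEA_COOKIE_NAME": "Visible", "NETACEA_CAPT_COOKIE_NAME": "Visible",
    "NETACEA_ENCRYPTION_KEY": "Hidden", "NETACEA_CAPT_REL_ASSETS": "Visible",
}

def setting(var):
    # Assumed export shape: boolean "hidden" and "sensitive" flags per variable.
    return "Sensitive" if var.get("sensitive") else "Hidden" if var.get("hidden") else "Visible"

def lint_variables(tree):
    """Return sorted findings for the Netacea variables in a rule-tree dict."""
    found = {}
    for var in tree["rules"].get("variables", []):
        name = var["name"]
        found[name[7:] if name.startswith("PMUSER_") else name] = var
    findings = []
    for name, want in EXPECTED.items():
        if name not in found:
            findings.append(f"{name}: missing")
        elif setting(found[name]) != want:
            findings.append(f"{name}: is {setting(found[name])}, expected {want}")
    def value(name):
        return found.get(name, {}).get("value") or ""
    if value("NETACEA_MITIGATION_TYPE") not in ("INGEST", "MITIGATE", "INJECT"):
        findings.append("NETACEA_MITIGATION_TYPE: not INGEST, MITIGATE or INJECT")
    url = value("NETACEA_MITIGATION_URL")
    if url and not url.startswith("https://"):
        findings.append("NETACEA_MITIGATION_URL: must start with https://")
    for name in ("NETACEA_COOKIE_NAME", "NETACEA_CAPT_COOKIE_NAME"):
        if "netacea" in value(name).lower():
            findings.append(f"{name}: cookie name reveals Netacea")
    return sorted(findings)

def sample_tree():
    # Constructed sample with three deliberate mistakes, not a real export.
    vals = {"NETACEA_MITIGATION_TYPE": "MITIGATE", "FAILOVER_SECRET": "constructed",
            "NETACEA_MITIGATION_URL": "http://mitigation.example.invalid",
            "NETACEA_COOKIE_NAME": "_netacea_mit", "NETACEA_CAPT_COOKIE_NAME": "sess_b"}
    as_set = dict(EXPECTED, FAILOVER_SECRET="Visible")  # mistake: secret left visible
    variables = [{"name": "PMUSER_" + n, "value": vals.get(n, ""),
                  "hidden": s != "Visible", "sensitive": s == "Sensitive"}
                 for n, s in as_set.items()]
    return {"rules": {"name": "default", "variables": variables}}
```

Calling lint_variables(sample_tree()) reports the visible failover secret, the plain-HTTP mitigation URL and the cookie name that contains "netacea".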
Once these have been configured, we can then move on to configuring the rules within the Property.
Property Rules
The property will need a number of rules configuring before the property can be deployed. Each of the rules and the associated configurations needed can be found below.
New Rule (Blank Rule Template): Netacea
This will act as the rule Nest to group the Netacea rules.
New Rule (Blank Rule Template): Set Failover Variable
Within the Netacea nest rule, add the following.
To compare the failover header value, it must first be read from the header and stored as a variable. The header is then removed to prevent the secret value from leaking.
Adding Criteria and Behaviors
Match All
If Request Header x-ew-failover exists
New Rule (Blank Rule Template): Set Mitigation for <hostname>
Adding Criteria and Behaviors
Mitigation Rule
Match All
If Hostname is one of <hostname>
And Variable PMUSER_FAILOVER_HEADER_VALUE is not {{user.PMUSER_FAILOVER_SECRET}}
And Request Protocol HTTPS*
*ONLY FOR PROPERTIES THAT FORWARD HTTP TO HTTPS
Please re-create the above rule for each domain (hostname) within this property that is associated with unique Netacea API and Secret Keys.
New Rule (Blank Rule Template): Netacea Fail Open
This Fail Open rule requires the use of Advanced XML behavior.
To add this advanced custom XML block, communicate with your Akamai account representative who can request that Akamai Professional Services create a custom behavior, which you can add to property configurations in your account.
Match All
If Metadata Stage is client-response
And EdgeWorkers Execution Status Failure
*Failover Advanced Behavior will be unavailable until Netacea Fail Open XML has been added.
Once the custom Behavior has been added, it will display like below as Advanced.
New Rule: Conditional Origin Group
This rule, along with the DataStream Rule, will be outside of the Netacea nested rule, after the other property rules.
Adding Criteria and Behaviors
Conditional Origin Group
Edit/New Rule: Conditional Origin Definition
This rule is created automatically as a child-rule under Conditional Origin Group.
Adding Criteria and Behaviors
Conditional Origin Definition
Match All
If Conditional Origin ID mitigations
Origin SSL Certificate Verification
Akamai-managed Certificate Authority Sets
Ports
Order of Rules
The order of the rules is very important. They must be completed in the same order as detailed in this document and will display like below.
Other Property rules will go after this block.
Finally, the rules below need to be at the end of the rule list, with the Conditional Origin rules right at the end.
Activate the Property
Once all the Rules described above have been created, click Save and use the Activate tab to activate (deploy) your changes to the property's configuration.
The process above needs to be repeated on each property Netacea will actively protect.
Finishing Up
Once the latest version of the property has been deployed, the Netacea plugin will be active. Discuss the best way to test that mitigation is active; this will include temporarily adding suitable IP addresses or User-Agents to trigger mitigation.