Security Policies
Applying security rules to paths and resources
Overview
Security Policies assign security rulesets to specific paths within applications and APIs. Whenever a request is received, Reblaze determines the security rules to enforce upon it, using the Security Policy that is applicable to its destination URL.
Each Security Policy also includes a definition of the Session ID to use within its scope. This is an important setting, as discussed below.
Usage within applications and APIs
Security Policies are used within Server Groups. Every Server Group includes a Security Policy.
Every Reblaze deployment contains a default Security Policy. (This default Policy cannot be deleted.) Admins can define additional Policies as well.
Administration
The main page (shown at the top of the page) lists all current Security Policies.
The administration (addition/deletion/editing/versioning) of Policies follows the conventions described here.
Components
Each Security Policy contains the following:
A list of paths within which this Policy will be applied.
The Content Filter Profile, ACL Profile, and (optional) Rate Limit Rule(s) that will be enforced on requests sent to the specified paths.
Optional Edge Functions(s) to run when requests are sent to the specified paths.
One or more Tags that will be attached to requests sent to the specified paths.
What to use as a Session ID for requests sent to the specified paths. This is used elsewhere by the system; for example, Rate Limit Rules can be enforced on a per-session basis.
General parameters for administration.
Individual parameters
Name
A name for this Policy, to be used within the Reblaze interface. An Automatic Tag (shown below the Tags field) will include it as well.
Match Host/Authority Header
A regex describing the (sub)domain(s) within which the paths in the Path Mapping list will be found.
When you create or revise a Security Policy, its Match Host/Authority Header must be unique. For this reason, when a new Security Policy is created, the UI generates a unique value for this field. It should be changed to a correct value before the Security Policy is saved.
Tags
A list of one or more tags, separated by spaces. Whenever this Security Policy is applied to a request, these tags will appear in the Events Log.
In addition to these admin-defined tags, the system also shows some Automatic Tags that will be attached as well.
Description
Information about this Policy, for use within the interface.
Main Session ID & Other Session IDs
Some types of settings within Reblaze allow admins to track user activity and enforce security rules based on the user's Session ID. (Examples of this include Flow Control Policies and Rate Limit Rules.)
However, the definition of a Session ID can vary. The optimal combination of request parameters can differ, depending on the circumstances.
The Main Session ID and Other Session IDs define the request parameters that should be combined and used as the Session ID within the scope of this Security Policy.
Main Session ID: This is the header, cookie, argument, or attribute that will be the Session ID by default.
Other Session IDs: This is a list of additional headers, cookies, arguments, and/or attributes that might, or might not, be available, depending on the situation. When they are available, they are combined with the Main Session ID to form the Session ID used by Reblaze.
Example: the Main Session ID is set to Header / user_id, and Other Session IDs contains one entry for an authentication token (Header / auth_token). Initially, the Session ID will consist of the user_id alone. Once the user is authenticated and the requests begin to include auth_token too, the Session ID will then be a combination of those two values.
Another example: the Main Session ID is set to Header / user_id. In Other Session IDs, there is one definition (Header / device_id) for a field that is sent by a mobile application.
If the user is using the mobile application, then
device_idwill be included in the incoming requests, and the Session ID will be a combination ofuser_idanddevice_id.If the user is using a browser instead, then
device_idwill not be defined, and the Session ID will consist solely ofuser_id.
The choice of parameters for the Session ID should be carefully considered, because it can affect the performance of various security settings and rules. Sometimes, a narrowly-defined Session ID is better, while in other situations, a broader definition should be used.
For example, an admin has defined a Rate Limit Rule based on Session ID. A threat actor then begins a session in a web browser, copies its session tokens, and tries to use them in a brute force attack across different IPs and distributed networks in the cloud.
If the applicable Security Policy has a Session ID based on the session tokens, then the Rate Limit Rule will detect and block the attack.
If however the Session ID also includes the IP address, then a Rate Limiting Rule would maintain separate counts for each of the various IPs that are used, and the Rule would not perform as the admin had intended.
Path Mapping
This is a list of paths, and the security settings (Content Filter Profiles, ACL Profiles, Rate Limit Rules, and Edge Functions) assigned to each one.
Every incoming request targets a specific URL. Reblaze finds the best match for that URL in the Path Mapping list, and applies the security rulesets defined for it.
The "best match" is determined by regex evaluation. The order in which the paths are listed in the interface does not matter.
As mentioned previously, every Reblaze deployment includes a default Security Policy. If a request does not match any other Security Policy, the default one is applied.
Managing the Path Maps
A new Security Policy will include a default Path Map. Clicking on its listing will expand it for editing.
To add a new Path Map, select an existing one, expand it, and select "Fork Path Mapping" at the bottom. The existing one will be cloned, and the new one will be displayed for editing.
Note that the controls at the top of the window are for administering Security Policies (which generally correspond to domains). Administering Path Maps (for paths and URLs within the specified domain) is done in the Path Mapping list.
Path Map Fields
Field | Value |
Name | A descriptive label for use within the interface. |
Match path | An expression for the path, expressed as PCRE (Perl Compatible Regular Expressions). If several Path Maps are defined for a Security Policy, the longest matching regex will determine which Path Map gets selected. If no regex matches, then the default Path Map will be selected, i.e. the Path Name whose name is |
Content Filter Profile | The Content Filter Profile applied to this path. Its name will be displayed in green if it is active; if displayed in red, it is currently disabled. |
ACL Profile | The ACL Profile applied to this path. Its name will be displayed in green if it is active; if displayed in red, it is currently disabled. |
Backend service | The Backend Service associated with this path. Requests that pass through Reblaze without being blocked will be forwarded here. |
Rate limit rules | The Rate Limit Rule(s) assigned to this path. |
Edge functions | The Edge Function(s) assigned to this path. |
In addition to editing the fields discussed above, the expanded Path Mapping dialog also provides the ability to:
Activate or deactivate the Content Filter Profile (by changing its active mode toggle).
Activate or deactivate the ACL Profile (by changing its active mode toggle).
Add an existing Rate Limit Rule to this Path Map, via the + New button. (The + New button will only be shown if there are Rate Limit Rules available.) An existing Rate Limit Rule can be removed by selecting the trash icon at the end of its entry.
Add an existing Edge Function to this Path Map, via the + New button. (The + New button will only be shown if there are Edge Functions available.) An existing Edge Function can be removed by selecting the trash icon at the end of its entry.
Create a copy of this Path Map, and open it for editing, via the "Fork Path Mapping" button.
Last updated
