How Reblaze scrubs incoming traffic
When Reblaze receives an incoming request, it decides whether to pass the request through to the upstream server, or block it.
This decision-making is done in several stages.
| Stage | Comments |
| --- | --- |
| Quarantines and Dynamic Rules | Traffic from requestors that are currently on the Banlist or Blacklist is blocked. Other requestors are evaluated for potential addition to the Banlist using Dynamic Rules. |
| Static Rules and Rate Limits | Requests that do not conform to specified size, time, and rate limits are blocked. More information: Static Rules. |
| ACLs | Filtering based on Access Control Lists, including Custom Signatures. |
| Rate Limits | Enforces rate limits defined for specific locations/resources within the planet. More information: Setting Rate Limits for a Location. |
| Challenges | Verifies that requests are coming from humans. More information: The Challenge Process. |
| Content Filtering | Blocks requests that do not conform to specified rulesets for required or disallowed content. This is the location-based filtering described in Filtering on Content. |
| Argument Analysis | Examination of characters in arguments. Possible results are to exempt a request from WAF filtering, to send the request to the WAF for inspection, or to block the request. More info: Args Analysis. |
| WAF/IPS Policies | Blocks requests that do not conform to the WAF/IPS Policy settings. |
Some of the criteria for the decisions are global. In other words, they apply throughout your entire planet. For example, the settings in the Static Rules section are globally applicable, and do not change depending on the context of the request. They will be applied to all traffic for all resources within your planet.
Conversely, some criteria are non-global, and they do depend on the context. For example, you can assign different security rulesets for different resources or locations within your planet. In other words, you can assign different rules to specific domains, subdomains, folders, filetypes, etc.
These non-global criteria are primarily defined within the Profiles section. They have their own structure, explained in more detail in that section of this Manual (see especially the Profile Concepts page).
Once Profiles are defined, they are available to be assigned to specific resources/locations within your planet. Those assignments are done in the Settings->Web Proxy->Security Profiles section.
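
The following sketch is an added illustration, not Reblaze code: it models the stage order from the table, with global criteria applied to every request and a profile chosen by location. The limits, IP addresses, profile names, and the rules that the first blocking stage ends evaluation and that the longest matching path prefix wins are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Stage order as listed in the table on this page.
STAGES = ["Quarantines and Dynamic Rules", "Static Rules and Rate Limits", "ACLs",
          "Rate Limits", "Challenges", "Content Filtering",
          "Argument Analysis", "WAF/IPS Policies"]

@dataclass
class Request:
    ip: str
    host: str
    path: str
    body_size: int = 0
    args: dict = field(default_factory=dict)

# Global criteria: applied to every request in the planet (constructed values).
BANLIST = {"203.0.113.9"}
MAX_BODY_BYTES = 1024

# Non-global criteria: profiles, then their assignment to locations (constructed).
PROFILES = {
    "default": {"acl_deny": set(), "bad_arg_chars": ""},
    "admin": {"acl_deny": {"198.51.100.7"}, "bad_arg_chars": "<>'"},
}
LOCATIONS = [("example.test", "/", "default"), ("example.test", "/admin/", "admin")]

def profile_for(req):
    """Pick the profile of the most specific (longest-prefix) matching location."""
    hits = [(len(prefix), name) for host, prefix, name in LOCATIONS
            if host == req.host and req.path.startswith(prefix)]
    return PROFILES[max(hits)[1]] if hits else PROFILES["default"]

def scrub(req):
    """Return (verdict, stage); assumes the first stage that blocks ends evaluation."""
    prof = profile_for(req)
    checks = {  # only four stages are modeled; the rest pass through
        "Quarantines and Dynamic Rules": lambda: req.ip in BANLIST,
        "Static Rules and Rate Limits": lambda: req.body_size > MAX_BODY_BYTES,
        "ACLs": lambda: req.ip in prof["acl_deny"],
        "Argument Analysis": lambda: any(
            ch in str(val) for val in req.args.values() for ch in prof["bad_arg_chars"]),
    }
    for stage in STAGES:
        check = checks.get(stage)
        if check is not None and check():
            return ("block", stage)
    return ("pass", None)
```

The same source IP or argument value can pass at one location and be blocked at another, while the Banlist and body-size checks give the same result everywhere.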