Location-based security settings, and Report Only mode
In this section, you can:
Define different locations and/or resources within your planet. For each one, you can:
Assign a security Profile. Profiles are defined elsewhere in the interface: this section is where you assign them and make them active for different locations within your planet.
Configure rate limiting (optional).
Configure content filtering (optional).
Set a site/application into Report Only mode (usually used only for testing).
The top right part of the screen shows the site that is currently being displayed for editing.
On the main part of this page, the various defined sections of the selected site are listed. The Default entry is always present.
Each entry is defined as follows:
To add a new Location, fill out the blank entry at the bottom and click Add. To delete a Location, click the Remove link next to its name.
Once you have defined a Location, you can assign a Security Profile to it.
Within each Location entry, the Profile field is autocomplete. Typing the first few characters of a Profile name will populate the list appropriately, then select the desired Profile.
Once you have defined a Location and assigned a Profile to it, you can also (if desired) configure rate limits and content filtering for it.
This is synchronized protection: you can limit the request rate, according to any desired parameter, per URL or section, across the entire cluster, while keeping all the proxy servers in sync.
If you need to whitelist an IP, Country, or ASN from being subject to this rate limiting, see Whitelisting and Creating Exemptions from Rate Limits.
At the end of the Location's entry, click on "More" to open the Location Settings dialog.
This displays whatever limits have been defined for this location, and another line to add a new limit.
Settings you make in this dialog will only apply to the location associated with the "More" button that opened the dialog.
Each limit defines the number of requests allowed for a specific time period, defined in the TTL field. When a request is received that matches one or more Keys, an internal TTL timer starts, and Reblaze begins counting. If the Rate Limit is reached before the TTL period has ended, subsequent requests are blocked until the current TTL period ends.
Here are the possible attributes:
When counting the number of requests, Reblaze searches for the value of a Key. Each value has its own cumulative count.
Combining Keys into one rate limit (by entering their names together, separated by a space) allows for more granularity. Examples:
remote_addr : Each IP will have its incoming requests counted, and evaluated separately against the Rate Limit.
remote_addr uri Each combination of IP and URI will be counted, and evaluated separately against the Rate Limit. In other words, Reblaze will count the requests from each IP for each URI, maintaining separate cumulative counts for each combination. So, if a specific IP asks for multiple pages within a site, it will be allowed; but if it asks for the same page too many times, it will be blocked.
Here are the possible values for Key Composition.
When using an argument in a rate limit (as mentioned in the arg_ArgName description above), the argument becomes mandatory. Any request received without the argument will be blocked.
You can use Lua to manipulate strings in the Key Composition field. Use the tostring() function to return a string into the field.
Usually there will also be a substring operation. This should come after the tostring(). Example: tostring():sub(1, 20)
Inside the tostring(), there must be a valid NGINX variable, usually from ngx.var or ngx.ctx. The full variables list can be found here.
Examples:
Substring - Suffix last 5 char :
tostring(ngx.ctx.args_table['foo']):sub(-,5)
Substring - Prefix from 1st char to 5th char: tostring(ngx.ctx.args_table['foo']):sub(1,5)
If you need assistance with this feature, please feel free to contact support.
For each Location, along with defining rate limits, you can also set up content filtering.
This is a powerful feature that allows you to require, or deny, exact values for specific headers, cookies, and arguments, based on regex matching.
Content filter example
The Filters do not have user-assigned descriptions or names (the Name field has a different meaning, described below) When a request is blocked based on the Content Filter, the request appears in the logs with a custom description constructed from the Filter's parameters.
To add a new Filter, enter values into the empty row in the list and click Add. Existing Filters can be deleted by clicking Remove.
When you are finished configuring rate limits and content filtering for a location, click Done. After you have edited all Locations, Save Changes and Publish Changes.
At the bottom of the screen, the Report Only switch allows you to test your Reblaze configuration. Enabling this setting means that Reblaze will not block any traffic for this site/application; it will merely report on what it would have blocked otherwise. This is useful during a new deployment, since you can fine-tune and optimize your settings while avoiding false positives.
This setting applies to the site/application currently being displayed. It is the same setting that is available for this site/application on the Planet Overview page. See the warning there about this setting.
Item
Description
Name
A descriptive label that you choose.
Matching Path
Defines a Location, i.e. everything within the planet that matches this Path. This entry uses Pattern Matching Syntax.
Profile
The Security Profile assigned to this Location.
More
Configures rate limiting for this location, explained below.
Field
Description
Name
A name that will describe the limit. (This will be shown in the View Logs for any requests that are blocked by this limit.)
Rate Limit
Sets the threshold for the requests. This is the number of requests allowed per the time period defined in the TTL field.
Key Composition
The value for which Reblaze searches in a request. Explained in Key Composition Values below.
TTL
The time period in seconds until the request count will be reset.
Value
Description
remote_addr
The request's source IP address.
request_uri
The request URI.
http_HeaderName
Arbitrary request header field; the last part of a variable name is the field name converted to lowercase with dashes replaced by underscores.
arg_ArgName
The name of an argument in the request. (See warning below.)
cookie_CookieName
The name of a cookie.
request
The full original request line (including the query string).
Custom
See below for explanation: Advanced String Manipulation in the Key Composition.
Parameter
Comments
Action
Required to block if a match from the specified Pattern is not found. Deny to block if a match is found.
Data Item
The source of content to examine. Options: Argument, Header, Cookie.
Name
The name of the Data Item from which to get the content.
Pattern
The matching conditions, specified as regex.
When you deploy Reblaze to protect your web assets, it acts as a proxy, receiving requests from clients (web visitors, mobile/native app users, etc.), blocking hostile traffic, and passing legitimate requests to your servers.
The Web Proxy section defines how Reblaze behaves in this role. It consists of three tabs:
Proxy settings are configured per site/application. To switch between them, click on the drop down menu on the right side.
After making edits to this section, don't forget to Save Changes and Publish them to the cloud.
Settings for security behaviors
The Application Profiles tab allows you to set appropriate security behaviors for your web applications.
Before configuring, ensure that the correct site is selected via the dropdown list at the upper right.
To add an entry to the list, click on the "+" button. To delete an entry, click on the "Remove" link next to its name.
As shown in the above screenshot, the default (“/”) profile will always be present. It applies to the entire site, except for those parts of the site that have specific profiles assigned to them.
Here are the fields for each Application Profile.
If you'd like to clear cache on one of your websites on the platform, you can click the "Purge" button. Usually, the action takes around 5 minutes.
Web Proxy - General Settings overview.
This part of the interface allows administration of three categories of settings, for the site that is currently selected at the top of the screen:
At the bottom, it also provides from the planet.
This section defines the servers that Reblaze will protect. In other words, these are the servers to which Reblaze will send the (legitimate) traffic it receives.
Within these settings, you can:
Enable and configure load balancing, weighting and distributing traffic across your primary servers.
Define backup servers, to which Reblaze will failover your traffic when your primary servers aren’t available.
Take servers offline for maintenance by ticking a single box in the interface.
Instruct Reblaze to keep individual users connected to the same server throughout their sessions.
Adding and deleting servers from this list is straightforward. To add a server, enter its IP in the “New Server” box and click Add, then fill out the rest of the information in the new entry. To delete an existing entry, click on the Delete link next to that entry.
The settings for each server in the list are as follows.
In addition to the features described above, Reblaze also has a stickiness capability that is not exposed in this version of the interface. Sometimes an application requires a user to be connected to the same server throughout the session. Reblaze can ensure that this occurs, and can do so using a variety of methods (tracking the user by IP address, session cookies, geographic location, and more).
The stickiness feature will be added to the Reblaze interface in a future version. Meanwhile, if you need this capability for your deployment, contact Reblaze support to set it up for you.
The Proxy Settings parameters define Reblaze’s behavior as a proxy, i.e. how Reblaze passes information back and forth between client and server.
The Client’s IP Header Name (Upstream Side) setting defines how Reblaze passes the client's IP address to the upstream server. In addition to the IP, Reblaze also sends the client's geographic information (if it is available). The field names are:
The Log Files Parameters enables you to control the contents of the Reblaze-generated traffic logs.
When you wish to remove a site from Reblaze, select it in the pulldown list in the upper right of the page. Then, at the bottom of the page, you will find a (disabled) Delete Site button.
To enable the button, check all three boxes next to it. (This is a safety measure to prevent accidental site deletions.) Once the button is enabled, clicking it will remove the specified site from Reblaze. Note that this action cannot be undone.
Before deleting a site from Reblaze, you should change your DNS settings to reroute your traffic, and then wait for the changes to propagate. Otherwise, Reblaze will still be receiving traffic, but the traffic will no longer be passed along to your server.
Field Name
Description
Label
The name you have assigned to this particular entry. In the example screenshot, the labels are “Static Content” , “Default,” and “JS CSS".
Pattern
The list of extensions to which this profile will be applied, expressed as PCRE (Perl Compatible Regular Expressions). An explanation and some examples are here: Pattern Matching Syntax.
Protect
When enabled, this tells Reblaze to inspect all requests for the specified destination. This should always be enabled, unless there is a specific reason not to do so.
WebSocket
Enables support for the WebSocket protocol for this resource.
Cache Mode
Defines Reblaze’s cache behavior for the resources specified in this profile. Modes are explained here: Controlling Caching Behavior.
Client TTL
Custom expiration time for the Client Side cache, in TTL Expression Syntax. (Entries will show as strikethroughs when the Cache Mode is set to an option where the TTL values are ignored.)
CDN TTL
Custom expiration time for the CDN Side cache, in TTL Expression Syntax. (Entries will show as strikethroughs when the Cache Mode is set to an option where the TTL values are ignored.)
Purge Content
Purges the cache and removes its content. See explanation below.
Setting | Description |
Host Header | Defines whether or not Reblaze will alter the Host field in the request header. The default value (“$host”) means that Reblaze will not change it; the server will receive the Host field that the client sent. A different string will replace the Host field in the header. For example, if you have multiple domains in your Reblaze planet, you might mandate that all incoming requests have a certain domain in the header, regardless of which domain the client is actually accessing. |
Client’s IP Header Name (Upstream Side) | Defines the field name that contains the client's IP address. Reblaze is a proxy, and it passes incoming client requests to the upstream server. This means that the server will receive request headers which contain Reblaze's cloud IP address as the "client" IP. This is not useful; almost always, the server will need the IP of the actual client instead. To facilitate server logging, analytics, and so on, Reblaze adds the IP address of the originating client to the headers that it sends to the server. The Client’s IP Header Name (Upstream Side) entry allows you to define the name of the field within which this information is passed. |
Client's IP Header Name (Client Side) | Defines one or more header fields within which Reblaze can find the client's IP address. When Reblaze receives an incoming request from a client, the request will have passed through a load balancer on its way to Reblaze. This means that the header will contain the client's IP and the load-balancer IP. These two IPs are usually found within the X-Forwarded-For field, which is the default entry for Client's IP Header Name (Client Side). In this situation, Reblaze knows how to extract the client IP from this field. In other situations, a different field name might be necessary. For example, if the Reblaze customer is using Akamai CDN, the incoming request will have the client IP in a field named True-Client-IP instead. |
Domain Names | The list of domains that Reblaze will protect. |
SSL Offload | Reblaze can send web traffic via HTTP instead of HTTPS. This improves server performance, because the server no longer needs to decrypt the traffic. Obviously, this decreases security, and so this setting should usually be disabled. However, under certain circumstances (e.g., when a VPN is established between Reblaze and the servers), it can make sense to enable this. |
Connect Timeout | The time (in seconds) for Reblaze to wait, before treating a connection with the upstream server as having failed. |
Send Timeouts | The time (in seconds) for Reblaze to wait, before treating an upstream data transfer attempt as having failed. |
Read Timeout | The time (in seconds) for Reblaze to wait, before treating a downstream (toward Reblaze) data transfer attempt as having failed. |
Mask Headers | Defines the response headers that Reblaze will mask (i.e., remove from the response), preventing them from being exposed to the client. For example: a default response header might include information about the server software (e.g. “Server: Microsoft-IIS/8.5”). This tells an attacker exactly which platform he is targeting, and so he can know which vulnerabilities to exploit. The Mask Headers entry defines all the headers to remove. It can contain multiple values, connected by pipes, with asterisks as wildcards. |
HTTP/HTTPS redirect lines | Used to redirect all requests coming into these ports. |
Field name | Description |
RBZ-GEO-Country | Client's country |
RBZ-GEO-CountryCode | Abbreviation of client's country |
RBZ-ORG | Client's organization |
RBZ-REGION | Client's region |
Log file Parameter | Description |
Challenge Domain | Defines the domain you want Reblaze to use when setting a challenge cookie. The default value (“$host”) tells Reblaze to use the domain being accessed by the user. |
Private Args | Defines the argument names which contain sensitive data, and therefore will not be saved in log files. Common examples of this are payment details and credit card numbers. |
Attribute | Description |
Host | The IP address for each server that Reblaze protects. This can be a normal web server, or it can be a load-balancer. Note that Reblaze also provides load-balancing capabilities in its own right, as seen in the next field. |
Weight | The relative weight of each server for load-balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights. For example, if two servers are both set to 'weight=1', they will receive equal amounts of traffic. If the first is set to 'weight=3' while the second is set to 'weight=1', the first server will receive three visitors for every single visitor that the second server receives. |
Max Fails | The maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway). |
Fail Timeout |
Is Down | When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose. |
Is Backup | When this box is checked, Reblaze will treat this server as a backup. In other words, Reblaze will not attempt to communicate with it unless all the primary servers (i.e., those for which this box is not checked) are unavailable. |
HTTP Port | The HTTP port for the server. |
HTTPS Port | The HTTPS port for the server. |
When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. Example: "10s" indicates a fail timeout of 10 seconds. This field uses .
