Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Viewing current and historical traffic data
The Traffic section allows you to monitor your network activity on a monthly, weekly, daily, hourly, or even minute-by-minute basis. It contains two primary sections: the Dashboard and View Log.
Dashboard: Provides an overview and a breakdown of your traffic to the VPC, during specified time frames. In addition, the Dashboard also provides information about Top Activities (a sorted summary of your top events).
View Log: Provides the ability to view and query network traffic data. You can analyze and monitor traffic data in real time, or over custom time frames.
Before diving into the interface, it's helpful to first read Traffic Concepts: How Reblaze reports on the requests it receives.
Product overview, architecture, and how it works
Reblaze Technologies offers an all-in-one web security platform. It includes a next-gen Web Application Firewall (WAF), full-scope autoscaling Denial of Service (DoS)/Distributed Denial of Service (DDoS) protection, advanced bot management, real-time traffic monitoring & control, full historical logs & analytics, and more.
Reblaze is fully integrated with the top-tier public cloud providers (AWS, Azure, and GCP), and runs on the customer’s clouds of choice. The platform protects web applications, services and microservices, and API endpoints.
The platform is designed around a no-compromise approach to web security. All customers enjoy comprehensive protection, without having to purchase premium tiers or subscribe to additional services. Each customer receives a dedicated Virtual Private Cloud (VPC), eliminating multi-tenancy vulnerabilities. For maximum privacy, all traffic data is processed exclusively inside the customers’ clouds. Fine-grained ACLs enable precise traffic regulation. An intuitive web-based management console provides real-time traffic control. Multivariate threat detection, behavioral analysis, and machine learning ensure accurate, adaptive protection.
Reblaze deploys as a reverse proxy, geolocated immediately in front of the protected network for minimal latency. As incoming traffic passes through Reblaze, attack traffic is blocked and denied access. The platform's overall architecture is as follows:
Reblaze deploys a dedicated VPC for each customer: an entire full-stack environment for each protected web platform, deployed immediately and automatically, and running across one or more cloud vendors (usually AWS, GCP and Microsoft Azure, although private clouds are supported as well).
All incoming traffic is routed through the VPC and scrubbed as it passes through. Latency is negligible (generally 1.5 milliseconds or less).
Hostile traffic is blocked before it reaches the protected network. Legitimate traffic has normal access to the requested resources.
Attackers cannot reach, or even find, the targeted web platform.
Bandwidth, compute, and other resources scale automatically as needed, limited only by the capacity of the global cloud.
Remote management ensures minimal obligations (of time or expertise) from onsite staff.
Reblaze supports various methods of authentication such as Basic, Digest, and Kerberos. (Note that NTLM cannot work with reverse proxies, and thus Reblaze does not support NTLM sites/applications.)
With Reblaze, you can process and scrub your traffic exclusively within your clouds—the clouds you already trust for your other business processes.
Reblaze is integrated with, and runs natively on, multiple cloud platforms, including the top-tiers (AWS, GCP, and Azure). It can run on any combination of clouds, on your choice of accounts (Reblaze’s, yours, or a combination of the two), and it deploys in minutes.
Reblaze deploys slightly differently on each platform, to take full advantage of its inherent capabilities.
Here is an example deployment of Reblaze on Google Cloud Platform.
Static content is served by the CDN. Incoming dynamic requests are directed through Cloud Load Balancing (capable of handling millions of requests per second) to ensure that the request processing time is minimal and availability will be fully utilized.
Requests are routed through the Auto Scaled instance group of "Reblazers" (security logic units) that will inspect the traffic, and according to their security policies, will bypass, deny, or allow the requests. Rule updates are sent to Cloud Armor, which blocks hostile traffic at the edges.
All incoming requests and their disposition are displayed in the console admin, and also streamed into Cloud Security Command Center (not shown above for lack of space).
All events and requests are recorded in BigQuery, accessible to users at all times via full historical logs. Cloud Machine Learning is used to analyze the data. Reblaze identifies new traffic and behavioral patterns (both legitimate and hostile), and updates all deployments appropriately. Thus, even as new web threats arise, Reblaze hardens itself against them.
All Security policies are stored in secure Cloud Storage and constantly synchronized.
Here is an example deployment on AWS. The overall traffic flow and processing is similar to that described above for GCP, although it leverages AWS's native capabilities.
Here is an example deployment on Azure.
A quick-start guide
In this section you'll find a quick setup guide to get your planet (i.e., your entire Reblaze deployment, containing all its domains and web applications) up and running. After completing this section, it's advised to read through the rest of this Manual in order to understand the full capabilities of Reblaze.
Reblaze's support team is always available to assist you. At any step of this process, please feel free to contact us.
The flowchart below describes the process we are about to begin:
The initial login process is as follows:
Go to the link provided by Reblaze.
https://example-console.reblaze.com/
Enter the initial login credentials (in lowercase), which are:
Username = email
Password: Click on "Reset password" in order to set one.
A link will be sent to the provided email address. Click on that link, and on the page that follows, choose and enter a password for your user account.
You will be redirected to your console’s Login page. Please enter the email address specified above, and the password you just created. Then, next to the field which says “Multi-factor Authentication PIN,” select "Text me my code". During your initial setup request, you had provided a mobile phone number; that number will now receive an SMS message with an OTP (One Time Password), which you will enter here.
Click on the Login button.
After you login into the system, the first screen you will see is the Dashboard. This is the main screen for the Reblaze UI; once traffic statistics are available, they will be displayed here. (The Dashboard screen is described in-depth here.)
Before the Dashboard can show anything, your Reblaze planet must be set up. This is done in the Settings -> Planet Overview section.
To add a new web application to Reblaze, you will duplicate the pre-defined default application.
The Reblaze interface does not offer the ability to create a new site or application from scratch, because this process is complicated and error-prone. Instead, you will duplicate the default application and then edit it as needed.
Once you choose the right domain for your new application, you should be redirected automatically to the Settings -> Web Proxy page. If not, go there directly.
If your new application is not already selected for editing, select it now.
In the Frontend section:
Define the Domain Names (the aliases) for your application.
Add the Trusted source IPs.
For many or all of the remaining fields on this page, the default values might be acceptable. You should take a few minutes to go through them to verify this.
When you are finished, save your changes. Then go to the Settings -> Backend Services page.
In the Host field, enter the IP address of the backend server(s).
Then verify that the default values on the rest of the page are acceptable.
When you are finished, save your changes. Then return to the Settings -> Planet Overview page, and publish your changes.
Note: the deployment will not occur until you click "Publish Changes." In general, whenever you work within the Reblaze interface, saving and publishing is always necessary. More information is here: Saving and Publishing Changes.
Don't refresh the page until you get a confirmation that the changes were uploaded to the cloud.
Now it's time to set up your SSL Certificates.
All connections between your server and clients must be encrypted. This requires an SSL Certificate to be installed on the web server. Once a certificate is installed, client browsers can connect via HTTPS instead of HTTP.
With Reblaze, you can either upload an existing certificate into Reblaze, or you can generate a new one for free through the Let's Encrypt service.
Add your certificate to Reblaze, as explained under SSL Management.
Copy the relevant details from the DNS section, and redirect your traffic through Reblaze. (DNS setup varies widely depending on your current configuration, and this Manual cannot discuss every permutation. Contact support if you need assistance with this.)
Go back to "Planet Overview" and publish your changes as explained previously.
Your initial configuration is complete. Welcome to Reblaze!
Copy the relevant details from the DNS section, and redirect your traffic through Reblaze. (DNS setup varies widely depending on your current configuration, and this Manual cannot discuss every permutation. Contact support if you need assistance with this.)
Return to the Planet Overview page. Create a certificate using the "Generate Certificate" button in your application's listing there.
Publish your changes as explained previously.
Your initial configuration is complete. Welcome to Reblaze!
The DNS section doesn't exist for marketplace deployments.
Product Manual and documentation
This is a description of some general UI components used throughout the system.
Pages such as Tag Rules, Rate Limiting, Cloud Functions, and Backend Services are based on a common grid component that displays all the entries of the specified type in the system. For example, here is the grid in use on the Cloud Functions page.
The grid provides several administrative actions.
To add an entry, select the "+" button at the top of the display.
To edit an entry, select the pencil button at the right side of the corresponding grid row.
Above the grid, an input control accepts regular expressions for finding matching entries in the grid.
By default, all the grid columns are sortable. Just select the corresponding column header (the cursor view changes to a pointer when hovering).
This component appears after selecting a pencil button within the grid component. It consists of different fields depending on the displayed data type (cloud function, tag rule, etc.), but the common element is a fixed header. Consider the example of a tag rule details page.
The component header includes the following 3 blocks:
The entry's main info (on the left: the entry's name and id)
Entry selector (the dropdown on the right)
Actions block (a set of buttons on the right)
Each entry has a user-defined name, and an auto-generated id for internal use.
The entry selector dropdown allows you to change the entry currently being displayed and go directly to another without going back to the grid page. Also, since this selector is based on the autocomplete dropdown component (see below), it's possible to fast-search for a desired entry in the dropdown list using regular expressions.
The actions block usually consists of at least 3 buttons:
Close the details page and go back to the grid page
Delete the entry usually after confirming the deletion via a modal confirmation window. Sometimes this button is unavailable, depending on the specific entry type.
Save the entry, which means it's possible to change the entry details and save those changes. Sometimes this button is unavailable due to validation issues, depending on the specific entry type.
As shown on fig. 2 above, the actions block may include additional buttons depending on the entry type.
Some pages (such as Web Proxy and individual grid details pages) as well as some general UI components are using an autocomplete dropdown component. It's a dropdown list with a capability of quickly searching for a desired entry using regular expressions. Consider the example of a tag rules details page:
Initially the component looks like an ordinary dropdown, but after it is selected, it splits into 2 parts: a text input and, below it, an entries list. By typing in the text input, it's possible to filter the entries list, leaving only those entries which names contain the typed letters; regular-expressions notation also works here.
When there are a large number of entries, the dropdown list becomes scrollable. If the selected entry is hidden at the bottom of the list, it automatically scrolls down to make this entry visible when the list is opened. When an entry in the list is selected, it gets highlighted in blue and the parent component catches this change; in the example move, the details page will change to display the selected entry.
This component is used on the Rate Limiting and Tag Rules details pages. Initially, it's an ordinary dropdown labeled as "Action" with several options available:
503 Service Unavailable
Challenge
Tag Only
Redirect
Request Header
Response
Ban (not available in Tag Rules)
The request will be blocked with a 503 error. This is the default action for Rate Limits, and is also available for Tag Rules.
For a browser-based web application, a bot challenge will be issued to verify that the requestor is a human using a browser, and not a bot using a headless browser or emulator. If the challenge is failed, the request is blocked.
One or more tags are attached to the request, and processing continues (i.e., it is not blocked).
For a Tag Rule, the tags are those specified in the Tag Rule.
For a Rate Limit, the tag is the name of the Rate Limit.
This is the default action for Tag Rules.
This action blocks the request with the specified error code, and redirects the requestor to a specified URL. For example, the URL might be a page that says, "Your activity appears suspicious, and your access has been restricted. Contact support if you think this decision was made in error."
When this action is selected, the component changes as follows:
The component now has a Redirect Status dropdown, with five options for error codes: 301, 302, 303, 307, and 308.
The focus is automatically placed on the Location input, which is a mandatory entry with a regular expression format ^https?://.+$
. Until this contains a valid entry, the Save entry button at the top of the page will be disabled, and the control will be highlighted in red.
This action does not block the request; it merely adds a header to it for receipt and evaluation by the customer's backend.
When this action is selected, the component changes as follows:
Both input controls use regular expressions (^[0-9a-zA-Z-_]+$)
, and are mandatory. Until they contain valid entries, the Save entry button at the top of the page will be disabled, and the invalid control(s) will be highlighted in red.
This action blocks the request, and responds with a custom error code (0-999) and response.
When this action is selected, the component changes as follows:
The Status field (which should be a regular expression ^[1-5][0-9][0-9]$
) and both Header fields (as regular expressions ^[0-9a-zA-Z-_]+$
) are mandatory. Until they contain valid entries, the Save entry button at the top of the page will be disabled, and the invalid control(s) will be highlighted in red.
This action is only available for Rate Limits. When selected, the component changes as follows:
The Time Frame field is mandatory. Until it contains a valid value (an integer less than 86,400), the Save entry button at the top of the page will be disabled, and the control will be highlighted in red.
The Ban action dropdown is an instance of the Ban Action component, except that it does not contain a "Ban" option.
Common uses for Ban are described in the documentation for the Rate Limiting page.
This component is used on Rate Limiting, Cloud Functions, and Backend Services details pages. It consists of 2 sections: Add New Link and a list of linked sites. (In Backend Services, Add New Link is unavailable.)
Easy-to-use checklists for starting and testing Reblaze
An update is pending for this section. You can use the description below to gather information you'll need for the setup, but please contact Reblaze support for the current instructions.
Please go through these checklists, and verify that their actions have been completed, both before and after your traffic is routed through Reblaze.
There are three checklists below: two for setup, and one for testing.
Before going through the checklists below, you should already have performed the actions listed in Getting Started.
When the following checklist has been completed, you'll be ready to go.
Note: by default, Reblaze is deployed in Report mode for all applications. In this mode, it will not block traffic; it merely reports on the traffic it would have blocked, if that application had been set to Active mode.
How Reblaze reports on the requests it receives
The Reblaze and provide intuitive yet very powerful ways of viewing your traffic.
Within those sections, your traffic data is reported in terms of several statistics:
The Dashboard provides a variety of ways to view your traffic. Most of them do not include all of the above metrics in the same view (as in the first screenshot below), but some do (as in the second screenshot below).
The discussion below is for sites and web applications.
Most of the Reblaze interface focuses on configuration for:
The detection and mitigation of hostile requests.
The detection and mitigation of hostile behavior of requestors.
The challenge process is different. It is built into Reblaze, and provides a third approach to security. It mitigates threats based on the requestor's identity and environment.
When Reblaze receives the first request from a previously unknown traffic source (below described as the "user"), this is the typical process that is followed.
If the challenge is not passed, the request is suspected to be a bot, and another challenge is issued. This process continues until a challenge is passed, or a threshold is reached (e.g., via a Dynamic Rule) to ban the requestor.
If the challenge is passed, the browser's session is authenticated, and the browser receives cookies from Reblaze.
The browser then automatically resubmits the original request, but this time, the cookies are included. The user is granted access to the requested URL, resources, etc.
Subsequent requests will also include the cookies, and thus, they are not challenged.
This process happens quickly (in a few milliseconds), and is invisible to the user.
As noted above, this is the "typical" process that occurs in normal use. There are a variety of situations in which it might not be followed. For example, sometimes Reblaze is configured to whitelist certain IP addresses, and not to challenge them.
The discussion below will be based on the typical process described above.
The process described above will result in the following statistics being incremented.
For each challenge that was not passed:
Hits
Challenge
Bots
If the challenge was passed:
Hits
Challenge
Bots (see explanation below)
Hits (incremented a second time for the post-challenge resubmission of the request)
Passed
Humans
Within Reblaze, a request that does not have authenticating cookies is counted as a bot.
As a result, the Bot count can sometimes be incremented even when the visitors are humans. Examples:
When a human user visits a Reblaze-protected site for the first time, the first request does not yet have the authenticating cookies.
Static files (images, etc.) are often exempted from challenges for performance reasons. Direct requests for those URLs from a new visitor will not have cookies.
Sometimes, trusted IPs are whitelisted and exempted from challenges. They never receive authenticating cookies.
Therefore, although most of the Bot count represents non-human requests to your web application, the Bot metric is not an exact count of this.
When working with Reblaze's traffic statistics, the following relationships can be helpful.
The process described on this page is the active challenge process. Out of the box, this is the challenge process that Reblaze uses.
We recommend that whenever possible, customers also enable passive challenges.
In some situations, active challenges can interfere with certain metrics such as those provided by Google Analytics. (The initial referrer information is lost.) If this is a problem, active challenges can be disabled. In this situation, passive challenges can provide effective bot protection instead.
When caching is being done by a CDN, active challenges will not occur for pages being served from the cache. Passive challenges are necessary for Reblaze to perform bot detection in this situation.
If possible, we recommend that customers use both active and passive challenges.
An overview of traffic activity
After logging into Reblaze, the Dashboard screen is the first screen you'll see. It displays all incoming traffic and what happens to it. By default, this screen shows current activity; by using the archives, you can also 'go back in time' to see previous activity.
The user interface has three main sections:
Allows you to easily filter the display to show exactly what you want. The structure of a filter is operator:value.
For example, to show all traffic from France that was blocked:
country:France, is:blocked
Enables the user to select a pre-defined time frame, or a custom time period. See the video below:
This section shows the traffic that was processed by Reblaze: requests which passed through to the upstream servers, and requests that were blocked. Hits are distributed by time and sorted into three different categories: Humans, Challenges, and Blocked. As you can see in the example below, the data is shown in different colors to easily distinguish among the categories.
Counts the number of status codes in a certain time period.
HTTP Status response codes are divided into five categories:
1xx - Informational Response
2xx - Request Successful
3xx - Request For Redirection
4xx - Client Error
5xx - Server Error
As in the Passed vs. Blocked display, the data is shown in different colors.
The number of network requests during a certain period of time.
The downstream bandwidth limitation per response. Left-axis units are "k" for kilobytes, and "M" for megabytes.
This displays the time (in milliseconds) consumed by Reblaze's processing.
You can zoom in upon the various graphs, in order to examine a smaller window of time. The video below demonstrates this process.
This section displays traffic statistics according to a variety of "top" metrics: the Top Applications, Top Countries, Top Signatures, etc.
In many of these displays, entries contain links. Clicking on them will open the traffic log, filtered to show the item you selected. For example, in the "Top Countries" view, clicking on a country name will open the traffic log to display the most recent requests originating from that country.
Shows all protected sites for the current Reblaze deployment. Applications marked in red have a blockage rate above 30%. The blockage rate is the ratio of requests blocked by the system to the number of total network requests.
Note that in this section, "Passed" and "Latency" entries aren't shown, and "Cloud", "Anon" and "Blockage" are added. Their meanings are:
Shows your traffic sorted by country. Each country's flag is shown by its name.
On the screenshots below, IP addresses are censored for privacy reasons.
Shows traffic data according to IP address. The ASN (autonomous system number) for each IP is also shown.
Shows the nature of user sessions. Sessions that pass Reblaze's bot mitigation challenge are identified as originating from humans, and are listed here according to the user's RBZ (Reblaze) cookie ID. In the screenshot below, note that the first line shows "-" for the ID. These are sessions that did not pass the challenge.
Shows the URLs in your site(s) that were accessed the most frequently.
Shows the reasons that traffic was blocked. Unlike other displays, this section does not include hits, passed, blocked, etc.—the counter only shows the number of blocks per signature. Here you can see which types of attacks are most common in your environment. In the example screenshot below, the first entry is "-": this shows requests that were blocked, but not by Reblaze (i.e., they were blocked "by origin"—by the upstream server).
Shows the referers that were extracted from the request headers.
Allows you to view the various file types that are being used by the application. ("None" shows the network requests that weren't counted as file extensions.)
Shows all the user agents that initiated requests for the application(s).
Shows all of the ASNs (Autonomous System Numbers) from which requests were sent. The ASN can identify individual entities, or larger networks: for example, a telecom provider or a cloud provider.
Shows a list of all applications, with the corresponding latency for each.
Reblaze processes "web" requests (http/s traffic for a web site or application) differently than API requests from a mobile/native application. Mobile applications have different methods of client authentication, as discussed here: .
Reblaze challenges the user's browsing environment. Reblaze uses a variety of proprietary, multi-faceted techniques to verify that this requestor is a human using a browser, instead of a bot using a headless browser or emulator. (For more detailed information, see .)
Passive challenges still include, while adding three additional benefits:
They enable : a much more powerful means of identifying automated traffic, and an important part of Reblaze's behavioral analysis.
To learn more about passive challenges, go here:
For a full explanation of Reblaze's Query box, including operators and syntax, .
Queries run in the Dashboard will display the results graphically. To see the results as a full list of the requests and their details, you can copy the filter string and paste it into the Query box in the .
For a detailed list of response codes, .
In the example screenshot below, the third and fourth entries include a "ref" value. These are Reblaze reference IDs, .
Item
Action
More Information
Web Server Firewall
& Hosting Firewall
Verify that Reblaze IPs are whitelisted in the firewall.
Also, please ensure that only Reblaze IPs are able to access your web server, i.e. block access for all non-Reblaze IPs. This can be done via a set of rules for your firewall, or via .htaccess files.
Rate Limits
Verify that you're not using any Rate Limit/QOS rules that apply to Reblaze IPs.
This avoids potential blacklisting of Reblaze, and other availability issues. (If Rate Limits are applied, Reblaze can be misidentified as a DDoS source.)
Website Cache Settings
Ensure that each site/application returns the correct caching instructions.
You can also control caching behavior through Reblaze using Cloud Functions.
Item
Action
More Information
Upstream Server
Verify that the settings for each domain/site are correct.
Servers are defined in Backend Services. Security policies are assigned to domain/site URIs on the Web Proxy page.
SSL
Verify that your SSL setup (which should have been performed already, as described in Getting Started) is complete before routing traffic to Reblaze. (Note that if you want Reblaze to generate Let's Encrypt certificates for you, the traffic must be routed to Reblaze before the certificate can be generated.)
You can use pre-existing certificates, or generate new ones via Reblaze. More info.
Non- Browser Applications
If your application serves bots or other non-browser clients (e.g., monitoring services, mobile/native applications using an API, etc.), you will need to exempt them from Reblaze's browser challenges.
Mobile/native applications are exempted by using the Mobile SDK.
For other non-browser clients, you should disable Active Challenges. It is highly recommended that you enable Passive Challenges to replace them. More info on the overall challenge process is here.
Web Application Firewall (WAF)
Review the default ACL Policy and WAF/IPS Policy, to ensure they meet your needs. If more customized rulesets are needed, define new Policies.
The Policies are assigned to URIs within the sites/domains in the Security Profiles section of the Web Proxy page.
Block Known Sources
Reject traffic from sources known to be hostile (e.g., IPs, countries, etc.)
Lists of sources are selected/defined in Session Profiling. Their associated tags are included within ACL Policies with an operation of "Deny".
Whitelist Known Sources
Exempt specific traffic sources from inspection and filtering.
Lists of sources are selected/defined in Session Profiling. Their associated tags are included within ACL Policies with an operation of "Allow" or "Bypass".
DDoS Settings (Rate Limits)
Review the rate limits to ensure they match your site's capacity. For most use cases, the default settings should work well.
Some settings are in Advanced Frontend Settings; others are in Dynamic Rules. More info about this.
Alerts
Review and customize alerts and notifications according to your needs.
Done within the Planet Overview.
Account
Review your account settings to ensure they are correct.
Sometimes new customers enter placeholder values at first. Ideally, correct values would be in place by the time Reblaze is active.
Item
What to verify
More Information
Check DNS
Run a DNS query for the website, and validate that the DNS records of the HTTP/S services are pointing to Reblaze CNAME /IPs only.
You can use tools such as https://dnschecker.org/.
Test Traffic
Both the Dashboard and View Log include a Query box to filter their displays. Here's how to use the Reblaze Query Box.
Test Non-Browser Clients
If applicable, generate and test traffic from non-browser clients, and verify via the Dashboard that the requests are not blocked/reported.
This is to validate the (optional) settings configured for non-browser clients, as described in the checklist above.
Monitor and Optimize Settings
As traffic is processed by Reblaze, review the Dashboard (and ideally, the View Log) to see the decisions that are being made. Optimize Reblaze until it is performing as expected. Once you are satisfied with Reblaze's traffic scrubbing, move your application(s) from Report mode to Active mode.
Reblaze's logs are a rich source of insights into incoming traffic. Highly recommended reading: Understanding and Diagnosing Traffic Issues.
Name | Description |
Cloud | Cloud Providers (GCP, AWS, etc.) |
Anon | Anonymous Proxy Browsers |
Blockage | Blockage rate |
Defining how Reblaze processes your traffic
This section defines the parameters with which Reblaze scrubs traffic.
The user interface is divided into these sections:
Dynamic Rules: Thresholds for banning sources of hostile traffic.
Quarantined: The "warehouse" of traffic sources that are currently banned. This contains blacklists and whitelists, allowing you to manually control quarantines when necessary.
Profiles: Creation of security rule sets for assignment to specific resources, locations, and applications.
Args Analysis: Settings for allowing requests based on their arguments, in a procedure that occurs before normal WAF inspection and filtering.
Session Profiling: Settings for assigning tags to incoming requests.
Rate Limiting: Settings for rate limits and the actions that will be performed when a rate limit is violated.
Cloud Functions: Custom code that can be executed at specified times during traffic processing.
The Security section is where you define the "under the hood" settings for Reblaze. When defining or editing the information in this section, careful consideration is necessary.
Before investigating each section of the interface, it's recommended to read the "Security Concepts" discussion on the next page of this Manual.
Name | Description |
Hits | Total amount of requests |
Passed | Requests that reached the upstream server |
Blocked | Requests that were blocked by one of Reblaze’s correlation engines. |
Humans | Requests that passed Reblaze's human vs. bot challenge process. |
Bots |
Challenges | Requests that were served with bot detection challenges. |
Latency | How much time it takes for a packet of data to get from one designated point to another. Displayed in milliseconds. |
Dn | Amount of traffic in MB that originated from the upstream server towards the clients. |
Up | Amount of traffic in MB that originated from the client towards the upstream server. |
Statistic | Comment |
Hits | Total incoming requests |
Humans | Requests originating from humans. |
Bots | Requests originating from traffic sources not (yet) verified to be human. Most of the requestors will be bots, but some will not be. More on this below. |
Passed | Requests accepted by Reblaze and passed upstream to the origin (i.e., the web server, API endpoint, etc.). |
Blocks | Requests deemed to be hostile, and blocked. |
Challenges |
Revealing the composition and details of your traffic
This page provides the ability to review and analyze the most recent traffic, up to and including real time. At first glance, you'll see the origin country, IP address, HTTP message type, the targeted location, time stamp, and status code.
If a security event occurs, this page will allow you to quickly find its root cause.
On the top right of the page, you can select the range of requests displayed: from the most recent 200 events up to the most recent 2500. Choose the desired range (200, 500, 1000, 1500, 2000, or 2500) and then click on the checkmark to set the display.
In the screenshots below, IP addresses are censored for privacy reasons.
The main tool in this section is the Query box for filtering the display; this is quite similar to the one on the Dashboard. It allows you to filter the display and see only the data you wish to analyze. For a full explanation of how to use it, click here.
The Query box allows you to filter and display specific requests and their details. To show the results graphically instead, you can copy the filter string and paste it into the Query box on the Dashboard.
At the top right of the screen, you can choose the application you want to analyze. The drop-down menu allows you to search for and choose your desired application.
Next to the Query box, you'll see several buttons.
The search icon is for applying the requested filters on the log. (Or, just hit "Enter" on the keyboard after typing your query.)
The calendar button allows you to specify a certain date or period of time.
The Search History button displays your recent searches, so you can re-run them without having to enter them completely from scratch.
Export to CSV creates a text-based spreadsheet file.
The Help button opens a display with a quick-reference guide to Query box operator syntax.
The Clear button removes your current Query box entries.
Log entries are color-coded depending on their type.
Passed requests: Black text on a white background.
Blocked by Reblaze: Red text on a red background.
Blocked by origin (i.e., the upstream server): Red text on a white background.
Challenge: Brown text on a yellow background.
Clicking on any log entry will display its details:
This will reveal:
The URL that was requested
The user agent
Optional additional information (not shown in the example above), depending on the request. Example: the referrer.
A row of colored labels:
Green: Passed request
Red: Blocked request
Yellow: Explanatory
Blue: Informational
HTTP Request Method (GET / POST / PUT...)
HTTP Version
HTTP Response code, and which server sent the code: either the upstream server (noted as "Origin," as in the example above), or the Reblaze proxy.
Resource that was requested (JPG / PNG / HTML / JS, etc.)
Origin Country and Country Initials
Block reason: The reason, if any, that the request was denied. Standard reasons are listed in the Reblaze WAF Signatures list, while others are constructed dynamically (e.g., from a rate limit). A hyphen ("-", as in the example above) means that the request was not denied.
IP Classification: Whether the requestor is using an IP from a cloud provider, VPN, TOR, etc. In the example above, the requestor is using a cloud provider. Note that this does not indicate that the request was blocked for this reason. If the current Profile had included an ACL to block cloud users, then the Block reason would say "acl:cloud", and then this "Cloud" notification would appear after it for the IP Classification.
Origin IP address (censored in the example above)
Autonomous System Number (organization/ISP/etc.)
The example above shows a request that was answered with a challenge. It came from a known cloud provider, by curl, to www.example.com.
The above screenshot shows a log entry for a request that was blocked. Note that the Block reason is "Generic Attack [ref 22400000]". The "ref" number is a Reblaze Signature reference ID.
How to search for one IP (censored in the screenshot below), only showing requests with a GET method during a specific time frame.
Using this regex syntax:
status:[4]\d\d
Provides all status codes for 4xx.
How to display all requests from a certain country, for "EXE" files, which produced error code 403.
A full explanation of filter syntax, a listing of operators, and tips for quickly building queries is found here: Using the Reblaze Query Box.
The View Log page has many uses, and it will allow you to learn a lot about your traffic.
This page is a powerful tool for traffic control, and is especially useful when you are first starting to use Reblaze. By revealing the composition of your traffic, it can help you decide which requests you should begin blocking.
How Reblaze scrubs incoming traffic
Reblaze evaluates incoming traffic in a multi-stage filtering process. An HTTP/S request which passes all security tests will be forwarded to the backend.
This decision-making is done in several stages.
Administer the lists of which requestors are banned and/or permitted access
The quarantined section will show requestors that have been banned for violation of the Dynamic Rules and Rate Limiting rules, requestors that have been blacklisted, and requestors that have been whitelisted. You can add and remove requestors, and transfer them among the various lists.
There are four lists of requestors in this section:
Banlist
Simulation Banlist
Blacklist
Whitelist
Each is described in more detail below.
For each entry, it's possible to see the following: IP address, origin country, AS number, the violation that was triggered, "CNT/Limit" (the number of violations compared to the allowable limit), when the ban began, and when the ban will expire.
All requests from these requestors are currently being rejected. These requestors violated a rule that was set to “Ban” mode.
These requestors are NOT having all their requests rejected. These requestors violated a rule that was set to “Simulated Ban” mode. Simulated Bans are used mainly for testing new rules and seeing how they function, before converting those rules to Ban mode.
All requests from these requestors are currently being rejected. These requestors were placed here by a Reblaze admin.
These requestors are exempted from the Dynamic Rules and Rate Limiting Rules. For example, even if they violate a rate limit, they will not be banned.
Requestors are added to the Banlist and Simulation Banlist automatically when they violate a Dynamic Rule or Rate Limiting Rule.
You can add a requestor manually to the Whitelist or Blacklist using the "Add New Entry" option in the section menu. This is demonstrated in the following video:
The fields are:
Requestors can be transferred among the various lists with this procedure:
Select the requestor(s) by checking the box at the left of each entry.
Open the section menu.
Choose the desired "Move to" command (e.g., "Move to Whitelist").
Moving an item to the Banlist can only be done from the Simulation Banlist.
Requestors on the Banlist, Simulation Banlist, or Blacklist will be automatically removed when their expiration time is reached. (The Whitelist has no expiration time.)
Requestors can be manually removed from the list they are currently on:
Select the requestor(s) by checking the box at the left of each entry.
Choose "Delete".
Security rules with time-based thresholds
The Dynamic Rules section defines security rulesets that evaluate various criteria over time. When requestors commit activities that exceed defined thresholds, they can be banned, or merely reported on within the interface.
Note that Dynamic Rules do not block requests; they ban the sources of requests. Individual incoming requests are blocked for reasons defined elsewhere, e.g., in ACL Policies.
When requests are blocked, or display other hostile characteristics, Dynamic Rules are used to monitor their sources. If the sources continue their hostile activities, they can be banned. A ban means that all subsequent requests from that source will be blocked for a configured length of time.
In some situations, either Rate Limiting Rules or Dynamic Rules could be used. Rate Limiting Rules are the preferable option. They are more powerful, more flexible, and in a future release, they will fully replace Dynamic Rules.
The interface displays the Dynamic Rules that are currently defined. At the top are the default rules supplied by Reblaze, marked with the Reblaze icon.
The default rules from Reblaze are useful for most customer deployments. If you wish to edit them, one approach is to preserve the originals by duplicating them, deactivating them, and then editing and using the copies.
To edit a rule, click on its name, and its parameters will appear below.
It provides these abilities:
The interface also provides a search box, which can be used to find a rule according to a string within its name.
To create a Dynamic Rule, click on "Add new rule" in the Dynamic Rules section menu and provide the Rule Name.
Newly-created Rules are always disabled, and must be enabled before they will be active.
Each Dynamic Rule contains the following parameters:
Note that it is theoretically possible to construct a Dynamic Rule so that a specific request can match both the Monitor and Ignored conditions simultaneously. (This usually indicates a mistake in constructing the rule.) If a request ever matches both condition sets at the same time, nothing happens.
The monitor list includes many useful arguments for identifying relevant traffic.
Some of the matches rely on the results of ACL Policies. For example, an Anonymizer value of "true" will match a request that was denied by the "Deny Anonymous Proxies" ACL Policy.
Scrolling down the list will reveal additional fields. These tend to be used by more advanced users.
The video below sums it all up:
The Block Reason field allows you to construct a Dynamic Rule that will be triggered when requests are blocked for specific reasons. When this is included in a Rule, Reblaze will compare its value to the reasons that a request was blocked.
The comparison is based on a "contains" substring search, and is case-insensitive. Therefore, when a request is blocked for Over-capacity
, Block Reason values of capacity
, over-capacity
, and Over-capacity
will all match.
There can be multiple Block Reasons OR'd together, e.g.: autoban|over-capacity
.
There are several ways to obtain values for constructing Block Reasons. The first is the list of standard Reblaze WAF signatures (example: Autoban/etc.
). Other possible values are custom, created dynamically by Reblaze as the result of user configuration. Example: Rate limit 2/1s
.
In both cases, recent values can be obtained from individual events in the View Log, or from the Signatures tab on the Dashboard page.
After creating or modifying Dynamic Rules, it is recommended that you test them to ensure that they are behaving as expected.
You can safely test Dynamic Rules against actual traffic data, without actually banning any traffic sources. This is done by running the rules in Simulated Ban mode.
There are two ways to do this: testing all rules globally (most useful when setting up a new planet), or testing individual rules (useful in daily operation).
Select Activate global simulation mode from the section menu, which will change all Dynamic Rules that were set to Ban to Simulated Ban.
This means that requestors who violate Dynamic Rules will not be banned; instead, they will appear within the Simulation Ban List in the Quarantined section. You can observe the requestors who appear there, and evaluate if the Dynamic Rules are identifying the requestors you expected.
Note that during this process, all Dynamic Rule traffic scrubbing will be disabled. Therefore, it is most useful during the initial setup of a new planet.
To test individual rules, set each one to Simulated Ban mode. Save and Publish your changes. Then from the section menu, choose Test All Rules.
This will evaluate the current set of Dynamic Rules against the most recent traffic data. Example: a rule with a Period of five minutes will be evaluated against the requests that were received in the last five minutes.
You can compare each rule's performance with what you expected. Once you are satisfied with a rule's performance, you can make it active by changing its mode to Ban.
Note that you can accomplish a similar result by observing the Simulated Ban list in the Quarantined section. However, testing is faster using Test All Rules: you get the results immediately, instead of having to wait for a full Period to see how a Rule performed.
In the example below, this Dynamic Rule limits the number of requests that are sent to /login
from a specific IP.
Limiting could also be done globally for all IPs by changing the Target to "Planet."
By using a cookie threshold, it is possible to eliminate Denial Of Service attacks originating from the same session, even if the attacker is changing IP addresses. In the screenshot below, requests are counted toward the threshold if they have the same value for the "rbzid" cookie. Requests are not counted toward the threshold if they were Bypassed by an ACL, or if the requestor has already been banned.
This rule blocks HTTP GET requests from a specific IP for 10 hours, under these conditions:
The IP has submitted more than 3600 GET requests in the previous three minutes.
The requests were not for a static file (.png , .jpg, .ico, .gif).
The requests were not already blocked
The requests were not from IP 1.2.3.4.
A page for administration of security Profiles
Within the Security section, this tab provides an interface for administering Profiles.
Existing Profiles are shown on the left.
To create a profile, click the Create New button toward the top of the screen, and then choose Profile. Or select an existing one and choose Duplicate, then edit the newly-created copy.
To edit a profile, select it from the list on the left. Its contents will appear in the middle part of the screen.
To add a new Policy, select the desired Policy from the Link More Policies list on the right, and click the Add button. To remove an existing Policy from the Profile, click on the X to the right of its name.
Within a Profile, the order of Policies does not matter. When evaluating an incoming request, Reblaze combines the Bypass, Allow, and Deny Rules from all the ACL Policies in the Profile. It evaluates all the Bypass Rules first, then all the Allow Rules, then the Deny Rules.
Most Profile administration will not be possible until the appropriate Policies have been created. Similarly, complete Policy administration will not be possible until there are Rules to add to them.
Administration of built-in Security Policy modules
This section allows you to administer WAF/IPS Policies, which define the sets of defined behaviors for the WAF. The Policies are assigned to paths/URLs in the .
Existing WAF/IPS Policies are listed on the left side; selecting one will display its contents on the right for editing. A default Policy must always exist. Additional Policies for specific situations can be defined if needed.
When viewing or editing a WAF/IPS Policy, the Active Modules section allows you to enable/disable some of the modules. The four on the left are always active and cannot be turned off. (However, an ACL Policy that resolves to an action of Bypass will exempt a requestor from them.) These four modules are:
The next three modules are optional, but are recommended in most situations:
A fundamental part of traffic evaluation
Version 2.14 has introduced a significantly changed workflow for Reblaze's traffic processing. Some of the features in this section of the UI are included mostly for backwards compatibility. Specific information is noted in the discussion of each feature.
As mentioned earlier in , Reblaze's decision-making can vary depending on the context. In a typical Reblaze deployment, much of the traffic evaluation is done using Profiles. When Reblaze receives a request for web resources, it first determines the Profile that is in effect for the resource that was requested.
Reblaze's Profiles are hierarchical structures, so that you can set up your security framework in a modular fashion. Rules and collections of rules can be set up once, and re-used throughout your planet as needed.
The hierarchy has several levels:
Profile
Policy
Rule
Condition and Operation
A Profile contains one or more Policies. A Policy contains one or more Rules. A Rule is a combination of a condition and an operation. Let's illustrate these with examples, from the bottom of the hierarchy upward.
Example conditions:
Is the request coming from a specific country? Or ASN?
Is the request coming from a specific IP address?
Is the request coming from a proxy? Or a VPN? Or a Tor network?
Is the request for a specific URI?
Is the request originating from an allowed (or a disallowed) HTTP referer?
Does the request contain (or not contain) specific arguments?
Is the request using (or not using) a specific method or protocol?
Does the request contain (or not contain) a query string in a specific format?
Does the requesting client have (or not have) specific cookies, or a specific cookie structure?
Possible operations:
Deny
Allow
Bypass (similar to "Allow", but the request will not be subject to further evaluation or filtering by other rules)
Example Rules:
If the requestor IP is within 131.253.24.0/22 [a known range of Bing crawlers], Allow.
If the requestor IP is within 157.55.39.0/24 [a known range of Bing crawlers], Allow.
If the requestor IP is within 1.10.16.0/20 [a range within the Spamhaus DROP list], Deny.
If the requestor IP is within 1.32.128.0/18 [a range within the Spamhaus DROP list], Deny.
If the requestor is a bot, Deny.
If the requestor is using a proxy anonymizer, Deny.
If the requestor's Company is [our company], Bypass.
If the requestor submitted an HTTP/S request, Deny.
Example Policies:
Allow Bing Crawlers [contains example Rules 1-2 above]
Deny requestors on Spamhaus DROP list [contains example Rules 3-4]
Deny bots [contains example Rule 5]
Deny proxy users [contains example Rule 6]
Allow users from our company [contains example rule 7]
Deny all requests [contains example rule 8]
Example Profiles:
Default:
Allow Bing Crawlers
Deny requestors on Spamhaus DROP list
Deny bots
Deny proxy users
Private area of our website, for internal use only:
Allow users from our company
Deny all requests**
** "Allow" Policies are evaluated before "Deny" Policies. When a match is found, no further evaluation is performed. In this example, company users will be Allowed, which exempts them from the Policy which Denies all requests.
For creating custom matching conditions
Starting with version 2.14, this feature is being replaced with , which is more flexible and has more capabilities. For now, Custom Signatures are still being supported. However, it is recommended that you do not create any new Custom Signatures, as they will be deprecated in the future.
Custom signatures are custom matching conditions that you can use in Rules and Policies to evaluate client requests.
These allow the administrator to "catch" traffic based on any parameter in the request or the response. They can be used in a number of situations. Some examples:
"Virtual patching": Identifying an incoming exploit attempt for a newly-discovered vulnerability in the upstream network.
Identifying logged-in admin users, so that their requests can be Bypassed.
Identifying specific patterns of traffic that are suspected to be malicious, so they can be blocked.
Identifying specific types of requests (e.g., XMLHttpRequest), so they can be blocked from specific sections of a website.
Custom Signatures give you tremendous power and flexibility for evaluating your traffic. They are composed of one or more matching conditions, which can be combined using Boolean AND/OR operators.
Each matching condition combines the entries in Either one of the following fields and Is matching with.
This text box accepts strings or PCRE (Perl Compatible Regular Expressions).
When you first create a Signature, one condition appears for editing. If you wish to create more than one, click on the Append Condition button at the bottom. This will add another condition for editing.
You can continue for as many conditions as you want. The conditions will be evaluated according to the Boolean operator specified by the Condition Type selector.
Requests with originators that were not (yet) verified as humans. For a full explanation, see .
Requests that were challenged. The is an important part of Reblaze's traffic processing, as seen below.
To see full log details for an entry, click on the small magnifier on the right side of the log. This will show all the headers, cookies, and session details.
On the right part of the screen is the section menu, invoked via the button with three vertical dots:. Depending on context, the section menu will offer the management abilities described below.
Open the section menu by clicking on its button ().
To disable or enable a rule, click on the Activation trigger:
To delete a rule, click on the small button at the end of its listing: That button will display options to Delete this rule, or to Duplicate it. (Sometimes, it is faster to Duplicate a rule and edit the copy than to create a new one from scratch.)
At the top right screen, this larger button is shown : . Clicking on it will cause the section menu to appear:
In previous versions of Reblaze, a Profile would include one . Now, a WAF Policy is assigned directly to each resource/location in the .
At the bottom of the page are the Request Arguments Limitations, Whitelist Argument Names, and Whitelist Rule IDs. These allow you to permit or deny requests based on the arguments contained in the request. For assistance with these entries, please .
Note that while Profiles are defined in this section of the Reblaze UI, they are assigned to specific resources/locations in the .
Signatures that have already been defined are listed in the left column, while you can edit and create new ones on the right. Once a Signature has been created, it will be available in the section within the tab.
An explanation and some examples are here: .
Field Name
Description
Type
Cookie, Country, ASN, IP, Request Body, Request Header.
Name
Will appear for specific types: Cookie (Name), Headers, etc.
Value
The value which will activate the blacklisting. For example, when Type is "IP", the blacklistable IP address would be entered here.
Reason
User description of the reason for adding this entry.
Expiration
The expiration of the entry, in Hours or Minutes (only relevant for blacklists).
Name
Description
Add new rule
Creates a new Dynamic Rule.
Activate global simulation mode
The rules currently set to "Ban" will be changed to “Simulated Ban”. This is useful for testing. See also How to Test Dynamic Rules, below.
Test All Rules
Explained in How to Test Dynamic Rules, below.
Set new TTL globally
Sets TTL (described below in Dynamic Rules settings) for all Dynamic Rules.
Help
Brings up a help screen describing the settings for a rule. See also Dynamic Rules settings, below.
Refresh and discard changes
Discards all changes that you have made, and refreshes the display to show the current settings within the system.
Save Changes
Saves all changes that have been made. Note that this makes your changes go live immediately. Unlike other administrative activities within Reblaze, when editing Dynamic Rules it is not necessary to Publish Changes after saving them.
Field Name
Description
Description
Your description of the rule. This is useful for internal purposes, e.g., noting why a particular rule is necessary.
Target
Defines the source of aggregated requests which will be evaluated, and the recipient of the specified action if a violation occurs. The most commonly-used target is IP. Other options are Cookies, Country, ASN, Planet, Request Body, Request Header, or User Agent. ("Planet" means "all requests." This is used in the Global Request Count default rule.)
Alert
If a notification should be sent when a violation of this rule occurs.
Mode
Defines the action that will happen when a requestor exceeds the specified Threshold during the Period.
Ban will block the violator (available for IP, Cookie, Request Body, Request Header, Country, and ASN), and will add the violator to the Quarantined Banlist.
Simulated Ban does not actively ban the violator; it only adds the violator to the Quarantined Simulation Banlist.
Report Only does not actively ban the violator. If this rule has been included within a Notification Group, then the defined notifications will be sent.
Threshold
The maximum allowable number of http/s requests by the Target in the specified Period.
Period
The time period within which requests will be counted, and if the Threshold is exceeded, will trigger the defined action. Note that each Period should be 3 minutes or longer. (A few example screenshots in this Manual have shorter periods. These were taken from a demo site, and are for illustration only. Periods in a production deployment should be 3 minutes or more.)
TTL
Time To Live: If the violator is banned, this is the length of the ban. If the violation is merely reported (as in Report Only mode), this is the amount of time before a new report can be issued on this violation.
Monitor
A list of matching conditions. If a request matches all the conditions in this list, it will be included in the aggregated count toward a potential violation. Multiple conditions are ANDed together. See further discussion below.
Ignore
A list of matching conditions. If a request matches any of the conditions on this list, it will be ignored, and will not be included in the count toward a potential violation. Multiple conditions are ORed together. See further discussion below.
Field Name
Description
Block Reason
The reason for the traffic being blocked. See Defining Block Reasons below for a full explanation.
Blocked
True if the request was blocked, otherwise False.
Cookie
An exact match of the cookie name and value.
Domain Name
Which domain names should be monitored.
File Extension
Which file extensions should be monitored. Example: (exe|jpg|tar)
City
The abbreviation of the country. Example: "US" for "United States."
Country
Country name.
Host Name
Any name that was configured as Host.
Reblazer ID
ID of the Reblaze proxy
Anonymizer
Boolean value (True/False)
Cloud
Boolean value (True/False)
Human
Boolean value (True/False)
Proxy
Boolean value (True/False). [This is different than the Anonymizer field above. It uses an internal value of Reblaze that is not otherwise exposed in the interface.]
TOR
Boolean value (True/False)
VPN
Boolean Value (True/False)
Method
HTTP method type (e.g., GET, POST, etc.).
ASN
The ASN Value.
Referer
The Referer value.
IP
The IP Address.
Complete URL
URL with the query string.
URI
URI
Request Body
Text boxes will appear for "Name" and "Value" parameters. Both can be regex.
Request Headers
Text boxes will appear for "Name" and "Value" parameters. Both can be regex.
Response Status
HTTP response code (200, 404 etc.).
User Agent
The request's user agent name.
Parameter | Functionality |
Essential Headers Checkup | A request without a header is illegitimate (and generally is an indication of a bot). This module blocks these requests. |
HTTP Methods | This module defines the HTTP Methods that are allowed in requests. |
Argument Limitations | This module enforces the Request Arguments Limitations that are specified below the list of Allowed HTTP Methods. |
RFC Compliance | This module ensures that every request is RFC compliant. Most penetration tools are non-compliant (often deliberately so)—thus, this module alone defeats and excludes a high amount of hostile traffic. |
Field Name | Description |
Args | Arguments in the request’s header |
Arg Names | Argument names in the request’s header |
Autonomous System Number (ASN) | The ASN for a specific entity |
Country Name / City | Geolocation |
Host Name | Destination Hostname |
Query String | Regex value inside the query string |
Referer | Referer / Via values |
Remote Address | Client Address in the request |
Request Cookies | Cookie in the request’s header |
Request Cookies Names | Cookie names in the request’s header |
Request Filename | The GET request resource |
Request Headers | Specific headers inside the requests |
Request Headers Names | Scan the request for specific header values |
Request Method | An HTTP method: PUT, POST, GET, etc. |
Request Protocol | HTTP / HTTPS |
Request URI | The URI of the resource being requested |
User Agent | The User-Agent of the requestor |
Parameter | Functionality |
Bad Robots |
Dual Encoding | A common penetration technique is to encode a hostile request multiple times, in an attempt to evade detection and filtering. For example, an injection attack might be encoded in binary, and then sent as if it were plain text. Or, different types of encoding might be mixed together in the same request. This module detects and defeats these attempted attacks. |
* Injection Proof | This module detects and defeats different kinds of injection attacks: SQL, XSS, and OSC. (The "*" is a wildcard.) |
Stage
Comments
Pre-Processing Cloud Functions
The Cloud Functions marked "Request Pre Reblaze" are executed.
Quarantines & Dynamic Rules
Traffic from requestors that are currently on the Banlist or Blacklist is blocked. Other requestors are evaluated for potential addition to the Banlist using Dynamic Rules.
Static Rules & Rate Limits
Requests that do not conform to specified size, time, and per-IP rate limits are blocked, according to the Advanced Frontend Settings for the application.
Session Profiling
Reblaze assigns automatically-generated tags, and user-defined tags (configured in Session Profiling) to the requests.
ACL Policies
ACL Policies are enforced.
Rate Limits
Rate Limit Rules are enforced.
Challenges
Verifies that requests are coming from humans. More information: The Challenge Process.
Argument Analysis
Examination of characters in arguments. Possible results are to exempt a request from WAF filtering, to send the request to the WAF for inspection, or to block the request. More info: Args Analysis.
WAF/IPS
The active WAF Policy is enforced, assuming that the request was not previously Bypassed in the ACL Policy.
Post-Processing Cloud Functions
The Cloud Functions marked "Request Post Reblaze" are executed.
Access Control List Policies
The ACL Policies section allows you to define Policies and Rules by which Reblaze will scrub your incoming traffic. Once the Policies have been defined, they are assigned to specific resources (e.g., a section of your website) in the Web Proxy section.
In the discussion below, "ACL" and "ACL Policy" refer to the same thing: the Policies that can be administered in this section.
Existing ACLs are listed on the left. Selecting one will display it in the middle of the screen for editing.
To create a new ACL, click the "Create New" button toward the top of the screen, then "ACL Policy." Or, duplicate an existing ACL and then edit the newly-created copy.
As shown above, Reblaze comes with a default set of ACL Policies. (They are designated with the Reblaze logo.)
These Policies are not editable, because they are managed and maintained by Reblaze. They are updated as necessary with no action required on your part. (Typically these include dynamic elements that need frequent updating—for example, a list of IP addresses with a recent history of malicious activity.)
Each ACL contains one or more Rules. These are listed in the middle of the screen. To create a new Rule and add it to the current ACL, use the settings on the right part of the screen. (See below for more on this.) When you are finished with the Rule setup, click on the Add button. The Rule will be added to the Policy that you are currently defining or editing.
To remove a Rule from a Policy, click on the "X" to the right of its name.
Each of these fields is explained further below.
The Operation field has three possible values:
Bypass: the requestor will be granted access to the requested resource, without further evaluation or filtering of the request. However, although a Bypassed request will not be subject to further filtering, it will still show up in the logs (as “reason:bypassed”).
Allow: the requestor will not be presented with a challenge, but will still be evaluated by the WAF.
Deny: the requestor will not be allowed to access to the requested resource
When constructing an ACL Policy from multiple Rules, the Rules are arranged in the hierarchy shown above (Bypass, then Allow, then Deny). Rules are evaluated in order from top to bottom. When a Rule resolves to an action, that action is implemented, and further evaluation ceases.
There are five available options for Match:
Tag
Company
Country
IP Address
Custom Signature
The first four of these are common matching conditions that are always available. The fifth choice allows you to select custom matching conditions that you constructed by using the Custom Signature feature (however, note that Custom Signatures have been deprecated. Session Profiling should be used instead).
This is the third, unlabeled field in the New Rule dialog. The correct entry will depend on the option that was selected for Match.
If you selected Tag, enter one or more tags as the Match Argument.
If you selected either of these, enter the first few characters of the company name or country, and then choose the full name from the list that appears. (If the text box does not populate itself appropriately as you type the first few characters, check your spelling.)
Enter the specific IP or range of IPs (e.g., 178.184.0.0/16).
Enter the first few characters of a Signature that you created previously in the Custom Signature tab, and then choose the one you want from the list that appears. (If the text box does not populate itself with matching Signatures, check your spelling.)
By adding the following characters as a suffix to the ACL's name, the ACL will behave as follows:
For an example of using the OC suffix, see Bypassing Rate Limits for Loadtesting.
For an example of using XDeny, see Quickly Blocking an Attacker.
Profile: A re-usable collection of security policies
In a typical deployment, Reblaze performs much of its traffic evaluation according to security Profiles. There are four tabs within the interface:
The Custom Signature feature is being deprecated, and will be phased out in a future release of Reblaze. It is recommended that instead of constructing new Custom Signatures, use Session Profiling instead.
Before discussing each tab, it will be useful to discuss Profile Concepts.
A Cloud Function (CF) allow you to extend Reblaze's tools and functionality. Each CF consists of Lua code that can be run at different points in Reblaze's traffic processing.
Cloud Functions are defined here. They are assigned to URLs within the web application in the Security Profiles section of the Web Proxy page.
When creating a Cloud Function, do not rely on Reblaze to validate the code. Please ensure that the code is valid and, ideally, tested before adding it. If the code has errors, undefined behavior can occur when Reblaze attempts to execute it.
The top right of the screen provides a pulldown for selecting a CF for editing, an Add button to create a new CF, and a Save button for saving edits that were made on the currently-displayed CF.
The CF itself consists of a name (for display within the Reblaze interface), an automatically-generated ID, the Code itself, and a specified Phase. The Phases pulldown allows you to specify when the CF will execute:
Request Pre Reblaze: Execute immediately when Reblaze receives an incoming request, before any other processing occurs.
Request Post Reblaze: Execute after Reblaze has finished processing the request, and before it accesses the backend server.
Response Pre Reblaze: Execute when Reblaze receives the response from the backend.
Response Post Reblaze: Execute as the last action before Reblaze sends the response to the client.
Cloud Functions are a very powerful tool. If you need assistance with this feature, please feel free to contact support.
Early in the traffic evaluation process (immediately after evaluation of Quarantines and Dynamic Rules), Reblaze can assign one or more Tags to an incoming request. Subsequently, the Tags can be used to make decisions about how the request is processed. After processing, a request's Tags remain associated with it, and they are available for display in the View Log.
This page allows you to administer Tag Rules, which are combinations of Tags and the criteria for assigning them to requests.
The actions that can be performed as a result of the Tag assignments are administered separately, in ACL Policies.
Each Tag Rule consists of:
Match conditions: A list of possible characteristics that a request can match (e.g., a list of IP addresses that it might originate from), plus the logical operator to use when evaluating the match.
One or more Tags to assign when a match occurs.
For each request, Reblaze will evaluate all active Profiles. A single request will receive Tags from all Profiles which match it.
Tag Rules can be either Internet-sourced or self-managed.
Internet-sourced Rules are based upon online lists (e.g., Spamhaus DROP lists). These lists are not editable within the interface, because they are obtained automatically; Reblaze updates them every 24 hours. You can also trigger an immediate update via the "update now" button.
Self-managed Rules are created manually. These lists are fully editable within the interface.
At the top of the page, the pulldown list specifies the Rule currently being displayed for editing. Next to it are four buttons: Fork (to create a copy of the profile being displayed), Download, Add, and Save.
To add a Tag Rule, either:
The new Rule will be displayed for editing:
Enter values into the following fields:
Name. A description that will be displayed within the Reblaze interface.
Tags. One or more Tags (separated by spaces) that will be assigned to requests if the match conditions are fulfilled. Example: internal team-devops
Active. By default, this Profile will be applied to incoming requests. To prevent this, unselect the checkbox.
Notes: An optional field for including information about this Profile.
Next, specify the match conditions, as discussed below.
Match conditions consist of two parts:
A list of one or more criteria to match. The list will be entered differently for the two types of Tag Rules.
The logical condition to apply (either OR or AND), specified in the Entries Relation pulldown
For a Profile based on an online source, simply enter its URL into the Source field. For example, to create a list based on the Spamhaus ASN DROP list, you would enter https://www.spamhaus.org/drop/asndrop.txt, and then select the "update now" button. Reblaze will then populate the list automatically.
If the list contains more than category--which is unlikely for an Internet-sourced Profile, but not impossible--also choose the appropriate value for Entries Relation, as discussed below.
At this point, the new Profile should be complete. Before exiting the page, be sure to save your work.
To add a match criterion, select the "+" button at the top of the criteria list. The following dialog will appear.
For most of the categories, the dialog will appear as it is above. Multiple entries can be made at once, with each entry on a separate line. Each line contains the value, plus a pound sign (#) followed by an annotation (a label for display within the Reblaze interface). Example:
For some categories, one entry can be made at a time, with each entry requiring multiple lines. Annotations are not preceded by a pound sign.
Match criteria are case-sensitive.
Here are some sample entries for the various categories. Notice that the logical operators are available.
Once created, these entries cannot be edited. If one needs to be modified, remove it and re-create it.
This specifies the logical operation used when evaluating a request against the match criteria.
When all the match criteria are in the same category, the operation is OR. For a request x
and list of criteria a, b, c
, then the evaluation will be (x==a) OR (x==b) OR (x==c)
For example, if the match criteria are all IP addresses, then a match will occur if the request matches any of the IPs in the list.
When there are two or more categories, the default operation is still OR (in which case, a match will occur if the request matches any of the criteria in the list). However, when there are multiple categories, you can select AND instead. In this case, OR will still apply within each category, while AND will apply between the categories. Thus, for one list a, b, c
and a second list i, j, k
, the evaluation will be ((x==a) OR (x==b) OR (x==c)) AND ((x==i) OR (x==j) OR (x==k))
. For example, if the match criteria are IP addresses and headers, then a match will occur if the request matches any of the IPs and any of the headers, but it will not occur if it matches an IP but none of the headers.
Analyzing the values of arguments within incoming requests
This feature is still available within the UI. However, in the future it will be deprecated. It is recommended that customers switch to using Session Profiling instead, which is more powerful and more intuitive.
The Arguments Analysis feature has two primary functions:
Examining incoming requests for specific whitelisted characters in specific arguments (i.e., parameters in the URL query string or within the request body). Alphanumeric characters are allowed by default; all others must be allowed via a whitelist. When all characters in all arguments are found in the respective whitelists, the request is allowed, and no further inspection or filtering by the WAF is performed. If one or more characters are encountered that are not whitelisted, the request is either forwarded to the WAF for further inspection (when Inspect Unknown mode is enabled), or the request is denied (when Strict Whitelist mode is enabled).
Automatically updating the whitelists: As non-whitelisted characters are encountered, they can be added to the argument whitelists, depending on the Adaptive Mode selected.
The first function is often used in complicated sites; it offers a positive-security approach for analyzing traffic. Arg Analysis makes it easy to whitelist values that should be allowed in various request parameters. Another possible use is to bypass specific parameters that are too long for the WAF to efficiently process, or where WAF inspection is not relevant.
The second function (i.e., automatically updating whitelists) is less applicable for most deployments, and in most situations, is not encouraged. If Args Analysis is used incorrectly, large whitelists can be inadvertently built that will match most or all incoming requests. Thus, most or all incoming requests will bypass the WAF's traffic inspection and be sent directly upstream. In effect, this will disable Reblaze's traffic scrubbing. Therefore, we discourage the use of this function unless you are sure you need it, and you fully understand how it works.
For both functions, an argument list must be built.
Initially, this section will look like this:
Note the pulldown list on the right, which specifies the domain that you are currently administering.
Each time the system performs an analysis, arguments that were not previously known will be learned and added to the argument list, automatically (even in Supervised mode). The new character whitelists will consist of those characters that were encountered with each argument.
This can have some important and potentially nonintuitive consequences. See the warning below in the discussion of conflicted arguments.
Upload arguments file: The system allows you to upload a HAR file (that can be recorded using the browser’s dev tool). From the HAR file, the system will learn all the arguments and their values.
Creating an argument manually: You can also create individual arguments by selecting "New Argument," after which this dialog will appear:
When an argument is encountered in a query string or request body, its Argument Name is sought within the Args list for the relevant domain. If not found, it is added to the list, as noted previously.
If found, its value is analyzed. If each character within it is found in its corresponding Argument Characters, then this argument is passed.
If every argument in a query string or request body is passed, then the entire request is passed. It is sent to the origin (the upstream server), without being subjected to further inspection or filtering by Reblaze.
if the request is not passed, further processing occurs. See Handling Requests with Unmatched Characters, below.
In addition to the "New Argument" and "Upload Arguments File" options, the pulldown menu also offers additional capabilities.
Download as JSON - When this option is selected, the system will start a browser download of a JSON file that contains all the arguments and their values.
Delete App Args - Removes all the arguments in the current domain.
Analyze Now - Manually triggers the analysis process (described below), starting from the previous day.
Learning Resources - Displays the list of all ACL Policies defined in your planet, except for the default ones supplied by Reblaze. Example:
By default, Args Analysis learns from every request. The Learning Resources feature allows you to filter this, so that it only learns from specific requests.
When you select an ACL Policy from this list, Args Analysis will be limited to the requests which match that Policy. (If the ACL Policy happens to be empty, then the most recent 100,000 requests will be analyzed, or the most recent 24 hours' worth of data, whichever limit is reached first.)
If the selected ACL Policy has an Operation of Allow, then Args Analysis will analyze all the requests that were not blocked by the WAF or other ACL Policies. If the Policy is instead set to Bypass, then Args Analysis will also learn from blocked requests. (This can be useful when in Report-Only mode).
Show Regex/Characters - Toggle the display of all values on this page in regex, and then back into characters. Note when showing regex, alphanumeric characters are also explicitly included in the whitelist. In character mode, the Reblaze interface does not display these; the user should understand that all alphanumerics are whitelisted by default.
Refresh and Discard Changes - This allows you to discard all the changes you made to the arguments table.
Save Changes - When making any changes to the arguments table, you must save them afterward. This includes any modified or accepted conflicts in the system (more on these below).
In daily operation, Reblaze analyzes arguments in incoming requests. When they match the character whitelists, the requests are allowed, as described above.
Additionally, Reblaze goes through the traffic logs, analyzing and mapping all arguments received since the last analysis. This occurs every night around 3am UTC.
The system creates a list of argument characters that were encountered in requests, but were not in the whitelists.
Then in this Args Analysis section of the interface, Reblaze displays the current whitelists as follows:
Unchanged Arguments: This is at the bottom of the screen. It shows all the arguments for which Reblaze did not encounter any new (i.e., non-whitelisted) characters.
Conflicted Arguments: This shows the results of the most recent analysis: all the arguments for which Reblaze encountered characters that were not in the whitelists.
Here you have the opportunity to update the whitelists, accepting some or all of the proposed updates listed in the Conflicted Arguments section.
The manner in which these updates are accepted or rejected will depend on the New Args Adaptive Mode.
There are four possible modes: Automatic, Supervised, Locked, and Preview.
The system will discover and deploy new args without any human intervention. Everything occurs automatically.
The system will discover new args, but it will not deploy them. Instead, it will present them as Conflicted Arguments, and await approval or rejection by a human admin.
The system will not discover any new args. All configuration changes must be done manually.
The system will discover new args, but this is for informative purposes only. Traffic processing is not affected.
In the interface, there is a help section that lists the first mode as Automatic (Recommended). This is deprecated; we no longer recommend Automatic mode for most customers. As mentioned previously, this introduces the risk that erroneously large whitelists will be built. For most customer deployments, we now recommend Supervised or Locked mode.
For each of the first 3 operation modes (Automatic, Supervised, and Locked), another setting is available:
This defines Reblaze's behavior when non-whitelisted characters are encountered for known args.
A request that contains an argument that contains one or more non-whitelisted characters will be forwarded to the WAF for inspection and potential filtering.
A request that contains an argument that contains one or more non-whitelisted characters will be blocked.
After the request is processed, this argument is added to the list of Conflicted Arguments.
When new (non-whitelisted) characters are encountered, the arguments in which they were found are listed in the interface as Conflicted Arguments. Reblaze suggests updates (the New Values) for each argument's whitelist, and awaits the user's decisions.
Every time an analysis is performed, the previous list of Conflicted Arguments is discarded, and a new one generated. Thus, the interface displays only the Conflicted Arguments that were found in the most recent analysis.
Sometimes, argument names contain a designation for an ampersand ("amp;"), while others do not. This results from differences in decoding URLs versus arguments found in the body. It doesn't affect anything within the interface or its usage.
Each Conflicted Argument contains a set of New Values. These are updates that Reblaze is proposing to make. There are three available actions:
Deleting
Modifying
Accepting
Deleting - selecting the Trash icon will remove the Conflicted Argument from the list. This can produce unintended consequences: see warning below.
Modifying - You can edit the New Values. For the character field, only valid regex will be accepted.
Accepting - Clicking on the green Accept Conflicts button will accept all the Conflicted Arguments, updating the args list to the New Values.
It might appear that the "Delete" command (the trash can button) is merely a method of resolving the Conflict by rejecting the New Values and retaining the Current Values. This is incorrect.
When an argument is deleted from the list of Conflicted Arguments, this does not remove the conflict, it removes the argument. This has two consequences, both of which might not be intended by the user:
Until the next analysis is run, this argument will be unknown to Reblaze. Therefore, every incoming request that contains it will either be sent to the WAF for further inspection (when Inspect Unknown mode is enabled), or it will be denied (when Strict Whitelist mode is enabled).
When the next analysis is performed, Reblaze will learn the "new" argument, and create a new whitelist containing whatever characters were encountered within it. It's possible that this whitelist will contain some or all of the characters that previously caused that argument to appear as Conflicted.
The second point is especially important. If the user thinks that "Delete" will reject the New Values, the opposite can actually occur. When the argument is deleted and subsequently re-added, its character whitelist might automatically contain the same characters that the user was trying to reject previously.
The correct way of resolving a Conflict while retaining the same whitelist is to edit the New Values to match the Current Values, before selecting Accept Conflicts.
Or, the user can do nothing, and merely leave the Conflict unresolved in the interface. This will leave the argument's whitelist unchanged.
At the bottom of the screen is a list of Unchanged Arguments.
This shows the arguments for which Reblaze has not encountered any non-whitelisted characters.
You can edit these arguments if desired, or even delete them (by clicking on the trash icon to the right—but see the warning above about the potential consequences of deleting arguments).
Rate limiting defines the actions that will occur in response to events in the incoming traffic. This page is used to define Rate Limit Rules.
Existing rules are listed on this page. To add a new rule, select the "New Rule" button on the upper right of the window. To edit or delete a rule, select the "edit" button at the end of its listing. The following window will appear.
Each Rate Limit Rule consists of the following types of parameters:
Each is discussed further below.
The Limit can be zero. If so, the specified Action will occur immediately when an incoming request matches the Event Criteria.
Event criteria have two components:
Key(s). These define the events that are being counted. See "Composing Keys," below.
Include/exclude filters constrain the requests whose Keys are being counted. In other words, they define the segment of the incoming traffic stream that is being evaluated for possible events. See "Including/Excluding Requests," below.
A Key consists of a field and a value. Within a Rate Limit Rule, they play a role like this:
"More than <LIMIT> requests with the same <KEY-VALUE> <KEY-FIELD> sent to <ASSIGNED-LOCATION> within <TIME-PERIOD> will cause <ACTION>."
Example: "More than three requests with the same username argument sent to the login form within one hour will cause the requestor to be banned for six hours."
A Key can be built upon any one of these four fields:
Multiple Keys can be defined within the same Rule. To create a new Key and open it for editing, select the "+" button next to the Key label.
If multiple Keys are defined, they are evaluated by combining them together with a logical AND. In other words, the cumulative count toward the Limit will be incremented whenever a request is seen that matches all of the Keys simultaneously. Different combinations of Keys will have separate Limit counts maintained for them.
Example. A Rule contains two Keys: "Attribute / Remote Address" and "Argument / Username". When the first request is received, an internal counter is created (set to a value of one) for this unique combination of Remote Address and Username. A second request is then received, originating from the same Remote Address and for the same Username; this causes the internal counter to be incremented up to two. A third request is then received from the same Remote Address but with a different Username; this causes a new internal counter to be created (and set to a value of one) for this combination.
Below the list of Key(s), there is a checkbox labeled "Pair with." If this is checked, then a different type of Key can be added below it.
In the following discussion, "Key" will refer to the Key (or combination of Keys) defined above the "Pair with" checkbox.
"Paired Key" will refer to an optional, additional Key that is defined below the checkbox.
Adding a Paired Key changes the evaluation process. A Paired Key is not logically combined with the preceding Key; it is always evaluated separately.
Also, adding a Paired Key changes the meaning of the Rate Limit.
If a Paired Key is not defined, an internal counter is maintained for each Key value, and incremented each time that value is encountered in a request.
If a Paired Key is defined, an internal counter is maintained for each Key Value, and incremented each time a new, previously unobserved Paired Key value is encountered in a request.
Therefore, if a Paired Key is defined, the Rate Limit constrains the number of allowable Paired Key values for any given Key value.
So, the evaluation becomes something like this:
"More than <LIMIT> <PAIRED-KEY-VALUE> <PAIRED-KEY-FIELD>s per any one <KEY-VALUE><KEY-FIELD> sent to <ASSIGNED-LOCATION> within <TIME-PERIOD> will cause <ACTION>."
Note that the number of Key values is not being limited here. The limit is on the number of Paired Key values that each Key value is allowed.
Example: Let's say we want to allow an individual user to login from a maximum of two ASNs within one hour. (Perhaps the user is accessing our web application from a coffee shop's WiFi, and then a few minutes later, leaves the coffee shop and begins using the cell network instead.) We want to allow this possibility; however, if we receive requests from the same user originating from three or more ASNs within an hour, we want to treat this traffic more suspiciously. This is not possible merely by specifying two Keys, as described earlier in the "Multiple Keys" section. If we set up two Keys ("Argument / Username" and "Attribute / Organization") with a limit of 2, and assign it to our login form, then this will merely limit the number of times that the user can login from each ASN within an hour. Instead, we can set up one Key ("Argument / Username"), check the "Pair with" checkbox, and then set up the Paired Key ("Attribute / Organization"). Now the Limit will apply to the number of combinations of Username and Organization that are received for each specific Username.
The Include and Exclude filters allow you to constrain the requests against which this Rate Limit Rule will be evaluated.
By default, an active Rate Limit Rule will be enforced upon all incoming requests. Specifying an Include and/or an Exclude filter will set limits to this enforcement.
The Include filter will limit enforcement to requests matching its parameters. All other requests in the traffic stream will not have this Rate Limit Rule enforced upon them.
The Exclude filter will exempt requests from enforcement that otherwise would have been evaluated. These requests, which otherwise match the Include filter's parameters, will not have the Rate Limit Rule applied to them.
When a Rate Limit is triggered, the specified Action will occur.
There are various Actions available for selection here: 503 Service Unavailable, Challenge, Tag Only, and more. They are described in the documentation for the Action Response dropdown.
The Ban action is a unique option for Rate Limiting, and is described in detail below.
Most of the available Actions will not fully exclude an attacker that continues pressing the attack.
Example: Access to a login form is rate-limited to three requests per minute. An attacker tries to brute-force the login, and sends 60 requests per minute. The Rate Limit allows the first three requests, but then blocks the next 57 requests with a 503 error. However, after the minute has passed, the Rate Limit resets. The attacker is allowed another three attempts before being temporarily blocked again. This cycle can continue for as long as the attacker wishes. In effect, the Rate Limit is not preventing the attack; it is merely slowing it from 60 attempts per minute down to three attempts per minute.
The Ban action can be used to block (or take some other Action in response to) a Rate Limit violator for an extended period of time.
Example: As described above, a Rate Limit is created to allow three requests per minute, with an Action of 503 Service Unavailable. However, an additional Rate Limit rule is also defined: nine requests per three minutes, with an Action of Ban. The Ban has an Action of 503 Service Unavailable, and a duration of one hour. Reblaze allows multiple Rate Limits to be assigned to a single URL. Thus, both of the above rules can be assigned to the login form. Now an attacker tries to brute-force the login form, sending 60 requests per minute. The first three requests are allowed. The next six requests are blocked by the first Rate Limit. The tenth request triggers the second Rate Limit, and the Ban occurs. For the next hour, the attacker's requests will be blocked with a 503 error.
Second example: A hostile bot receives a bot challenge, which it fails. Reblaze will block the request. If the bot keeps re-submitting its request, it will continue to fail the challenges. However, each time the bot tries again, Reblaze has to issue a new challenge . To solve this problem, a second Rate Limit is created with a Ban action. Now a persistent bot will simply be Banned, saving the overhead of issuing continuous challenges.
Note that when setting up a Ban, the most common choices for its Action are to deny the violator's requests (via 503 Service Unavailable, Response, or Redirect). However, you can also choose Tag Only (to observe the violator's actions during the ban period), Challenge (to verify that the violating activity is not being done by bots), or Request Header (to mark the requests for further scrutiny by the backend).
In the main window, each Rule listing has a number for Linked URLs.
The number represents the number of URLs to which this Rule is currently assigned. To assign a Rule to a URL, click on this number. The following window will appear.
On the left, a summary of this Rule is shown.
On the right, clicking on Add New Link will show a list of web applications that are currently defined in the Planet Overview.
After selecting a web application, a pulldown list will appear. It will contain the locations defined for this web application within the Security Profiles section of the Web Proxy page. To assign the current Rule to this location:
Select a location from the pulldown
Select the "+" button to add it to the list of assignments.
Select the Save button at the upper right of the window.
More than one assignment can be performed at once. After adding the first assignment to the list, simply add additional ones as needed. When the list is complete, select the Save button.
This section allows you to customize the error messages that are displayed to users. There are separate tabs for the most common types of errors, with the HTTP status code for each one. The defaults can be used, or you can customize the content and/or contact details as needed.
A straightforward use of this feature is to enter text into the fields. More advanced usage (for example, iframes) is also possible.
Select the web application to edit by using the pulldown on the upper right. When you have completed your edits, select the Save Changes button on the upper right, and then .
Planet configuration and other parameters
The Settings section has an extensive number of configuration values for Reblaze. These tend to be parameters that once set up, usually will not change during your use of Reblaze.
There are five sections in this part of the interface.
contains parameters for the overall architecture of Reblaze and its interaction with the downstream clients and the upstream network. It includes settings for proxy behavior, load balancing, failover, and more. It is also where you assign Security Profiles to specific areas of your website.
is where SSL Certificates are uploaded and managed.
is where DNS records are configured.
shows you information relevant to your entire planet: the active domains and applications, what notifications are issued in response to events, and the ability to Publish changes that were made elsewhere in the interface.
is where your user account settings are managed.
An optional but recommended capability
DNS Management is an optional capability. Your DNS management does not need to be done within Reblaze, but it can be.
Reblaze provide a full DNS service, based on. Reblaze also supports DNS on other cloud platforms, but they are not yet supported natively within the Reblaze interface. If you need this capability within your deployment, .
Many site administrators use their domain registrars as their DNS providers, but this is often a poor choice. In general, domain registrars do not place a high priority on DNS security (since DNS management is not a primary part of their business model), and attackers frequently target their DNS servers. A successful DNS poisoning attack can result in your site getting hijacked.
Managing your DNS through a secure platform like Reblaze is a better choice. This ensures your full stack is protected—even the DNS layer.
A full explanation of DNS setup is beyond the scope of this Manual. The discussion below is an overview of Reblaze's capabilities and interface. Please if you need assistance for your particular situation.
Related video:
You can manage millions of DNS zones and records using the Reblaze interface.
The DNS Management feature of Reblaze is for both external and internal DNS administration. Internally, Reblaze maintains a special name for every planet (planetname.d1.rbzdns.com), and every domain protected by Reblaze is mapped to an entry in this domain. This system can also be used for domains accessible externally.
To display existing records, a "search" feature is provided at the upper left.
This will control the DNS entries being displayed, by filtering them according to the search value and selected record type.
To add a new DNS entry, click on the "New" button. The following dialog is displayed:
Once a record has been created, it can be deleted (via the trash icon shown to the right of its entry in the list) or edited (via the blue edit icon shown to the right of its entry in the list).
Reblaze supports the following types of DNS records:
Expected formats for the respective values are given below.
The value for an A record is an IPv4 address in dotted decimal notation.
Example:
example: 192.150.2.1
The value represents an IPv6 (128bit) address in a colon separated notation.
Example:
20541:0da8:85a3:0:0:8a2e:0370:7334
A CNAME value is a domain name.
Example:
www.sample.com
Each record includes a priority (integer) and an email server domain name. It is possible to add multiple records.
Example:
10 mail1.sample.com
20 mail2.sample.com
Delegates a DNS zone to use the given authoritative name servers. (It is possible to include multiple name servers.)
Example:
ns1.amazon.com
ns2.amazon.org
ns3.amazon.net
ns4.amazon.co.uk
Includes a text record. (Enclose the text in quotation marks. Multiple entries are allowed.)
Example:
"test1"
"test2"
SPF records were formerly used to verify the identity of the sender of email messages. It's now deprecated, and a TXT record should be used instead.
Example:
"v=spf1 ip4:192.168.0.1/16-all"
A generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
The syntax is based on the following: [Priority][Weight][Port][Domain Name]
Example:
2 12 5050 sip-server.example.com
3 15 5060 network.example.com
Pointer to a canonical name. Unlike a CNAME, DNS processing stops and the name is returned.
Example:
www.example.com
This section defines the Services that Reblaze will protect. In other words, these are the destinations to which Reblaze will send the (legitimate) traffic it receives.
Each Service can receive traffic for multiple web applications, and for multiple resources/locations within each web application. These assignments are made on the page.
At the top of the window, the title on the left displays the Service currently being displayed for editing. The pulldown on the right allows the selection of a different Service.
To add a Service, click on the "Add" button (the plus sign).
For a single Service, you can define multiple endpoints. Within them you can:
Enable and configure load balancing, weighting and distributing traffic across your primary endpoints.
Define backups hosts, to which Reblaze will failover your traffic when your primary hosts aren’t available.
Take hosts offline for maintenance by ticking a single box in the interface.
Adding and deleting endpoints from this list is straightforward. To add an endpoint, click on the Add button (the plus sign) and fill out the new entry. To delete an existing entry, click on the delete link next to that entry.
The settings for each endpoint in the list are as follows.
The Name field defines the description for this Service within Reblaze.
Use HTTP/1.1: selecting this can speed up communication, via the use of connection pooling.
Transport Protocol: this configures the communication between Reblaze and the backend.
Sometimes an application requires a user to be connected to the same Reblaze instance and backend endpoint throughout the session. Reblaze can ensure that this occurs, and can do so using a variety of methods.
Administration of certificates
This section allows you to manage your SSL Certificates. You can create, edit, attach, and remove certificates. The certificates themselves can be uploaded and stored into Reblaze's cloud, or a cloud load balancer.
If you are reading this Manual as part of an initial evaluation of Reblaze, and if you have large numbers of certificates to manage, you should know that Reblaze treats certificates differently than most other security solutions.
It's not unusual for some companies (especially SaaS platforms) to have dozens or even hundreds of certificates to manage. Unfortunately, most security solutions treat each SSL Certificate as a separate "site," and they charge their customers on a per-site basis. Thus, these solutions can be extremely expensive.
Contrary to this, Reblaze does not treat certificates as sites. A certificate is merely a certificate. For customers with tens or hundreds of certificates to manage, Reblaze's monthly pricing can be one or two orders of magnitude less than its competitors'.
The SSL Management interface is split into 2 tabs: Load balancers and Certificate store.
The Load balancers list shows the load balancers for the current site, and the certificates that are attached to them. Certificate store is where certificates are managed.
For each load balancer shown in the list, the displayed parameters are:
Table 1: Max number of certificates depending on the load balancer type
Table 2: Cloud vendor regions
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
Selecting an entry in the list expands it to show that load balancer's details: a default certificate, and a list of any additional attached certificates.
The expanded list provides several buttons to perform administrative actions.dnnd
To change the default certificate for the load balancer, select the Set default button next to the name of the desired certificate.
To remove a certificate from the list, select the Detach button next to its name.
To attach a certificate from the certificate store, select Attach certificate. See discussion below.
Additional certificates can be attached to a load balancer until it reaches its full capacity, i.e. the maximum number of certificates shown in Table 1. (Full capacity is indicated when the "# Of Certs" column contains two similar numbers, e.g., "15 / 15". Also, the Attach certificate button will change to the message "You have reached the max certificates quota for the load balancer.")
To attach a certificate, select the Attach certificate button. This will open a modal window with a list of unattached certificates from the certificate store:
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
To attach a certificate, press the Attach button next to its name. The certificate will disappear from this list ail appear in the list of the certificates attached to the load balancer (see Figure 2).
This tab displays certificates according to the site to which they are attached.
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
For each entry, the displayed parameters are:
Certificates are loaded console. After that they can be loaded to a cloud provider. The AWS/GCP columns indicate which provider has the certificate. It can be none, one, or both.
SSL certificates can be added to Reblaze in two ways:
Uploading a PFX file.
Manually entering the certificate information.
In both cases, begin by clicking the "+" button. This dialog will appear:
To upload a PFX file, select "Extract pfx file." Otherwise, enter the Private Key, Certificate body and Intermediate chain values into their respective text boxes.
To remove an existing certificate, click on its trash icon to the right of its entry in the list. You can delete a certificate if it's not linked to a site. However, you cannot remove the last certificate on a load balancer.
To edit a certificate, click on its edit icon to the right of its entry in the list. This dialog will appear:
The following options are offered:
Attach to application - Select an application/site and attach it to this certificate.
Replace existing certificates - When this is chosen, a "Select Certificate" dropdown list will appear. Selecting one and then clicking "Save" will result in all sites/applications being transferred from the selected certificate over to the certificate you're currently editing.
Auto Replacement by Let's Encrypt: See discussion below.
Download PFX: Download the certificate information as a file in PFX format.
When managing certificates through one of these options (except for "Download PFX"), you must click the Save button to preserve your changes.
Let's Encrypt is a free certificate authority service. Reblaze integrates with it, and offers this service by default.
Once a day, Reblaze will check each application it protects. If that application's certificate is going to expire in the coming week, and itsAuto Let's Encrypt Replacement option for that certificate is enabled, Reblaze will generate a new certificate using Let's Encrypt, and will attach all of its sites to the new certificate.
Identifies and blocks malevolent bots, based on their user agents. This works differently than the process to identify bots. Therefore, when active challenges are disabled, this WAF capability can still be used.
Create a new one by selecting the "Add" buttonin the top right of the page.
Duplicate an existing one with the Fork button.
When all match conditions have been specified, be sure to select the Save buttonon the upper right part of the page, to save the new Profile.
In the top right menu you will see this button: . Clicking on it will open the main menu:
When editing is complete, click on the Save button and then .
To remove a Service from Reblaze, click on the Delete Service button at the bottom of the window.
Reblaze provides the capability to generate an SSL Certificate for free using the Let's Encrypt service. This can be done using the "Generate Certificate" button on the page.
Fields
Description
Operation
The action that will result when the Rule’s Match condition occurs.
Match
The type of parameter that will be tested to see if a Match occurs.
(unlabeled)
The value for the Match condition.
Suffix
Description
Examples
OC
Over-capacity override: ignore rate limits.
Loadtest OC
XDeny
"God Mode": bypass the Rule Operation hierarchy.
Global DR XDeny
Field Name
Description
Argument Name
The parameter in the query string or request body
Argument Characters
A regex pattern to match against the values specified for the Argument Name. This is a whitelist of allowable characters.
Max Length
Maximum allowed length of the argument, in characters
Type
Values
Meta
A name and description for the Rule.
Rate Limit
Defines the maximum allowable number of events within a certain time period.
Event Criteria
Specifies which events will be counted toward the Rate Limit.
Action
Specifies what will happen when the Rate Limit is exceeded.
Assignments
The resources/locations/URLs within the web application where the Rate Limit Rule will be enforced.
Field
Value
Name
A name for this Rule. It will be used within the Reblaze interface, and will also be used to create a Tag that will be assigned to requests which trigger the Rate Limit.
Description
A description of this Rule which will be used within the Reblaze interface.
Field
Value
Limit
The maximum number of allowable events within the specified Time Frame. Subsequent events within the Time Frame will trigger the Action.
Time Frame
The time period within which the Limit is enforced, specified in seconds.
Field
Result
Header
All requests with the same value for the specified header will be counted together toward the Limit.
Cookie
All requests with the same value for the specified cookie will be counted together toward the Limit.
Argument
All requests with the same value for the specified argument will be counted together toward the Limit.
Attribute
All requests with the same value for the specified attribute will be counted together toward the Limit.
Record Type | Description |
A | Address record |
AAAA | IPv6 address record |
CNAME | Canonical name record |
MX | Mail exchange record |
NS | Name server record |
PTR | PTR resource record |
SOA | Start of [a zone of] authority record |
SPF | Sender policy framework (now discontinued, as of RFC 7208) |
SRV | Service locator |
TXT | Text record |
ALIAS CNAME | Alternative to CNAME that can coexist with other records on that name. |
ALIAS A | Alternative for an A record |
Option | Value |
Per Request | This is the default mode. Incoming HTTP requests will go over HTTP, and incoming HTTPS requests will go over HTTPS. |
HTTP Always | All communication between Reblaze and the backend will be over HTTP. (This mode should not be used unless Reblaze runs within the same cloud as the backend.) |
HTTPS Always | All communication between Reblaze and the backend will be over HTTPS. |
Port Bridge Mode | Reblaze will use the same port as the incoming request. This is not limited to ports 80 and 443; Reblaze will use whatever port was specified. Note: this mode is not available when more than one host is defined. |
Parameter | Description |
Name | A unique identifier for use elsewhere in the interface. |
#Of Certs | Number of certificates attached to the load balancer / Max number of certificates can be attached to a load balancer of this type (as shown in Table 1 below) |
Cloud Provider | AWS, Azure, GCP or a custom cloud provider. |
DNS Name | The balancer's dns name. |
Region | The cloud vendor region name (from Table 2 below) |
Type | Load balancer type (from Table 1 below) |
Load balancer type | Max number of certificates |
gcp | 15 |
application | 25 |
classic | 1 |
GCP | AWS | Azure | Digital Ocean |
asia-east1 asia-east2 asia-northeast1 asia-northeast2 asia-northeast3 asia-south1 asia-southeast1 asia-southeast2 australia-southeast1 europe-north1 europe-west1 europe-west2 europe-west3 europe-west4 europe-west6 northamerica-northeast1 southamerica-east1 us-central1 us-east1 us-east4 us-west1 us-west2 us-west3 us-west4 | us-east-2 us-east-1 us-west-1 us-west-2 af-south-1 ap-east-1 ap-south-1 ap-northeast-3 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-south-1 eu-west-3 eu-north-1 me-south-1 sa-east-1 | eastasia southeastasia centralus eastus eastus2 westus northcentralus southcentralus northeurope westeurope japanwest japaneast brazilsouth australiaeast australiasoutheast southindia centralindia westindia canadacentral canadaeast uksouth ukwest westcentralus westus2 koreacentral koreasouth francecentral francesouth australiacentral australiacentral2 uaecentral uaenorth southafricanorth southafricawest switzerlandnorth switzerlandwest germanynorth germanywestcentral norwaywest norwayeast | NYC1 NYC2 NYC3 AMS2 AMS3 SFO1 SFO2 SFO3 SGP1 LON1 FRA1 TOR1 BLR1 |
As described in Traffic Concepts, out of the box Reblaze includes an Active Challenge process. This is very useful in distinguishing humans from bots.
Active Challenges work well, but an even better option is Passive Challenges.
Active Challenges temporarily redirect the user's browser. This can affect site metrics gathered by products such as Google Analytics. (Specifically, the initial referrer information is lost.) Passive Challenges are simple pieces of Javascript. They do not redirect the user's browser; they merely ask it to solve a challenge, and then insert the Reblaze cookies.
Active Challenges will not occur when site content is served from a CDN. Passive Challenges can still detect bots in this situation.
Most importantly, Passive Challenges allow Reblaze to use Biometric Bot Detection—an advanced and sophisticated means of distinguishing humans from automated traffic sources.
With Biometric Bot Detection, Reblaze continually gathers and analyzes stats such as client-side I/O events, triggered by the user’s keyboard, mouse, scroll, touch, zoom, device orientation, movements, and more. Based on these metrics, the platform uses Machine Learning to construct and maintain behavioral profiles of legitimate human visitors. Reblaze learns and understands how actual humans interact with the web apps it is protecting. Continuous multivariate analysis verifies that each user is indeed conforming to expected behavioral patterns, and is thus a human user with legitimate intentions. More information about this.
We recommend that all customers enable Passive Challenges if it is possible to do so. Biometric Bot Detection provides much more robust detection of automated traffic than is possible without it.
Implementing Passive Challenges is simple. Place this Javascript code within the pages of your web applications:
The code snippet can go into the header or at the end of the page. The best practice is to place it within the header. This ensures that subsequent calls contain authenticating cookies.
(This matters for the first page served to a visitor. Subsequent pages will already have the authenticating cookies to include with their requests.)
Most customers set up the code snippet as a tag within their tag manager. This makes it simple to install it instantly across their entire site/application.
If desired, the script code can include async
and/or defer
attributes:
These usually are not necessary, and their effect will depend on the placement of the script within the page. Their use is left to your discretion.
To test the implementation, use a browser to visit a page containing the Javascript snippet. Once it runs, the browser should have a cookie named rbzid.
There are two primary situations where customers sometimes want to disable Active Challenges:
When a customer needs site analytics to correctly reflect all referrers. (Active Challenges can interfere with this.)
For API endpoints. Active Challenges are designed to verify the client's browser environment; for most API calls, there is no browser environment to verify. (For users of our Mobile SDK, this is not a problem. They can still use active challenges for these endpoints.)
Other than those situations, Active Challenges can be very beneficial.
We recommend that you keep Active Challenges enabled if possible. They automatically eliminate almost all DDoS traffic, scanning tools, and other hostile bot traffic.
If you wish to turn off Active Challenges, do the following.
For specific URLs/locations: remove the default "Deny Bot" ACL Policy from all Profiles that are assigned to those locations.
For an entire site/application: remove the "Deny Bot" ACL Policy from all Profiles within the site.
For specific traffic sources: Add an ACL Policy that will 'Allow' those specific requestors. The requestors should be defined as narrowly as possible.
Turning off Active Challenges will disable the direct blocking of bots (where a requestor is blocked merely for being identified as a bot). However, automated traffic will still be excluded via all other relevant means.
If you merely remove the Deny Bot ACL Policy from the relevant Profiles, then bots will still be excluded by the other active ACL Policies, Dynamic Rules, content filtering, and so on. If instead you added an "Allow" ACL Policy to specific requestors, then other ACL Policies will not block those requestors; they will be exempted from ACL Policy filtering.
If you have not enabled Passive Challenges (and successfully tested them), disabling Active Challenges is not recommended.
Attribute | Description |
Host | The name or IP address for each endpoint that Reblaze protects. This can be a normal web server, or it can be a load-balancer. Note that Reblaze also provides load-balancing capabilities in its own right, as discussed below. |
HTTP Port | The HTTP port for the server. |
HTTPS Port | The HTTPS port for the server. |
Weight | The relative weight of each server for load-balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights. For example, if two servers are both set to 'weight=1', they will receive equal amounts of traffic. If the first is set to 'weight=3' while the second is set to 'weight=1', the first server will receive three visitors for every single visitor that the second server receives. |
Max Fails | The maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway). |
Fail Timeout |
Is Down | When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose. |
Stickiness Model | Action |
None |
Auto Cookie | Reblaze will automatically generate a cookie to maintain the session on the same endpoint. |
Custom Cookie | You can provide the name of the cookie that Reblaze will use to track the session, e.g. one generated by an AWS or GCP load balancer. |
IP Hash | Routing will be determined from a hash of the client and destination IP addresses. |
Least Connection | Requests will be sent to the endpoint with the fewest number of connections. |
Parameter | Description |
Name | A unique identifier for use elsewhere in the interface. |
AWS | Whether the certificate is loaded to AWS (see explanation below). |
GCP | Whether the certificate is loaded to GCP (see explanation below). |
Expiration Date | When the certificate expires. |
Linked To |
Administering your entire planet
The Planet Overview page enables the following actions:
Add and manage a site/application.
Generate an SSL certificate for a site/application using the Let's Encrypt service.
Configuring Notifications and Alerts.
Note that in the discussion below, "site" and "web application" are synonymous.
This section allows you to add and modify web applications. It does not provide the ability to delete them.
Deleting a web application is done at the bottom of the Web Proxy page.
Creating a new web application is done by duplicating an existing one, and then editing the one that is created.
Select an existing site that is the most similar to the one you want to add.
Select its "Duplicate Application" button.
This will clone the site and create a new one with identical settings, which you can then edit.
Clicking on a site name will open it in the Web Proxy page, where it can be edited.
Reblaze integrates with Let's Encrypt to provide free SSL Certificates.
By clicking on the "Generate Certificate" button at the end of an entry in the site list, you can:
Generate a new certificate without attaching it to a site
Generate a new certificate and immediately attach it to a site. If the site has an existing certificate, it will be replaced by the new one.
In either case, this is the dialog you will see:
Just choose the button for the activity you want.
At the bottom of the Planet Overview are the Notification Settings.
When a Dynamic Rule is violated, Reblaze can send immediate alerts to a list of one or more email addresses, SMS numbers, and hooks (e.g., Slack).
In addition, a cumulative report of the previous week's violations can be sent to one or more email addresses.
This section defines one or more Notification Groups for these notifications. Clicking on the "+" button on the right will display this dialog:
The settings for a Notification Group are as follows.
An existing Notification Group can be edited by clicking on its listing, or deleted by clicking on the trash button at the right end of its listing.
When you deploy Reblaze to protect your web assets, it acts as a proxy; it receives requests from clients (web visitors, mobile/native app users, etc.), blocks hostile traffic, and passes legitimate requests to your servers.
The Web Proxy page defines how Reblaze behaves in this role. It contains these sections, from top to bottom:
After making edits to this section, Save Changes and Publish them to the cloud.
At the top of the page, the title shows the web application currently being displayed below for editing.
The pulldown on the right selects the web applications to edit. The save button on the far right saves the edits that have been made to the current application.
This section shows a list of URLs/resources within the application, and defines Reblaze's behavior for them.
Every incoming HTTP/S request targets a specific URL. Reblaze finds the best match for that resource in this list, and applies the security configuration defined for it.
The "best match" is determined by regex evaluation. (The order in which the Match strings are listed in the interface does not matter.) If no matching resource definition is found, Reblaze applies the rulesets from the default resource definition (shown in the screenshot above as the fourth entry).
An HTTP/S request which passes all security tests will be forwarded to the Backend Service defined for the requested resource.
Reblaze evaluates incoming traffic in a multi-stage process. The stages include the tests defined here for each resource (WAF Policy, ACL Profile, Rate Limits, and Cloud Functions), and other tests as well (Dynamic Rules, Static Rules, etc.) The complete list of tests and their order of evaluation are described in Security Section Concepts.
This section is where security rulesets are assigned to resources within your site, application, API, etc.
Some rulesets are defined within the Security section of the interface: the ACL Profiles, WAF Policies, Rate Limiting, and Cloud Functions. Others are defined farther down on this page, such as the Request Rate Limits discussed below.
To edit a definition, click on the "expand" button at the end of its listing. The following window will appear.
The entries in this window correspond directly to the various fields discussed earlier in the definition listing.
This section configures Reblaze's behavior as the frontend for traffic.
This section (shown above in the previous screenshot) configures Reblaze's communication with the backend.
This section lists the signatures of recognized applications and available remote profiles.
App Signatures lists the SHA-256 digests of recognized certificates.
To find the signature for an iOS app, you can open the Apple Development Certificate in the Keychain app, and copy the SHA-256 fingerprint. Alternatively, you can extract this fingerprint from the ipa bundle.
For Android app, you can get the SHA-256 fingerprint from the keystore or extract it from a signed APK with the apksigner tool (part of the Android SDK). See detailed instructions here.
When uploading the fingerprint to the Reblaze Console, make sure that it contains hexadecimal characters only, in lowercase, without spaces.
Any number of signatures may be 'Active' at given time. While debugging the app on emulator, it will present a special signature "abadbabe"
: make sure it is not activated on production.
Profiles lists the remote profiles that can override the parameters of the SDK on all mobile clients. The Default profile is always empty, and when it is active, the SDK parameters are fully determined by the app local configuration. Only one remote profile may be active at given time.
Grace period defines the allowable time between the timestamp of a request and the time that Reblaze receives the request from the application. Requests with a longer delay will be rejected.
UID Header Name determines the name of the header that contains the user authentication token. With the new versions of Mobile SDK, it can be empty.
Support for old versions of Mobile SDK is disabled by default, but if your app has not fully migrated to Mobile SDK v2.0, you can enable backwards compatibility:
Documentation for the old versions of Mobile SDK is available here. Note that the Grace Period field is read-only; it only reflects the global setting above.
This section defines several types of limits: Timeouts, Size Limits, and Request Rate Limits.
The Timeout settings allow the system to monitor the time required to serve resources to each client. Any connection that exceeds the specific limits will be dropped.
Why timeouts are important
Some DDoS tools (e.g., R-U-Dead-Yet, or RUDY) send a relatively small quantity of traffic requests, but do so as slowly as possible (often with each byte sent separately). While a legitimate request can be resolved in milliseconds, a single RUDY machine can tie up server resources for several minutes. Even a few hundred of these machines attacking your server can be very destructive.
The Timeout settings allow Reblaze to block unresponsive requestors, whether their unresponsiveness is malicious or not. For most Reblaze deployments, the default timeout settings work very well. They are sufficient to filter out hostile traffic, while still accommodating even those users with low bandwidth.
All times are specified in seconds.
You can place limits on the amount of data that users can upload to the system. The defaults usually work well; however, if your application accepts user-generated content or other large files, then changes to these settings might be necessary.
Please note that if you increase these settings within Reblaze, then the upstream server should also be configured to accept and store the quantity of data that Reblaze will (potentially) pass through.
These settings allow you to limit the amount of resources consumed by an IP address. Reblaze can limit consumption by the average number of requests per second, while also allowing temporary bursts at a higher rate.
When a requestor exceeds any of these thresholds, subsequent requests will be answered with error code 503 (Service Unavailable).
Note that this rate limiting is a global metric; it applies across the entire application. For example, if one IP address is submitting requests to multiple URLs within a web application, all the requests are combined when determining if rate limits have been violated.
Request Rate Limits are active even when the domain is in Report-only mode.
Reblaze can track a session by using a header, argument, or cookie. This parameter allows you to specify which one to use.
This section is for advanced configurations only. To use it, please contact support.
To delete the current site or application being displayed on the page, enter its name into the textbox and click on the Delete site button. Note: this action cannot be undone.
Before deleting a site from Reblaze, you should change your DNS settings to reroute your traffic, and then wait for the changes to propagate. Otherwise, Reblaze will still be receiving traffic, but the traffic will no longer be passed upstream to your server.
This section describes best practices for some common tasks.
Changing user settings
The Account Settings page allows you to manage your Reblaze user accounts.
From this tab, you can reset your password, name, and phone number.
Reblaze uses 2FA (two factor authentication). There are several options for sending an OTP when you login:
If only an email address is provided, the OTP will be sent via email.
If a phone number is provided, the OTP will be sent over SMS message.
This tab also offers a personal API key, to be used in all requests to the Reblaze API.
This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.
An admin can:
Create a new user
Edit an existing user
Reset a user's password
Delete a user
When a user account is being edited, this will appear:
The available Access Levels are:
Viewer: can see the Traffic section, i.e. the Dashboard and View Log.
Organization Admin: has all Editor permissions, and can also manage users via the Users Management page.
Reblaze Admin: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.
This tab allows SSO to be configured so that users have the ability to log into Reblaze with their Okta or Microsoft accounts.
Configuration options will vary depending on the type of account.
Whenever you change the configuration of the Reblaze platform, you must save your changes, and in almost all cases, you must publish them to the cloud as well.
If you do not save your changes, they will be lost when you go to a different page within the user interface. You will not be prompted or asked to confirm the abandonment of your changes.
The Publishing process checks the saved changes for errors. If no errors are found, they are pushed to the cloud.
The Reblaze interface has several ways in which to save changes.
In many places, this button appears on the upper right part of the screen:
In other places, the Save functionality is part of a pull-down menu, which is designated by three vertical dots:
Remember that you must select Save Changes, in whatever format the button is offered, whenever you make any edits within the Reblaze interface.
Also remember that in almost all cases, Save Changes only saves your changes within your local session. To push them to your planet in the cloud, you must Publish Changes as well.
When editing Dynamic Rules, saving your changes will apply them to your planet.
In all other cases, after Saving your changes, you will also need to Publish them, which will push everything to the cloud.
Rather than trying to remember which activities require publishing and which do not, it is best to get into the habit of always Publishing after Saving.
In some cases, choosing the Save button will be followed by an immediate prompt to Publish. In other cases, it will not, but Publishing is still required. Again, it is recommended that you adopt the habit of always Publishing after Saving.
Publishing is done on the Planet Overview page, via the button on the upper right. The outcome will appear on the screen once it is complete.
Web clients can cache resources from a server. Afterwards, a client can access its local cache, which reduces the number of requests sent to the server.
Servers can instruct clients to implement caching in certain ways. Servers can also set separate caching policies for any intermediary proxies in-between the server and the client.
Reblaze is a proxy between the clients and the backend. When the backend responds to clients, the outgoing responses pass through Reblaze. You can instruct Reblaze to preserve or alter the caching instructions in those responses.
This can be done through . A future update will provide multiple cache policy templates. Meanwhile, if you need immediate assistance in customizing Reblaze's caching behavior, .
Sometimes a customer wishes to "attack" an application or server as part of a loadtest. Under normal circumstances, Reblaze would prevent this, because it would enforce rate limits and block the excessive requests from reaching the upstream network.
The test can be accomplished by creating an which allows the source IP (or range of IPs), then naming that ACL Policy with a suffix of "OC." (For example, the ACL Policy might be named "Loadtest OC.")
As discussed in the section, the "OC" suffix means that the IP will not be subjected to normal rate limit testing. This allows that IP to generate a large amount of traffic, which will be passed through upstream without being filtered by Reblaze.
A task-based FAQ
This section answers questions that often arise about using Reblaze.
The section shows a list of traffic sources (i.e., sources of incoming requests) that are currently banned, blacklisted, and whitelisted.
A traffic source is banned automatically when it violates a . You cannot manually ban a requestor.
However, you can accomplish the same effect by blacklisting the requestor. .
You can manually remove a requestor from the Banlist or Blacklist. .
Whitelisting a traffic source will make it exempt from Dynamic Rules. .
How to filter results
The Reblaze query command box allows you to query the data in order to present only the records that you want. The structure of a filter is operator:value.
For example, to view only traffic from IP 10.11.12.13:
ip:10.11.12.13
An exclamation mark ("!") can be used with various filters as a "NOT" operator. So, to exclude requests from an IP, add "!" as a prefix:
ip:!10.11.12.13
Note that filters can be combined to fine-tune a search, by chaining them with a comma. For example, in order to show all traffic from France that was blocked:
country:France, is:blocked
The fastest way to build query strings is to double-click on labels of existing log entries. This will add the value of each label as a filter to the query box. When you have constructed the entire query string, click on the search button, or place the cursor into the text field and hit "Return" on your keyboard.
For example, when looking at this entry for a blocked request (the IPs have been censored for privacy reasons):
Let's say you wanted to quickly see what other requests produced a 403 error that came in from the United States on a cloud IP. Double-clicking on the "403" label, the "United States" label, and the "Cloud" label builds the query string for you automatically:
Then select the "search" button, or place the cursor within the query box and hit "Return" on your keyboard, to process the query.
In some situations, this technique has limited usefulness. In the example screenshot above, double-clicking on the label beginning with "XSS" would add a (very) long filter string to the query, because that label contains the full script from the injection attempt (although the label itself only displays the first few characters in the interface).
If this is what you want (perhaps you need to search only for logged requests which contain that exact script), then this is effective. But if you wanted to build a more general query, then this is not useful.
A better approach is to choose a representative substring.
Queries can be based on substrings. Internally, Reblaze executes a "contains" search, so queries will return everything that contains the string that was specified.
In some situations, you'll want to build queries that produce exact matches. But in many other situations, it's faster just to search for a relevant substring instead.
Examples:
reason:XSS
will show all records with "XSS" in their reason label.
url:login
will include all URLs that include "login".
ip:191
will display all IP addresses containing "191".
Regular expressions can be applied to the filter value to make the search more accurate. The regex matching is done by wrapping the search value with re(REGEX here). Examples:
is:re(200|401)
ua:re(iOS!iPhone!iPad)
If you wish to display login requests with method “POST” which were blocked, but not by the origin (upstream server):
url:/login,is:POST,is:blocked,is:!origin.
This displays those requests which produced 502-504 error codes:
is:re(502|504)
This displays the requests that contain a specific value in an argument:
arg_name:text, arg_value:free_text
Leveraging Reblaze's traffic data
A typical security solution provides information about the traffic that it has blocked. Contrary to this, Reblaze shows all of the traffic that it receives.
This provides you with a powerful ability to dig into your traffic data and gain deep understanding about the nature and disposition of incoming requests.
Metrics about blocked requests are very useful, but their usefulness is multiplied when you can compare them to passed requests. By showing all requests, Reblaze allows you to understand what "normal" requests look like. This gives you more insights into abnormal traffic.
The discussion below assumes you have already read the .
Reblaze provides multiple ways to view your traffic. The discussion below will focus on the . Similar tactics can be applied when viewing different parts of the .
Sometimes the View Log is used to answer a specific question about a request or a traffic source. At other times, it might be a more general exploration; for example, a beginning-of-the-day review of what happened over the last 24 hours.
Let's discuss the latter scenario (a general exploration). Because the View Log shows all requests, it can be overwhelming. It's helpful to start by excluding requests that aren't as relevant to your current purpose. Examples:
Exclude passed requests, and show only the challenges or blocked requests: reason:challenge
(to show only challenges), or is:blocked
(to show only blocked requests).
Exclude requests being rejected by the origin (i.e., the upstream server): reason:!by origin
Exclude requests from a banned IP: ip:!1.2.3.4 .
Another approach: reason:!autoban/etc.
Exclude requests that are obviously invalid, e.g. those with unrecognized host headers.
Eventually, you can filter the display down to a list of challenges or blocked requests that might produce some insights.
From this point, you are looking for possible patterns, or unusual outliers, and considering possible actions to take. For example:
Is the same IP failing multiple challenges? It might be interesting to filter on that IP only, and go through all of its activity, to see what that traffic source was trying to do. (You can see that a challenge is being failed when the challenge itself appears in the logs, but it is not followed by a successful request by the IP for the same URI.)
Are there many blocked requests for the same URI, but from different traffic sources? This might be a False Positive alarm. See below for more on this.
There is no set procedure for this process. Essentially, you are browsing the list of challenges or blocked requests, thinking about why you are seeing the entries there, and asking further questions.
Sometimes, request data will be encoded. Here's an example of a XSS attempt.
The script in the request is HTTP encoded. To see it in plain text:
Double-click on the reason (the yellow label beginning with XSS).
The full contents of the label will appear in the query box, decoded.
For some forms of encoding, more processing is required.
Reblaze does not perform all possible forms of decoding in the interface.
Double-encoded requests will only have their first level of encoding undone.
A “False Positive” (FP) alarm occurs when a security system misinterprets a non-malicious activity as an attack. These errors are a critical issue for cybersecurity.
Although it might seem that FP errors do not necessarily have serious consequences, incorrect security alerts can lead to significant monetary losses. For example, an e-commerce site might incorrectly exclude real online shoppers. Or, it might reject "good" web crawlers, which would reduce its Internet visibility.
FP diagnosis is often done when Reblaze is first deployed, before it has been fine-tuned for the customer's applications. It can also be done later, when you discover that certain requests are being blocked, but you do not understand why.
When examining blocked request(s), it can be helpful to ask questions such as the following.
Sometimes an application will expect and accept inputs that Reblaze blocks by default. Example: the site might use a CMS which accepts HTML/Javascript POST requests. However, out of the box, Reblaze is often configured to block requests containing POST. Thus, Reblaze would need to be re-configured to match the application it is protecting. (In this example, it's a simple toggle switch in the WAF/IPS Policies interface.)
If the range of valid inputs has changed, but Reblaze was not re-configured, then FP errors can result.
Is the block happening to multiple users?
If a single IP is being blocked, but other requestors for the same URI are being allowed through, the block is more likely to be the correct response to this IP's request. This is especially true when the single IP has attempted other questionable activities.
Conversely, if multiple requestors are being blocked, and they seem to be innocuous otherwise, this indicates the problem might be a FP.
There are some situations where a request is blocked even though Reblaze has no obvious reason to be blocking it. This can occur when Reblaze is not actually the entity making the decision.
The upstream server can reject requests. These requests can be displayed in the View Log withreason:by origin
as the filter.
Reblaze can use ACLs with external sources of information, e.g. Spamhaus. Example: a request is blocked with a reason of acl-ip
. The reason indicates a Reblaze ACL blocked the request because of its IP—but what if you didn't configure any ACLs to reject specific IPs? The answer is that there are several ACLs which rely on external lists of hostile IPs, such as Spamhaus DROP and eDrop.
Example: a web user visited a landing page, entered contact details into a form, and then tried to proceed to the next page. However, the request to proceed was blocked.
This could be a FP due to "junk input." Perhaps the user entered a phone number of "1111111111" and it was rejected by the upstream application. Or perhaps the page itself autocompleted a field and inadvertently created junk input on its own.
If requestors are being blocked for violating rate limits, and the rate limits are very stringent, then perhaps the limits are too tight, and they need to be relaxed.
Or, perhaps the block is the result of content filtering. This feature is powerful, and it is possible to mistakenly configure it to be too restrictive.
Looking up the custom signature shows that its "Is matching with" condition is the following regex:
(?i)(select|create|drop|\<|>|alert)\W
The admin wrote this regex in order to identify SQL injection attempts (i.e, SELECT, CREATE, and DROP commands. Normally SQL and code injection attempts are blocked automatically by the WAF, but occasionally customers choose to disable this).
Now let's examine one of the blocked requests in the View Log. Its Capture Vector is this:
https://www.pinterest.com/pin/create/button/?url=https%3A%2F%2Fexample.com%2Fpitbull-2012%3Frt%3Dstorefront%26rp%3Dpitbull%26rn%3DPitbull%26s%3Dhanes-S04V%26c%3DBlack%26p%3DFRONT&media=&description=
https://www.pinterest.com/pin/create/button/?url=https://example.com/pitbull-2012?rt=storefront&rp=pitbull&rn=Pitbull&s=hanes-S04V&c=Black&p=FRONT&media=&description=
Notice the highlighted (in yellow) part of the string in the bottom textbox. This shows which part of the bottom string matches with the regex in the box above it.
We see that the expression that was meant to identify an SQL command of CREATE, is also matching with the URL generated by a user who was trying to feature this site's product on Pinterest.
This indicates that the regex should probably be modified, so that it only accomplishes its intended purpose. In this example, it could be modified as follows:
(?i)(\sselect|\screate|\sdrop|\<|>|alert)\W
This would require a space to be found before each potential SQL command, thus eliminating matches when those words are found in a URL.
As mentioned earlier, there is no set procedure for the process of identifying the underlying reasons why requests are blocked. It requires digging into the requests, gathering data, and asking questions.
Hopefully the examples above are helpful in illustrating the necessary thought process, and some of the tools that are available.
When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. Example: "10s" indicates a fail timeout of 10 seconds. This field uses .
This is the default. Requests will be distributed across the endpoints in a round-robin fashion, according to the Weights assigned to them (described above in the ).
This field is populated when this certificate is chosen for use in the section.
To add a resource definition, click on the "expand" button in an existing definition. Within the window that appears, click on the Fork Profile button.A new definition will be created for editing.
To delete a definition, expand its listing. In the window that appears, select the Delete button.
Are there a lot of requests for a Wordpress file, but your site does not use Wordpress? These are coming from malicious traffic sources. It might be useful to set up a , e.g. to Ban requestors who submit more than one request for that file in a three-minute period.
In these cases, you can highlight the string in the query box, copy it, and run it through decoding tools. (For example, .)
Example: requests are being blocked because of a (reason:acl-custom-sig
).
This can be decoded with a tool such as . It now becomes this:
Now let's see why the regex condition matched the request. On , it's possible to paste in regex and a string, and see if/where a match occurs.
Field
Value
Name
A descriptive label that you choose, for use within the Reblaze interface.
Match
An expression for the resource's location, expressed as PCRE (Perl Compatible Regular Expressions). This entry uses Pattern Matching Syntax.
Backend Service
An HTTP/S request which passes all tests (as defined in the assigned rulesets, plus other applicable tests such as dynamic rules) will be forwarded to this service.
WAF
The WAF Policy applied to this resource. Its name will be displayed in green if it is active; if displayed in red, it is currently disabled.
ACL
The ACL Profile applied to this resource. Its name will be displayed in green if it is active; if displayed in red, it is currently disabled.
RL
The number of Rate Limits assigned to this resource.
Fn
The number of Cloud Functions assigned to this resource.
expand
A button to expand this definition and display it for editing.
Field
Value
Domain Names
The list of domains that Reblaze will protect.
Trusted Sources
The ranges of IP addresses which are trusted for providing forwarded IP addresses: for example, the load balancers in front of Reblaze, or the CDN.
Client IP Header Name
Defines one or more header fields within which Reblaze can find the client's IP address. When Reblaze receives an incoming request from a client, the request will have passed through a load balancer on its way to Reblaze. This means that the header will contain the client's IP and the load-balancer IP. These two IPs are usually found within the X-Forwarded-For field (which is the default entry here). In this situation, Reblaze knows how to extract the client IP from this field. In other situations, a different field name might be necessary. For example, if the Reblaze customer is using Akamai CDN, the incoming request will have the client IP in a field named True-Client-IP instead.
Challenge Content-type
The Content-Type entity header of the response when a challenge is executed.
Challenge's cookie domain
Defines the domain you want Reblaze to use when setting a challenge cookie. The default value (“$host”) tells Reblaze to use the domain being accessed by the user.
Mask Post Args
Defines the argument names which contain sensitive data, and therefore will not be saved in log files. Common examples of this are payment details and credit card numbers.
Field
Value
Proxy Connect Timeout
The time (in seconds) for Reblaze to wait, before treating a connection with the backend as having failed.
Proxy Send Timeout
The time (in seconds) for Reblaze to wait, before treating a data transfer attempt to the backend as having failed.
Proxy Read Timeout
The time (in seconds) for Reblaze to wait, before treating a downstream (toward Reblaze) data transfer attempt as having failed.
Backend Service Host Header
Defines the value of the Host header passed to the backend. The default value (“$host”) sets it equal to the Host header in the incoming request.
Real IP Header Name
Defines the field name that contains the client's IP address. Reblaze is a proxy, and it passes incoming client requests to the upstream server. This means that the server will receive request headers which contain Reblaze's cloud IP address as the "client" IP. This is not useful; almost always, the server will need the IP of the actual client instead. To facilitate server logging, analytics, and so on, Reblaze adds the IP address of the originating client to the headers that it sends to the server. The Real IP Header Name defines the name of the field within which this information is passed.
Field
Value
Secret
When a mobile application sends requests into Reblaze, it includes a secret value in each call that will be used as part of the client authentication process, to verify that the requestor is a legitimate human user. This field allows you to specify that value.
Variable Name
The name of the header that carries the user authentication token. It can not be empty. For more information, see SDK Method Arguments.
Hashing mechanism
To be edited only with the help of support.
Grace Period
Defines the allowable time between the timestamp of a request (provided in the Grace variable name, below), and the time that Reblaze receives the request from the application. Requests with a longer delay will be rejected. This will prevent replay attacks.
Grace variable name
The name of the header, cookie, or argument used to transmit the request's timestamp.
Parameter
Timeout
Client Body Timeout
If the body is not obtained in one read-step, this timeout begins. If the timeout expires and the client has still sent nothing, the Reblaze Gateway returns error 'Request time out (408)'.
Client Header Timeout
How long to wait for the client to send a request header.
Keepalive Timeout
The timeout for keep-alive connections with the client. The Reblaze Gateway will close connections after this time. This setting increases server efficiency; it allows the server to re-use browser connections and save resources. When changing this value, special care should be taken; in some cases, it depends on specific cloud vendor and load balancer settings.
Send Timeout
Specifies the response timeout to the client. This timeout does not apply to the entire transfer but, rather, only between two subsequent client-read operations. Thus, if the client has not read any data for this amount of time, the Reblaze Gateway shuts down the connection.
Size
Functionality
Client Max Body Size
Specifies the maximum accepted body size of a client request, as indicated by the request header Content-Length. Size in MBs.
IP Parameter
Functionality
Global Limit - Requests per second per IP address
Sets the allowable request rate per IP, per second: i.e., the allowable per-second average of incoming requests, enforced on an incremental basis (where "increment" refers to the number of milliseconds allowed for one request).
Example: This is set to 100. Thus, 100 requests are allowed per second. However, the system does not enforce rate limits on a per-second basis; it used a granularity of milliseconds. Therefore, it will allow one request every 10 milliseconds. (100 r/s, divided by 1000 ms/s, equals 1r/10ms.)
Global Limit - Burst for request per second per IP address
Sets the allowable additional burst rate per IP, per second.
Example: Let's say that the previous field (Global Limit - Requests per second per IP address) is set to 100. Without burst limits—i.e., if this field were set to zero—the system will reject every request that was received less than 10ms after the previous one. However, the burst limit is set to 20 instead. This means that Reblaze will accept 21 requests (1 original plus 20 additional) per 10 milliseconds. In other words, when a request is received, up to 20 more can be received and accepted within the following 10 ms. If instead 25 total requests are received during that time, the last four requests will be denied with a 503 error.
Session Key
Specified as header_YOURHEADERNAME, arg_YOURARGUMENTNAME, or cookie_YOURCOOKIENAME.
Setting
Description
Group Name
A name you choose for display in the Group listing.
Sites
The site(s) for which alerts will be sent.
Rules
The Dynamic Rules which, when violated, will trigger alerts. When more than one rule is included, a violation of one or more will trigger the notification.
Alerts
Information for the recipients of alerts: their email addresses, hooks, and mobile numbers for SMS messages.
Reports
Email addresses for the recipients of cumulative weekly reports.
Name | Explanation |
After | Log records registered after a given date and time. |
Before | Log records registered before a given date and time. |
arg_name | Search for an argument by name |
arg_value | Search for an argument value |
asn | Autonomous System Number for the IP |
city | Abbreviation for the country. Example: "US" for the United States. |
country | Name of the country |
cookie_rbzid | Reblaze ID cookie value (base64) |
cookie_name | Search by cookie name |
cookie_value | Search by cookie value |
domain_name | The main domain name in Reblaze (not necessarily the actual Host header). |
ext | File extension |
header_name | Name of header |
header_value | Value found in header_name |
host | HTTP Host header: usually, the domain name of the application. |
id | Reblaze unique request ID. |
ip | IP address of the web client. |
is | IS is a special operator that can be used for almost all attributes of a request. It can be used to filter a certain HTTP method, "flags" and protocol version. For instance, to get blocked POST requests made by a human, type: is:blocked, is:human, is:post. |
mime | Multipurpose Internet Mail Extensions |
origin | The IP address of the origin server. |
path | The path of the request (the URL without the query string part). |
proxy | The IP address of the particular Reblazer server. |
rbzid | Hash value of Reblaze ID cookie value (md5). |
reason | Reason the request was blocked or passed. |
ref | HTTP referer header. |
sslcipher | The chosen SSL cipher. |
sslprotocol | The chosen SSL protocol. |
status | Response status code (regex is acceptable, e.g. [45]\d\d). |
ua | HTTP User Agent header. |
upstream_status | Response status code from upstream servers (regex is acceptable, e.g. [45]\d\d). |
url | A substring to search for within the complete URL request line (including the query string). |
Reblaze integrates with a wide range of SIEM [Security Information and Events Management] and SOC [Security Operation Center] solutions. Nearly 80% of our enterprise clients stream Reblaze events to their SoC, such as ArcSight, RSA, IBM, and Splunk.
Reblaze sends logs over TLS using the Syslog protocol.
The variety of available integrations makes it impossible to describe the process for each of them here. Our team will assist you with the integration, to ensure your platforms get the relevant information as soon as it becomes available.
To make the connection, Reblaze requires the following:
Destination IP/FQDN
Destination port
Destination's public SSL certificate in PEM format. (To prevent a MITM vulnerability, Reblaze performs SSL pinning.)
Please have this information available when you contact us to begin the integration.
Raw logs are sent in the format described here.
Sometimes ACL Policies can make it difficult to find and block a specific attacker.
For example, let's say an ACL Policy (named "Allow US Traffic") for an ecommerce store allows all traffic originating from the United States. But then an attacker, using an IP within the US, begins to scrape prices and other data from the store.
If an ACL Policy were added to Deny that IP address, it wouldn't work. The hierarchy of ACL Policy enforcement means that the "Allow US Traffic" Policy will take precedence, and the 'Deny' Policy for that IP will never be invoked.
One way to quickly solve this problem is to add an ACL Policy with a name ending in a suffix of "XDeny" (for example, "Block US Scraper XDeny"). As was discussed in the "Special ACLs" section, that suffix moves the ACL Policy to the top of the hierarchy.
Therefore, that ACL Policy will be invoked and enforced for that IP address, and the attacking IP will be blocked, before the "Allow US Traffic" Policy has a chance to grant it access.
Long-term use of this capability is not optimal; using it too frequently can tend to create a collection of ACL policies that is messy, confusing, and difficult to manage. The optimal approach is to use it as a tool for solving a specific problem temporarily, while a robust set of ACL Policies are constructed and tested that will solve the problem correctly.
Blocking requests that do not conform to content policies
There are several ways to filter requests based on their content.
Create one or more lists of content filters in Session Profiling, with appropriate tags.
Create ACL Policies for each tag with appropriate actions (Bypass, Deny, or Allow).
Include the ACL Policies in one or more ACL Profiles.
Include the ACL Profiles in one or more Security Profiles.
Custom Signatures can be used for specifying content restrictions. They are included within ACL Policies, which are used within Profiles, which are assigned to various locations of your site/application on the Web Proxy page.
Args Analysis examines the characters found in arguments. Depending on its mode, it can block requests if unexpected characters are found, or pass them on to the WAF for further inspection. It can also act as an inverse content filter; those requests with arguments which contain only whitelisted characters can bypass WAF filtering.
Custom Signatures and Args Analysis will be deprecated in a future release. For content filtering, it is recommended that you use the first method based on Session Profiling instead.
Often, a web application will use external pages. For example, within digital marketing campaigns, it’s common to use landing pages that are provided by a third-party service.
Since these pages are generally hosted by the service provider, they are not directly protected by Reblaze. However, a customer can still use Reblaze to scrub traffic coming from them, and block hostile visitors from affecting the parent site (i.e., the site/application that is using the third-party service).
For example, bots can stuff false information into landing-page forms and submit it to the parent site. Reblaze cannot prevent the bots from accessing the third-party landing page. However, it can interdict the form submissions, and prevent them from passing through to the parent site.
Most third-party services allow code to be embedded into their pages. The following process takes advantage of this.
Add the following code to the page (ideally and if possible, in the page header):
Explanation:
“www.example.com” is your site.
“pixel-path” is a non-existent path. In other words, the overall address won’t actually resolve to a page or resource within your site.
The purpose of this request is not to return a resource or page; it is merely to trigger a call into the parent site. The call will trigger an active challenge.
If the visitor is a bot, the challenge will fail. Subsequent access attempts to the parent site (e.g., form submission attempts by a bot) will be blocked.
If the visitor is a human, the web browser will receive Reblaze’s authenticating cookies. Subsequent actions by the visitor will include the cookies, and will be accepted by Reblaze.
Note that Reblaze needs to be configured so that active challenges occur on the pixel-path
URL given above.
Restricting consumption of resources and rate of requests
Different types of rate limits are defined in different parts of the Reblaze interface.
Static rate limits for each application: Timeouts and request limits per IP are set for each application on the Advanced Frontend Settings on the Web Proxy page.
By location: Rate limits for specific locations/URLs can be created in Rate Limiting Rules and then including them in Security Profiles.
By traffic source: Requestors who are submitting excessive requests across the planet can be banned for configured lengths of time. This can be done via Dynamic Rules.
In some situations, either Rate Limiting Rules or Dynamic Rules could be used. Rate Limiting Rules are the preferable option. They are more powerful, more flexible, and in a future release, they will fully replace Dynamic Rules.
Creating exemptions from rate limits is done differently, depending on the scope of the rate limits being addressed.
Global: Create an ACL Policy with an OC suffix.
By location: Create an ACL Policy with the name "Rate Limit Whitelist". This can exempt any combination of IP, Country, and ASN. The Policy should then be included in a Profile, and the Profile should be assigned to the appropriate location(s) or portions of your site/application. Example:
By traffic source: A traffic source can be exempted from Dynamic Rule filtering either by adding an Ignore parameter to the Rule itself, or by adding the traffic source to the Whitelist within the Quarantine section.
There are two APIs within Reblaze: the REST API to control the platform programmatically, and the one used internally by the Mobile SDK.
Below are listed the available operations under Reblaze's API. The listings include descriptions, and examples using curl over Bash under Ubuntu 18.
The parameter $HOST refers to the console FQDN, while $KEY refers to the API key.
Lists all sites that are currently set up on the management console.
Duplicates/creates new site based on an existing site. You can choose to overwrite the upstream, or use the one that is currently set on the source site. The duplicate site will also create a referring CNAME based on the source site DNS settings.
Removes the site from the sites list. This operation also removes the referring CNAME.
Sets the list of domains that a site supports, and replaces any that existed previously. You can add up to 100 domains per site. A domain can also contain wildcards (e.g, *.domain.name).
Adds to the list of domains that a site supports, without replacing any that existed previously. You can have up to 100 domains per site. A domain can also contain wildcards (e.g, *.domain.name).
Returns the list of domains that a site supports.
Lists the upstream settings of a site.
Modifies upstream settings. You can add an upstream, change its state, or modify the upstream address. The upstream is a one-line JSON encoded in base64, as shown below. Parameters are described below the code example.
Attaches a domain to a SSL certificate.
Removes an attached domain from SSL.
Adds a new certificate to the .
|
|
|
|
|
|
|
|
|
|
|
|
|
This page provides information that will be helpful when setting up a Reblaze deployment. A basic Reblaze deployment can be created without changing these parameters.
Upstream Servers: The list is where you define the servers that Reblaze will protect. In other words, these are the servers to which Reblaze will send the (scrubbed) web traffic it receives.
This list provides robust capabilities for managing your traffic. You can enable and configure load balancing, which will weight and distribute traffic across your primary servers. You can define backup servers, to which Reblaze will failover your traffic when your primary servers aren’t available. You can take servers offline for maintenance by ticking a single box in the interface. You can even tell Reblaze to keep individual users connected to the same server throughout their sessions.
Adding and deleting servers from this list is straightforward. To add a server, enter its IP in the “New Server” box and click Add, then fill out the rest of the information in the new entry. To delete an existing entry, click on the Delete link next to that entry.
Here are explanations for each field in this list.
Host is the IP/FQDN for each server that Reblaze protects. This can be a normal web server, or it can be a load-balancing server. Note that Reblaze also provides load-balancing capabilities in its own right, as seen in the next field.
Weight is the relative weight of each server for load balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights.
For example, let’s say there are two servers in the list, with the weight of each servers set to one. Therefore, these servers will receive equal amounts of traffic. Suppose instead that the first server was set to three, while the second was set to one. This would mean that the first server would receive three visitors for every visitor sent to the second server.
Max Fails is the maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway).
Fail Timeout: When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. In the example, the timeout is ten seconds.
Is Down: When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose.
Is Backup: when this box is checked, Reblaze will treat this server as a backup. In other words, Reblaze will not attempt to communicate with it unless all the primary servers (i.e., those for which this box is not checked) are unavailable.
When a new user session is initiated, RCSI detects and verifies the authenticity of the environment.
The user’s browser is subjected to several dozen tests, verifying the features known to be supported by that browser. This includes hidden canvases, video and audio in various formats, WebRTC and other advanced networking protocols, screen resolution, and more.
The browser is subjected to an invisible “attack”: subtle errors are injected into the environment, and the browser engine’s reactions are captured and analyzed. Reblaze verifies that the exceptions and error messages are those which should be generated, if the browser is what it claims to be. (It is very difficult for threat actors to spoof this behavior using headless browsers and emulators, since there is an infinite number of possible errors to which any browser can be subjected, and threat actors need to replicate the actual reactions for each possible input.)
The above process only takes milliseconds, and it is completely transparent to the end user.
Once a browser has passed these tests, Reblaze signs it cryptographically. This signature accompanies all subsequent activity.
This process applies to browser-based applications.
It does not apply to mobile/native applications, because there is no browser to detect. For these applications, the environment is verified via the Client authentication process instead.
Argument | Description |
http_port | Upstream HTTP listening port |
https_port | Upstream HTTPS listening port |
weight | The relative weight of the upstream for load-balancing purposes within a farm. Reblaze distributes traffic with a round-robin sequence, according to these weights. For example, if two servers are both set to 'weight=1', they will receive equal amounts of traffic. If the first is set to 'weight=3' while the second is set to 'weight=1', the first server will receive three requests for every single request that the second server receives. |
fail_timeout |
max_fails | The maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway). |
monitor_state | This sets the state for Health Monitoring purposes. (This does not specify if the server is up or down; it merely sets the current state as if Health Monitoring had just checked the server and returned that state.) If backup is true, then this value should be either "backup_active" or "backup_down". If backup is false, then this should be 0, or "active_down." ("active_down" means the server is supposed to be active, but is down instead.) |
down | The state of the server. |
backup | If true, Reblaze will treat this server as a backup. In other words, Reblaze will not attempt to communicate with it unless all the primary servers (i.e., those for which the Backup setting is not set) are unavailable. |
host | The server host, as IP/FQDN. |
Most hostile bot activity involves headless browsers and mobile phone emulators. To detect these bots, most web security solutions rely on Javascript injection to detect the browser environment.
Unfortunately, these detection methods have become increasingly ineffective. The latest generations of bots use sophisticated software stacks, and they are able to masquerade as humans using normal browser environments.
To identify hostile bots, the Reblaze platform uses a variety of methods, collectively known as Reblaze Client Side Inspection (RCSI). Although Javascript plays a role within it, RCSI as a whole is unlike any other Javascript challenge in use today. RCSI is effective for protecting web applications, services/APIs, and mobile/native applications. (Some of the implementation details differ, depending on the context.)
RCSI detects bots via a multi-layered approach, described on the following pages:
Used in this Product Manual
Log line structure is as follows, note that some fields are quoted and some are not.if we will add more fields in the future, they'll be added on the right side.
Headers are base64 encoded JSON string contains headers names and values.
if we decided to block a request, either by ACL, or WAF/IPS it will be marked as "1" in the blocked field,
as well there will be a description at "block_reason" field.
Note that within the headers, we add an entry for the post_request_body.
When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. Example: "10s" indicates a fail timeout of 10 seconds. This field uses .
Acronym
Meaning
ACL
Access Control List
API
Application Programming Interface
ASN
Autonomous System Number
AWS
Amazon Web Services
BL
Blacklist
BQ
BigQuery
BQML
BigQuery Machine Learning
CA
Cloud Armor
CDN
Content Delivery Network
FP
False Positive
GCP
Google Cloud Platform
IPS
Intrusion Prevention System
LB
Load Balancer
ML
Machine Learning
RFC
Request for Comments
SIEM
Security Information and Events Management
SOC
Security Operation Center
TTL
Time to Live
VPC
Virtual Private Cloud
WAF
Web Application Firewall
WL
Whitelist
Field
Description
remote_addr
Client IP
timestamp
Timestamp
status
Response Status code sent to client
bytes_sent
Number of bytes sent in the response
method
HTTP Request method
request
The complete URL (including the query string)
proto_version
Protocol Version (1.0/1.1)
blocked
Was it blocked by Reblaze?
is_human
Was it marked as human?
block_reason
If blocked / Exceptionally passed - for what reason
geoip_country_name
Country Name
geoip_country_code
Country Code
request_id
Unique ID of this request within Reblaze
captured_vector
The vector attack we captured
request_time
The time it took our system to process the request
upstream_addr
The address of the upstream server(s) reblaze approached
upstream_response_time
The time Reblaze was waiting to the upstream server(s) to return the response
domain_name
The domain name of the server group in reblaze
host
The Host header of this request (same as domain name, or one of its aliases)
referer
The HTTP Referer header
http_user_agent
HTTP User Agent
http_cookie
The Cookie header string
request_headers
Request headers encoded in base6
organization
The complete organisation name owning the IP address
upstream_status
The status code returned by the upstream server
uri
The request URI without query part
hostname
The Proxy (Reblaze) server that process the request.
is_cloud
is_tor
is_vpn
is_anonymizer
is_proxy
rbzsessionid
Reblaze Session ID
request_length
The upload request size in bytes
sent_http_cache_control
The Cache-Control header we sent as part of the response
sent_http_expires
The Expires header we sent as part of the response
cookie_rbzid
Hash of the RBZID Cookie
sent_http_content_type
The MIME - Type (Content-Type response header)
browsersig
A unique signature of the visiting browser (future use)
ssl_protocol
SSL Protocol Version
ssl_cipher
Selected SSL Cipher
cache_status
Upstream Cache Status
anything_else
Future use place holder
Reblaze does not limit its traffic analysis to the user environment and client session. It also performs extensive, continual analysis of the user’s behavior.
Every HTTP request that Reblaze receives is anonymized and then analyzed according to numerous factors, including (partial list):
Device and software data (the user’s hardware, its screen resolution and orientation, the software used, battery level, stack trace, fronts and extensions, emulator detection, window size, hidden iframes, etc.)
User interface and events (mouse/pointer movements, clicks, taps, zooms, scrolls, keystrokes, speed of entry, etc.)
Session data (requests sent, IPs used, timing, frequency, etc.)
Consumption analytics (pages viewed, time spent, resources requested, etc.)
Application-specific events (and other results of user actions.)
Reblaze understands the patterns, typical values, and common relationships of these metrics for legitimate users of each protected application and API. The amount of data that Reblaze processes (over four billion requests per day) is far beyond the capability of human analysts. Therefore, cloud-based compute resources are used, applying Machine Learning in order to recognize patterns that analysts could not have identified on their own, or for which they might not have thought to look.
Reblaze performs this analysis to an extremely granular level: not only per app, but even down to individual pages, screens, and so on. This reveals patterns of behavior unique to that particular context.
Reblaze continually analyzes the activities and behaviors of every requestor in every session. By definition, every hostile user (whether human or bot), must, at some point, deviate from the behavior of a legitimate user. As soon as this occurs, Reblaze blocks that requestor.
Using this approach, Reblaze’s bot detection accuracy is not only high, it is also robust and resistant to reverse-engineering by threat actors. Behavioral profiles are constructed based on private analytics data, and threat actors have no realistic way of obtaining this information.
Biometric behavioral verification is part of the passive challenge process. To enable behavioral analysis, passive challenges must be enabled.
The Reblaze system blocks traffic if it matches configured WAF signatures, exceeds triggering thresholds, matches ACL rules, or violates RFC specifications. When a blocking event occurs, Reblaze reports it according to reference IDs.
The reference IDs are listed below, categorized into groups according to their description. In some cases, external links are included with more details on the specific type of attack being described.
OSCI attacks are aimed at the operating system. The attacker seeks to manipulate the operation of the system, or to take control completely. For example, an attacker might attempt to get the content of OS files such as /etc/shadow. An OCSI attack can be included in the request headers, arguments, or cookies. More details on this type of attack can be found on the OWASP website.
Reblaze reference ID 400000-499999
RFI attacks target applications that allow scripts to be included in files. These attacks are typically used for planting backdoors. Here's an example of an RFI attack using PHP.
Reblaze reference ID 300000-399999
An LFI attack is similar to RFI, but it includes one or more local files instead of remote links. The attacker seeks to upload a file to the server. Read more about LFI.
Reblaze reference ID 300000-399999
Threat actors use SQL injection to attack databases by executing SQL commands. SQLi is a common attack, with many possible ways for attackers to exploit vulnerabilities. Read more about SQLi.
Reblaze reference ID 1000000-1999999
XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted sites and applications. Read more about XSS.
Reblaze reference ID 2000000-2999999
Many attacks take advantage of vulnerabilities in the OS or in the targeted application, without falling into one of the more prominent categories. Reblaze classifies them into this “generic” category.
Reblaze reference ID 3000000-3999999
This signature refers to a violation of HTTP protocol RFC-2616. For example, the RFC requires requests to contain a content-length header; a request that does not include one violates the RFC.
Reblaze reference ID 3000000-3999999
This signature refers to the recognition of user-agent headers of known attack tools and applications: for example, the “Grabber” vulnerability scanner.
Reblaze reference ID 3000000-3999999
This attack is sometimes referred to as Direct Dynamic Code Evaluation. It exploits an application that does not properly validate user inputs. More information can be found at OWASP here.
Reblaze blocks requests when a capacity threshold is exceeded: for example, the number of requests per second from a single IP. Usually, these thresholds reflect Reblaze’s DDoS protection. However, in some cases, some of this may be coming from the upstream server rather than Reblaze; in this situation, a “by origin” is added to the event description in the logs.
Reblaze reference ID: None. This block results in HTTP error 503.
Reblaze blocks headers for any site not found in its list of configured sites: for example, a proxy request. (This includes IP addresses as well.) Only FQDN (fully qualified domain names) are allowed.
Reblaze reference ID: None
A common penetration technique is to encode a hostile request multiple times (for example, URL encode and base64), in an attempt to evade detection and filtering by the WAF or other security measures. Read more about multiple encoding attacks here.
Reblaze reference ID: 8888001
This refers to requests that are blocked because they fail Reblaze’s bot/human detection challenges.
This refers to traffic that is blocked by the application. It does not include categories such as HTTP errors 400, 408 or 500.
A blocking event that resulted from an ACL containing an IP or subnet.
A blocking event that resulted from an ACL containing an IP or subnet that matched geographical criteria.
A blocking event that resulted from an ACL containing an IP or subnet that is part of an anonymous proxy provider.
A blocking event that resulted from an ACL containing an IP or subnet found on a list of TOR gateways.
A blocking event that resulted from an ACL containing an IP or subnet known to be used by a VPN provider.
A blocking event that resulted from an ACL containing an IP or subnet from a specified AS number.
A blocking event that resulted from an ACL containing an IP or subnet known to be used by a cloud provider.
A request was rejected because it contained an HTTP method that the WAF was configured to reject. For example, a common configuration is to accept HEAD, GET, and POST requests, while rejecting all others.
A violator blocked by the ban list (via a Dynamic Rule).
When a request’s payload exceeds the configured threshold, the WAF signatures are bypassed. This mechanism ensures that the WAF will not loop forever and consume 100% of the CPU.
This blocking event occurs when rate limits are triggered. The text is taken from the name of the rule that triggered the event.
This message notes that the IP is in the rate limit whitelist ACL.
This message notes that this organization’s AS number is in the rate limit whitelist ACL.
How to contact Reblaze
Reblaze is not a stand-alone platform; it is integrated with a dedicated support team which is available to you 24/7/365. Please contact us at any time if you need assistance.
Our support is not limited to daily operational use of our platform. We're happy to help with initial setup and configuration, ongoing administration, introductory or in-depth training, discussion of feature requests, and more.
You can contact support at any time via email: support@reblaze.com
Or by phone: our international number is +972 (73) 2005230.
Our US toll-free number is: +1 (888) 6155996.
Reblaze support will manage all tickets, and will be responsible for escalation as needed.
Please feel free to contact us. We're eager to help you achieve success, and to harness the full power of the platform!
When an incoming request is received, Reblaze generates internal tags and assigns them to it.
Some tags are assigned early, and are used to make decisions about how the request is handled. For example, if a request's IP is found on the Spamhaus DROP list, it might be assigned a tag of "spamhaus". Then an ACL Profile might block the request because it contains that tag.
Some tags can be generated during processing; they reflect the decisions that were made. For example, a request that was blocked because it violated a Rate Limit will be assigned a tag containing that Rate Limit's name. The tag will be shown in the View Log.
Some tags are defined by the user, while others are generated automatically by Reblaze.
Session Profiling Lists are user-defined lists of criteria with one or more associated tags. Requests which match the criteria will be assigned those tags.
A Profiling List can be based on an external list (e.g., the Spamhaus DROP list), or a user-defined custom list (e.g., a list of IP addresses used by the internal QA team).
Many tags are generated automatically by Reblaze. Examples:
Every request receives a tag of "all".
Every request receives several tags according to its source (the IP address, geolocation, etc.)
Every request receives two tags for the Security Profile that it matched (both at the domain level and at the Path Map level).
Requests which violate a security policy or have other problems, receive tags with descriptive names (e.g., the name of the policy that was violated).
When tag names are generated from underlying values (IP addresses, security rule names, etc.), hyphens will replace spaces and special characters.
Sometimes a request will get two separate tags that seem to be redundant. For example:
urlmap-default-entry
urlmap-entry-default
When a Security Profile is matched with a request, a tag is generated for the Profile itself, and for the Profile that was used. If the names are similar (which is true for default values, as in the example), then the tags can appear to be redundant.
used for specifying matching conditions
Within the Reblaze interface, there are several features that require matching conditions to be specified.
The text boxes accept strings or PCRE (Perl Compatible Regular Expressions). If you are unsure of PCRE syntax, you can test your expression at sites such as https://regex101.com, which will show you how it will be parsed.
Below are some examples of syntax for specifying matching patterns.
A common pattern is for matching all static content. This pattern in full is:
HTTP defines forty standard status codes that can be used to convey the results of a client’s request. The status codes are divided into the five categories presented below.
Below are examples of the most common HTTP codes you will encounter in the logs:
Specifying Time-To-Live values.
The following table includes a list of TTL expressions:
Functionality
Syntax
Remarks
Match /Images/ or /images/ or /IMAGES/
~* /images/
Case insensitive, regular expression matching.
Match URLs that ends with .DOC or .PDF
~ \.(DOC|PDF)$
Case sensitive, regular expression matching.
Match URLs that ends with .gif or .jpg
~* \.(gif|jpg)$
Case insensitive, regular expression matching.
Match exact URL, e.g. Root / or /admin
= /
or = /admin
Searching stops immediately (this match is top priority).
Match all URLs starting with /documents/
/documents/
System will continue search for a regular expression match. This will be matched only if none will be found.
Prioritize URLs starting with /documents/
^~ /documents/
^~ means - match and halt searching, i.e. regular expressions will not be checked.
Match 'entire site' (anything else)
/
Matches any URL since all begins with "/". However, regular expressions and longer entries will take priority.
CATEGORY
DESCRIPTION
1xx: Informational
Indicates that the client's request is being processed.
2xx: Success
Indicates that the client’s request was accepted successfully.
3xx: Redirection
Indicates that the client must take some additional action in order to complete their request.
4xx: Client Error
Indicates an error for which the client is responsible.
5xx: Server Error
Indicates an error for which the server is responsible.
HTTP Code
Description
200
OK: the standard response for successful HTTP requests.
301
Used for URL redirection
400
Bad Request
401
Unauthorized—authentication has failed
403
Forbidden—request refused by Reblaze or origin server
404
Destination not found
405
Method not allowed
408
Request timeout
413
Payload too large
414
Request-URI too long
444
No Response (nginx)
499
Client Closed Request (nginx)
500
Internal Server Error
503
Service Unavailable—Server is unable to handle the request
505
HTTP version not supported
Value or Situation
Example tag
(Every request)
all
IP address
ip-192-168-0-2
ASN
asn-1680
Country
geo-canada
URL Map that the request matched
urlmap-default-entry
WAF signature #100039 was violated.
waf-sig-100039
A Rate Limit (named "Rate limit rule 5/60") is being evaluated.
rate-limit-rule-5-60
Custom expiration syntax examples | Description |
| Expires after 30 minutes. |
| Expires after 24 hours. |
| Expires after 5 days. |
| Expires after 1 week. |
| Expires after 3 months (3*30 days). |
| Expires after 1 year (365 days). |
| Calculate 24 hours since modification time, and set expiration accordingly. |
For mobile/native applications, Reblaze authenticates the client itself and all communication with it.
At Reblaze, we provide an SDK (for both Android and iOS) to our customers, who rebuild and publish their applications with the SDK embedded. In use, it signs the application, authenticates the device, and verifies user identity.
All communications occur over TLS and include an HMAC signature (a cryptographic identity mechanism on the client side) to harden communications between the mobile/native application and the microservice/API endpoint. The signatures are non-reproducible, non-guessable, non-repeating (they are unique per session and per request), and are based on dozens of parameters (time-based, location-based, environment-based, and more). They provide a reliable, secure mechanism to verify that the packets are originating from a legitimate user, and not from an emulator or other bot.
Instructions and code samples for the Reblaze Mobile SDK are available here: