Planet configuration and other parameters
The Settings section contains a large number of configuration values for Reblaze. These tend to be parameters that, once set up, will usually not change during your use of Reblaze.
There are five sections in this part of the interface.
Web Proxy contains parameters for the overall architecture of Reblaze and its interaction with the downstream clients and the upstream network. It includes settings for proxy behavior, load balancing, failover, and more. It is also where you assign Security Profiles to specific areas of your website.
SSL Management is where SSL Certificates are uploaded and managed.
DNS is where DNS records are configured.
Planet Overview shows you information relevant to your entire planet: the active domains and applications, what notifications are issued in response to events, and the ability to Publish changes that were made elsewhere in the interface.
Account is where your user account settings are managed.
This section defines the Services that Reblaze will protect. In other words, these are the destinations to which Reblaze will send the (legitimate) traffic it receives.
Each Service can receive traffic for multiple web applications, and for multiple resources/locations within each web application. These assignments are made on the Web Proxy page.
At the top of the window, the title on the left displays the Service currently being displayed for editing. The pulldown on the right allows the selection of a different Service.
To add a Service, click on the "Add" button (the plus sign).
When editing is complete, click on the Save button and then publish your changes.
For a single Service, you can define multiple endpoints. Within them you can:
Enable and configure load balancing, weighting and distributing traffic across your primary endpoints.
Define backup hosts, to which Reblaze will fail over your traffic when your primary hosts aren’t available.
Take hosts offline for maintenance by ticking a single box in the interface.
Adding and deleting endpoints from this list is straightforward. To add an endpoint, click on the Add button (the plus sign) and fill out the new entry. To delete an existing entry, click on the delete link next to that entry.
The settings for each endpoint in the list are as follows.
The Name field defines the description for this Service within Reblaze.
Use HTTP/1.1: selecting this can speed up communication, via the use of connection pooling.
Transport Protocol: this configures the communication between Reblaze and the backend.
Sometimes an application requires a user to be connected to the same Reblaze instance and backend endpoint throughout the session. Reblaze can ensure that this occurs, and can do so using a variety of methods.
Administration of certificates
This section allows you to manage your SSL Certificates. You can create, edit, attach, and remove certificates. The certificates themselves can be uploaded and stored in Reblaze's cloud, or on a cloud load balancer.
If you are reading this Manual as part of an initial evaluation of Reblaze, and if you have large numbers of certificates to manage, you should know that Reblaze treats certificates differently than most other security solutions.
It's not unusual for some companies (especially SaaS platforms) to have dozens or even hundreds of certificates to manage. Unfortunately, most security solutions treat each SSL Certificate as a separate "site," and they charge their customers on a per-site basis. Thus, these solutions can be extremely expensive.
Contrary to this, Reblaze does not treat certificates as sites. A certificate is merely a certificate. For customers with tens or hundreds of certificates to manage, Reblaze's monthly pricing can be one or two orders of magnitude less than its competitors'.
The SSL Management interface is split into 2 tabs: Load balancers and Certificate store.
The Load balancers list shows the load balancers for the current site, and the certificates that are attached to them. Certificate store is where certificates are managed.
For each load balancer shown in the list, the displayed parameters are:
Table 1: Max number of certificates depending on the load balancer type
Table 2: Cloud vendor regions
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
Selecting an entry in the list expands it to show that load balancer's details: a default certificate, and a list of any additional attached certificates.
The expanded list provides several buttons to perform administrative actions.
To change the default certificate for the load balancer, select the Set default button next to the name of the desired certificate.
To remove a certificate from the list, select the Detach button next to its name.
To attach a certificate from the certificate store, select Attach certificate. See discussion below.
Additional certificates can be attached to a load balancer until it reaches its full capacity, i.e. the maximum number of certificates shown in Table 1. (Full capacity is indicated when the "# Of Certs" column contains two identical numbers, e.g., "15 / 15". Also, the Attach certificate button will change to the message "You have reached the max certificates quota for the load balancer.")
To attach a certificate, select the Attach certificate button. This will open a modal window with a list of unattached certificates from the certificate store:
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
To attach a certificate, press the Attach button next to its name. The certificate will disappear from this list and appear in the list of the certificates attached to the load balancer (see Figure 2).
This tab displays certificates according to the site to which they are attached.
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
For each entry, the displayed parameters are:
Certificates are loaded to the console. After that they can be loaded to a cloud provider. The AWS/GCP columns indicate which provider has the certificate. It can be none, one, or both.
Reblaze provides the capability to generate an SSL Certificate for free using the Let's Encrypt service. This can be done using the "Generate Certificate" button on the Planet Overview page.
SSL certificates can be added to Reblaze in two ways:
Uploading a PFX file.
Manually entering the certificate information.
In both cases, begin by clicking the "+" button. This dialog will appear:
To upload a PFX file, select "Extract pfx file." Otherwise, enter the Private Key, Certificate body and Intermediate chain values into their respective text boxes.
To remove an existing certificate, click on its trash icon to the right of its entry in the list. You can delete a certificate if it's not linked to a site. However, you cannot remove the last certificate on a load balancer.
To edit a certificate, click on its edit icon to the right of its entry in the list. This dialog will appear:
The following options are offered:
Attach to application - Select an application/site and attach it to this certificate.
Replace existing certificates - When this is chosen, a "Select Certificate" dropdown list will appear. Selecting one and then clicking "Save" will result in all sites/applications being transferred from the selected certificate over to the certificate you're currently editing.
Auto Replacement by Let's Encrypt: See discussion below.
Download PFX: Download the certificate information as a file in PFX format.
When managing certificates through one of these options (except for "Download PFX"), you must click the Save button to preserve your changes.
Let's Encrypt is a free certificate authority service. Reblaze integrates with it, and offers this service by default.
Once a day, Reblaze will check each application it protects. If that application's certificate is going to expire in the coming week, and the Auto Let's Encrypt Replacement option for that certificate is enabled, Reblaze will generate a new certificate using Let's Encrypt, and will attach all of its sites to the new certificate.
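A consequence of the daily check and the one-week window is that a certificate with auto replacement enabled should be replaced while more than six days remain, so one seen with less than that points to a failed or skipped run (or an option enabled late). The following audit is an added example, not Reblaze code; the record fields, the 30-day lead time for manually renewed certificates and the sample inventory are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)        # page: "going to expire in the coming week"
INTERVAL = timedelta(days=1)      # page: the check runs "once a day"
MANUAL_LEAD = timedelta(days=30)  # assumption: warning lead time without auto replacement

def not_after(cert_time):
    """Parse a notAfter string in the format ssl.SSLSocket.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def classify(cert, now):
    remaining = not_after(cert["not_after"]) - now
    if remaining <= timedelta(0):
        return "expired"
    if cert["auto_replace"]:
        # A daily check with a 7-day window should replace a certificate while
        # more than 6 days remain; less than that means a run failed or was skipped.
        if remaining < WINDOW - INTERVAL:
            return "replacement_overdue"
        return "replacement_due" if remaining <= WINDOW else "ok"
    return "manual_renewal" if remaining <= MANUAL_LEAD else "ok"

def audit(certs, now):
    """Map each status to certificate names, soonest expiry first."""
    report = {}
    for cert in sorted(certs, key=lambda c: not_after(c["not_after"])):
        report.setdefault(classify(cert, now), []).append(cert["name"])
    return report

# Constructed inventory: names, dates and the auto_replace field are invented here.
SAMPLE = [
    {"name": "blog", "not_after": "Jun 01 12:00:00 2025 GMT", "auto_replace": True},
    {"name": "shop", "not_after": "Mar 20 18:00:00 2025 GMT", "auto_replace": True},
    {"name": "api", "not_after": "Mar 17 12:00:00 2025 GMT", "auto_replace": True},
    {"name": "legacy", "not_after": "Mar 30 12:00:00 2025 GMT", "auto_replace": False},
    {"name": "old", "not_after": "Mar 10 12:00:00 2025 GMT", "auto_replace": False},
]
NOW = datetime(2025, 3, 14, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for status, names in audit(SAMPLE, NOW).items():
        print(f"{status:20} {', '.join(names)}")
```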
Changing user settings
The Account Settings page allows you to manage your Reblaze user accounts.
From this tab, you can reset your password, name, and phone number.
Reblaze uses 2FA (two-factor authentication). There are several options for sending an OTP when you log in:
If only an email address is provided, the OTP will be sent via email.
If a phone number is provided, the OTP will be sent via SMS.
This tab also offers a personal API key, to be used in all requests to the Reblaze API.
This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.
An admin can:
Create a new user
Edit an existing user
Reset a user's password
Delete a user
When a user account is being edited, this will appear:
The available Access Levels are:
Organization Admin: has all Editor permissions, and can also manage users via the Users Management page.
Reblaze Admin: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.
This tab allows SSO to be configured so that users have the ability to log into Reblaze with their Okta or Microsoft accounts.
Configuration options will vary depending on the type of account.
To remove a Service from Reblaze, click on the Delete Service button at the bottom of the window.
As an alternative, you can also get a QR code for use in apps such as Google Authenticator (available for both and ).
Viewer: can see the section, i.e. the Dashboard and View Log.
Editor: has all Viewer permissions, and can also configure security rulesets and policies in the and sections.

| Attribute | Description |
|---|---|
| Host | The name or IP address for each endpoint that Reblaze protects. This can be a normal web server, or it can be a load-balancer. Note that Reblaze also provides load-balancing capabilities in its own right, as discussed below. |
| HTTP Port | The HTTP port for the server. |
| HTTPS Port | The HTTPS port for the server. |
| Weight | The relative weight of each server for load-balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights. For example, if two servers are both set to 'weight=1', they will receive equal amounts of traffic. If the first is set to 'weight=3' while the second is set to 'weight=1', the first server will receive three visitors for every single visitor that the second server receives. |
| Max Fails | The maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway). |
| Fail Timeout | When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. Example: "10s" indicates a fail timeout of 10 seconds. This field uses TTL Expression Syntax. |
| Is Down | When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose. |

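How Weight, Max Fails, Fail Timeout, Is Down and backup hosts interact is easiest to see in a small model. This is an added example, not Reblaze code: the page only says traffic is distributed round-robin according to the weights, so the smooth weighted round-robin selection, the `Endpoint` and `Service` classes, the `backup` flag and the host names used with it are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    host: str
    weight: int = 1
    max_fails: int = 1
    fail_timeout: float = 10.0  # seconds, the "10s" from the table
    is_down: bool = False       # the Is Down checkbox
    backup: bool = False        # assumed flag marking a backup host
    fails: int = 0
    retry_at: float = 0.0       # earliest time the endpoint is tried again
    score: int = 0              # running score for smooth weighted round-robin

    def usable(self, now):
        if self.is_down:
            return False
        if self.fails >= self.max_fails:
            if now < self.retry_at:
                return False    # still inside the fail timeout
            self.fails = 0      # timeout elapsed: eligible for traffic again
        return True

class Service:
    def __init__(self, endpoints):
        self.endpoints = endpoints

    def pick(self, now):
        """Endpoint for the next request, or None (the client gets 502/504)."""
        for tier in (False, True):  # primaries first, then backup hosts
            pool = [e for e in self.endpoints if e.backup == tier and e.usable(now)]
            if pool:
                for e in pool:
                    e.score += e.weight
                best = max(pool, key=lambda e: e.score)
                best.score -= sum(e.weight for e in pool)
                return best
        return None

    def report_failure(self, endpoint, now):
        endpoint.fails += 1
        if endpoint.fails >= endpoint.max_fails:
            endpoint.retry_at = now + endpoint.fail_timeout

def simulate(service, requests, now=0.0):
    """Hosts chosen for `requests` consecutive requests arriving at time `now`."""
    picks = [service.pick(now) for _ in range(requests)]
    return [p.host if p else None for p in picks]
```

With weights 3 and 1, `simulate` yields the repeating sequence a, a, b, a, which spreads the heavier server's share across the cycle instead of sending it three requests in a row.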

| Option | Value |
|---|---|
| Per Request | This is the default mode. Incoming HTTP requests will go over HTTP, and incoming HTTPS requests will go over HTTPS. |
| HTTP Always | All communication between Reblaze and the backend will be over HTTP. (This mode should not be used unless Reblaze runs within the same cloud as the backend.) |
| HTTPS Always | All communication between Reblaze and the backend will be over HTTPS. |
| Port Bridge Mode | Reblaze will use the same port as the incoming request. This is not limited to ports 80 and 443; Reblaze will use whatever port was specified. Note: this mode is not available when more than one host is defined. |


| Stickiness Model | Action |
|---|---|
| None | This is the default. Requests will be distributed across the endpoints in a round-robin fashion, according to the Weights assigned to them (described above in the Endpoint Definitions). |
| Auto Cookie | Reblaze will automatically generate a cookie to maintain the session on the same endpoint. |
| Custom Cookie | You can provide the name of the cookie that Reblaze will use to track the session, e.g. one generated by an AWS or GCP load balancer. |
| IP Hash | Routing will be determined from a hash of the client and destination IP addresses. |
| Least Connection | Requests will be sent to the endpoint with the fewest number of connections. |


| Parameter | Description |
|---|---|
| Name | A unique identifier for use elsewhere in the interface. |
| # Of Certs | Number of certificates attached to the load balancer / maximum number of certificates that can be attached to a load balancer of this type (as shown in Table 1 below). |
| Cloud Provider | AWS, Azure, GCP or a custom cloud provider. |
| DNS Name | The load balancer's DNS name. |
| Region | The cloud vendor region name (from Table 2 below). |
| Type | Load balancer type (from Table 1 below). |


| Load balancer type | Max number of certificates |
|---|---|
| gcp | 15 |
| application | 25 |
| classic | 1 |


| Cloud vendor | Regions |
|---|---|
| GCP | asia-east1 asia-east2 asia-northeast1 asia-northeast2 asia-northeast3 asia-south1 asia-southeast1 asia-southeast2 australia-southeast1 europe-north1 europe-west1 europe-west2 europe-west3 europe-west4 europe-west6 northamerica-northeast1 southamerica-east1 us-central1 us-east1 us-east4 us-west1 us-west2 us-west3 us-west4 |
| AWS | us-east-2 us-east-1 us-west-1 us-west-2 af-south-1 ap-east-1 ap-south-1 ap-northeast-3 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-south-1 eu-west-3 eu-north-1 me-south-1 sa-east-1 |
| Azure | eastasia southeastasia centralus eastus eastus2 westus northcentralus southcentralus northeurope westeurope japanwest japaneast brazilsouth australiaeast australiasoutheast southindia centralindia westindia canadacentral canadaeast uksouth ukwest westcentralus westus2 koreacentral koreasouth francecentral francesouth australiacentral australiacentral2 uaecentral uaenorth southafricanorth southafricawest switzerlandnorth switzerlandwest germanynorth germanywestcentral norwaywest norwayeast |
| Digital Ocean | NYC1 NYC2 NYC3 AMS2 AMS3 SFO1 SFO2 SFO3 SGP1 LON1 FRA1 TOR1 BLR1 |


| Parameter | Description |
|---|---|
| Name | A unique identifier for use elsewhere in the interface. |
| AWS | Whether the certificate is loaded to AWS (see explanation below). |
| GCP | Whether the certificate is loaded to GCP (see explanation below). |
| Expiration Date | When the certificate expires. |
| Linked To | This field is populated when this certificate is chosen for use in the Proxy Settings section. |

When you deploy Reblaze to protect your web assets, it acts as a proxy; it receives requests from clients (web visitors, mobile/native app users, etc.), blocks hostile traffic, and passes legitimate requests to your servers.
The Web Proxy page defines how Reblaze behaves in this role. It contains these sections, from top to bottom:
After making edits to this section, Save Changes and Publish them to the cloud.
At the top of the page, the title shows the web application currently being displayed below for editing.
The pulldown on the right selects the web applications to edit. The save button on the far right saves the edits that have been made to the current application.