Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Easy-to-use checklists for starting and testing Reblaze
An update is pending for this section. You can use the description below to gather information you'll need for the setup, but please contact Reblaze support for the current instructions.
Please go through these checklists, and verify that their actions have been completed, both before and after your traffic is routed through Reblaze.
There are three checklists below: two for setup, and one for testing.
Before going through the checklists below, you should already have performed the actions listed in Getting Started.
Item
Action
More Information
Web Server Firewall
& Hosting Firewall
Verify that Reblaze IPs are whitelisted in the firewall.
Also, please ensure that only Reblaze IPs are able to access your web server, i.e. block access for all non-Reblaze IPs. This can be done via a set of rules for your firewall, or via .htaccess files.
Rate Limits
Verify that you're not using any Rate Limit/QOS rules that apply to Reblaze IPs.
This avoids potential blacklisting of Reblaze, and other availability issues. (If Rate Limits are applied, Reblaze can be misidentified as a DDoS source.)
Website Cache Settings
Ensure that each site/application returns the correct caching instructions.
Item
Action
More Information
Upstream Server
Verify that the settings for each domain/site are correct.
SSL
Non- Browser Applications
If your application serves bots or other non-browser clients (e.g., monitoring services, mobile/native applications using an API, etc.), you will need to exempt them from Reblaze's browser challenges.
Web Application Firewall (WAF)
Block Known Sources
Reject traffic from sources known to be hostile (e.g., IPs, countries, etc.)
Whitelist Known Sources
Exempt specific traffic sources from inspection and filtering.
DDoS Settings (Rate Limits)
Review the rate limits to ensure they match your site's capacity. For most use cases, the default settings should work well.
Alerts
Review and customize alerts and notifications according to your needs.
Account
Sometimes new customers enter placeholder values at first. Ideally, correct values would be in place by the time Reblaze is active.
When the following checklist has been completed, you'll be ready to go.
Note: by default, Reblaze is deployed in Report mode for all applications. In this mode, it will not block traffic; it merely reports on the traffic it would have blocked, if that application had been set to Active mode.
Item
What to verify
More Information
Check DNS
Run a DNS query for the website, and validate that the DNS records of the HTTP/S services are pointing to Reblaze CNAME /IPs only.
Test Traffic
Test Non-Browser Clients
If applicable, generate and test traffic from non-browser clients, and verify via the Dashboard that the requests are not blocked/reported.
This is to validate the (optional) settings configured for non-browser clients, as described in the checklist above.
Monitor and Optimize Settings
A quick-start guide
In this section you'll find a quick setup guide to get your planet (i.e., your entire Reblaze deployment, containing all its domains and web applications) up and running. After completing this section, it's advised to read through the rest of this Manual in order to understand the full capabilities of Reblaze.
Reblaze's support team is always available to assist you. At any step of this process, please feel free to contact us.
The flowchart below describes the process we are about to begin:
The initial login process is as follows:
Go to the link provided by Reblaze.
https://example-console.reblaze.com/
Enter the initial login credentials (in lowercase), which are:
Username = email
Password: Click on "Reset password" in order to set one.
A link will be sent to the provided email address. Click on that link, and on the page that follows, choose and enter a password for your user account.
You will be redirected to your console’s Login page. Please enter the email address specified above, and the password you just created. Then, next to the field which says “Multi-factor Authentication PIN,” select "Text me my code". During your initial setup request, you had provided a mobile phone number; that number will now receive an SMS message with an OTP (One Time Password), which you will enter here.
Click on the Login button.
After you login into the system, the first screen you will see is the Dashboard. This is the main screen for the Reblaze UI; once traffic statistics are available, they will be displayed here. (The Dashboard screen is described in-depth here.)
Before the Dashboard can show anything, your Reblaze planet must be set up. This is done in the Settings -> Planet Overview section.
To add a new web application to Reblaze, you will duplicate the pre-defined default application.
The Reblaze interface does not offer the ability to create a new site or application from scratch, because this process is complicated and error-prone. Instead, you will duplicate the default application and then edit it as needed.
Once you choose the right domain for your new application, you should be redirected automatically to the Settings -> Web Proxy page. If not, go there directly.
If your new application is not already selected for editing, select it now.
In the Frontend section:
Define the Domain Names (the aliases) for your application.
Add the Trusted source IPs.
For many or all of the remaining fields on this page, the default values might be acceptable. You should take a few minutes to go through them to verify this.
When you are finished, save your changes. Then go to the Settings -> Backend Services page.
In the Host field, enter the IP address of the backend server(s).
Then verify that the default values on the rest of the page are acceptable.
When you are finished, save your changes. Then return to the Settings -> Planet Overview page, and publish your changes.
Note: the deployment will not occur until you click "Publish Changes." In general, whenever you work within the Reblaze interface, saving and publishing is always necessary. More information is here: Saving and Publishing Changes.
Don't refresh the page until you get a confirmation that the changes were uploaded to the cloud.
Now it's time to set up your SSL Certificates.
All connections between your server and clients must be encrypted. This requires an SSL Certificate to be installed on the web server. Once a certificate is installed, client browsers can connect via HTTPS instead of HTTP.
With Reblaze, you can either upload an existing certificate into Reblaze, or you can generate a new one for free through the Let's Encrypt service.
Add your certificate to Reblaze, as explained under SSL Management.
Copy the relevant details from the DNS section, and redirect your traffic through Reblaze. (DNS setup varies widely depending on your current configuration, and this Manual cannot discuss every permutation. Contact support if you need assistance with this.)
Go back to "Planet Overview" and publish your changes as explained previously.
Your initial configuration is complete. Welcome to Reblaze!
Copy the relevant details from the DNS section, and redirect your traffic through Reblaze. (DNS setup varies widely depending on your current configuration, and this Manual cannot discuss every permutation. Contact support if you need assistance with this.)
Return to the Planet Overview page. Create a certificate using the "Generate Certificate" button in your application's listing there.
Publish your changes as explained previously.
Your initial configuration is complete. Welcome to Reblaze!
The DNS section doesn't exist for marketplace deployments.
Product overview, architecture, and how it works
Reblaze Technologies offers an all-in-one web security platform. It includes a next-gen Web Application Firewall (WAF), full-scope autoscaling Denial of Service (DoS)/Distributed Denial of Service (DDoS) protection, advanced bot management, real-time traffic monitoring & control, full historical logs & analytics, and more.
Reblaze is fully integrated with the top-tier public cloud providers (AWS, Azure, and GCP), and runs on the customer’s clouds of choice. The platform protects web applications, services and microservices, and API endpoints.
The platform is designed around a no-compromise approach to web security. All customers enjoy comprehensive protection, without having to purchase premium tiers or subscribe to additional services. Each customer receives a dedicated Virtual Private Cloud (VPC), eliminating multi-tenancy vulnerabilities. For maximum privacy, all traffic data is processed exclusively inside the customers’ clouds. Fine-grained ACLs enable precise traffic regulation. An intuitive web-based management console provides real-time traffic control. Multivariate threat detection, behavioral analysis, and machine learning ensure accurate, adaptive protection.
Reblaze deploys as a reverse proxy, geolocated immediately in front of the protected network for minimal latency. As incoming traffic passes through Reblaze, attack traffic is blocked and denied access. The platform's overall architecture is as follows:
Reblaze deploys a dedicated VPC for each customer: an entire full-stack environment for each protected web platform, deployed immediately and automatically, and running across one or more cloud vendors (usually AWS, GCP and Microsoft Azure, although private clouds are supported as well).
All incoming traffic is routed through the VPC and scrubbed as it passes through. Latency is negligible (generally 1.5 milliseconds or less).
Hostile traffic is blocked before it reaches the protected network. Legitimate traffic has normal access to the requested resources.
Attackers cannot reach, or even find, the targeted web platform.
Bandwidth, compute, and other resources scale automatically as needed, limited only by the capacity of the global cloud.
Remote management ensures minimal obligations (of time or expertise) from onsite staff.
Reblaze supports various methods of authentication such as Basic, Digest, and Kerberos. (Note that NTLM cannot work with reverse proxies, and thus Reblaze does not support NTLM sites/applications.)
With Reblaze, you can process and scrub your traffic exclusively within your clouds—the clouds you already trust for your other business processes.
Reblaze is integrated with, and runs natively on, multiple cloud platforms, including the top-tiers (AWS, GCP, and Azure). It can run on any combination of clouds, on your choice of accounts (Reblaze’s, yours, or a combination of the two), and it deploys in minutes.
Reblaze deploys slightly differently on each platform, to take full advantage of its inherent capabilities.
Here is an example deployment of Reblaze on Google Cloud Platform.
Static content is served by the CDN. Incoming dynamic requests are directed through Cloud Load Balancing (capable of handling millions of requests per second) to ensure that the request processing time is minimal and availability will be fully utilized.
Requests are routed through the Auto Scaled instance group of "Reblazers" (security logic units) that will inspect the traffic, and according to their security policies, will bypass, deny, or allow the requests. Rule updates are sent to Cloud Armor, which blocks hostile traffic at the edges.
All incoming requests and their disposition are displayed in the console admin, and also streamed into Cloud Security Command Center (not shown above for lack of space).
All events and requests are recorded in BigQuery, accessible to users at all times via full historical logs. Cloud Machine Learning is used to analyze the data. Reblaze identifies new traffic and behavioral patterns (both legitimate and hostile), and updates all deployments appropriately. Thus, even as new web threats arise, Reblaze hardens itself against them.
All Security policies are stored in secure Cloud Storage and constantly synchronized.
Here is an example deployment on AWS. The overall traffic flow and processing is similar to that described above for GCP, although it leverages AWS's native capabilities.
Here is an example deployment on Azure.
You can also control caching behavior through Reblaze using .
Servers are defined in . Security policies are assigned to domain/site URIs on the page.
Verify that your SSL setup (which should have been performed already, as described in ) is complete before routing traffic to Reblaze. (Note that if you want Reblaze to generate Let's Encrypt certificates for you, the traffic must be routed to Reblaze before the certificate can be generated.)
You can use pre-existing certificates, or generate new ones via Reblaze. .
Mobile/native applications are exempted by using the .
For other non-browser clients, you should . It is highly recommended that you to replace them. More info on the overall challenge process is .
Review the default and , to ensure they meet your needs. If more customized rulesets are needed, define new Policies.
The Policies are assigned to URIs within the sites/domains in the section of the page.
Lists of sources are selected/defined in . Their associated tags are included within with an operation of "Deny".
Lists of sources are selected/defined in . Their associated tags are included within with an operation of "Allow" or "Bypass".
Some settings are in ; others are in . .
Done within the .
Review your to ensure they are correct.
You can use tools such as .
Generate traffic to your site, and verify that it is being displayed in the . For more in-depth traffic inspection, you can use the . If SSL traffic is used, use your web browser to validate that the right certificate is being used.
Both the Dashboard and View Log include a Query box to filter their displays. Here's .
As traffic is processed by Reblaze, review the Dashboard (and ideally, the View Log) to see the decisions that are being made. Optimize Reblaze until it is performing as expected. Once you are satisfied with Reblaze's traffic scrubbing, .
Reblaze's logs are a rich source of insights into incoming traffic. Highly recommended reading:
Product Manual and documentation
Marketplace overview
Reblaze can be deployed via two main marketplaces: GCP, AWS and soon, Azure. In the future, with growing demand, the Reblaze solution will be added to other cloud computing platforms. Of course, Reblaze managed services is offered to you as well.
These guides will walk you through the process from the first "Launch" click on the marketplace until Reblaze is successfully deployed and protecting your website. We offer our help at any step of the process at support@reblaze.com.
Coming soon: Azure
Deploying Reblaze via AWS is done by selecting the deployment, subscribing to Reblaze, configuring the deployment version and region, and then launching the application.
Go to the AWS Marketplace at https://aws.amazon.com/marketplace.
If you already have an AWS account, sign in to your account. Otherwise, you will have to create an account at https://aws.amazon.com/.
Search for Reblaze.
There are two Reblaze deployments available:
Select the result for a SAAS contract (in above screen, the second result)
Review the pricing information, if you wish
Go to the top of the page and select Continue to Subscribe
Now, select the Reblaze contract and time period which best fits your needs. Then click on Create contract at the top of the page.
4. AWS will ask you to confirm your contract. To continue, click Pay now.
AWS will inform you that you have subscribed. Now click Setup your account.
Following your account setup, the Reblaze License Manager window appears. Click Sign Up and then enter the details requested, ensuring your email and phone number are valid. They will be needed later on.
Note that your phone number must be entered using the international format: the "+" sign followed by the country code, area code and number (no spaces or hyphens; for example, a US number: +17891234567). The phone number must be able to receive text messages.
When you have finished, select Sign up.
In the next window of the Reblaze License Manager, specify a password and select Set password.
Now, sign into the Reblaze License Manager with the credentials you just created. This is where you will create your licenses for Reblaze.
Note that a separate license is needed for each Reblaze console. If you have multiple environments but wish to use only one Reblaze console, you will need just one license. But if you wish to have multiple consoles you will require multiple licenses.
For each license needed, select the Generate new license button (see below).
After you generate a license, you will receive a Welcome email containing your License ID and an AWS Marketplace link which leads to the Product Overview page in the Marketplace.
If you do not wish to wait for the email and link from AWS, you may reach the same page directly from the AWS Marketplace.
If you do this by returning to the previous tab used, be sure to close the pop-up, shown below, without clicking the orange Setup button since you have already setup your account.
Now, go to the search field at the top of the page and once again, enter: Reblaze.
Select the link that has a version number (which does not say SAAS contract). This will take you to the Product Overview page. On the upper right hand of the page, click the Continue to Subscribe button.
Next, click Continue to Configuration in the upper right part of the page.
After selecting "Continue to Configuration," the Configure this software screen will appear. Confirm that the AWS region is correct. Then click the Continue to Launch button on the upper right.
The Launch this software screen will appear.
In the Choose Action section, select Launch CloudFormation from the dropdown box. Click Launch and begin the Launch process.
Accept the default template and then enter the Stack details: define a name for the Stack and specify the Vpcid.
Choose the Subnets in your AWS environment.
In the RBZAllowAccess field, enter the IP from your VPC, as appears in the Vpcid field.
In the Notification Email field, enter an email address.
In the Reblaze License ID field, enter the ID you generated in the Reblaze License Manager.
Click Next.
Clicking "Next" (above) brings you to the Advanced options screen where stack options are configured. Many users will not need to enter any information on this screen, so you can click Next.
At this point, AWS will display a summary of the stack you are about to create. Review it and then click Create stack. AWS now creates the stack. Once created, you will be able to see the stack in the awstraining box in the Stacks section on the left, as shown in the screen in the next section (immediately below).
Now, go to the Outputs tab and click the link circled below.
The link will take you to the Reblaze Management Console. You can now deploy Reblaze.
Enter the Login credentials you defined earlier.
The Welcome to Reblaze screen will be displayed with the account details automatically completed. At the bottom of the screen, click Complete Deployment. The remaining deployment steps and console creation now take place automatically in Reblaze.
Once you have received notification on your screen that the process is complete, you will be brought to the Reset My Password page.
Enter your email address and click Reset My Password.
This will bring you to the Log In screen.
Do not fill in the fields on the Log In screen.
Wait for the email Reblaze will have sent you containing a link to the Reset Your Password screen.
Create a new password and click Reset My Password.
You will be returned to the Log In screen. From here you may begin setting up your sites and web applications within Reblaze.
Continue to Configure the Reblaze Platform
During initial deployment, an autoscale group for Reblaze was created. In this section, you will attach this group to an AWS Application Load Balancer.
Related video: Reblaze from AWS Marketplace: Routing Traffic
Go to the AWS Management console at https://console.aws.amazon.com/.
In AWS Services, go to EC2 > Load Balancers and click Create Load Balancer.
3. Click Create for Application Load Balancer.
4. Set the Load Balancer parameters:
1. Enter a name for the Load Balancer.
2. Under Load Balancer Protocol, select HTTP and HTTPS.
3. Under Availability Zones, select at least 2 zones.
These should be the same zones as you selected when specifying CloudFormation parameters in Specify Stack Details.
5. Click Next: Configure Security Settings.
On the HTTPS listener, attach the correct certificate and select the Security policy.
Select a certificate name.
Select a security policy.
Click Next: Configure Security Groups.
Allow access to the Load Balancer. Typically you will add a new security group for this, or you can select an existing one.
Select Create a new security group.
Enter a name for the security group.
For TYPE, click and select HTTP for the first row and HTTPS for the second row.
Click Next: Configure Routing.
For Target Group, select Existing target group.
For Target type, select Reblaze-80. This is already available from the Marketplace deployment.
Click Next: Register Targets.
Click Next: Review.
Click Create.
Once the load balancer is created, click Close.
The Load Balancer has been created and will appear on the Load Balancer page. Since you created an HTTPS listener earlier, the target group will require an update.
Select the Listeners tab for the load balancer.
You can see that both Listeners are being forwarded to Reblaze-80. Click View/edit rules for HTTPS 443. The Rules page for HTTPS:443 appears.
Click the edit icon (the pencil icon) on the Rules toolbar to edit the rules, then click the edit icon for HTTP:443. The Edit Rule box appears.
Click the edit icon under THEN.
For Target group, select Reblaze-443.
Click Update on the Rules toolbar. A message that "Default rule was successfully updated" appears.
Click the back arrow on the Rules toolbar to return to the Load Balancer page.
To confirm that the load balancer is configured correctly:
Select the Description tab for the load balancer.
Highlight the DNS name and click the copy icon next to it.
Paste the DNS into a browser window. The browser should return a "403 Forbidden" page from "rhino-core-shield".
Now, return to AWS for the final steps needed to get Reblaze running on your website.
This section describes how to onboard and deploy Reblaze via the Google Cloud Platform (GCP) Marketplace.
This guide will walk you through the process from the first access of the marketplace until Reblaze is successfully deployed and protecting your website. We offer our help at any step of the process at support@reblaze.com.
Before carrying out your first deployment, we suggest that you watch these videos to better understand the onboarding and deployment process.
The process for onboarding Reblaze in GCP includes the following steps:
At this point, your deployment and setup are complete. To see the IP address of the new load balancer: from your Google Cloud Platform Console, select Navigation menu > Network services > Load Balancing and then click the name of the load balancer to see its details.
Now test to check whether your website works correctly when routing traffic to the Reblaze deployment. Perform offline testing by modifying your hosts file to point your website to the load balancer. If you see that you are returned to your website, routing via Reblaze is working correctly.
The last remaining step is to route your traffic to the load balancer, which will send it to your Reblaze instance(s). Reblaze will scrub the traffic and forward it on to your servers. To setup this routing, set your DNS record to the IP address that is resolved from the load balancer DNS Name.
Initially, Reblaze is setup for report-only mode. Assuming that this option was not changed, then Reblaze is not yet filtering your traffic; it is merely reporting on what it would have filtered had it been set up in active mode. This gives you an opportunity to fine-tune Reblaze’s configuration before any of your traffic is actually affected. When you are comfortable with the reporting results, move the application to Active mode and publish the change, as described in Configure the Reblaze Platform.
As you might notice from looking through the interface, the Reblaze web security platform is both powerful and highly customizable, with the ability to be fine-tuned for your specific needs. However, it is beyond the scope of this document to describe this customization process. Furthermore, a full and correct customization is often rather daunting for new users.
For more information on using Reblaze, see the user manual at https://gb.docs.reblaze.com/.
We at Reblaze Technologies want you to have the best experience possible with the platform, so that you will enjoy the full benefits of comprehensive, intelligent, and effortless web security. Therefore, please feel free to contact support at support@reblaze.com, for further one- on-one assistance in setting up your deployment. We’re available 24 hours per day to assist you.
Viewing current and historical traffic data
The Traffic section allows you to monitor your network activity on a monthly, weekly, daily, hourly, or even minute-by-minute basis. It contains two primary sections: the Dashboard and View Log.
Dashboard: Provides an overview and a breakdown of your traffic to the VPC, during specified time frames. In addition, the Dashboard also provides information about Top Activities (a sorted summary of your top events).
View Log: Provides the ability to view and query network traffic data. You can analyze and monitor traffic data in real time, or over custom time frames.
Before diving into the interface, it's helpful to first read Traffic Concepts: How Reblaze reports on the requests it receives.
This section describes how to onboard and deploy Reblaze via the Amazon AWS Marketplace.
This guide will walk you through the process from the first access of the marketplace until Reblaze is successfully deployed and protecting your website. We offer our help at any step of the process at support@reblaze.com.
Before doing your first deployment, we suggest that you watch these videos to better understand the onboarding and deployment process.
You must have an AWS account in order to use Amazon Web Services. If you do not have an Amazon account, sign up for one at: https://aws.amazon.com/
The process for onboarding Reblaze in AWS includes the following steps:
At this point, your deployment and setup are complete. Now you should test if your website works correctly when routing traffic to the Reblaze deployment. Perform offline testing by modifying your hosts file to point your website to the new load balancer. If you see that you are returned to your website, routing via Reblaze is working correctly.
The last remaining step is to route your traffic to the load balancer, which will send it to your Reblaze instance(s). Reblaze will scrub the traffic and forward it on to your servers. To setup this routing, set your DNS record to the IP address that is resolved from the load balancer DNS Name.
Initially, Reblaze is setup for report-only mode. Assuming that this option was not changed, then Reblaze is not yet filtering your traffic; it is merely reporting on what it would have filtered had it been set up in active mode. This gives you an opportunity to fine-tune Reblaze’s configuration before any of your traffic is actually affected. When you are comfortable with the reporting results, move the application to Active mode and publish the change, as described in Configure the Reblaze Platform.
As you might notice from looking through the interface, the Reblaze web security platform is both powerful and highly customizable, with the ability to be fine-tuned for your specific needs. However, it is beyond the scope of this document to describe this customization process. Furthermore, a full and correct customization is often rather daunting for new users.
For more information on using Reblaze, see the user manual at https://gb.docs.reblaze.com/.
We at Reblaze Technologies want you to have the best experience possible with the platform, so that you will enjoy the full benefits of comprehensive, intelligent, and effortless web security. Therefore, please feel free to contact support at support@reblaze.com, for further one- on-one assistance in setting up your deployment. We’re available 24 hours per day to assist you.
Log into Reblaze to configure the Reblaze platform for your environment.
Once you have completed the deployment process, this section will guide you through the process to complete the site setup and link your web applications to Reblaze.
Log into Reblaze. Enter your email address and password, and click the envelope icon to receive a one-time password (OTP). The OTP will go to the telephone number you gave when you created your login account.
Enter the OTP and click Log In. Your Reblaze dashboard appears.
From the navigation panel, go to Settings > Planet Overview. This shows all the sites and web applications defined within Reblaze. Note: Since the initial setup of a site or application is prone to error, Reblaze lets you create a new application only by copying an existing application and then editing the results. A new Reblaze deployment includes a default application for this purpose.
Click Duplicate on the row of the default application.
5. Enter the name of the new site or application.
6. Click Duplicate. The new site/application is created and opened for editing.
We will use the default Reblaze settings when appropriate.
A note on load balancing: Please note that the load balancing parameters shown here are separate from the load balancer that you will set up in . The load balancing within Reblaze (which is defined here) is done to distribute scrubbed traffic across the servers within your network. The load balancing outside of Reblaze will dynamically create new instances of Reblaze as needed, in response to spikes of incoming traffic which has not yet been scrubbed. For more details about Reblaze settings, see Reblaze Deployment Terminology in the Reblaze user manual at
7. Under Host, enter the IP address for the upstream server. This is the server that Reblaze will sent the traffic after the traffic is scrubbed.
8. To add additional servers, click Add and enter the IP address for each one.
9. In the Domain Names box, enter the domain aliases for this site or application. Wild cards can be used.
10. (optional) To redirect all HTTP traffic to HTTPS, copy the return 301 https... command as described on the page into the HTTP Redirect Line box.
11. Click Save Changes.
12. You will be prompted to publish your changes to the cloud. Close the popup box and click Publish Changes. Important: After publishing, there will be a message at the bottom that the changes are being published to the cloud. Do not refresh or leave this page until the publishing process is finished.
13. By default, a new application is set to report only mode. In this mode, Reblaze does not filter any traffic. It only reports on traffic that would have been filtered if it were in active mode. This is useful if you want to test or fine-tune an application or new deployment. To move an application to active mode, click the REPORT button to toggle it to ACTIVE mode, and then publish the change.
The initial configuration of Reblaze is now complete. For the full set of configuration parameters, see the Reblaze user manual at .
Continue to
How Reblaze reports on the requests it receives
The Reblaze Dashboard and View Log provide intuitive yet very powerful ways of viewing your traffic.
Within those sections, your traffic data is reported in terms of several statistics:
Statistic
Comment
Hits
Total incoming requests
Humans
Requests originating from humans.
Bots
Requests originating from traffic sources not (yet) verified to be human. Most of the requestors will be bots, but some will not be. More on this below.
Passed
Requests accepted by Reblaze and passed upstream to the origin (i.e., the web server, API endpoint, etc.).
Blocks
Requests deemed to be hostile, and blocked.
Challenges
The Dashboard provides a variety of ways to view your traffic. Most of them do not include all of the above metrics in the same view (as in the first screenshot below), but some do (as in the second screenshot below).
Reblaze processes "web" requests (http/s traffic for a web site or application) differently than API requests from a mobile/native application. Mobile applications have different methods of client authentication, as discussed here: Mobile SDK.
The discussion below is for sites and web applications.
Most of the Reblaze interface focuses on configuration for:
The detection and mitigation of hostile requests.
The detection and mitigation of hostile behavior of requestors.
The challenge process is different. It is built into Reblaze, and provides a third approach to security. It mitigates threats based on the requestor's identity and environment.
When Reblaze receives the first request from a previously unknown traffic source (below described as the "user"), this is the typical process that is followed.
Reblaze challenges the user's browsing environment. Reblaze uses a variety of proprietary, multi-faceted techniques to verify that this requestor is a human using a browser, instead of a bot using a headless browser or emulator. (For more detailed information, see Environmental detection and browser verification.)
If the challenge is not passed, the request is suspected to be a bot, and another challenge is issued. This process continues until a challenge is passed, or a threshold is reached (e.g., via a Dynamic Rule) to ban the requestor.
If the challenge is passed, the browser's session is authenticated, and the browser receives cookies from Reblaze.
The browser then automatically resubmits the original request, but this time, the cookies are included. The user is granted access to the requested URL, resources, etc.
Subsequent requests will also include the cookies, and thus, they are not challenged.
This process happens quickly (in a few milliseconds), and is invisible to the user.
As noted above, this is the "typical" process that occurs in normal use. There are a variety of situations in which it might not be followed. For example, sometimes Reblaze is configured to whitelist certain IP addresses, and not to challenge them.
The discussion below will be based on the typical process described above.
The process described above will result in the following statistics being incremented.
For each challenge that was not passed:
Hits
Challenge
Bots
If the challenge was passed:
Hits
Challenge
Bots (see explanation below)
Hits (incremented a second time for the post-challenge resubmission of the request)
Passed
Humans
Within Reblaze, a request that does not have authenticating cookies is counted as a bot.
As a result, the Bot count can sometimes be incremented even when the visitors are humans. Examples:
When a human user visits a Reblaze-protected site for the first time, the first request does not yet have the authenticating cookies.
Static files (images, etc.) are often exempted from challenges for performance reasons. Direct requests for those URLs from a new visitor will not have cookies.
Sometimes, trusted IPs are whitelisted and exempted from challenges. They never receive authenticating cookies.
Therefore, although most of the Bot count represents non-human requests to your web application, the Bot metric is not an exact count of this.
When working with Reblaze's traffic statistics, the following relationships can be helpful.
The process described on this page is the active challenge process. Out of the box, this is the challenge process that Reblaze uses.
We recommend that whenever possible, customers also enable passive challenges.
Passive challenges still include Environmental detection and browser verification, while adding three additional benefits:
They enable biometric behavioral verification: a much more powerful means of identifying automated traffic, and an important part of Reblaze's behavioral analysis.
In some situations, active challenges can interfere with certain metrics such as those provided by Google Analytics. (The initial referrer information is lost.) If this is a problem, active challenges can be disabled. In this situation, passive challenges can provide effective bot protection instead.
When caching is being done by a CDN, active challenges will not occur for pages being served from the cache. Passive challenges are necessary for Reblaze to perform bot detection in this situation.
If possible, we recommend that customers use both active and passive challenges.
To learn more about passive challenges, go here: Enabling passive challenges.
Requests that were challenged. The is an important part of Reblaze's traffic processing, as seen below.
How to upgrade Reblaze BYOL
#
Step
Executed by
Comments
Estimated duration
1.
Console creation
Reblaze
Configuration migration
1 Day
2.
Create new deployment
Customer
Creating a new instance group
30 minutes
3.
Setup canary instance
Reblaze & Customer
Adding a new template
15 minutes
4.
Verify traffic monitoring
Reblaze & Customer
Verifying that there are no issues with site performance, and making changes to security profiles, if necessary.
1 Hour
5.
Rеmove old template
Customer
Replace all instances
15 minutes
The Reblaze team will set up a new 2.x console for you. Once this is done, proceed to Step 2.
Redis settings: If you already have a Redis server installed (which is usually true for Reblaze installations of v2.14 and later), you do not need to create a new one. If you do not have a Redis server setup, you will need to create one.
Step 2: Create New Deployment
Go to EC2 > Auto Scaling groups, see Launch template configuration ( zone , capacity, type, etc.)
Now go to EC2 > Launch Template Select your template. To create a new launch template version with a new image, click Actions > Modify template
On the screen that appears (below), provide a description of the image (version 2.18.0 was used as an example below):
Scroll further down the page and see the AMI details listed in the AMI from catalog tab:
Next, Reblaze deployment in the AWS marketplace must be set up.
Search for Reblaze and click on the first option.
Scroll down the page and click View CloudFormation Template.
Now click View Template in CloudFormation Designer.
In this template (below) you can see each region and its AMI.
Copy the AMI compatible with your region. (In our example we used the “us-east-1” AMI.)
Now, return to the Modify template window. Under AMI from catalog, select Browse more AMIs.
Paste the AMI in the search box. Choose the Reblaze image from among the search results.
Find and select the Reblaze image. Click Select.
In the Modify template window, add the new version to your catalog.
Click Create template version on the bottom right of the screen.
Your new version now appears under Launch template details.
Go to EC2 > Launch template and change the Default to the new version (2) Click Update.
Go to your AutoScaling group. In the Details tab, find Group details and click Edit.
Desired capacity must be increased by 100% . For example, if you have 2 servers, Desired capacity must be set to 4. Ensure that this amount does not exceed the Maximum capacity or it too will need to be increased.
Click Update (below).
On the EC2 > Auto Scaling groups screen, check the Instance management tab for the number of servers. Alternatively, you can check the number of servers on your console.
You should be able to see new servers being added with the new version.
Go to your Reblaze dashboard and confirm that you see the new instances and that traffic is routing through them and your sites are working as expected.
Once we verify the new servers are receiving traffic, the old version and its servers must be terminated.
Under the Auto Scaling group, Details tab, there is an Advanced configurations window.
Make sure Termination policies is set to Oldest Launch Template; if not, click Edit and change the policy.
Under the Details tab on the EC2 > Auto Scaling groups screen, locate the Group size options. Reduce the number of desired servers in group to the original amount.
Click Update. The servers attached to the older version will terminate.
This is a description of some general UI components used throughout the system.
Pages such as Tag Rules, Rate Limiting, Cloud Functions, and Backend Services are based on a common grid component that displays all the entries of the specified type in the system. For example, here is the grid in use on the Cloud Functions page.
The grid provides several administrative actions.
To add an entry, select the "+" button at the top of the display.
To edit an entry, select the pencil button at the right side of the corresponding grid row.
Above the grid, an input control accepts regular expressions for finding matching entries in the grid.
By default, all the grid columns are sortable. Just select the corresponding column header (the cursor view changes to a pointer when hovering).
This component appears after selecting a pencil button within the grid component. It consists of different fields depending on the displayed data type (cloud function, tag rule, etc.), but the common element is a fixed header. Consider the example of a tag rule details page.
The component header includes the following 3 blocks:
The entry's main info (on the left: the entry's name and id)
Entry selector (the dropdown on the right)
Actions block (a set of buttons on the right)
Each entry has a user-defined name, and an auto-generated id for internal use.
The entry selector dropdown allows you to change the entry currently being displayed and go directly to another without going back to the grid page. Also, since this selector is based on the autocomplete dropdown component (see below), it's possible to fast-search for a desired entry in the dropdown list using regular expressions.
The actions block usually consists of at least 3 buttons:
Close the details page and go back to the grid page
Delete the entry usually after confirming the deletion via a modal confirmation window. Sometimes this button is unavailable, depending on the specific entry type.
Save the entry, which means it's possible to change the entry details and save those changes. Sometimes this button is unavailable due to validation issues, depending on the specific entry type.
As shown on fig. 2 above, the actions block may include additional buttons depending on the entry type.
Some pages (such as Web Proxy and individual grid details pages) as well as some general UI components are using an autocomplete dropdown component. It's a dropdown list with a capability of quickly searching for a desired entry using regular expressions. Consider the example of a tag rules details page:
Initially the component looks like an ordinary dropdown, but after it is selected, it splits into 2 parts: a text input and, below it, an entries list. By typing in the text input, it's possible to filter the entries list, leaving only those entries which names contain the typed letters; regular-expressions notation also works here.
When there are a large number of entries, the dropdown list becomes scrollable. If the selected entry is hidden at the bottom of the list, it automatically scrolls down to make this entry visible when the list is opened. When an entry in the list is selected, it gets highlighted in blue and the parent component catches this change; in the example move, the details page will change to display the selected entry.
This component is used on the Rate Limiting and Tag Rules details pages. Initially, it's an ordinary dropdown labeled as "Action" with several options available:
503 Service Unavailable
Challenge
Tag Only
Redirect
Request Header
Response
Ban (not available in Tag Rules)
The request will be blocked with a 503 error. This is the default action for Rate Limits, and is also available for Tag Rules.
For a browser-based web application, a bot challenge will be issued to verify that the requestor is a human using a browser, and not a bot using a headless browser or emulator. If the challenge is failed, the request is blocked.
One or more tags are attached to the request, and processing continues (i.e., it is not blocked).
For a Tag Rule, the tags are those specified in the Tag Rule.
For a Rate Limit, the tag is the name of the Rate Limit.
This is the default action for Tag Rules.
This action blocks the request with the specified error code, and redirects the requestor to a specified URL. For example, the URL might be a page that says, "Your activity appears suspicious, and your access has been restricted. Contact support if you think this decision was made in error."
When this action is selected, the component changes as follows:
The component now has a Redirect Status dropdown, with five options for error codes: 301, 302, 303, 307, and 308.
The focus is automatically placed on the Location input, which is a mandatory entry with a regular expression format ^https?://.+$
. Until this contains a valid entry, the Save entry button at the top of the page will be disabled, and the control will be highlighted in red.
This action does not block the request; it merely adds a header to it for receipt and evaluation by the customer's backend.
When this action is selected, the component changes as follows:
Both input controls use regular expressions (^[0-9a-zA-Z-_]+$)
, and are mandatory. Until they contain valid entries, the Save entry button at the top of the page will be disabled, and the invalid control(s) will be highlighted in red.
This action blocks the request, and responds with a custom error code (0-999) and response.
When this action is selected, the component changes as follows:
The Status field (which should be a regular expression ^[1-5][0-9][0-9]$
) and both Header fields (as regular expressions ^[0-9a-zA-Z-_]+$
) are mandatory. Until they contain valid entries, the Save entry button at the top of the page will be disabled, and the invalid control(s) will be highlighted in red.
This action is only available for Rate Limits. When selected, the component changes as follows:
The Time Frame field is mandatory. Until it contains a valid value (an integer less than 86,400), the Save entry button at the top of the page will be disabled, and the control will be highlighted in red.
The Ban action dropdown is an instance of the Ban Action component, except that it does not contain a "Ban" option.
Common uses for Ban are described in the documentation for the Rate Limiting page.
This component is used on Rate Limiting, Cloud Functions, and Backend Services details pages. It consists of 2 sections: Add New Link and a list of linked sites. (In Backend Services, Add New Link is unavailable.)
Defining how Reblaze processes your traffic
This section defines the parameters with which Reblaze scrubs traffic.
The user interface is divided into these sections:
Dynamic Rules: Thresholds for banning sources of hostile traffic.
Quarantined: The "warehouse" of traffic sources that are currently banned. This contains blacklists and whitelists, allowing you to manually control quarantines when necessary.
Profiles: Creation of security rule sets for assignment to specific resources, locations, and applications.
Args Analysis: Settings for allowing requests based on their arguments, in a procedure that occurs before normal WAF inspection and filtering.
Session Profiling: Settings for assigning tags to incoming requests.
Rate Limiting: Settings for rate limits and the actions that will be performed when a rate limit is violated.
Cloud Functions: Custom code that can be executed at specified times during traffic processing.
The Security section is where you define the "under the hood" settings for Reblaze. When defining or editing the information in this section, careful consideration is necessary.
Before investigating each section of the interface, it's recommended to read the "Security Concepts" discussion on the next page of this Manual.
Some security entities (Profiles, Rate Limits, etc.) are marked with icons. That means it is a Reblaze-managed default entity, and it cannot be edited or deleted. If you do not wish to see these in the interface, you can hide them with the checkbox at the top of a page.
How Reblaze scrubs incoming traffic
Reblaze evaluates incoming traffic in a multi-stage filtering process. An HTTP/S request which passes all security tests will be forwarded to the backend.
This decision-making is done in several stages.
Stage
Comments
Pre-Processing Cloud Functions
Quarantines & Dynamic Rules
Static Rules & Rate Limits
Session Profiling
ACL Policies
Rate Limits
Challenges
Argument Analysis
WAF/IPS
Post-Processing Cloud Functions
During initial deployment, an instance group for Reblaze was created. In this step, you will attach this group to HTTP and HTTPS load balancing services as a backend of the service.
. This video includes explanations for (previous topic) and for Set Up GCP Load Balancers (this topic).
It is beyond the scope of this document to describe all the possible load balancer settings. More information about Google’s load balancing can be found at . If you have any questions, feel free to contact us at .
Once you set up the load balancers (LB), traffic will be routed through them to Reblaze. Using these load balancers allows GCP to create more instances as needed to handle the traffic.
For most most use cases, you will need to set up two load balancers, one for HTTP and one for HTTPS. The following steps assume that you will be setting up two load balancers. Therefore, the processes described here will be done twice, with some addition steps for HTTPS. The differences between the setup for the HTTP LB and the setup for the HTTPs LB will be noted.
First, set up a load balancer and choose the HTTP protocol for the backend service as follows:
When an HTTPS ( port 443 ) is required, create an additional load balancer and choose the HTTPS protocol. The steps for this are the same as creating an HTTP LB, with additional steps within the frontend configuration process.
After you have created the required load balancers, return to the main section for the final steps needed to get Reblaze running on your website.
In your , select Navigation menu > Network services > Load Balancing.
2. Click Create load balancer.
3. Click Start configuration for the appropriate type:
The HTTP(S) load balancer supports ports 80, 8080, and 443, (including HTTP and HTTPS) and is the appropriate type for most Reblaze customers.
If you need non-standard ports, then use the TCP load balancer instead.
4. You will now be asked whether this load balancer is for Internet facing or internal only. Select From Internet to my VMs and click Continue. The load balancer creation page appears.
5. Enter a name for the load balancer. We recommend that you include the protocol of this load balancer as part of the name (HTTP or HTTPS), for example, LB1-http or LB2-https.
Continue to the section below: Create the Backend Service.
Enter a name for the backend service. We recommend that you include the protocol of this load balancer as part of the name (HTTP or HTTPS), for example, BE1-http or BE2-https.
In the New backend fields:.
Select the Instance group that was created when you deployed Reblaze in GCP. The same instance group can be used for both HTTP and HTTPS.
In the Instance group has named ports popup, make sure to select the correct port for each protocol (80 or 443). 80 is the default value.
Click Use selected port name
Select the Port numbers. Make sure that the port number selected matched the protocol that this LB is for.
For Balancing mode, select Rate, and enter 1000000 for Maximum RPS. This ensures that all servers stay available during a traffic spike unless a health check indicates otherwise.
Click Done for New backend.
(optional) Enable Google Cloud CDN.
Review the remaining values on the page to see that they are appropriate for your application environment.
Click Create for the backend service.
A default host and path rule has already been created. Additional rules are optional.
Enter a name for the frontend. We recommend that you include the protocol of this load balancer as part of the name (HTTP or HTTPS), for example, FE1-http or FE2-https.
For Protocol, select the protocol that was created for the load balancer you are now creating (HTTP or HTTPS). HTTP is the default value.
For most use cases, you will want to reserve a static IP address.
If this is the first load balancer you are creating (usually HTTP), for IP address do the following:
Select Create IP address.
In the Reserve a new static IP address dialog, enter a name. The name for this IP address should not have the protocol embedded within it, since it will be the same for all load balancers that you create.
Click Reserve. GCP will reserve an IP address and it will now appear in the IP address field in the frontend configuration panel. Tip: Make a note of the IP address provided by GCP. You will need it later at the end of the configuration process.
If this is an additional LB (usually HTTPS):
For IP address, select the IP address previously created for the first LB.
HTTPS only: If this load balancer is for HTTPS, you need to add or create a SSL certificate.
For Certificate, select Create a new certificate.
Enter a name for the certificate.
You can either use a certificate you already have, or create a new one:
To use an existing certificate:
Enter the certificate information.
Click Create for the certificate..
To create a Google-managed certificate:
Select Create Google-managed certificate.
Enter the domains to which this certificate will apply. Multiple domains can be entered.
Click Create for the certificate.
Click Done in the Frontend configuration panel.
Once you have completed all the required components for the load balancer, click Create in the Load balancer panel. The load balancer is then created. The IP address provided is the destination for your website traffic.
The marked "Request Pre Reblaze" are executed.
Traffic from requestors that are currently on the or is blocked. Other requestors are evaluated for potential addition to the Banlist using .
Requests that do not conform to specified size, time, and per-IP rate limits are blocked, according to the for the application.
Reblaze assigns , and (configured in ) to the requests.
are enforced.
are enforced.
Verifies that requests are coming from humans. More information: .
Examination of characters in arguments. Possible results are to exempt a request from WAF filtering, to send the request to the WAF for inspection, or to block the request. More info: .
The active is enforced, assuming that the request was not previously Bypassed in the ACL Policy.
The marked "Request Post Reblaze" are executed.
From the New load balancer panel on the current page, select Backend configuration > Create or select backend services & backend buckets > Backend services > Create a backend service.
Select either HTTP or HTTPS for Protocol and Named port, depending on which protocol you are creating the LB for.
Select the Health check that you for this protocol. Make sure to use the matching health check that was created for the load balancer you are now creating (HTTP or HTTPS).
From the Edit load balancer panel on the current page, select Host and path rules.
From the Edit load balancer panel on the current page, select Frontend configuration.
Adding health checks to your GCP configuration ensures that GCP will maintain the appropriate number of instances for your application.
Related video: Reblaze via Google Cloud Marketplace: Routing Traffic. This video includes explanations for both Set Up GCP Health Checks (this topic) and Set Up GCP Load Balancer (the next topic).
Now that you have configured the Reblaze platform, you should set up GCP health checks and then load balancers.
For most use cases, you will need to set up two health checks and two load balancers, one for port 80 HTTP and one for port 443 HTTPS. The following steps assume that you will be setting up two health checks.
In your Google Cloud Platform Console, select Navigation menu > Compute Engine > Health checks.
Set up the port 443 HTTPS health check:
Click Create health check in the toolbar on the top of the page.
Enter a name for the health check. For example, use healthcheck-443 for port 443 (HTTPS).
For protocol, select HTTPS.
For Request path, you can use the same one that was used for the HTTP health check.
The remaining default values are usually reasonable and you can leave them as is, or you can change these values according to your requirements.
Click Create.
Continue to Set Up GCP Load Balancer.
Upgrading BYOL - GCP
#
Step
Executed by
Comments
Estimated duration
1.
Console creation
Reblaze
Configuration will be migrated
1 day
2.
Create new deployment
Customer
Creating a new instance group
30 minutes
3.
Setup canary instance
Reblaze & Customer
Adding a new template
15 minutes
4.
Verify traffic monitoring
Reblaze & Customer
Verifying that there are no issues with site performance, and making changes to security profiles if necessary.
1 hour
5.
Rеmove old template
Customer
Replace all instances
15 minutes
The Reblaze team will set up a new 2.x console for you. Once this is done, proceed to Step 2.
Go to the Marketplace and create a new Reblaze Deployment in version 2.x.
For the Deployment type, make sure to select “New region”.
For the Template resource zone, select the same region as the one in the previous installation. (Otherwise, the upgrade will not work.)
Scroll further down the page to the following:
For the Networking region, select the same region as the one in the previous installation. (Otherwise, the upgrade will not work.)
Auto-scaling settings - Minimum number of instances: At least as many instances as in the previous installation. In any case, it should never be less than 2 instances.
Redis settings: If you already have a Redis server installed (which is usually true for Reblaze installations of v2.14 and later), you do not need to create a new one, so you can uncheck the Redis deployment checkbox.
After choosing these settings, click the Deploy button at the bottom of the page.
Once your setup is complete, notify Reblaze support. Reblaze personnel will ensure the console is seeing the new instance group, and will connect the Redis server to it.
Within your GCP console, go to Instance groups and select your current (i.e., the older version) instance group.
Here’s an example where the current group is 6887:
Select it by clicking on its name. The following screen will appear:
Now click on Update VMs. to see the You’ll see this:
Click on Add a Second Template. Add the new template you created. (In this example, the new template is 2354.) Now click on Update VMs.
Click on Add a Second Template. Add the new template you created. (In this example, the new template is 2354.) Now click on Update VMs.
Go to your Reblaze dashboard, and make sure that you see traffic in the new instances, and that your sites are working as expected.
In your GCP console, delete the template for the old version.
Security rules with time-based thresholds
The Dynamic Rules section defines security rulesets that evaluate various criteria over time. When requestors commit activities that exceed defined thresholds, they can be banned, or merely reported on within the interface.
Note that Dynamic Rules do not block requests; they ban the sources of requests. Individual incoming requests are blocked for reasons defined elsewhere, e.g., in ACL Policies.
When requests are blocked, or display other hostile characteristics, Dynamic Rules are used to monitor their sources. If the sources continue their hostile activities, they can be banned. A ban means that all subsequent requests from that source will be blocked for a configured length of time.
In some situations, either Rate Limiting Rules or Dynamic Rules could be used. Rate Limiting Rules are the preferable option. They are more powerful, more flexible, and in a future release, they will fully replace Dynamic Rules.
The interface displays the Dynamic Rules that are currently defined. At the top are the default rules supplied by Reblaze, marked with the Reblaze icon.
The default rules from Reblaze are useful for most customer deployments. If you wish to edit them, one approach is to preserve the originals by duplicating them, deactivating them, and then editing and using the copies.
To edit a rule, click on its name, and its parameters will appear below.
It provides these abilities:
Name
Description
Add new rule
Creates a new Dynamic Rule.
Activate global simulation mode
Test All Rules
Set new TTL globally
Help
Refresh and discard changes
Discards all changes that you have made, and refreshes the display to show the current settings within the system.
Save Changes
Saves all changes that have been made. Note that this makes your changes go live immediately. Unlike other administrative activities within Reblaze, when editing Dynamic Rules it is not necessary to Publish Changes after saving them.
The interface also provides a search box, which can be used to find a rule according to a string within its name.
To create a Dynamic Rule, click on "Add new rule" in the Dynamic Rules section menu and provide the Rule Name.
Newly-created Rules are always disabled, and must be enabled before they will be active.
Each Dynamic Rule contains the following parameters:
Field Name
Description
Description
Your description of the rule. This is useful for internal purposes, e.g., noting why a particular rule is necessary.
Target
Defines the source of aggregated requests which will be evaluated, and the recipient of the specified action if a violation occurs. The most commonly-used target is IP. Other options are Cookies, Country, ASN, Planet, Request Body, Request Header, or User Agent. ("Planet" means "all requests." This is used in the Global Request Count default rule.)
Alert
If a notification should be sent when a violation of this rule occurs.
Mode
Defines the action that will happen when a requestor exceeds the specified Threshold during the Period.
Threshold
The maximum allowable number of http/s requests by the Target in the specified Period.
Period
The time period within which requests will be counted, and if the Threshold is exceeded, will trigger the defined action. Note that each Period should be 3 minutes or longer. (A few example screenshots in this Manual have shorter periods. These were taken from a demo site, and are for illustration only. Periods in a production deployment should be 3 minutes or more.)
TTL
Time To Live: If the violator is banned, this is the length of the ban. If the violation is merely reported (as in Report Only mode), this is the amount of time before a new report can be issued on this violation.
Monitor
A list of matching conditions. If a request matches all the conditions in this list, it will be included in the aggregated count toward a potential violation. Multiple conditions are ANDed together. See further discussion below.
Ignore
A list of matching conditions. If a request matches any of the conditions on this list, it will be ignored, and will not be included in the count toward a potential violation. Multiple conditions are ORed together. See further discussion below.
Note that it is theoretically possible to construct a Dynamic Rule so that a specific request can match both the Monitor and Ignored conditions simultaneously. (This usually indicates a mistake in constructing the rule.) If a request ever matches both condition sets at the same time, nothing happens.
The monitor list includes many useful arguments for identifying relevant traffic.
Some of the matches rely on the results of ACL Policies. For example, an Anonymizer value of "true" will match a request that was denied by the "Deny Anonymous Proxies" ACL Policy.
Field Name
Description
Block Reason
The reason for the traffic being blocked. See Defining Block Reasons below for a full explanation.
Blocked
True if the request was blocked, otherwise False.
Cookie
An exact match of the cookie name and value.
Domain Name
Which domain names should be monitored.
File Extension
Which file extensions should be monitored. Example: (exe|jpg|tar)
City
The abbreviation of the country. Example: "US" for "United States."
Country
Country name.
Host Name
Any name that was configured as Host.
Reblazer ID
ID of the Reblaze proxy
Anonymizer
Boolean value (True/False)
Cloud
Boolean value (True/False)
Human
Boolean value (True/False)
Proxy
Boolean value (True/False). [This is different than the Anonymizer field above. It uses an internal value of Reblaze that is not otherwise exposed in the interface.]
TOR
Boolean value (True/False)
VPN
Boolean Value (True/False)
Method
HTTP method type (e.g., GET, POST, etc.).
ASN
The ASN Value.
Referer
The Referer value.
IP
The IP Address.
Complete URL
URL with the query string.
URI
URI
Request Body
Text boxes will appear for "Name" and "Value" parameters. Both can be regex.
Request Headers
Text boxes will appear for "Name" and "Value" parameters. Both can be regex.
Response Status
HTTP response code (200, 404 etc.).
User Agent
The request's user agent name.
Scrolling down the list will reveal additional fields. These tend to be used by more advanced users.
The video below sums it all up:
The Block Reason field allows you to construct a Dynamic Rule that will be triggered when requests are blocked for specific reasons. When this is included in a Rule, Reblaze will compare its value to the reasons that a request was blocked.
The comparison is based on a "contains" substring search, and is case-insensitive. Therefore, when a request is blocked for Over-capacity
, Block Reason values of capacity
, over-capacity
, and Over-capacity
will all match.
There can be multiple Block Reasons OR'd together, e.g.: autoban|over-capacity
.
There are several ways to obtain values for constructing Block Reasons. The first is the list of standard Reblaze WAF signatures (example: Autoban/etc.
). Other possible values are custom, created dynamically by Reblaze as the result of user configuration. Example: Rate limit 2/1s
.
In both cases, recent values can be obtained from individual events in the View Log, or from the Signatures tab on the Dashboard page.
After creating or modifying Dynamic Rules, it is recommended that you test them to ensure that they are behaving as expected.
You can safely test Dynamic Rules against actual traffic data, without actually banning any traffic sources. This is done by running the rules in Simulated Ban mode.
There are two ways to do this: testing all rules globally (most useful when setting up a new planet), or testing individual rules (useful in daily operation).
Select Activate global simulation mode from the section menu, which will change all Dynamic Rules that were set to Ban to Simulated Ban.
This means that requestors who violate Dynamic Rules will not be banned; instead, they will appear within the Simulation Ban List in the Quarantined section. You can observe the requestors who appear there, and evaluate if the Dynamic Rules are identifying the requestors you expected.
Note that during this process, all Dynamic Rule traffic scrubbing will be disabled. Therefore, it is most useful during the initial setup of a new planet.
To test individual rules, set each one to Simulated Ban mode. Save and Publish your changes. Then from the section menu, choose Test All Rules.
This will evaluate the current set of Dynamic Rules against the most recent traffic data. Example: a rule with a Period of five minutes will be evaluated against the requests that were received in the last five minutes.
You can compare each rule's performance with what you expected. Once you are satisfied with a rule's performance, you can make it active by changing its mode to Ban.
Note that you can accomplish a similar result by observing the Simulated Ban list in the Quarantined section. However, testing is faster using Test All Rules: you get the results immediately, instead of having to wait for a full Period to see how a Rule performed.
In the example below, this Dynamic Rule limits the number of requests that are sent to /login
from a specific IP.
Limiting could also be done globally for all IPs by changing the Target to "Planet."
By using a cookie threshold, it is possible to eliminate Denial Of Service attacks originating from the same session, even if the attacker is changing IP addresses. In the screenshot below, requests are counted toward the threshold if they have the same value for the "rbzid" cookie. Requests are not counted toward the threshold if they were Bypassed by an ACL, or if the requestor has already been banned.
This rule blocks HTTP GET requests from a specific IP for 10 hours, under these conditions:
The IP has submitted more than 3600 GET requests in the previous three minutes.
The requests were not for a static file (.png , .jpg, .ico, .gif).
The requests were not already blocked
The requests were not from IP 1.2.3.4.
To disable or enable a rule, click on the Activation trigger:
To delete a rule, click on the small button at the end of its listing: That button will display options to Delete this rule, or to Duplicate it. (Sometimes, it is faster to Duplicate a rule and edit the copy than to create a new one from scratch.)
At the top right screen, this larger button is shown : . Clicking on it will cause the section menu to appear:
The rules currently set to "Ban" will be changed to “Simulated Ban”. This is useful for testing. See also , below.
Explained in , below.
Sets TTL (described below in ) for all Dynamic Rules.
Brings up a help screen describing the settings for a rule. See also , below.
Ban will block the violator (available for IP, Cookie, Request Body, Request Header, Country, and ASN), and will add the violator to the .
Simulated Ban does not actively ban the violator; it only adds the violator to the .
Report Only does not actively ban the violator. If this rule has been included within a , then the defined notifications will be sent.
Log into Reblaze to configure the Reblaze platform for your environment.
Once you have completed the deployment process, this section will guide you through the process to complete the site setup and link your web applications to Reblaze.
Log into Reblaze. Enter your email address and password, and click the envelope icon to receive a one-time password (OTP). The OTP will go to the telephone number you gave when you created your login account.
Enter the OTP and click Log In. Your Reblaze dashboard appears.
From the navigation panel, go to Settings > Planet Overview. This shows all the sites and web applications defined within Reblaze. Note: Since the initial setup of a site or application is prone to error, Reblaze lets you create a new application only by copying an existing application and then editing the results. A new Reblaze deployment includes a default application for this purpose.
4. Click Duplicate on the row of the default application.
5. Enter the name of the new site or application.
6. Click Duplicate. The new site/application is created and opened for editing.
We will use the default Reblaze settings when appropriate.
A note on load balancing: Please note that the load balancing parameters shown here are separate from the load balancer that you will set up in Set Up a Load Balancer. The load balancing within Reblaze (which is defined here) is done to distribute scrubbed traffic across the servers within your network. The load balancing outside of Reblaze will dynamically create new instances of Reblaze as needed, in response to spikes of incoming traffic which has not yet been scrubbed. For more details about Reblaze settings, see Reblaze Deployment Terminology in the Reblaze user manual at https://gb.docs.reblaze.com/.
Under Host, enter the IP address for the upstream server. This is the server that Reblaze will sent the traffic after the traffic is scrubbed.
To add additional servers, click Add and enter the IP address for each one.
In the Domain Names box, enter the domain aliases for this site or application. Wild cards can be used.
(optional) To redirect all HTTP traffic to HTTPS, copy the return 301 https... command as described on the page into the HTTP Redirect Line box.
Click Save Changes.
You will be prompted to publish your changes to the cloud. Close the popup box and click Publish Changes. Important: After publishing, there will be a message at the bottom that the changes are being published to the cloud. Do not refresh or leave this page until the publishing process is finished.
By default, a new application is set to report only mode. In this mode, Reblaze does not filter any traffic. It only reports on traffic that would have been filtered if it were in active mode. This is useful if you want to test or fine-tune an application or new deployment. To move an application to active mode, click the REPORT button to toggle it to ACTIVE mode, and then publish the change.
The initial configuration of Reblaze is now complete. For the full set of configuration parameters, see the Reblaze user manual at https://gb.docs.reblaze.com/.
Continue to Set Up GCP Health Checks
Below are the steps for deploying Reblaze on the Google Cloud Platform. Begin by signing up to GCP. Viewing the video below is recommended.
Related video: Reblaze via Google Marketplace: Initial Deployment
To sign up to Google Cloud Platform marketplace you will need a GCP account and a project already set up within your account.
Start by searching for "Redis" and then select Memorystore.
Enable this option when the screen below appears. The process takes several minutes to complete.
When Memorystore has been enabled, the following window appears. Select Marketplace.
This will bring you to the Marketplace where you will search for "Reblaze." There will be multiple results to your search. Select the option shown below.
Selecting the Reblaze option shown above will bring you to a window where you select Launch.
On the next window that appears, specify a deployment option. Select License ID and click the Get License link which appears.
2. This will open a new tab showing the Reblaze License Manager. Here, choose Sign Up and then enter the requested information.
Ensure your email and phone number are valid. They will be needed later on.
Note that your phone number must be entered using the international format: the "+" sign followed by the country code, area code and number (no spaces or hyphens; for example, a US number: +17891234567). The phone number must be able to receive text messages.
When you have finished, select Sign up.
3. In the next window of the Reblaze License Manager, specify a password and select Set password.
Now, sign into the Reblaze License Manager with the credentials you just created. This is where you will create your licenses for Reblaze.
Note that a separate license is needed for each Reblaze console. If you have multiple environments but wish to use only one Reblaze console, you will need just one license. But if you wish to have multiple consoles you will require multiple licenses.
For each license needed, select the Generate new license button (see below).
4. Now, select the License ID you want to use and copy it to the clipboard.
5. Return to the GCP console and enter that License ID.
6. Scroll further down in order to review the default values for the new deployment, then select Deploy. This will transfer you to a page displaying the progress of the deployment.
7. When deployment is complete, select LOG INTO THE ADMIN PANEL. You will be redirected to the Reblaze Login page.
8. Enter the Login credentials you defined earlier. The account details will be filled in automatically.
9. Select Complete Deployment.
Now, the remaining deployment steps and console creation will occur, which take a few minutes. When the steps have been completed, you will see a notification on the screen informing you that Reblaze is setting up more things in the background.
Once you have received notification on your screen that this process is complete, you will be brought to the Reset My Password page.
Enter your email address and click Reset My Password.
This will bring you to the Log In screen.
Do not fill in the fields on the Log In screen.
Wait for the email Reblaze will have sent you containing a link to the Reset Your Password screen.
Create a new password and click Reset My Password.
You will be redirected to the Reblaze console Log In screen. From here you may begin setting up your sites and web applications within Reblaze.
Continue to Configure the Reblaze Platform
Profile: A re-usable collection of security policies
In a typical deployment, Reblaze performs much of its traffic evaluation according to security Profiles. There are four tabs within the interface:
The Custom Signature feature is being deprecated, and will be phased out in a future release of Reblaze. It is recommended that instead of constructing new Custom Signatures, use Tag Rules instead.
Before discussing each tab, it will be useful to discuss Profile Concepts.
Administer the lists of which requestors are banned and/or permitted access
The quarantined section will show requestors that have been banned for violation of the Dynamic Rules and Rate Limiting rules, requestors that have been blacklisted, and requestors that have been whitelisted. You can add and remove requestors, and transfer them among the various lists.
There are four lists of requestors in this section:
Banlist
Simulation Banlist
Blacklist
Whitelist
Each is described in more detail below.
For each entry, it's possible to see the following: IP address, origin country, AS number, the violation that was triggered, "CNT/Limit" (the number of violations compared to the allowable limit), when the ban began, and when the ban will expire.
All requests from these requestors are currently being rejected. These requestors violated a rule that was set to “Ban” mode.
These requestors are NOT having all their requests rejected. These requestors violated a rule that was set to “Simulated Ban” mode. Simulated Bans are used mainly for testing new rules and seeing how they function, before converting those rules to Ban mode.
All requests from these requestors are currently being rejected. These requestors were placed here by a Reblaze admin.
These requestors are exempted from the Dynamic Rules. Even if they violate a Dynamic Rule, they will not be banned.
Requestors are added to the Banlist and Simulation Banlist automatically when they violate a Dynamic Rule or Rate Limiting Rule.
You can add a requestor manually to the Whitelist or Blacklist using the "Add New Entry" option in the section menu. This is demonstrated in the following video:
The fields are:
Field Name
Description
Type
Cookie, Country, ASN, IP, Request Body, Request Header.
Name
Will appear for specific types: Cookie (Name), Headers, etc.
Value
The value which will activate the blacklisting. For example, when Type is "IP", the blacklistable IP address would be entered here.
Reason
User description of the reason for adding this entry.
Expiration
The expiration of the entry, in Hours or Minutes (only relevant for blacklists).
Requestors can be transferred among the various lists with this procedure:
Select the requestor(s) by checking the box at the left of each entry.
Open the section menu.
Choose the desired "Move to" command (e.g., "Move to Whitelist").
Moving an item to the Banlist can only be done from the Simulation Banlist.
Requestors on the Banlist, Simulation Banlist, or Blacklist will be automatically removed when their expiration time is reached. (The Whitelist has no expiration time.)
Requestors can be manually removed from the list they are currently on:
Select the requestor(s) by checking the box at the left of each entry.
Choose "Delete".
Access Control List Policies
The ACL Policies section allows you to define Policies and Rules by which Reblaze will process your incoming traffic. Once an ACL Policy has been defined, it is available to be part of a Security Profile. Once a Security Profile has been defined, it is available to be assigned to specific resources (e.g., a section of your website) in the Web Proxy page.
In the discussion below, "ACL" and "ACL Policy" refer to the same thing: the Policies that can be administered in this section.
Existing ACLs are listed on the left. Selecting one will display it in the middle of the screen for editing.
Admins can create new ACL Policies, as discussed below. Admins can also edit many of the ACLs that are included out of the box in a new deployment.
Out of the box, many of the included ACLs are named with a prefix of ACL. This naming convention is recommended when creating/editing new ACLs, but it is not mandatory.
Several of the Reblaze-maintained ACL Policies are templates (designated by the prefix ACLT). If you do not wish to see them on this page, they can be hidden by selecting the Hide Templates checkbox on the upper right. These templates are used by the Create New Site wizard, and can also be assigned to other sites/applications by admins in the Security Profiles section of the Web Proxy page.
To create a new ACL, select the Create New button toward the top of the screen, then choose "ACL Policy." Or, duplicate an existing ACL and then edit the newly-created copy.
Each ACL contains one or more Rules. These are listed in the middle of the screen. To create a new Rule and add it to the current ACL, use the settings on the right part of the screen. (See below for more on this.) When you are finished with the Rule setup, click on the Add button. The Rule will be added to the Policy that you are currently defining or editing.
To remove a Rule from a Policy, click on the "X" to the right of its name.
Fields
Description
Operation
The action that will result when the Rule’s Match condition occurs.
Match
The type of parameter that will be tested to see if a Match occurs.
(unlabeled)
The value for the Match condition.
Each of these fields is explained further below.
The Operation field has three possible values:
Bypass: the requestor will be granted access to the requested resource, without further evaluation or filtering of the request. However, although a Bypassed request will not be subject to further filtering, it will still show up in the logs (as “reason:bypassed”).
Allow: the requestor will not be presented with a challenge, but will still be evaluated by the WAF.
Deny: the requestor will not be allowed to access to the requested resource
When constructing an ACL Policy from multiple Rules, the Rules are arranged in the hierarchy shown above (Bypass, then Allow, then Deny). Rules are evaluated in order from top to bottom. When a Rule resolves to an action, that action is implemented, and further evaluation ceases.
There are five available options for Match:
Tag
Company
Country
IP Address
Custom Signature
The first four of these are common matching conditions that are always available. The fifth choice allows you to select custom matching conditions that you constructed by using the Custom Signature feature (however, note that Custom Signatures are being deprecated. Tag Rules should be used instead).
This is the third, unlabeled field in the New Rule dialog. The correct entry will depend on the option that was selected for Match.
If you selected Tag, enter one or more tags as the Match Argument.
If you selected either of these, enter the first few characters of the company name or country, and then choose the full name from the list that appears. (If the text box does not populate itself appropriately as you type the first few characters, check your spelling.)
Enter the specific IP or range of IPs (e.g., 178.184.0.0/16).
Enter the first few characters of a Signature that you created previously in the Custom Signature tab, and then choose the one you want from the list that appears. (If the text box does not populate itself with matching Signatures, check your spelling.)
By adding the following characters as a suffix to the ACL's name, the ACL will behave as follows:
Suffix
Description
Examples
OC
Over-capacity override: ignore rate limits.
Loadtest OC
XDeny
"God Mode": bypass the Rule Operation hierarchy.
Global DR XDeny
For an example of using the OC suffix, see Bypassing Rate Limits for Loadtesting.
For an example of using XDeny, see Quickly Blocking an Attacker.
Revealing the composition and details of your traffic
This page provides the ability to review and analyze the most recent traffic, up to and including real time. At first glance, you'll see the origin country, IP address, HTTP message type, the targeted location, time stamp, and status code.
If a security event occurs, this page will allow you to quickly find its root cause.
On the top right of the page, you can select the range of requests displayed: from the most recent 200 events up to the most recent 2500. Choose the desired range (200, 500, 1000, 1500, 2000, or 2500) and then click on the checkmark to set the display.
In the screenshots below, IP addresses are censored for privacy reasons.
The main tool in this section is the Query box for filtering the display; this is quite similar to the one on the Dashboard. It allows you to filter the display and see only the data you wish to analyze. For a full explanation of how to use it, click here.
The Query box allows you to filter and display specific requests and their details. To show the results graphically instead, you can copy the filter string and paste it into the Query box on the Dashboard.
At the top right of the screen, you can choose the application you want to analyze. The drop-down menu allows you to search for and choose your desired application.
Next to the Query box, you'll see several buttons.
The search icon is for applying the requested filters on the log. (Or, just hit "Enter" on the keyboard after typing your query.)
The calendar button allows you to specify a certain date or period of time.
The Search History button displays your recent searches, so you can re-run them without having to enter them completely from scratch.
Export to CSV creates a text-based spreadsheet file.
The Help button opens a display with a quick-reference guide to Query box operator syntax.
The Clear button removes your current Query box entries.
Log entries are color-coded depending on their type.
Passed requests: Black text on a white background.
Blocked by Reblaze: Red text on a red background.
Blocked by origin (i.e., the upstream server): Red text on a white background.
Challenge: Brown text on a yellow background.
Clicking on any log entry will display its details:
This will reveal:
The URL that was requested
The user agent
Optional additional information (not shown in the example above), depending on the request. Example: the referrer.
A row of colored labels:
Green: Passed request
Red: Blocked request
Yellow: Explanatory
Blue: Informational
HTTP Request Method (GET / POST / PUT...)
HTTP Version
HTTP Response code, and which server sent the code: either the upstream server (noted as "Origin," as in the example above), or the Reblaze proxy.
Resource that was requested (JPG / PNG / HTML / JS, etc.)
Origin Country and Country Initials
Block reason: The reason, if any, that the request was denied. Standard reasons are listed in the Reblaze WAF Signatures list, while others are constructed dynamically (e.g., from a rate limit). A hyphen ("-", as in the example above) means that the request was not denied.
IP Classification: Whether the requestor is using an IP from a cloud provider, VPN, TOR, etc. In the example above, the requestor is using a cloud provider. Note that this does not indicate that the request was blocked for this reason. If the current Profile had included an ACL to block cloud users, then the Block reason would say "acl:cloud", and then this "Cloud" notification would appear after it for the IP Classification.
Origin IP address (censored in the example above)
Autonomous System Number (organization/ISP/etc.)
The example above shows a request that was answered with a challenge. It came from a known cloud provider, by curl, to www.example.com.
The above screenshot shows a log entry for a request that was blocked. Note that the Block reason is "Generic Attack [ref 22400000]". The "ref" number is a Reblaze Signature reference ID.
How to search for one IP (censored in the screenshot below), only showing requests with a GET method during a specific time frame.
Using this regex syntax:
status:[4]\d\d
Provides all status codes for 4xx.
How to display all requests from a certain country, for "EXE" files, which produced error code 403.
A full explanation of filter syntax, a listing of operators, and tips for quickly building queries is found here: Using the Reblaze Query Box.
The View Log page has many uses, and it will allow you to learn a lot about your traffic.
This page is a powerful tool for traffic control, and is especially useful when you are first starting to use Reblaze. By revealing the composition of your traffic, it can help you decide which requests you should begin blocking.
Early in the traffic evaluation process (immediately after evaluation of Quarantines and Dynamic Rules), Reblaze can assign one or more Tags to an incoming request. Subsequently, the Tags can be used to make decisions about how the request is processed. After processing, a request's Tags remain associated with it, and they are available for display in the View Log.
This page allows you to administer Tag Rules, which are combinations of Tags and the criteria for assigning them to requests.
Each Tag Rule consists of:
Match conditions: A description of possible characteristics that a request can match (e.g., a list of IP addresses that it might originate from).
One or more Tags to assign when a match occurs.
An Active toggle to enable the Rule.
An Action to take immediately when a match occurs. Other Actions might be taken later as well; more on this below.
For each request, Reblaze will evaluate all active Tag Rules. A single request will receive Tags from all Rules which match it.
Tag Rules can be either Reblaze-managed or self-managed.
Reblaze-managed Rules are maintained by Reblaze. Most of these are based upon online data feeds (e.g., Spamhaus DROP lists), and are updated frequently and automatically. The match conditions for these rules are not editable in the interface, although the remaining parameters (Active, Tags, Action, etc.) still are.
Self-managed Rules are created and managed by admins. These Rules are fully editable within the interface.
The main window (shown above) lists all current Tag Rules.
To edit an existing Rule, select the Edit icon at the end of its entry in the list. To delete a Rule, select the Edit icon, and then within the window that appears, select the Trash icon.
To add a new Rule, select the + button in the main window, or edit an existing one and choose the Duplicate button at the top right.
The discussion below will focus on self-managed Rules. For Reblaze-managed Rules, the parameters that are editable will work the same as discussed below.
Name. A description that will be displayed within the Reblaze interface.
Active. By default, this Rule will be evaluated for all incoming requests. To prevent this, unselect the checkbox.
Tags. One or more Tags (separated by spaces) that will be assigned to all requests that fulfill the match conditions. Example: internal team-devops
Notes: An optional field for including information about this Tag Rule.
The choices for this parameter are described in Action Response.
The Action that is selected here will be applied globally to all requests that match the Match Conditions.
To apply an Action to only some of the matching requests instead:
Choose the Tag Only Action and an appropriate Tag
Create an ACL Policy for that Tag
Assign the ACL Policy to a Security Profile
Assign the Security Profile to the relevant section(s) within application(s) in the Web Proxy page.
Match conditions consist of two parts:
A list of one or more criteria to match.
If the criteria are organized into multiple sections, the Entries Relation specifies the logical condition to apply (either OR or AND) among the sections.
Some Tag Rules are based on external data feeds. (Many of the Reblaze-managed Tag Rules fall into this category.)
Enter the URL of the data feed into the Source field, then select the update now button that appears. Reblaze will then populate the criteria list automatically.
As an example, to create a list based on the Spamhaus ASN DROP list, you would enter https://www.spamhaus.org/drop/asndrop.txt, and then select the "update now" button.
(Note that this example is for illustration only. An out-of-the-box deployment should contain the ASN DROP list already as a Reblaze-managed list.)
A self-managed Tag Rule based on an external data feed should be refreshed frequently, to re-query the data source. This can be done by opening the Rule for editing, then selecting the update now button next to the Source field. For convenience, you can also do this directly from the list of Rules in the main window; in the entry for the self-managed Rule, an Update now button will appear before the Edit icon.
If the criteria are organized into multiple sections--which is unlikely for a feed-based Tag Rule, but not impossible--also choose the appropriate value for Entries Relation, as discussed below.
Many Tag Rules will be based on specific criteria for a use case--criteria that are not found in an external feed.
To add match criteria, select the Create new section button. (If this button is not available, verify that the Source field is set to self-managed
.)
A new section of criteria will be available, and the following dialog will appear.
For most of the criteria categories, the dialog will appear as it is above. Multiple entries can be made at once, with each entry on a separate line. Each line contains the value, plus a pound sign (#) followed by an annotation (a label for display within the Reblaze interface). Example:
For some categories, one entry can be made at a time, with each entry requiring multiple fields. Annotations are not preceded by a pound sign.
Match criteria are case-sensitive. The exception is Header keys, where match criteria are case-insensitive.
Here are some sample entries for the various categories. Notice that the logical operators are available.
Once created, these entries cannot be edited. If one needs to be modified, remove it and re-create it.
The first criterion added to a Tag Rule will be in one section. If additional criteria are added, they are all evaluated with an OR. (For a request x
and list of criteria a, b, c
, the evaluation will be (x==a) OR (x==b) OR (x==c)
).
You can add additional sections by selecting the Create new section button. Each section will similarly use OR internally.
However, when there is more than one section, an additional evaluation must occur among the results of the individual sections. The Entries Relation selector specifies the logical operation used here.
Example: there are two sections. The first section has criteria a, b, c
and the second has i, j, k
. The Entries Relation is set to AND. For a request x
, the evaluation will be ((x==a) OR (x==b) OR (x==c)) AND ((x==i) OR (x==j) OR (x==k))
.
An overview of traffic activity
After logging into Reblaze, the Dashboard screen is the first screen you'll see. It displays all incoming traffic and what happens to it. By default, this screen shows current activity; by using the archives, you can also 'go back in time' to see previous activity.
The user interface has three main sections:
Allows you to easily filter the display to show exactly what you want. The structure of a filter is operator:value.
For example, to show all traffic from France that was blocked:
country:France, is:blocked
For a full explanation of Reblaze's Query box, including operators and syntax, go here.
Queries run in the Dashboard will display the results graphically. To see the results as a full list of the requests and their details, you can copy the filter string and paste it into the Query box in the View Log.
Enables the user to select a pre-defined time frame, or a custom time period. See the video below:
This section shows the traffic that was processed by Reblaze: requests which passed through to the upstream servers, and requests that were blocked. Hits are distributed by time and sorted into three different categories: Humans, Challenges, and Blocked. As you can see in the example below, the data is shown in different colors to easily distinguish among the categories.
Counts the number of status codes in a certain time period.
HTTP Status response codes are divided into five categories:
1xx - Informational Response
2xx - Request Successful
3xx - Request For Redirection
4xx - Client Error
5xx - Server Error
For a detailed list of response codes, go here.
As in the Passed vs. Blocked display, the data is shown in different colors.
The number of network requests during a certain period of time.
The downstream bandwidth limitation per response. Left-axis units are "k" for kilobytes, and "M" for megabytes.
This displays the time (in milliseconds) consumed by Reblaze's processing.
You can zoom in upon the various graphs, in order to examine a smaller window of time. The video below demonstrates this process.
This section displays traffic statistics according to a variety of "top" metrics: the Top Applications, Top Countries, Top Signatures, etc.
In many of these displays, entries contain links. Clicking on them will open the traffic log, filtered to show the item you selected. For example, in the "Top Countries" view, clicking on a country name will open the traffic log to display the most recent requests originating from that country.
Name
Description
Hits
Total amount of requests
Passed
Requests that reached the upstream server
Blocked
Requests that were blocked by one of Reblaze’s correlation engines.
Humans
Requests that passed Reblaze's human vs. bot challenge process.
Bots
Challenges
Requests that were served with bot detection challenges.
Latency
How much time it takes for a packet of data to get from one designated point to another. Displayed in milliseconds.
Dn
Amount of traffic in MB that originated from the upstream server towards the clients.
Up
Amount of traffic in MB that originated from the client towards the upstream server.
Shows all protected sites for the current Reblaze deployment. Applications marked in red have a blockage rate above 30%. The blockage rate is the ratio of requests blocked by the system to the number of total network requests.
Note that in this section, "Passed" and "Latency" entries aren't shown, and "Cloud", "Anon" and "Blockage" are added. Their meanings are:
Name
Description
Cloud
Cloud Providers (GCP, AWS, etc.)
Anon
Anonymous Proxy Browsers
Blockage
Blockage rate
Shows your traffic sorted by country. Each country's flag is shown by its name.
On the screenshots below, IP addresses are censored for privacy reasons.
Shows traffic data according to IP address. The ASN (autonomous system number) for each IP is also shown.
Shows the nature of user sessions. Sessions that pass Reblaze's bot mitigation challenge are identified as originating from humans, and are listed here according to the user's RBZ (Reblaze) cookie ID. In the screenshot below, note that the first line shows "-" for the ID. These are sessions that did not pass the challenge.
Shows the URLs in your site(s) that were accessed the most frequently.
Shows the reasons that traffic was blocked. Unlike other displays, this section does not include hits, passed, blocked, etc.—the counter only shows the number of blocks per signature. Here you can see which types of attacks are most common in your environment. In the example screenshot below, the first entry is "-": this shows requests that were blocked, but not by Reblaze (i.e., they were blocked "by origin"—by the upstream server).
In the example screenshot below, the third and fourth entries include a "ref" value. These are Reblaze reference IDs, explained here.
Shows the referers that were extracted from the request headers.
Allows you to view the various file types that are being used by the application. ("None" shows the network requests that weren't counted as file extensions.)
Shows all the user agents that initiated requests for the application(s).
Shows all of the ASNs (Autonomous System Numbers) from which requests were sent. The ASN can identify individual entities, or larger networks: for example, a telecom provider or a cloud provider.
Shows a list of all applications, with the corresponding latency for each.
Analyzing the values of arguments within incoming requests
This feature is still available within the UI. However, in the future it will be deprecated. It is recommended that customers switch to using Session Profiling instead, which is more powerful and more intuitive.
The Arguments Analysis feature has two primary functions:
Examining incoming requests for specific whitelisted characters in specific arguments (i.e., parameters in the URL query string or within the request body). Alphanumeric characters are allowed by default; all others must be allowed via a whitelist. When all characters in all arguments are found in the respective whitelists, the request is allowed, and no further inspection or filtering by the WAF is performed. If one or more characters are encountered that are not whitelisted, the request is either forwarded to the WAF for further inspection (when Inspect Unknown mode is enabled), or the request is denied (when Strict Whitelist mode is enabled).
Automatically updating the whitelists: As non-whitelisted characters are encountered, they can be added to the argument whitelists, depending on the Adaptive Mode selected.
The first function is often used in complicated sites; it offers a positive-security approach for analyzing traffic. Arg Analysis makes it easy to whitelist values that should be allowed in various request parameters. Another possible use is to bypass specific parameters that are too long for the WAF to efficiently process, or where WAF inspection is not relevant.
The second function (i.e., automatically updating whitelists) is less applicable for most deployments, and in most situations, is not encouraged. If Args Analysis is used incorrectly, large whitelists can be inadvertently built that will match most or all incoming requests. Thus, most or all incoming requests will bypass the WAF's traffic inspection and be sent directly upstream. In effect, this will disable Reblaze's traffic scrubbing. Therefore, we discourage the use of this function unless you are sure you need it, and you fully understand how it works.
For both functions, an argument list must be built.
Initially, this section will look like this:
Note the pulldown list on the right, which specifies the domain that you are currently administering.
Each time the system performs an analysis, arguments that were not previously known will be learned and added to the argument list, automatically (even in Supervised mode). The new character whitelists will consist of those characters that were encountered with each argument.
This can have some important and potentially nonintuitive consequences. See the warning below in the discussion of conflicted arguments.
Upload arguments file: The system allows you to upload a HAR file (that can be recorded using the browser’s dev tool). From the HAR file, the system will learn all the arguments and their values.
Creating an argument manually: You can also create individual arguments by selecting "New Argument," after which this dialog will appear:
Field Name
Description
Argument Name
The parameter in the query string or request body
Argument Characters
A regex pattern to match against the values specified for the Argument Name. This is a whitelist of allowable characters.
Max Length
Maximum allowed length of the argument, in characters
When an argument is encountered in a query string or request body, its Argument Name is sought within the Args list for the relevant domain. If not found, it is added to the list, as noted previously.
If found, its value is analyzed. If each character within it is found in its corresponding Argument Characters, then this argument is passed.
If every argument in a query string or request body is passed, then the entire request is passed. It is sent to the origin (the upstream server), without being subjected to further inspection or filtering by Reblaze.
if the request is not passed, further processing occurs. See Handling Requests with Unmatched Characters, below.
In addition to the "New Argument" and "Upload Arguments File" options, the pulldown menu also offers additional capabilities.
Download as JSON - When this option is selected, the system will start a browser download of a JSON file that contains all the arguments and their values.
Delete App Args - Removes all the arguments in the current domain.
Analyze Now - Manually triggers the analysis process (described below), starting from the previous day.
Learning Resources - Displays the list of all ACL Policies defined in your planet, except for the default ones supplied by Reblaze. Example:
By default, Args Analysis learns from every request. The Learning Resources feature allows you to filter this, so that it only learns from specific requests.
When you select an ACL Policy from this list, Args Analysis will be limited to the requests which match that Policy. (If the ACL Policy happens to be empty, then the most recent 100,000 requests will be analyzed, or the most recent 24 hours' worth of data, whichever limit is reached first.)
If the selected ACL Policy has an Operation of Allow, then Args Analysis will analyze all the requests that were not blocked by the WAF or other ACL Policies. If the Policy is instead set to Bypass, then Args Analysis will also learn from blocked requests. (This can be useful when in Report-Only mode).
Show Regex/Characters - Toggle the display of all values on this page in regex, and then back into characters. Note when showing regex, alphanumeric characters are also explicitly included in the whitelist. In character mode, the Reblaze interface does not display these; the user should understand that all alphanumerics are whitelisted by default.
Refresh and Discard Changes - This allows you to discard all the changes you made to the arguments table.
Save Changes - When making any changes to the arguments table, you must save them afterward. This includes any modified or accepted conflicts in the system (more on these below).
In daily operation, Reblaze analyzes arguments in incoming requests. When they match the character whitelists, the requests are allowed, as described above.
Additionally, Reblaze goes through the traffic logs, analyzing and mapping all arguments received since the last analysis. This occurs every night around 3am UTC.
The system creates a list of argument characters that were encountered in requests, but were not in the whitelists.
Then in this Args Analysis section of the interface, Reblaze displays the current whitelists as follows:
Unchanged Arguments: This is at the bottom of the screen. It shows all the arguments for which Reblaze did not encounter any new (i.e., non-whitelisted) characters.
Conflicted Arguments: This shows the results of the most recent analysis: all the arguments for which Reblaze encountered characters that were not in the whitelists.
Here you have the opportunity to update the whitelists, accepting some or all of the proposed updates listed in the Conflicted Arguments section.
The manner in which these updates are accepted or rejected will depend on the New Args Adaptive Mode.
There are four possible modes: Automatic, Supervised, Locked, and Preview.
The system will discover and deploy new args without any human intervention. Everything occurs automatically.
The system will discover new args, but it will not deploy them. Instead, it will present them as Conflicted Arguments, and await approval or rejection by a human admin.
The system will not discover any new args. All configuration changes must be done manually.
The system will discover new args, but this is for informative purposes only. Traffic processing is not affected.
In the interface, there is a help section that lists the first mode as Automatic (Recommended). This is deprecated; we no longer recommend Automatic mode for most customers. As mentioned previously, this introduces the risk that erroneously large whitelists will be built. For most customer deployments, we now recommend Supervised or Locked mode.
For each of the first 3 operation modes (Automatic, Supervised, and Locked), another setting is available:
This defines Reblaze's behavior when non-whitelisted characters are encountered for known args.
A request that contains an argument that contains one or more non-whitelisted characters will be forwarded to the WAF for inspection and potential filtering.
A request that contains an argument that contains one or more non-whitelisted characters will be blocked.
After the request is processed, this argument is added to the list of Conflicted Arguments.
When new (non-whitelisted) characters are encountered, the arguments in which they were found are listed in the interface as Conflicted Arguments. Reblaze suggests updates (the New Values) for each argument's whitelist, and awaits the user's decisions.
Every time an analysis is performed, the previous list of Conflicted Arguments is discarded, and a new one generated. Thus, the interface displays only the Conflicted Arguments that were found in the most recent analysis.
Sometimes, argument names contain a designation for an ampersand ("amp;"), while others do not. This results from differences in decoding URLs versus arguments found in the body. It doesn't affect anything within the interface or its usage.
Each Conflicted Argument contains a set of New Values. These are updates that Reblaze is proposing to make. There are three available actions:
Deleting
Modifying
Accepting
Deleting - selecting the Trash icon will remove the Conflicted Argument from the list. This can produce unintended consequences: see warning below.
Modifying - You can edit the New Values. For the character field, only valid regex will be accepted.
Accepting - Clicking on the green Accept Conflicts button will accept all the Conflicted Arguments, updating the args list to the New Values.
It might appear that the "Delete" command (the trash can button) is merely a method of resolving the Conflict by rejecting the New Values and retaining the Current Values. This is incorrect.
When an argument is deleted from the list of Conflicted Arguments, this does not remove the conflict, it removes the argument. This has two consequences, both of which might not be intended by the user:
Until the next analysis is run, this argument will be unknown to Reblaze. Therefore, every incoming request that contains it will either be sent to the WAF for further inspection (when Inspect Unknown mode is enabled), or it will be denied (when Strict Whitelist mode is enabled).
When the next analysis is performed, Reblaze will learn the "new" argument, and create a new whitelist containing whatever characters were encountered within it. It's possible that this whitelist will contain some or all of the characters that previously caused that argument to appear as Conflicted.
The second point is especially important. If the user thinks that "Delete" will reject the New Values, the opposite can actually occur. When the argument is deleted and subsequently re-added, its character whitelist might automatically contain the same characters that the user was trying to reject previously.
The correct way of resolving a Conflict while retaining the same whitelist is to edit the New Values to match the Current Values, before selecting Accept Conflicts.
Or, the user can do nothing, and merely leave the Conflict unresolved in the interface. This will leave the argument's whitelist unchanged.
At the bottom of the screen is a list of Unchanged Arguments.
This shows the arguments for which Reblaze has not encountered any non-whitelisted characters.
You can edit these arguments if desired, or even delete them (by clicking on the trash icon to the right—but see the warning above about the potential consequences of deleting arguments).
Controlling the rates of incoming requests
Rate limiting restricts the rates at which traffic sources can send requests. When a limit is exceeded, the defined action is enforced.
Admins can create new Rate Limit rules, as discussed below. Admins can also edit the rules that are included out of the box in a new deployment.
Out of the box, Reblaze's Rate Limit rules are named with a prefix of RL (for Rate Limit) or RLP (a Rate Limit using the "Pair with" attribute, discussed below). This naming convention is recommended when creating/editing new rules, but it is not mandatory.
It is also recommended that Rule names are descriptive of their contents. For example, a Rule that limits 50 requests per username, per 60 seconds, could be named "RL 50/60s username". This makes administration straightforward, and also clarifies events in the traffic logs.
Existing rules are listed on the page shown above. To edit or delete a rule, select the "edit" button at the end of its listing.
To add a new rule, select the + button. The following window will appear.
After defining a new Rate Limit, select the Save button at the top of the window. An additional section (Links to URLs) will then appear at the bottom of the window. This will be discussed later.
Each Rate Limit Rule consists of the following types of parameters:
Each is discussed further below.
The Limit can be zero. If so, the specified Action will occur immediately when an incoming request matches the Event Criteria.
Event criteria have two components:
Key(s). These define the events that are being counted. See "Composing Keys," below.
Include/exclude filters constrain the requests whose Keys are being counted. In other words, they define the segment of the incoming traffic stream that is being evaluated for possible events. See "Including/Excluding Requests," below.
A Key consists of a field and a value. Within a Rate Limit Rule, they play a role like this:
"More than <LIMIT> requests with the same <KEY-VALUE> <KEY-FIELD> sent to <ASSIGNED-LOCATION> within <TIME-PERIOD> will cause <ACTION>."
Example: "More than three requests with the same username argument sent to the login form within one hour will cause the requestor to be banned for six hours."
A Key can be built upon any one of these four fields:
Multiple Keys can be defined within the same Rule. To create a new Key and open it for editing, select the "+" button next to the Key label.
If multiple Keys are defined, they are evaluated by combining them together with a logical AND. In other words, the cumulative count toward the Limit will be incremented whenever a request is seen that matches all of the Keys simultaneously. Different combinations of Keys will have separate Limit counts maintained for them.
Example. A Rule contains two Keys: "Attribute / Remote Address" and "Argument / Username". When the first request is received, an internal counter is created (set to a value of one) for this unique combination of Remote Address and Username. A second request is then received, originating from the same Remote Address and for the same Username; this causes the internal counter to be incremented up to two. A third request is then received from the same Remote Address but with a different Username; this causes a new internal counter to be created (and set to a value of one) for this combination.
Below the list of Key(s), there is a checkbox labeled "Pair with." If this is checked, then a different type of Key can be added below it.
In the following discussion, "Key" will refer to the Key (or combination of Keys) defined above the "Pair with" checkbox.
"Paired Key" will refer to an optional, additional Key that is defined below the checkbox.
Adding a Paired Key changes the evaluation process. A Paired Key is not logically combined with the preceding Key; it is always evaluated separately.
Also, adding a Paired Key changes the meaning of the Rate Limit.
If a Paired Key is not defined, an internal counter is maintained for each Key value, and incremented each time that value is encountered in a request.
If a Paired Key is defined, an internal counter is maintained for each Key Value, and incremented each time a new, previously unobserved Paired Key value is encountered in a request.
Therefore, if a Paired Key is defined, the Rate Limit constrains the number of allowable Paired Key values for any given Key value.
So, the evaluation becomes something like this:
"More than <LIMIT> <PAIRED-KEY-VALUE> <PAIRED-KEY-FIELD>s per any one <KEY-VALUE><KEY-FIELD> sent to <ASSIGNED-LOCATION> within <TIME-PERIOD> will cause <ACTION>."
Note that the number of Key values is not being limited here. The limit is on the number of Paired Key values that each Key value is allowed.
Example: Let's say we want to allow an individual user to login from a maximum of two ASNs within one hour. (Perhaps the user is accessing our web application from a coffee shop's WiFi, and then a few minutes later, leaves the coffee shop and begins using the cell network instead.) We want to allow this possibility; however, if we receive requests from the same user originating from three or more ASNs within an hour, we want to treat this traffic more suspiciously. This is not possible merely by specifying two Keys, as described earlier in the "Multiple Keys" section. If we set up two Keys ("Argument / Username" and "Attribute / Organization") with a limit of 2, and assign it to our login form, then this will merely limit the number of times that the user can login from each ASN within an hour. Instead, we can set up one Key ("Argument / Username"), check the "Pair with" checkbox, and then set up the Paired Key ("Attribute / Organization"). Now the Limit will apply to the number of combinations of Username and Organization that are received for each specific Username.
The Include and Exclude filters allow you to constrain the requests against which this Rate Limit Rule will be evaluated.
By default, an active Rate Limit Rule will be enforced upon all incoming requests. Specifying an Include and/or an Exclude filter will set limits to this enforcement.
The Include filter will limit enforcement to requests matching its parameters. All other requests in the traffic stream will not have this Rate Limit Rule enforced upon them.
The Exclude filter will exempt requests from enforcement that otherwise would have been evaluated. These requests, which otherwise match the Include filter's parameters, will not have the Rate Limit Rule applied to them.
When a Rate Limit is triggered, the specified Action will occur.
The Ban action is a unique option for Rate Limiting, and is described in detail below.
Most of the available Actions will not fully exclude an attacker that continues pressing the attack.
Example: Access to a login form is rate-limited to three requests per minute. An attacker tries to brute-force the login, and sends 60 requests per minute. The Rate Limit allows the first three requests, but then blocks the next 57 requests with a 503 error. However, after the minute has passed, the Rate Limit resets. The attacker is allowed another three attempts before being temporarily blocked again. This cycle can continue for as long as the attacker wishes. In effect, the Rate Limit is not preventing the attack; it is merely slowing it from 60 attempts per minute down to three attempts per minute.
The Ban action can be used to block (or take some other Action in response to) a Rate Limit violator for an extended period of time.
Example: As described above, a Rate Limit is created to allow three requests per minute, with an Action of 503 Service Unavailable. However, an additional Rate Limit rule is also defined: nine requests per three minutes, with an Action of Ban. The Ban has an Action of 503 Service Unavailable, and a duration of one hour. Reblaze allows multiple Rate Limits to be assigned to a single URL. Thus, both of the above rules can be assigned to the login form. Now an attacker tries to brute-force the login form, sending 60 requests per minute. The first three requests are allowed. The next six requests are blocked by the first Rate Limit. The tenth request triggers the second Rate Limit, and the Ban occurs. For the next hour, the attacker's requests will be blocked with a 503 error.
Note that when setting up a Ban, the most common choices for its Action are to deny the violator's requests (via 503 Service Unavailable, Response, or Redirect). However, you can also choose Tag Only (to observe the violator's actions during the ban period), Challenge (to verify that the violating activity is not being done by bots), or Request Header (to mark the requests for further scrutiny by the backend).
In the main window, each Rule listing has a number for Linked URLs.
The number represents the number of URLs to which this Rule is currently assigned. URLs are linked after a new Rule is created, or they can be added later when editing an existing Rule.
URL linking is done at the bottom of the rule editing window:
When creating a new Rate Limit rule, the Links to URLs section does not appear until after the new rule is saved.
Select a location from the pulldown
Select the "+" button to add it to the list of assignments.
Select the Save button at the upper right of the window.
More than one assignment can be performed at once. After adding the first assignment to the list, simply add additional ones as needed. When the list is complete, select the Save button.
For creating custom matching conditions
This feature is being replaced with , which are more flexible and have more capabilities. For now, Custom Signatures are still being supported. However, it is recommended that you do not create any new Custom Signatures, as they will be deprecated in the future.
Custom signatures are custom matching conditions that you can use in ACL Policies to evaluate client requests.
These allow the administrator to "catch" traffic based on any parameter in the request or the response. They can be used in a number of situations. Some examples:
"Virtual patching": Identifying an incoming exploit attempt for a newly-discovered vulnerability in the upstream network.
Identifying logged-in admin users, so that their requests can be Bypassed.
Identifying specific patterns of traffic that are suspected to be malicious, so they can be blocked.
Identifying specific types of requests (e.g., XMLHttpRequest), so they can be blocked from specific sections of a website.
Admins can create new Custom Signatures, as discussed below. Admins can also edit the Signatures that are included out of the box in a new deployment.
Out of the box, Reblaze's Custom Signatures are named with a prefix of CS. This naming convention is recommended when creating/editing new Signatures, but it is not mandatory.
To create a Custom Signature, click the Create New button toward the top of the screen, and then choose Custom Signature. Or select an existing one and choose Duplicate, then edit the newly-created copy.
Custom Signatures give you tremendous power and flexibility for evaluating your traffic. They are composed of one or more matching conditions, which can be combined using Boolean AND/OR operators.
When you first create a Signature, one condition appears for editing. If you wish to create more than one, click on the Append Condition button at the bottom. This will add another condition for editing.
You can continue for as many conditions as you want. The conditions will be evaluated according to the Boolean operator specified by the Condition Type selector.
Each matching condition combines the entries in Either one of the following fields and Is matching with.
This text box accepts strings or PCRE (Perl Compatible Regular Expressions).
A page for administration of security Profiles
Within the Security section, this tab provides an interface for administering Security Profiles.
Existing Profiles are shown on the left.
Admins can create new Security Profiles, as discussed below. Admins can also edit the Profiles that are included out of the box (e.g., SP Default
) in a new deployment.
Out of the box, Reblaze's Security Profiles are named with a prefix of SP. This naming convention is recommended when creating/editing new Profiles, but it is not mandatory.
To create a profile, click the Create New button toward the top of the screen, and then choose Profile. Or select an existing one and choose Duplicate, then edit the newly-created copy.
To edit a profile, select it from the list on the left. Its contents will appear in the middle part of the screen.
To add a new Policy to the Profile, select the desired Policy from the Link More Policies list on the right, and click the Add button. To remove an existing Policy from the Profile, click on the X to the right of its name.
Within a Profile, the order of Policies does not matter. When evaluating an incoming request, Reblaze combines the Bypass, Allow, and Deny Rules from all the ACL Policies in the Profile. It evaluates all the Bypass Rules first, then all the Allow Rules, then the Deny Rules.
Most Profile administration will not be possible until the appropriate Policies have been created. Similarly, complete Policy administration will not be possible until there are Rules to add to them.
A fundamental part of traffic evaluation
As mentioned earlier in , Reblaze's decision-making can vary depending on the context. In a typical Reblaze deployment, much of the traffic evaluation is done using Profiles. When Reblaze receives a request for web resources, it first determines the Profile that is in effect for the resource that was requested.
Reblaze's Profiles are hierarchical structures, so that you can set up your security framework in a modular fashion. Rules and collections of rules can be set up once, and re-used throughout your planet as needed.
The hierarchy has several levels:
Profile
Policy
Rule
Condition and Operation
A Profile contains one or more Policies. A Policy contains one or more Rules. A Rule is a combination of a condition and an operation. Let's illustrate these with examples, from the bottom of the hierarchy upward.
Example conditions:
Is the request coming from a specific country? Or ASN?
Is the request coming from a specific IP address?
Is the request coming from a proxy? Or a VPN? Or a Tor network?
Is the request for a specific URI?
Is the request originating from an allowed (or a disallowed) HTTP referer?
Does the request contain (or not contain) specific arguments?
Is the request using (or not using) a specific method or protocol?
Does the request contain (or not contain) a query string in a specific format?
Does the requesting client have (or not have) specific cookies, or a specific cookie structure?
Possible operations:
Deny
Allow
Bypass (similar to "Allow", but the request will not be subject to further evaluation or filtering by other rules)
Example Rules:
If the requestor IP is within 131.253.24.0/22 [a known range of Bing crawlers], Allow.
If the requestor IP is within 157.55.39.0/24 [a known range of Bing crawlers], Allow.
If the requestor IP is within 1.10.16.0/20 [a range within the Spamhaus DROP list], Deny.
If the requestor IP is within 1.32.128.0/18 [a range within the Spamhaus DROP list], Deny.
If the requestor is a bot, Deny.
If the requestor is using a proxy anonymizer, Deny.
If the requestor's Company is [our company], Bypass.
If the requestor submitted an HTTP/S request, Deny.
Example Policies:
Allow Bing Crawlers [contains example Rules 1-2 above]
Deny requestors on Spamhaus DROP list [contains example Rules 3-4]
Deny bots [contains example Rule 5]
Deny proxy users [contains example Rule 6]
Allow users from our company [contains example rule 7]
Deny all requests [contains example rule 8]
Example Profiles:
Default:
Allow Bing Crawlers
Deny requestors on Spamhaus DROP list
Deny bots
Deny proxy users
Private area of our website, for internal use only:
Allow users from our company
Deny all requests**
** "Allow" Policies are evaluated before "Deny" Policies. When a match is found, no further evaluation is performed. In this example, company users will be Allowed, which exempts them from the Policy which Denies all requests.
A Cloud Function (CF) allow you to extend Reblaze's tools and functionality. Each CF consists of Lua code that can be run at different points in Reblaze's traffic processing.
Cloud Functions are defined here. They are assigned to URLs within the web application in the .
When creating a Cloud Function, do not rely on Reblaze to validate the code. Please ensure that the code is valid and, ideally, tested before adding it. If the code has errors, undefined behavior can occur when Reblaze attempts to execute it.
The top right of the screen provides a pulldown for selecting a CF for editing, an Add button to create a new CF, and a Save button for saving edits that were made on the currently-displayed CF.
The CF itself consists of a name (for display within the Reblaze interface), an automatically-generated ID, the Code itself, and a specified Phase. The Phases pulldown allows you to specify when the CF will execute:
Request Pre Reblaze: Execute immediately when Reblaze receives an incoming request, before any other processing occurs.
Request Post Reblaze: Execute after Reblaze has finished processing the request, and before it accesses the backend server.
Response Pre Reblaze: Execute when Reblaze receives the response from the backend.
Response Post Reblaze: Execute as the last action before Reblaze sends the response to the client.
Administration of built-in modules
This section allows you to administer WAF/IPS Policies, which define the sets of defined behaviors for the WAF. The Policies are assigned to paths/URLs in the .
Existing WAF/IPS Policies are listed on the left side; selecting one will display its contents on the right for editing. A default Policy must always exist. Additional Policies for specific situations can be defined if needed.
Admins can create new WAF/IPS Policies, as discussed below. Admins can also edit many of the Policies that are included out of the box in a new deployment.
Out of the box, many of the included Policies are named with a prefix of WAF. This naming convention is recommended when creating/editing new Policies, but it is not mandatory.
To create a WAF/IPS Policy, select an existing one and choose Duplicate, then edit the newly-created copy.
When viewing or editing a WAF/IPS Policy, the Active Modules section allows you to enable/disable some of the modules. The four on the left are always active and cannot be turned off. (However, an ACL Policy that resolves to an action of Bypass will exempt a requestor from them.) These four modules are:
The next three modules are optional, but are recommended in most situations:
On the right part of the screen is the section menu, invoked via the button with three vertical dots:. Depending on context, the section menu will offer the management abilities described below.
Open the section menu by clicking on its button ().
Some ACLs are provided and maintained by Reblaze, and are read-only. These are designated by the Reblaze icon. They are updated as necessary with no action required on your part. (Typically these include dynamic elements that need frequent updating—for example, a list of IP addresses with a recent history of malicious activity.)
To see full log details for an entry, click on the small magnifier on the right side of the log. This will show all the headers, cookies, and session details.
When working in this window, when all edits are completed be sure to select the Save buttonon the upper right part of the page, to save the new Rule.
Requests with originators that were not (yet) verified as humans. For a full explanation, see .
In the top right menu you will see this button: . Clicking on it will open the main menu:
Some rules are provided and maintained by Reblaze, and are read-only. These are designated by the Reblaze icon.
Some of the Reblaze-maintained Rate Limit rules are templates (designated by the prefix RLT or RLPT). If you do not wish to see them on this page, they can be hidden by selecting the Hide Templates checkbox on the upper right. These templates are used by the , and can also be assigned to Linked URLs by admins.
There are various Actions available for selection here: 503 Service Unavailable, Challenge, Tag Only, and more. They are described in the documentation for the dropdown.
Second example: A hostile bot receives a , which it fails. Reblaze will block the request. If the bot keeps re-submitting its request, it will continue to fail the challenges. However, each time the bot tries again, Reblaze has to issue a new challenge . To solve this problem, a second Rate Limit is created with a Ban action. Now a persistent bot will simply be Banned, saving the overhead of issuing continuous challenges.
The Site dropdown contains a list of web applications that are currently defined in the .
After selecting a web application, a pulldown list will appear. It will contain the locations defined for this web application within the . To assign the current Rule to this location:
Signatures that have already been defined are listed in the left column, while you can edit and create new ones on the right. Once a Signature has been created, it will be available in the section within the tab.
Some Custom Signatures are provided and maintained by Reblaze, and are read-only. These are designated by the Reblaze icon.
There are several Reblaze-maintained Custom Signatures which are templates (designated by the prefix CST). If you do not wish to see them on this page, they can be hidden by selecting the Hide Templates checkbox on the upper right. These templates are used by the , and can also be assigned to ACL Policies.
An explanation and some examples are here: .
Some Security Profiles are provided and maintained by Reblaze, and are read-only. These are designated by the Reblaze icon.
Several of the Reblaze-maintained Security Profiles are templates (designated by the prefix SPT). If you do not wish to see them on this page, they can be hidden by selecting the Hide Templates checkbox on the upper right. These templates are used by the , and can also be assigned to other sites/applications by admins in the .
In previous versions of Reblaze, a Profile would include one . Now, a WAF Policy is assigned directly to each resource/location in the .
Note that while Profiles are defined in this section of the Reblaze UI, they are assigned to specific resources/locations in the .
Cloud Functions are a very powerful tool. If you need assistance with this feature, please feel free to .
There will be at least one Policy that is designated by the Reblaze icon. It is provided and maintained by Reblaze, and is read-only.
A prefix of WAFT indicates a Reblaze-maintained WAF/IPS Policy template. If you do not wish to see any templates on this page, select the Hide Templates checkbox on the upper right. Templates are used by the , and can also be assigned to other sites/applications by admins in the .
At the bottom of the page are the Request Arguments Limitations, Whitelist Argument Names, and Whitelist Rule IDs. These allow you to permit or deny requests based on the arguments contained in the request. For assistance with these entries, please .
Type
Values
Meta
A name and description for the Rule.
Rate Limit
Defines the maximum allowable number of events within a certain time period.
Event Criteria
Specifies which events will be counted toward the Rate Limit.
Action
Specifies what will happen when the Rate Limit is exceeded.
Assignments
The resources/locations/URLs within the web application where the Rate Limit Rule will be enforced.
Field
Value
Name
A name for this Rule. It will be used within the Reblaze interface, and will also be used to create a Tag that will be assigned to requests which trigger the Rate Limit.
Description
A description of this Rule which will be used within the Reblaze interface.
Field
Value
Limit
The maximum number of allowable events within the specified Time Frame. Subsequent events within the Time Frame will trigger the Action.
Time Frame
The time period within which the Limit is enforced, specified in seconds.
Field
Result
Header
All requests with the same value for the specified header will be counted together toward the Limit.
Cookie
All requests with the same value for the specified cookie will be counted together toward the Limit.
Argument
All requests with the same value for the specified argument will be counted together toward the Limit.
Attribute
All requests with the same value for the specified attribute will be counted together toward the Limit.
Field Name
Description
Args
Arguments in the request’s header
Arg Names
Argument names in the request’s header
Autonomous System Number (ASN)
The ASN for a specific entity
Country Name / City
Geolocation
Host Name
Destination Hostname
Query String
Regex value inside the query string
Referer
Referer / Via values
Remote Address
Client Address in the request
Request Cookies
Cookie in the request’s header
Request Cookies Names
Cookie names in the request’s header
Request Filename
The GET request resource
Request Headers
Specific headers inside the requests
Request Headers Names
Scan the request for specific header values
Request Method
An HTTP method: PUT, POST, GET, etc.
Request Protocol
HTTP / HTTPS
Request URI
The URI of the resource being requested
User Agent
The User-Agent of the requestor
Parameter
Functionality
Essential Headers Checkup
A request without a header is illegitimate (and generally is an indication of a bot). This module blocks these requests.
HTTP Methods
This module defines the HTTP Methods that are allowed in requests.
Argument Limitations
This module enforces the Request Arguments Limitations that are specified below the list of Allowed HTTP Methods.
RFC Compliance
This module ensures that every request is RFC compliant. Most penetration tools are non-compliant (often deliberately so)—thus, this module alone defeats and excludes a high amount of hostile traffic.
Parameter
Functionality
Bad Robots
Identifies and blocks malevolent bots, based on their user agents. This works differently than the Active Challenge process to identify bots. Therefore, when active challenges are disabled, this WAF capability can still be used.
Dual Encoding
A common penetration technique is to encode a hostile request multiple times, in an attempt to evade detection and filtering. For example, an injection attack might be encoded in binary, and then sent as if it were plain text. Or, different types of encoding might be mixed together in the same request. This module detects and defeats these attempted attacks.
* Injection Proof
This module detects and defeats different kinds of injection attacks: SQL, XSS, and OSC. (The "*" is a wildcard.)
Planet configuration and other parameters
The Settings section has an extensive number of configuration values for Reblaze. Many of these are parameters that once set up, usually will not change during your use of Reblaze.
There are several sections in this part of the interface.
Web Proxy contains parameters for the overall architecture of Reblaze and its interaction with the downstream clients and the upstream network. It includes settings for proxy behavior, load balancing, failover, and more. It is also where you assign Security Profiles to specific areas of your website.
Backend Services is for managing the services that Reblaze is protecting.
Error Pages is for defining the error pages served to traffic sources.
SSL Management is where SSL Certificates are uploaded and managed.
DNS is where DNS records are configured.
CDN allows you to purge CDN caches.
Planet Overview provides the abilities to add/manage sites to your planet, generate SSL certificates, and publish changes that were made elsewhere in the interface.
Global is for managing planet-wide settings.
Account is where your user account settings are managed.
Administration of certificates
This section allows you to manage your SSL Certificates. You can create, edit, attach, and remove certificates. The certificates themselves can be uploaded and stored into Reblaze's cloud, or a cloud load balancer.
If you are reading this Manual as part of an initial evaluation of Reblaze, and if you have large numbers of certificates to manage, you should know that Reblaze treats certificates differently than most other security solutions.
It's not unusual for some companies (especially SaaS platforms) to have dozens or even hundreds of certificates to manage. Unfortunately, most security solutions treat each SSL Certificate as a separate "site," and they charge their customers on a per-site basis. Thus, these solutions can be extremely expensive.
Contrary to this, Reblaze does not treat certificates as sites. A certificate is merely a certificate. For customers with tens or hundreds of certificates to manage, Reblaze's monthly pricing can be one or two orders of magnitude less than its competitors'.
The SSL Management interface is split into 2 tabs: Load balancers and Certificate store.
The Load balancers list shows the load balancers for the current site, and the certificates that are attached to them. Certificate store is where certificates are managed.
For each load balancer shown in the list, the displayed parameters are:
Parameter
Description
Name
A unique identifier for use elsewhere in the interface.
#Of Certs
Number of certificates attached to the load balancer / Max number of certificates can be attached to a load balancer of this type (as shown in Table 1 below)
Cloud Provider
AWS, Azure, GCP or a custom cloud provider.
DNS Name
The balancer's dns name.
Region
The cloud vendor region name (from Table 2 below)
Type
Load balancer type (from Table 1 below)
Load balancer type
Max number of certificates
gcp
15
application
25
classic
1
Table 1: Max number of certificates depending on the load balancer type
GCP
AWS
Azure
Digital Ocean
asia-east1 asia-east2 asia-northeast1 asia-northeast2 asia-northeast3 asia-south1 asia-southeast1 asia-southeast2 australia-southeast1 europe-north1 europe-west1 europe-west2 europe-west3 europe-west4 europe-west6 northamerica-northeast1 southamerica-east1 us-central1 us-east1 us-east4 us-west1 us-west2 us-west3 us-west4
us-east-2 us-east-1 us-west-1 us-west-2 af-south-1 ap-east-1 ap-south-1 ap-northeast-3 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-south-1 eu-west-3 eu-north-1 me-south-1 sa-east-1
eastasia southeastasia centralus eastus eastus2 westus northcentralus southcentralus northeurope westeurope japanwest japaneast brazilsouth australiaeast australiasoutheast southindia centralindia westindia canadacentral canadaeast uksouth ukwest westcentralus westus2 koreacentral koreasouth francecentral francesouth australiacentral australiacentral2 uaecentral uaenorth southafricanorth southafricawest switzerlandnorth switzerlandwest germanynorth germanywestcentral norwaywest norwayeast
NYC1 NYC2 NYC3 AMS2 AMS3 SFO1 SFO2 SFO3 SGP1 LON1 FRA1 TOR1 BLR1
Table 2: Cloud vendor regions
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
Selecting an entry in the list expands it to show that load balancer's details: a default certificate, and a list of any additional attached certificates.
The expanded list provides several buttons to perform administrative actions.dnnd
To change the default certificate for the load balancer, select the Set default button next to the name of the desired certificate.
To remove a certificate from the list, select the Detach button next to its name.
To attach a certificate from the certificate store, select Attach certificate. See discussion below.
Additional certificates can be attached to a load balancer until it reaches its full capacity, i.e. the maximum number of certificates shown in Table 1. (Full capacity is indicated when the "# Of Certs" column contains two similar numbers, e.g., "15 / 15". Also, the Attach certificate button will change to the message "You have reached the max certificates quota for the load balancer.")
To attach a certificate, select the Attach certificate button. This will open a modal window with a list of unattached certificates from the certificate store:
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
To attach a certificate, press the Attach button next to its name. The certificate will disappear from this list ail appear in the list of the certificates attached to the load balancer (see Figure 2).
This tab displays certificates according to the site to which they are attached.
The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.
For each entry, the displayed parameters are:
Parameter
Description
Name
A unique identifier for use elsewhere in the interface.
AWS
Whether the certificate is loaded to AWS (see explanation below).
GCP
Whether the certificate is loaded to GCP (see explanation below).
Expiration Date
When the certificate expires.
Linked To
Certificates are loaded console. After that they can be loaded to a cloud provider. The AWS/GCP columns indicate which provider has the certificate. It can be none, one, or both.
Reblaze provides the capability to generate an SSL Certificate for free using the Let's Encrypt service. This can be done using the "Generate Certificate" button on the Planet Overview page.
SSL certificates can be added to Reblaze in two ways:
Uploading a PFX file.
Manually entering the certificate information.
In both cases, begin by clicking the "+" button. This dialog will appear:
To upload a PFX file, select "Extract pfx file." Otherwise, enter the Private Key, Certificate body and Intermediate chain values into their respective text boxes.
To remove an existing certificate, click on its trash icon to the right of its entry in the list. You can delete a certificate if it's not linked to a site. However, you cannot remove the last certificate on a load balancer.
To edit a certificate, click on its edit icon to the right of its entry in the list. This dialog will appear:
The following options are offered:
Attach to application - Select an application/site and attach it to this certificate.
Replace existing certificates - When this is chosen, a "Select Certificate" dropdown list will appear. Selecting one and then clicking "Save" will result in all sites/applications being transferred from the selected certificate over to the certificate you're currently editing.
Auto Replacement by Let's Encrypt: See discussion below.
Download PFX: Download the certificate information as a file in PFX format.
When managing certificates through one of these options (except for "Download PFX"), you must click the Save button to preserve your changes.
Let's Encrypt is a free certificate authority service. Reblaze integrates with it, and offers this service by default.
Once a day, Reblaze will check each application it protects. If that application's certificate is going to expire in the coming week, and itsAuto Let's Encrypt Replacement option for that certificate is enabled, Reblaze will generate a new certificate using Let's Encrypt, and will attach all of its sites to the new certificate.
This section allows you to customize the error messages that are displayed to users. There are separate tabs for the most common types of errors, with the HTTP status code for each one. The defaults can be used, or you can customize the content and/or contact details as needed.
A straightforward use of this feature is to enter text into the fields. More advanced usage (for example, iframes) is also possible.
Select the web application to edit by using the pulldown on the upper right. When you have completed your edits, select the Save Changes button on the upper right, and then publish your changes.
This section defines the Services that Reblaze will protect. In other words, these are the destinations to which Reblaze will send the (legitimate) traffic it receives.
Each Service can receive traffic for multiple web applications, and for multiple resources/locations within each web application. These assignments are made on the Web Proxy page.
At the top of the window, the title on the left displays the Service currently being displayed for editing. The pulldown on the right allows the selection of a different Service.
To add a Service, click on the "Add" button (the plus sign).
When editing is complete, click on the Save button and then publish your changes.
For a single Service, you can define multiple endpoints. Within them you can:
Enable and configure load balancing, weighting and distributing traffic across your primary endpoints.
Define backups hosts, to which Reblaze will failover your traffic when your primary hosts aren’t available.
Take hosts offline for maintenance by ticking a single box in the interface.
Adding and deleting endpoints from this list is straightforward. To add an endpoint, click on the Add button (the plus sign) and fill out the new entry. To delete an existing entry, click on the delete link next to that entry.
The settings for each endpoint in the list are as follows.
Attribute
Description
Host
The name or IP address for each endpoint that Reblaze protects. This can be a normal web server, or it can be a load-balancer. Note that Reblaze also provides load-balancing capabilities in its own right, as discussed below.
HTTP Port
The HTTP port for the server.
HTTPS Port
The HTTPS port for the server.
Weight
The relative weight of each server for load-balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights. For example, if two servers are both set to 'weight=1', they will receive equal amounts of traffic. If the first is set to 'weight=3' while the second is set to 'weight=1', the first server will receive three visitors for every single visitor that the second server receives.
Max Fails
The maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway).
Fail Timeout
Is Down
When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose.
The Name field defines the description for this Service within Reblaze.
Use HTTP/1.1: selecting this can speed up communication, via the use of connection pooling.
Transport Protocol: this configures the communication between Reblaze and the backend.
Option
Value
Per Request
This is the default mode. Incoming HTTP requests will go over HTTP, and incoming HTTPS requests will go over HTTPS.
HTTP Always
All communication between Reblaze and the backend will be over HTTP. (This mode should not be used unless Reblaze runs within the same cloud as the backend.)
HTTPS Always
All communication between Reblaze and the backend will be over HTTPS.
Port Bridge Mode
Reblaze will use the same port as the incoming request. This is not limited to ports 80 and 443; Reblaze will use whatever port was specified. Note: this mode is not available when more than one host is defined.
Sometimes an application requires a user to be connected to the same Reblaze instance and backend endpoint throughout the session. Reblaze can ensure that this occurs, and can do so using a variety of methods.
Stickiness Model
Action
None
Auto Cookie
Reblaze will automatically generate a cookie to maintain the session on the same endpoint.
Custom Cookie
You can provide the name of the cookie that Reblaze will use to track the session, e.g. one generated by an AWS or GCP load balancer.
IP Hash
Routing will be determined from a hash of the client and destination IP addresses.
Least Connection
Requests will be sent to the endpoint with the fewest number of connections.
An optional but recommended capability
DNS Management is an optional capability. Your DNS management does not need to be done within Reblaze, but it can be.
Reblaze provide a full DNS service, based on AWS Route 53. Reblaze also supports DNS on other cloud platforms, but they are not yet supported natively within the Reblaze interface. If you need this capability within your deployment, contact support for assistance.
Many site administrators use their domain registrars as their DNS providers, but this is often a poor choice. In general, domain registrars do not place a high priority on DNS security (since DNS management is not a primary part of their business model), and attackers frequently target their DNS servers. A successful DNS poisoning attack can result in your site getting hijacked.
Managing your DNS through a secure platform like Reblaze is a better choice. This ensures your full stack is protected—even the DNS layer.
A full explanation of DNS setup is beyond the scope of this Manual. The discussion below is an overview of Reblaze's capabilities and interface. Please contact support if you need assistance for your particular situation.
Related video: DNS Training
You can manage millions of DNS zones and records using the Reblaze interface.
The DNS Management feature of Reblaze is for both external and internal DNS administration. Internally, Reblaze maintains a special name for every planet (planetname.d1.rbzdns.com), and every domain protected by Reblaze is mapped to an entry in this domain. This system can also be used for domains accessible externally.
To display existing records, a "search" feature is provided at the upper left.
This will control the DNS entries being displayed, by filtering them according to the search value and selected record type.
To add a new DNS entry, click on the "New" button. The following dialog is displayed:
Once a record has been created, it can be deleted (via the trash icon shown to the right of its entry in the list) or edited (via the blue edit icon shown to the right of its entry in the list).
Reblaze supports the following types of DNS records:
Record Type
Description
A
Address record
AAAA
IPv6 address record
CNAME
Canonical name record
MX
Mail exchange record
NS
Name server record
PTR
PTR resource record
SOA
Start of [a zone of] authority record
SPF
Sender policy framework (now discontinued, as of RFC 7208)
SRV
Service locator
TXT
Text record
ALIAS CNAME
Alternative to CNAME that can coexist with other records on that name.
ALIAS A
Alternative for an A record
Expected formats for the respective values are given below.
The value for an A record is an IPv4 address in dotted decimal notation.
Example:
example: 192.150.2.1
The value represents an IPv6 (128bit) address in a colon separated notation.
Example:
20541:0da8:85a3:0:0:8a2e:0370:7334
A CNAME value is a domain name.
Example:
www.sample.com
Each record includes a priority (integer) and an email server domain name. It is possible to add multiple records.
Example:
10 mail1.sample.com
20 mail2.sample.com
Delegates a DNS zone to use the given authoritative name servers. (It is possible to include multiple name servers.)
Example:
ns1.amazon.com
ns2.amazon.org
ns3.amazon.net
ns4.amazon.co.uk
Includes a text record. (Enclose the text in quotation marks. Multiple entries are allowed.)
Example:
"test1"
"test2"
SPF records were formerly used to verify the identity of the sender of email messages. It's now deprecated, and a TXT record should be used instead.
Example:
"v=spf1 ip4:192.168.0.1/16-all"
A generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
The syntax is based on the following: [Priority][Weight][Port][Domain Name]
Example:
2 12 5050 sip-server.example.com
3 15 5060 network.example.com
Pointer to a canonical name. Unlike a CNAME, DNS processing stops and the name is returned.
Example:
www.example.com
When you deploy Reblaze to protect your web assets, it acts as a proxy; it receives requests from clients (web visitors, mobile/native app users, etc.), blocks hostile traffic, and passes legitimate requests to your servers.
The Web Proxy page defines how Reblaze behaves in this role. It contains these sections, from top to bottom:
For a cleaner interface, the lower sections are collapsed by default. They can be expanded using the ⌵
control to the right of each section heading.
After making edits to this section, Save Changes and Publish them to the cloud.
At the top of the page, the title shows the web application currently being displayed below for editing.
The pulldown on the right selects the web applications to edit. The save button on the far right saves the edits that have been made to the current application.
The Web Proxy page allows you to edit an existing web application. To define a new web application within Reblaze, navigate to the Planet Overview page.
This section shows a list of URLs/resources within the application, and defines Reblaze's behavior for them.
Every incoming HTTP/S request targets a specific URL. Reblaze finds the best match for that resource in this list, and applies the security configuration defined for it.
The "best match" is determined by regex evaluation. (The order in which the Match strings are listed in the interface does not matter.) If no matching resource definition is found, Reblaze applies the rulesets from the default resource definition (shown in the screenshot above as the fourth entry).
An HTTP/S request which passes all security tests will be forwarded to the Backend Service defined for the requested resource.
Reblaze evaluates incoming traffic in a multi-stage process. The stages include the tests defined here for each resource (WAF Policy, ACL Profile, Rate Limits, and Cloud Functions), and other tests as well (Dynamic Rules, Static Rules, etc.) The complete list of tests and their order of evaluation are described in Security Section Concepts.
This section is where security rulesets are assigned to resources within your site, application, API, etc.
Some rulesets are defined within the Security section of the interface: the ACL Profiles, WAF Policies, Rate Limiting, and Cloud Functions. Others are defined farther down on this page, such as the Request Rate Limits discussed below.
Field
Value
Name
A descriptive label that you choose, for use within the Reblaze interface.
Match
Backend Service
An HTTP/S request which passes all tests (as defined in the assigned rulesets, plus other applicable tests such as dynamic rules) will be forwarded to this service.
WAF
ACL
RL
Fn
expand
A button to expand this definition and display it for editing.
To edit a definition, click on the "expand" button at the end of its listing. The following window will appear.
The entries in this window correspond directly to the various fields discussed earlier in the definition listing.
This section configures Reblaze's behavior as the frontend for traffic.
Field
Value
Domain Names
The list of domains that Reblaze will protect.
Client IP Header Name
Defines one or more header fields within which Reblaze can find the client's IP address. When Reblaze receives an incoming request from a client, the request will have passed through a load balancer on its way to Reblaze. This means that the header will contain the client's IP and the load-balancer IP. These two IPs are usually found within the X-Forwarded-For field (which is the default entry here). In this situation, Reblaze knows how to extract the client IP from this field. In other situations, a different field name might be necessary. For example, if the Reblaze customer is using Akamai CDN, the incoming request will have the client IP in a field named True-Client-IP instead.
Challenge Content-type
The Content-Type entity header of the response when a challenge is executed.
Challenge's cookie domain
Defines the domain you want Reblaze to use when setting a challenge cookie. The default value (“$host”) tells Reblaze to use the domain being accessed by the user.
Mask Post Args
Defines the argument names which contain sensitive data, and therefore will not be saved in log files. Common examples of this are payment details and credit card numbers.
This section (shown above in the previous screenshot) configures Reblaze's communication with the backend.
Field
Value
Proxy Connect Timeout
The time (in seconds) for Reblaze to wait, before treating a connection with the backend as having failed.
Proxy Send Timeout
The time (in seconds) for Reblaze to wait, before treating a data transfer attempt to the backend as having failed.
Proxy Read Timeout
The time (in seconds) for Reblaze to wait, before treating a downstream (toward Reblaze) data transfer attempt as having failed.
Backend Service Host Header
Defines the value of the Host header passed to the backend. The default value (“$host”) sets it equal to the Host header in the incoming request.
Real IP Header Name
Defines the field name that contains the client's IP address. Reblaze is a proxy, and it passes incoming client requests to the upstream server. This means that the server will receive request headers which contain Reblaze's cloud IP address as the "client" IP. This is not useful; almost always, the server will need the IP of the actual client instead. To facilitate server logging, analytics, and so on, Reblaze adds the IP address of the originating client to the headers that it sends to the server. The Real IP Header Name defines the name of the field within which this information is passed.
This section lists the signatures of recognized applications and available remote profiles.
App Signatures lists the SHA-256 digests of recognized certificates.
To find the signature for an iOS app, you can open the Apple Development Certificate in the Keychain app, and copy the SHA-256 fingerprint. Alternatively, you can extract this fingerprint from the ipa bundle.
For Android app, you can get the SHA-256 fingerprint from the keystore or extract it from a signed APK with the apksigner tool (part of the Android SDK). See detailed instructions here.
When uploading the fingerprint to the Reblaze Console, the spaces and colons will be removed for you, and the hexadecimal characters will be converted to lowercase. Other symbols are not allowed.
Any number of signatures may be 'Active' at given time. During testing, you may allow running the app on Simulator (iOS) or Android Emulator. These generate a special signature: "abadbabe"
. Make sure that this is disabled on Production.
Profiles is a list of remote configurations, which contain settings that can override the parameters of the SDK on all mobile clients. The Default profile is always empty, and when it is active, the SDK parameters are fully determined by the app local configuration. Only one remote profile may be active at given time. The profile is stored as a JSON string. Correct JSON syntax is enforced, all strings must be "quoted". For further discussion of remote configurations, please consult your Mobile SDK Developer's Guide.
Grace period defines the allowable time between the timestamp of a request and the time that Reblaze receives the request from the application. Requests with a longer delay will be rejected.
Token Header Name determines the name of the header that contains session or user authentication token. With the new versions of Mobile SDK, it can be empty. This name should match the tokenHeaderName configuration parameter.
Support for old versions of Mobile SDK is disabled by default, but if your app has not fully migrated to Mobile SDK v2.0, you can enable backwards compatibility:
Field
Value
Secret
When a mobile application sends requests into Reblaze, it includes a secret value in each call that will be used as part of the client authentication process, to verify that the requestor is a legitimate human user. This field allows you to specify that value.
Variable Name
Hashing mechanism
To be edited only with the help of support.
Grace Period
Defines the allowable time between the timestamp of a request (provided in the Grace variable name, below), and the time that Reblaze receives the request from the application. Requests with a longer delay will be rejected. This will prevent replay attacks.
Grace variable name
The name of the header, cookie, or argument used to transmit the request's timestamp.
Documentation for the old versions of Mobile SDK is available here. Note that the Grace Period field is read-only; it only reflects the global setting above.
This section defines several types of limits: Timeouts, Size Limits, and Request Rate Limits.
The Timeout settings allow the system to monitor the time required to serve resources to each client. Any connection that exceeds the specific limits will be dropped.
Why timeouts are important
Some DDoS tools (e.g., R-U-Dead-Yet, or RUDY) send a relatively small quantity of traffic requests, but do so as slowly as possible (often with each byte sent separately). While a legitimate request can be resolved in milliseconds, a single RUDY machine can tie up server resources for several minutes. Even a few hundred of these machines attacking your server can be very destructive.
The Timeout settings allow Reblaze to block unresponsive requestors, whether their unresponsiveness is malicious or not. For most Reblaze deployments, the default timeout settings work very well. They are sufficient to filter out hostile traffic, while still accommodating even those users with low bandwidth.
All times are specified in seconds.
Parameter
Timeout
Client Body Timeout
If the body is not obtained in one read-step, this timeout begins. If the timeout expires and the client has still sent nothing, the Reblaze Gateway returns error 'Request time out (408)'.
Client Header Timeout
How long to wait for the client to send a request header.
Keepalive Timeout
The timeout for keep-alive connections with the client. The Reblaze Gateway will close connections after this time. This setting increases server efficiency; it allows the server to re-use browser connections and save resources. When changing this value, special care should be taken; in some cases, it depends on specific cloud vendor and load balancer settings.
Send Timeout
Specifies the response timeout to the client. This timeout does not apply to the entire transfer but, rather, only between two subsequent client-read operations. Thus, if the client has not read any data for this amount of time, the Reblaze Gateway shuts down the connection.
You can place limits on the amount of data that users can upload to the system. The defaults usually work well; however, if your application accepts user-generated content or other large files, then changes to these settings might be necessary.
Please note that if you increase these settings within Reblaze, then the upstream server should also be configured to accept and store the quantity of data that Reblaze will (potentially) pass through.
Size
Functionality
Client Max Body Size
Specifies the maximum accepted body size of a client request, as indicated by the request header Content-Length. Size in MBs.
These settings allow you to limit the amount of resources consumed by an IP address. Reblaze can limit consumption by the average number of requests per second, while also allowing temporary bursts at a higher rate.
When a requestor exceeds any of these thresholds, subsequent requests will be answered with error code 503 (Service Unavailable).
Note that this rate limiting is a global metric; it applies across the entire application. For example, if one IP address is submitting requests to multiple URLs within a web application, all the requests are combined when determining if rate limits have been violated.
Request Rate Limits are active even when the domain is in Report-only mode.
IP Parameter
Functionality
Global Limit - Requests per second per IP address
Sets the allowable request rate per IP, per second: i.e., the allowable per-second average of incoming requests, enforced on an incremental basis (where "increment" refers to the number of milliseconds allowed for one request).
Example: This is set to 100. Thus, 100 requests are allowed per second. However, the system does not enforce rate limits on a per-second basis; it used a granularity of milliseconds. Therefore, it will allow one request every 10 milliseconds. (100 r/s, divided by 1000 ms/s, equals 1r/10ms.)
Global Limit - Burst for request per second per IP address
Sets the allowable additional burst rate per IP, per second.
Example: Let's say that the previous field (Global Limit - Requests per second per IP address) is set to 100. Without burst limits—i.e., if this field were set to zero—the system will reject every request that was received less than 10ms after the previous one. However, the burst limit is set to 20 instead. This means that Reblaze will accept 21 requests (1 original plus 20 additional) per 10 milliseconds. In other words, when a request is received, up to 20 more can be received and accepted within the following 10 ms. If instead 25 total requests are received during that time, the last four requests will be denied with a 503 error.
Reblaze can track a session by using a header, argument, or cookie. This parameter allows you to specify which one to use.
Size
Functionality
Session Key
Specified as header_YOURHEADERNAME, arg_YOURARGUMENTNAME, or cookie_YOURCOOKIENAME.
This section is for advanced configurations only. To use it, please contact support.
To delete the current site or application being displayed on the page, enter its name into the textbox and click on the Delete site button. Note: this action cannot be undone.
Before deleting a site from Reblaze, you should change your DNS settings to reroute your traffic, and then wait for the changes to propagate. Otherwise, Reblaze will still be receiving traffic, but the traffic will no longer be passed upstream to your server.
Administering your entire planet
The Planet Overview page enables the following actions:
Add and manage a site/application.
Generate an SSL certificate for a site/application using the Let's Encrypt service.
Note that in the discussion below, "site" and "web application" are synonymous.
This section allows you to add and modify web applications. It does not provide the ability to delete them.
Deleting a web application is done at the bottom of the Web Proxy page.
Creating a new web application is done in one of two methods:
Via the Create New Site Wizard
Duplicating an existing one, and then editing the one that is created.
Click the button on the right top corner of the table so the popup will appear.
The Create New Site Wizard helps to create a new site with predefined settings. It will have predefined ACLs, Security Profiles, and Rate Limits embedded into the new site and paths, depending on the chosen security level.
Security Level
Preset of settings (ACLs, Profiles, Rate Limits) to protect a new site. See the list of available settings below.
Domain Name
The list of domains that Reblaze will protect. The first domain in the field will be taken as a canonical name for the new site.
Backend Service
Backend Service will be embedded to all default Paths of the new site.
Certificate
An optional specification for an SSL certificate to use for the site. If selected, the certificate must be embedded into a Load Balancer so it will be used as a source for IP to create a DNS record for the new site.
Security levels:
Off
All protection is disabled
Low
DDoS Protection
Medium
DDoS Protection
Injection Proof
High
DDoS Protection
Injection Proof
Session hijacking
Credentials stuffing
Brute force
Enumeration (mapping)
Paranoid
DDoS Protection
Injection Proof
Session hijacking
Credentials stuffing
Brute force
Enumeration (mapping)
Bot mitigation
The available protection components are:
DDoS Protection
Volumetric distributed denial of service protection
Injection Proof
Malicious code injection, signatures filter protection
Session hijack
Control sessions (cookie/header/key) from unauthorized access
Credentials stuffing
Automated login requests, usually based on a list of stolen account credentials
Brute force
Attempts to guess an account and password/passphrase
Enumeration (mapping)
An attempt to guess and map valid user accounts
Bot mitigation
Detect and mitigate bot activity
After the site is created the page will be redirected to a Web Proxy editing form.
Select an existing site that is the most similar to the one you want to add.
Select its "Duplicate Application" button.
This will clone the site and create a new one with identical settings, which you can then edit.
Clicking on a site's name will open it in the Web Proxy page, where it can be edited.
Reblaze integrates with Let's Encrypt to provide free SSL Certificates.
By clicking on the "Generate Certificate" button at the end of an entry in the site list, you can:
Generate a new certificate without attaching it to a site
Generate a new certificate and immediately attach it to a site. If the site has an existing certificate, it will be replaced by the new one.
In either case, this is the dialog you will see:
Just choose the button for the activity you want.
This section describes best practices for some common tasks.
Purging of caches
Sometimes it is beneficial to purge a Content Delivery Network (CDN) cache. Reblaze provides this ability on this page.
You can purge a single cache or multiple caches, across one CDN or multiple CDNs simultaneously. Both AWS and GCP CDNs are supported.
Once initial configuration is complete, purging becomes available on this page.
The top part of the window shows a list of caches to purge.
To add an entry:
Select the + button.
In the Path field, enter a relative path (such as /*
) or a fixed path (such as /static/image.png
). If you leave this field empty, all caches will be purged.
Select the add button at the end of the entry.
When the cache list has at least one item, the Purge button becomes available.
When there is more one CDN provider configured, by default Reblaze will purge all of them.
If instead you wish to select a certain CDN provider, check the Select CDN manually checkbox. A dropdown list will appear where you can select the provider.
Selecting the Purge button will send purge commands to the selected provider(s). The cache list will be moved to the PURGE STATUS list at the bottom of the window, and the status for each purge will be shown.
The completion time will vary by the provider. To update the statuses in the list, select the Refresh control at the top right of the list.
Once you have launched a purge, you can exit this page. The purge(s) will run in the background; you do not need to wait here for them to complete.
The entries in the status list will be retained for one week.
Whole planet settings
The Global parameters are planet-wide settings. This page has two sections: Site Settings and Notifications and Alerts.
There are global settings that will be applied to all Sites.
Trusted Sources
The ranges of IP addresses which are trusted for providing forwarded IP addresses: for example, the load balancers in front of Reblaze, or the CDN.
In addition, a cumulative report of the previous week's violations can be sent to one or more email addresses.
This section defines one or more Notification Groups for these notifications. Clicking on the "+" button on the right will display this dialog:
The settings for a Notification Group are as follows.
An existing Notification Group can be edited by clicking on its listing, or deleted by clicking on the trash button at the right end of its listing.
Whenever you change the configuration of the Reblaze platform, you must save your changes, and in almost all cases, you must publish them to the cloud as well.
If you do not save your changes, they will be lost when you go to a different page within the user interface. You will not be prompted or asked to confirm the abandonment of your changes.
The Publishing process checks the saved changes for errors. If no errors are found, they are pushed to the cloud.
The Reblaze interface has several ways in which to save changes.
In many places, this button appears on the upper right part of the screen:
In other places, the Save functionality is part of a pull-down menu, which is designated by three vertical dots:
Remember that you must select Save Changes, in whatever format the button is offered, whenever you make any edits within the Reblaze interface.
Also remember that in almost all cases, Save Changes only saves your changes within your local session. To push them to your planet in the cloud, you must Publish Changes as well.
In all other cases, after Saving your changes, you will also need to Publish them, which will push everything to the cloud.
Rather than trying to remember which activities require publishing and which do not, it is best to get into the habit of always Publishing after Saving.
In some cases, choosing the Save button will be followed by an immediate prompt to Publish. In other cases, it will not, but Publishing is still required. Again, it is recommended that you adopt the habit of always Publishing after Saving.
Publishing is done on the Planet Overview page, via the button on the upper right. The outcome will appear on the screen once it is complete.
As described in , out of the box Reblaze includes an Active Challenge process. This is very useful in distinguishing humans from bots.
Active Challenges work well, but an even better option is Passive Challenges.
Active Challenges temporarily redirect the user's browser. This can affect site metrics gathered by products such as Google Analytics. (Specifically, the initial referrer information is lost.) Passive Challenges are simple pieces of Javascript. They do not redirect the user's browser; they merely ask it to solve a challenge, and then insert the Reblaze cookies.
Active Challenges will not occur when site content is served from a CDN. Passive Challenges can still detect bots in this situation.
Most importantly, Passive Challenges allow Reblaze to use Biometric Bot Detection—an advanced and sophisticated means of distinguishing humans from automated traffic sources.
With Biometric Bot Detection, Reblaze continually gathers and analyzes stats such as client-side I/O events, triggered by the user’s keyboard, mouse, scroll, touch, zoom, device orientation, movements, and more. Based on these metrics, the platform uses Machine Learning to construct and maintain behavioral profiles of legitimate human visitors. Reblaze learns and understands how actual humans interact with the web apps it is protecting. Continuous multivariate analysis verifies that each user is indeed conforming to expected behavioral patterns, and is thus a human user with legitimate intentions.
We recommend that all customers enable Passive Challenges if it is possible to do so. Biometric Bot Detection provides much more robust detection of automated traffic than is possible without it.
Implementing Passive Challenges is simple. Place this Javascript code within the pages of your web applications:
The code snippet can go into the header or at the end of the page. The best practice is to place it within the header. This ensures that subsequent calls contain authenticating cookies.
(This matters for the first page served to a visitor. Subsequent pages will already have the authenticating cookies to include with their requests.)
Most customers set up the code snippet as a tag within their tag manager. This makes it simple to install it instantly across their entire site/application.
If desired, the script code can include async
and/or defer
attributes:
These usually are not necessary, and their effect will depend on the placement of the script within the page. Their use is left to your discretion.
To test the implementation, use a browser to visit a page containing the Javascript snippet. Once it runs, the browser should have a cookie named rbzid.
There are two primary situations where customers sometimes want to disable Active Challenges:
When a customer needs site analytics to correctly reflect all referrers. (Active Challenges can interfere with this.)
Other than those situations, Active Challenges can be very beneficial.
We recommend that you keep Active Challenges enabled if possible. They automatically eliminate almost all DDoS traffic, scanning tools, and other hostile bot traffic.
If you wish to turn off Active Challenges, do the following.
For an entire site/application: remove the "Deny Bot" ACL Policy from all Profiles within the site.
For specific traffic sources: Add an ACL Policy that will 'Allow' those specific requestors. The requestors should be defined as narrowly as possible.
Turning off Active Challenges will disable the direct blocking of bots (where a requestor is blocked merely for being identified as a bot). However, automated traffic will still be excluded via all other relevant means.
If you have not enabled Passive Challenges (and successfully tested them), disabling Active Challenges is not recommended.
Changing user settings
The Account Settings page allows you to manage your Reblaze user accounts.
From this tab, you can reset your password, name, and phone number.
Reblaze uses 2FA (two factor authentication). There are several options for sending an OTP when you login:
If only an email address is provided, the OTP will be sent via email.
If a phone number is provided, the OTP will be sent over SMS message.
This tab also offers a personal API key, to be used in all requests to the Reblaze API.
This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.
An admin can:
Create a new user
Edit an existing user
Reset a user's password
Delete a user
When a user account is being edited, this will appear:
The available Access Levels are:
Organization Admin: has all Editor permissions, and can also manage users via the Users Management page.
Reblaze Admin: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.
This tab allows SSO to be configured so that users have the ability to log into Reblaze with their Okta or Microsoft accounts.
Configuration options will vary depending on the type of account.
Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active
Click Add Application
→ Create New App
Choose Platform: Web
, Sign on method: SAML 2.0
Single sign on URL:
RBZ_SSO_ASSERTION_URL
env var. Value should look like: https://{CUSTOMER_DOMAIN}/sso/saml20/signon
.
Audience URI (SP Entity ID):
RBZ_SSO_AUDIENCE_URL
env var. Value should look like: https://{CUSTOMER_DOMAIN}/sso/saml20/audience
Attribute Statements:
emailaddress: user.email
displayname: user.firstName + " " + user.lastName
groups: appuser.rbzgroups
In order to pass Admin group ID we need to add custom attribute to the user groups. Directory > Profile Editor > Apps > Click on Profile
Next step will be to map it.
Directory > Profile Editor > Apps > Click on Mappings
4. Assign the application to users
Create user groups for two possible access levels: Admin and Read-Only access.
Assign users to it. Group name is the string you need for RBZSSOSAML2_ADMINGROUP
or place the group name into the Reblaze console SSO settings.
And in your just-created Application settings:
On the assignment step, a value will be required for the custom attribute which we configured before. For the admin group the value will be same as on RBZSSOSAML2_ADMINGROUP
, while for the read-only group value it can be anything else.
RBZ_SSO_IDP_ISSUER
:Go to Applications, choose yours, Sign On
tab, click on View Setup Instructions
There you'll find Identity Provider Issuer:
2. Choose + New Application
→ + Create your own application
:
3. Choose option Integrate any other application you don't find in the gallery (Non-gallery)
(this option will create SSO app):
4. Go to Single sign-on
section and choose SAML
:
5. Set up appropriate links:
RBZ_SSO_IDP_ISSUER
should be provided by a customer and have to be unique for the customer’s SSO applications. The best option is to just use something like: customer_domain.com?sso=123
. (the IDP Issuer field (in the console) should be identical to the Identifier field (in Azure)and should be inserted without "https://")
6. Get Metadata XML link and add to RBZ_SSO_META_URL
environment variable:
7. Setup user.groups
in User Attributes & Claims, so it send all groups related to the user:
Click on “+ Add a group claim”, choose:
All groups
Source attribute: Group ID
8. Add a user as a member of the application:
9. Get admin group ID from Azure and put it into RBZ_SSO_ADMIN_GROUP
environment variable:
Go to Azure Active Directory
→ Groups
, create a group.
Object ID
is the string you need for RBZ_SSO_ADMIN_GROUP
or place the group ID into the Reblaze console SSO settings:
And assign a user to the group:
This field is populated when this certificate is chosen for use in the section.
To remove a Service from Reblaze, click on the button at the top of the window.
When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. Example: "10s" indicates a fail timeout of 10 seconds. This field uses .
This is the default. Requests will be distributed across the endpoints in a round-robin fashion, according to the Weights assigned to them (described above in the ).
An expression for the resource's location, expressed as PCRE (Perl Compatible Regular Expressions). This entry uses .
The applied to this resource. Its name will be displayed in green if it is active; if displayed in red, it is currently disabled.
The applied to this resource. Its name will be displayed in green if it is active; if displayed in red, it is currently disabled.
The number of assigned to this resource.
The number of assigned to this resource.
To add a resource definition, click on the "expand" button in an existing definition. Within the window that appears, click on the Fork Profile button.A new definition will be created for editing.
To delete a definition, expand its listing. In the window that appears, select the Delete button.
The name of the header that carries the user authentication token. It can not be empty. For more information, see .
Initial configuration of the CDN provider(s) within your planet is done by Reblaze personnel. Please for assistance with this.
In the Host field, enter the domain. If you leave this field empty, all hosts (i.e., all sites/applications shown in the ) will be purged.
When a is violated, Reblaze can send immediate alerts to a list of one or more email addresses, SMS numbers, and hooks (e.g., Slack).
When editing , saving your changes will apply them to your planet.
For API endpoints. Active Challenges are designed to verify the client's browser environment; for most API calls, there is no browser environment to verify. (For users of our , this is not a problem. They can still use active challenges for these endpoints.)
For specific URLs/locations: remove the default "Deny Bot" from all that are assigned to those locations.
If you merely remove the Deny Bot ACL Policy from the relevant Profiles, then bots will still be excluded by the other active , , , and so on. If instead you added an "Allow" ACL Policy to specific requestors, then other ACL Policies will not block those requestors; they will be exempted from ACL Policy filtering.
As an alternative, you can also get a QR code for use in apps such as Google Authenticator (available for both and ).
Viewer: can see the section, i.e. the Dashboard and View Log.
Editor: has all Viewer permissions, and can also configure security rulesets and policies in the and sections.
Add the URL to the XML metadata file to the RBZ_SSO_META_URL
env var (and/or for Provider URL field in admin)
The URL example:
1. Go to → Enterprise applications
Setting
Description
Group Name
A name you choose for display in the Group listing.
Sites
The site(s) for which alerts will be sent.
Rules
The Dynamic Rules which, when violated, will trigger alerts. When more than one rule is included, a violation of one or more will trigger the notification.
Alerts
Information for the recipients of alerts: their email addresses, hooks, and mobile numbers for SMS messages.
Reports
Email addresses for the recipients of cumulative weekly reports.
Sometimes a customer wishes to "attack" an application or server as part of a loadtest. Under normal circumstances, Reblaze would prevent this, because it would enforce rate limits and block the excessive requests from reaching the upstream network.
The test can be accomplished by creating an ACL Policy which allows the source IP (or range of IPs), then naming that ACL Policy with a suffix of "OC." (For example, the ACL Policy might be named "Loadtest OC.")
As discussed in the Special ACLs section, the "OC" suffix means that the IP will not be subjected to normal rate limit testing. This allows that IP to generate a large amount of traffic, which will be passed through upstream without being filtered by Reblaze.
Web clients can cache resources from a server. Afterwards, a client can access its local cache, which reduces the number of requests sent to the server.
Servers can instruct clients to implement caching in certain ways. Servers can also set separate caching policies for any intermediary proxies in-between the server and the client.
Reblaze is a proxy between the clients and the backend. When the backend responds to clients, the outgoing responses pass through Reblaze. You can instruct Reblaze to preserve or alter the caching instructions in those responses.
This can be done through Cloud Functions. A future update will provide multiple cache policy templates. Meanwhile, if you need immediate assistance in customizing Reblaze's caching behavior, contact support.
The Quarantine section shows a list of traffic sources (i.e., sources of incoming requests) that are currently banned, blacklisted, and whitelisted.
A traffic source is banned automatically when it violates a Dynamic Rule. You cannot manually ban a requestor.
However, you can accomplish the same effect by blacklisting the requestor. Instructions are here.
You can manually remove a requestor from the Banlist or Blacklist. Instructions are here.
Whitelisting a traffic source will make it exempt from Dynamic Rules. Instructions are here.
Leveraging Reblaze's traffic data
A typical security solution provides information about the traffic that it has blocked. Contrary to this, Reblaze shows all of the traffic that it receives.
This provides you with a powerful ability to dig into your traffic data and gain deep understanding about the nature and disposition of incoming requests.
Metrics about blocked requests are very useful, but their usefulness is multiplied when you can compare them to passed requests. By showing all requests, Reblaze allows you to understand what "normal" requests look like. This gives you more insights into abnormal traffic.
The discussion below assumes you have already read the best practices for using the Reblaze Query Box.
Reblaze provides multiple ways to view your traffic. The discussion below will focus on the View Log. Similar tactics can be applied when viewing different parts of the Dashboard.
Sometimes the View Log is used to answer a specific question about a request or a traffic source. At other times, it might be a more general exploration; for example, a beginning-of-the-day review of what happened over the last 24 hours.
Let's discuss the latter scenario (a general exploration). Because the View Log shows all requests, it can be overwhelming. It's helpful to start by excluding requests that aren't as relevant to your current purpose. Examples:
Exclude passed requests, and show only the challenges or blocked requests: reason:challenge
(to show only challenges), or is:blocked
(to show only blocked requests).
Exclude requests being rejected by the origin (i.e., the upstream server): reason:!by origin
Exclude requests from a banned IP: ip:!1.2.3.4 .
Another approach: reason:!autoban/etc.
Exclude requests that are obviously invalid, e.g. those with unrecognized host headers.
Eventually, you can filter the display down to a list of challenges or blocked requests that might produce some insights.
From this point, you are looking for possible patterns, or unusual outliers, and considering possible actions to take. For example:
Are there a lot of requests for a Wordpress file, but your site does not use Wordpress? These are coming from malicious traffic sources. It might be useful to set up a Dynamic Rule, e.g. to Ban requestors who submit more than one request for that file in a three-minute period.
Is the same IP failing multiple challenges? It might be interesting to filter on that IP only, and go through all of its activity, to see what that traffic source was trying to do. (You can see that a challenge is being failed when the challenge itself appears in the logs, but it is not followed by a successful request by the IP for the same URI.)
Are there many blocked requests for the same URI, but from different traffic sources? This might be a False Positive alarm. See below for more on this.
There is no set procedure for this process. Essentially, you are browsing the list of challenges or blocked requests, thinking about why you are seeing the entries there, and asking further questions.
Sometimes, request data will be encoded. Here's an example of a XSS attempt.
The script in the request is HTTP encoded. To see it in plain text:
Double-click on the reason (the yellow label beginning with XSS).
The full contents of the label will appear in the query box, decoded.
For some forms of encoding, more processing is required.
Reblaze does not perform all possible forms of decoding in the interface.
Double-encoded requests will only have their first level of encoding undone.
In these cases, you can highlight the string in the query box, copy it, and run it through decoding tools. (For example, http://0xcc.net/jsescape/.)
A “False Positive” (FP) alarm occurs when a security system misinterprets a non-malicious activity as an attack. These errors are a critical issue for cybersecurity.
Although it might seem that FP errors do not necessarily have serious consequences, incorrect security alerts can lead to significant monetary losses. For example, an e-commerce site might incorrectly exclude real online shoppers. Or, it might reject "good" web crawlers, which would reduce its Internet visibility.
FP diagnosis is often done when Reblaze is first deployed, before it has been fine-tuned for the customer's applications. It can also be done later, when you discover that certain requests are being blocked, but you do not understand why.
When examining blocked request(s), it can be helpful to ask questions such as the following.
Sometimes an application will expect and accept inputs that Reblaze blocks by default. Example: the site might use a CMS which accepts HTML/Javascript POST requests. However, out of the box, Reblaze is often configured to block requests containing POST. Thus, Reblaze would need to be re-configured to match the application it is protecting. (In this example, it's a simple toggle switch in the WAF/IPS Policies interface.)
If the range of valid inputs has changed, but Reblaze was not re-configured, then FP errors can result.
Is the block happening to multiple users?
If a single IP is being blocked, but other requestors for the same URI are being allowed through, the block is more likely to be the correct response to this IP's request. This is especially true when the single IP has attempted other questionable activities.
Conversely, if multiple requestors are being blocked, and they seem to be innocuous otherwise, this indicates the problem might be a FP.
There are some situations where a request is blocked even though Reblaze has no obvious reason to be blocking it. This can occur when Reblaze is not actually the entity making the decision.
The upstream server can reject requests. These requests can be displayed in the View Log withreason:by origin
as the filter.
Reblaze can use ACLs with external sources of information, e.g. Spamhaus. Example: a request is blocked with a reason of acl-ip
. The reason indicates a Reblaze ACL blocked the request because of its IP—but what if you didn't configure any ACLs to reject specific IPs? The answer is that there are several ACLs which rely on external lists of hostile IPs, such as Spamhaus DROP and eDrop.
Example: a web user visited a landing page, entered contact details into a form, and then tried to proceed to the next page. However, the request to proceed was blocked.
This could be a FP due to "junk input." Perhaps the user entered a phone number of "1111111111" and it was rejected by the upstream application. Or perhaps the page itself autocompleted a field and inadvertently created junk input on its own.
If requestors are being blocked for violating rate limits, and the rate limits are very stringent, then perhaps the limits are too tight, and they need to be relaxed.
Or, perhaps the block is the result of content filtering. This feature is powerful, and it is possible to mistakenly configure it to be too restrictive.
Example: requests are being blocked because of a Custom Signature (reason:acl-custom-sig
).
Looking up the custom signature shows that its "Is matching with" condition is the following regex:
(?i)(select|create|drop|\<|>|alert)\W
The admin wrote this regex in order to identify SQL injection attempts (i.e, SELECT, CREATE, and DROP commands. Normally SQL and code injection attempts are blocked automatically by the WAF, but occasionally customers choose to disable this).
Now let's examine one of the blocked requests in the View Log. Its Capture Vector is this:
https://www.pinterest.com/pin/create/button/?url=https%3A%2F%2Fexample.com%2Fpitbull-2012%3Frt%3Dstorefront%26rp%3Dpitbull%26rn%3DPitbull%26s%3Dhanes-S04V%26c%3DBlack%26p%3DFRONT&media=&description=
This can be decoded with a tool such as http://0xcc.net/jsescape/. It now becomes this:
https://www.pinterest.com/pin/create/button/?url=https://example.com/pitbull-2012?rt=storefront&rp=pitbull&rn=Pitbull&s=hanes-S04V&c=Black&p=FRONT&media=&description=
Now let's see why the regex condition matched the request. On https://www.debuggex.com/, it's possible to paste in regex and a string, and see if/where a match occurs.
Notice the highlighted (in yellow) part of the string in the bottom textbox. This shows which part of the bottom string matches with the regex in the box above it.
We see that the expression that was meant to identify an SQL command of CREATE, is also matching with the URL generated by a user who was trying to feature this site's product on Pinterest.
This indicates that the regex should probably be modified, so that it only accomplishes its intended purpose. In this example, it could be modified as follows:
(?i)(\sselect|\screate|\sdrop|\<|>|alert)\W
This would require a space to be found before each potential SQL command, thus eliminating matches when those words are found in a URL.
As mentioned earlier, there is no set procedure for the process of identifying the underlying reasons why requests are blocked. It requires digging into the requests, gathering data, and asking questions.
Hopefully the examples above are helpful in illustrating the necessary thought process, and some of the tools that are available.
A task-based FAQ
This section answers questions that often arise about using Reblaze.
How to filter results
The Reblaze query command box allows you to query the data in order to present only the records that you want. The structure of a filter is operator:value.
For example, to view only traffic from IP 10.11.12.13:
ip:10.11.12.13
An exclamation mark ("!") can be used with various filters as a "NOT" operator. So, to exclude requests from an IP, add "!" as a prefix:
ip:!10.11.12.13
Note that filters can be combined to fine-tune a search, by chaining them with a comma. For example, in order to show all traffic from France that was blocked:
country:France, is:blocked
The fastest way to build query strings is to double-click on labels of existing log entries. This will add the value of each label as a filter to the query box. When you have constructed the entire query string, click on the search button, or place the cursor into the text field and hit "Return" on your keyboard.
For example, when looking at this entry for a blocked request (the IPs have been censored for privacy reasons):
Let's say you wanted to quickly see what other requests produced a 403 error that came in from the United States on a cloud IP. Double-clicking on the "403" label, the "United States" label, and the "Cloud" label builds the query string for you automatically:
Then select the "search" button, or place the cursor within the query box and hit "Return" on your keyboard, to process the query.
In some situations, this technique has limited usefulness. In the example screenshot above, double-clicking on the label beginning with "XSS" would add a (very) long filter string to the query, because that label contains the full script from the injection attempt (although the label itself only displays the first few characters in the interface).
If this is what you want (perhaps you need to search only for logged requests which contain that exact script), then this is effective. But if you wanted to build a more general query, then this is not useful.
A better approach is to choose a representative substring.
Queries can be based on substrings. Internally, Reblaze executes a "contains" search, so queries will return everything that contains the string that was specified.
In some situations, you'll want to build queries that produce exact matches. But in many other situations, it's faster just to search for a relevant substring instead.
Examples:
reason:XSS
will show all records with "XSS" in their reason label.
url:login
will include all URLs that include "login".
ip:191
will display all IP addresses containing "191".
Regular expressions can be applied to the filter value to make the search more accurate. The regex matching is done by wrapping the search value with re(REGEX here). Examples:
is:re(200|401)
ua:re(iOS!iPhone!iPad)
If you wish to display login requests with method “POST” which were blocked, but not by the origin (upstream server):
url:/login,is:POST,is:blocked,is:!origin.
This displays those requests which produced 502-504 error codes:
is:re(502|504)
This displays the requests that contain a specific value in an argument:
arg_name:text, arg_value:free_text
Name
Explanation
After
Log records registered after a given date and time.
Before
Log records registered before a given date and time.
arg_name
Search for an argument by name
arg_value
Search for an argument value
asn
Autonomous System Number for the IP
city
Abbreviation for the country. Example: "US" for the United States.
country
Name of the country
cookie_rbzid
Reblaze ID cookie value (base64)
cookie_name
Search by cookie name
cookie_value
Search by cookie value
domain_name
The main domain name in Reblaze (not necessarily the actual Host header).
ext
File extension
header_name
Name of header
header_value
Value found in header_name
host
HTTP Host header: usually, the domain name of the application.
id
Reblaze unique request ID.
ip
IP address of the web client.
is
IS is a special operator that can be used for almost all attributes of a request. It can be used to filter a certain HTTP method, "flags" and protocol version. For instance, to get blocked POST requests made by a human, type: is:blocked, is:human, is:post.
mime
Multipurpose Internet Mail Extensions
origin
The IP address of the origin server.
path
The path of the request (the URL without the query string part).
proxy
The IP address of the particular Reblazer server.
rbzid
Hash value of Reblaze ID cookie value (md5).
reason
Reason the request was blocked or passed.
ref
HTTP referer header.
sslcipher
The chosen SSL cipher.
sslprotocol
The chosen SSL protocol.
status
Response status code (regex is acceptable, e.g. [45]\d\d).
ua
HTTP User Agent header.
upstream_status
Response status code from upstream servers (regex is acceptable, e.g. [45]\d\d).
url
A substring to search for within the complete URL request line (including the query string).
Sometimes ACL Policies can make it difficult to find and block a specific attacker.
For example, let's say an ACL Policy (named "Allow US Traffic") for an ecommerce store allows all traffic originating from the United States. But then an attacker, using an IP within the US, begins to scrape prices and other data from the store.
If an ACL Policy were added to Deny that IP address, it wouldn't work. The hierarchy of ACL Policy enforcement means that the "Allow US Traffic" Policy will take precedence, and the 'Deny' Policy for that IP will never be invoked.
One way to quickly solve this problem is to add an ACL Policy with a name ending in a suffix of "XDeny" (for example, "Block US Scraper XDeny"). As was discussed in the "Special ACLs" section, that suffix moves the ACL Policy to the top of the hierarchy.
Therefore, that ACL Policy will be invoked and enforced for that IP address, and the attacking IP will be blocked, before the "Allow US Traffic" Policy has a chance to grant it access.
Long-term use of this capability is not optimal; using it too frequently can tend to create a collection of ACL policies that is messy, confusing, and difficult to manage. The optimal approach is to use it as a tool for solving a specific problem temporarily, while a robust set of ACL Policies are constructed and tested that will solve the problem correctly.
Blocking requests that do not conform to content policies
There are several ways to filter requests based on their content.
Create one or more lists of content filters in Session Profiling, with appropriate tags.
Create ACL Policies for each tag with appropriate actions (Bypass, Deny, or Allow).
Include the ACL Policies in one or more ACL Profiles.
Include the ACL Profiles in one or more Security Profiles.
Custom Signatures can be used for specifying content restrictions. They are included within ACL Policies, which are used within Profiles, which are assigned to various locations of your site/application on the Web Proxy page.
Args Analysis examines the characters found in arguments. Depending on its mode, it can block requests if unexpected characters are found, or pass them on to the WAF for further inspection. It can also act as an inverse content filter; those requests with arguments which contain only whitelisted characters can bypass WAF filtering.
Custom Signatures and Args Analysis will be deprecated in a future release. For content filtering, it is recommended that you use the first method based on Session Profiling instead.
Often, a web application will use external pages. For example, within digital marketing campaigns, it’s common to use landing pages that are provided by a third-party service.
Since these pages are generally hosted by the service provider, they are not directly protected by Reblaze. However, a customer can still use Reblaze to scrub traffic coming from them, and block hostile visitors from affecting the parent site (i.e., the site/application that is using the third-party service).
For example, bots can stuff false information into landing-page forms and submit it to the parent site. Reblaze cannot prevent the bots from accessing the third-party landing page. However, it can interdict the form submissions, and prevent them from passing through to the parent site.
Most third-party services allow code to be embedded into their pages. The following process takes advantage of this.
Add the following code to the page (ideally and if possible, in the page header):
Explanation:
“www.example.com” is your site.
“pixel-path” is a non-existent path. In other words, the overall address won’t actually resolve to a page or resource within your site.
The purpose of this request is not to return a resource or page; it is merely to trigger a call into the parent site. The call will trigger an active challenge.
If the visitor is a bot, the challenge will fail. Subsequent access attempts to the parent site (e.g., form submission attempts by a bot) will be blocked.
If the visitor is a human, the web browser will receive Reblaze’s authenticating cookies. Subsequent actions by the visitor will include the cookies, and will be accepted by Reblaze.
Note that Reblaze needs to be configured so that active challenges occur on the pixel-path
URL given above.
Reblaze integrates with a wide range of SIEM [Security Information and Events Management] and SOC [Security Operation Center] solutions. Nearly 80% of our enterprise clients stream Reblaze events to their SoC, such as ArcSight, RSA, IBM, and Splunk.
Reblaze sends logs over TLS using the Syslog protocol.
The variety of available integrations makes it impossible to describe the process for each of them here. Our team will assist you with the integration, to ensure your platforms get the relevant information as soon as it becomes available.
To make the connection, Reblaze requires the following:
Destination IP/FQDN
Destination port
Destination's public SSL certificate in PEM format. (To prevent a MITM vulnerability, Reblaze performs SSL pinning.)
Please have this information available when you contact us to begin the integration.
Raw logs are sent in the format described here.
Restricting consumption of resources and rate of requests
Different types of rate limits are defined in different parts of the Reblaze interface.
Static rate limits for each application: Timeouts and request limits per IP are set for each application on the Advanced Frontend Settings on the Web Proxy page.
By location: Rate limits for specific locations/URLs can be created in Rate Limiting Rules and then including them in Security Profiles.
By traffic source: Requestors who are submitting excessive requests across the planet can be banned for configured lengths of time. This can be done via Dynamic Rules.
In some situations, either Rate Limiting Rules or Dynamic Rules could be used. Rate Limiting Rules are the preferable option. They are more powerful, more flexible, and in a future release, they will fully replace Dynamic Rules.
Creating exemptions from rate limits is done differently, depending on the scope of the rate limits being addressed.
Global: Create an ACL Policy with an OC suffix.
By location: Create an ACL Policy with the name "Rate Limit Whitelist". This can exempt any combination of IP, Country, and ASN. The Policy should then be included in a Profile, and the Profile should be assigned to the appropriate location(s) or portions of your site/application. Example:
By traffic source: A traffic source can be exempted from Dynamic Rule filtering either by adding an Ignore parameter to the Rule itself, or by adding the traffic source to the Whitelist within the Quarantine section.
Used in this Product Manual
Acronym
Meaning
ACL
Access Control List
API
Application Programming Interface
ASN
Autonomous System Number
AWS
Amazon Web Services
BL
Blacklist
BQ
BigQuery
BQML
BigQuery Machine Learning
CA
Cloud Armor
CDN
Content Delivery Network
FP
False Positive
GCP
Google Cloud Platform
IPS
Intrusion Prevention System
LB
Load Balancer
ML
Machine Learning
RFC
Request for Comments
SIEM
Security Information and Events Management
SOC
Security Operation Center
TTL
Time to Live
VPC
Virtual Private Cloud
WAF
Web Application Firewall
WL
Whitelist
Log line structure is as follows, note that some fields are quoted and some are not.if we will add more fields in the future, they'll be added on the right side.
Field
Description
remote_addr
Client IP
timestamp
Timestamp
status
Response Status code sent to client
bytes_sent
Number of bytes sent in the response
method
HTTP Request method
request
The complete URL (including the query string)
proto_version
Protocol Version (1.0/1.1)
blocked
Was it blocked by Reblaze?
is_human
Was it marked as human?
block_reason
If blocked / Exceptionally passed - for what reason
geoip_country_name
Country Name
geoip_country_code
Country Code
request_id
Unique ID of this request within Reblaze
captured_vector
The vector attack we captured
request_time
The time it took our system to process the request
upstream_addr
The address of the upstream server(s) reblaze approached
upstream_response_time
The time Reblaze was waiting to the upstream server(s) to return the response
domain_name
The domain name of the server group in reblaze
host
The Host header of this request (same as domain name, or one of its aliases)
referer
The HTTP Referer header
http_user_agent
HTTP User Agent
http_cookie
The Cookie header string
request_headers
Request headers encoded in base6
organization
The complete organisation name owning the IP address
upstream_status
The status code returned by the upstream server
uri
The request URI without query part
hostname
The Proxy (Reblaze) server that process the request.
is_cloud
is_tor
is_vpn
is_anonymizer
is_proxy
rbzsessionid
Reblaze Session ID
request_length
The upload request size in bytes
sent_http_cache_control
The Cache-Control header we sent as part of the response
sent_http_expires
The Expires header we sent as part of the response
cookie_rbzid
Hash of the RBZID Cookie
sent_http_content_type
The MIME - Type (Content-Type response header)
browsersig
A unique signature of the visiting browser (future use)
ssl_protocol
SSL Protocol Version
ssl_cipher
Selected SSL Cipher
cache_status
Upstream Cache Status
anything_else
Future use place holder
Headers are base64 encoded JSON string contains headers names and values.
if we decided to block a request, either by ACL, or WAF/IPS it will be marked as "1" in the blocked field,
as well there will be a description at "block_reason" field.
Note that within the headers, we add an entry for the post_request_body.
This page provides information that will be helpful when setting up a Reblaze deployment. A basic Reblaze deployment can be created without changing these parameters.
Upstream Servers: The list is where you define the servers that Reblaze will protect. In other words, these are the servers to which Reblaze will send the (scrubbed) web traffic it receives.
This list provides robust capabilities for managing your traffic. You can enable and configure load balancing, which will weight and distribute traffic across your primary servers. You can define backup servers, to which Reblaze will failover your traffic when your primary servers aren’t available. You can take servers offline for maintenance by ticking a single box in the interface. You can even tell Reblaze to keep individual users connected to the same server throughout their sessions.
Adding and deleting servers from this list is straightforward. To add a server, enter its IP in the “New Server” box and click Add, then fill out the rest of the information in the new entry. To delete an existing entry, click on the Delete link next to that entry.
Here are explanations for each field in this list.
Host is the IP/FQDN for each server that Reblaze protects. This can be a normal web server, or it can be a load-balancing server. Note that Reblaze also provides load-balancing capabilities in its own right, as seen in the next field.
Weight is the relative weight of each server for load balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights.
For example, let’s say there are two servers in the list, with the weight of each servers set to one. Therefore, these servers will receive equal amounts of traffic. Suppose instead that the first server was set to three, while the second was set to one. This would mean that the first server would receive three visitors for every visitor sent to the second server.
Max Fails is the maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway).
Fail Timeout: When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. In the example, the timeout is ten seconds.
Is Down: When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose.
Is Backup: when this box is checked, Reblaze will treat this server as a backup. In other words, Reblaze will not attempt to communicate with it unless all the primary servers (i.e., those for which this box is not checked) are unavailable.
There are two APIs within Reblaze: the REST API to control the platform programmatically, and the one used internally by the Mobile SDK.
Most hostile bot activity involves headless browsers and mobile phone emulators. To detect these bots, most web security solutions rely on Javascript injection to detect the browser environment.
Unfortunately, these detection methods have become increasingly ineffective. The latest generations of bots use sophisticated software stacks, and they are able to masquerade as humans using normal browser environments.
To identify hostile bots, the Reblaze platform uses a variety of methods, collectively known as Reblaze Client Side Inspection (RCSI). Although Javascript plays a role within it, RCSI as a whole is unlike any other Javascript challenge in use today. RCSI is effective for protecting web applications, services/APIs, and mobile/native applications. (Some of the implementation details differ, depending on the context.)
RCSI detects bots via a multi-layered approach, described on the following pages:
For mobile/native applications, Reblaze authenticates the client itself and all communication with it.
At Reblaze, we provide an SDK (for both Android and iOS) to our customers, who rebuild and publish their applications with the SDK embedded. In use, it signs the application, authenticates the device, and verifies user identity.
All communications occur over TLS and include an HMAC signature (a cryptographic identity mechanism on the client side) to harden communications between the mobile/native application and the microservice/API endpoint. The signatures are non-reproducible, non-guessable, non-repeating (they are unique per session and per request), and are based on dozens of parameters (time-based, location-based, environment-based, and more). They provide a reliable, secure mechanism to verify that the packets are originating from a legitimate user, and not from an emulator or other bot.
Instructions and code samples for the Reblaze Mobile SDK are available here:
When a new user session is initiated, RCSI detects and verifies the authenticity of the environment.
The user’s browser is subjected to several dozen tests, verifying the features known to be supported by that browser. This includes hidden canvases, video and audio in various formats, WebRTC and other advanced networking protocols, screen resolution, and more.
The browser is subjected to an invisible “attack”: subtle errors are injected into the environment, and the browser engine’s reactions are captured and analyzed. Reblaze verifies that the exceptions and error messages are those which should be generated, if the browser is what it claims to be. (It is very difficult for threat actors to spoof this behavior using headless browsers and emulators, since there is an infinite number of possible errors to which any browser can be subjected, and threat actors need to replicate the actual reactions for each possible input.)
The above process only takes milliseconds, and it is completely transparent to the end user.
Once a browser has passed these tests, Reblaze signs it cryptographically. This signature accompanies all subsequent activity.
This process applies to browser-based applications.
It does not apply to mobile/native applications, because there is no browser to detect. For these applications, the environment is verified via the process instead.
Reblaze does not limit its traffic analysis to the user environment and client session. It also performs extensive, continual analysis of the user’s behavior.
Every HTTP request that Reblaze receives is anonymized and then analyzed according to numerous factors, including (partial list):
Device and software data (the user’s hardware, its screen resolution and orientation, the software used, battery level, stack trace, fronts and extensions, emulator detection, window size, hidden iframes, etc.)
User interface and events (mouse/pointer movements, clicks, taps, zooms, scrolls, keystrokes, speed of entry, etc.)
Session data (requests sent, IPs used, timing, frequency, etc.)
Consumption analytics (pages viewed, time spent, resources requested, etc.)
Application-specific events (and other results of user actions.)
Reblaze understands the patterns, typical values, and common relationships of these metrics for legitimate users of each protected application and API. The amount of data that Reblaze processes (over four billion requests per day) is far beyond the capability of human analysts. Therefore, cloud-based compute resources are used, applying Machine Learning in order to recognize patterns that analysts could not have identified on their own, or for which they might not have thought to look.
Reblaze performs this analysis to an extremely granular level: not only per app, but even down to individual pages, screens, and so on. This reveals patterns of behavior unique to that particular context.
Reblaze continually analyzes the activities and behaviors of every requestor in every session. By definition, every hostile user (whether human or bot), must, at some point, deviate from the behavior of a legitimate user. As soon as this occurs, Reblaze blocks that requestor.
Using this approach, Reblaze’s bot detection accuracy is not only high, it is also robust and resistant to reverse-engineering by threat actors. Behavioral profiles are constructed based on private analytics data, and threat actors have no realistic way of obtaining this information.
Biometric behavioral verification is part of the passive challenge process. To enable behavioral analysis, .
used for specifying matching conditions
Within the Reblaze interface, there are several features that require matching conditions to be specified.
The text boxes accept strings or PCRE (Perl Compatible Regular Expressions). If you are unsure of PCRE syntax, you can test your expression at sites such as https://regex101.com, which will show you how it will be parsed.
Below are some examples of syntax for specifying matching patterns.
Functionality
Syntax
Remarks
Match /Images/ or /images/ or /IMAGES/
~* /images/
Case insensitive, regular expression matching.
Match URLs that ends with .DOC or .PDF
~ \.(DOC|PDF)$
Case sensitive, regular expression matching.
Match URLs that ends with .gif or .jpg
~* \.(gif|jpg)$
Case insensitive, regular expression matching.
Match exact URL, e.g. Root / or /admin
= /
or = /admin
Searching stops immediately (this match is top priority).
Match all URLs starting with /documents/
/documents/
System will continue search for a regular expression match. This will be matched only if none will be found.
Prioritize URLs starting with /documents/
^~ /documents/
^~ means - match and halt searching, i.e. regular expressions will not be checked.
Match 'entire site' (anything else)
/
Matches any URL since all begins with "/". However, regular expressions and longer entries will take priority.
A common pattern is for matching all static content. This pattern in full is:
HTTP defines forty standard status codes that can be used to convey the results of a client’s request. The status codes are divided into the five categories presented below.
CATEGORY
DESCRIPTION
1xx: Informational
Indicates that the client's request is being processed.
2xx: Success
Indicates that the client’s request was accepted successfully.
3xx: Redirection
Indicates that the client must take some additional action in order to complete their request.
4xx: Client Error
Indicates an error for which the client is responsible.
5xx: Server Error
Indicates an error for which the server is responsible.
Below are examples of the most common HTTP codes you will encounter in the logs:
HTTP Code
Description
200
OK: the standard response for successful HTTP requests.
301
Used for URL redirection
400
Bad Request
401
Unauthorized—authentication has failed
403
Forbidden—request refused by Reblaze or origin server
404
Destination not found
405
Method not allowed
408
Request timeout
413
Payload too large
414
Request-URI too long
444
No Response (nginx)
499
Client Closed Request (nginx)
500
Internal Server Error
503
Service Unavailable—Server is unable to handle the request
505
HTTP version not supported
Specifying Time-To-Live values.
The following table includes a list of TTL expressions:
Custom expiration syntax examples
Description
30m
Expires after 30 minutes.
24h
Expires after 24 hours.
5d
Expires after 5 days.
1w
Expires after 1 week.
3M
Expires after 3 months (3*30 days).
1y
Expires after 1 year (365 days).
modified +24h
Calculate 24 hours since modification time, and set expiration accordingly.
The Reblaze system blocks traffic if it matches configured WAF signatures, exceeds triggering thresholds, matches ACL rules, or violates RFC specifications. When a blocking event occurs, Reblaze reports it according to reference IDs.
The reference IDs are listed below, categorized into groups according to their description. In some cases, external links are included with more details on the specific type of attack being described.
OSCI attacks are aimed at the operating system. The attacker seeks to manipulate the operation of the system, or to take control completely. For example, an attacker might attempt to get the content of OS files such as /etc/shadow. An OCSI attack can be included in the request headers, arguments, or cookies. More details on this type of attack can be found on the OWASP website.
Reblaze reference ID 400000-499999
RFI attacks target applications that allow scripts to be included in files. These attacks are typically used for planting backdoors. Here's an example of an RFI attack using PHP.
Reblaze reference ID 300000-399999
An LFI attack is similar to RFI, but it includes one or more local files instead of remote links. The attacker seeks to upload a file to the server. Read more about LFI.
Reblaze reference ID 300000-399999
Threat actors use SQL injection to attack databases by executing SQL commands. SQLi is a common attack, with many possible ways for attackers to exploit vulnerabilities. Read more about SQLi.
Reblaze reference ID 1000000-1999999
XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted sites and applications. Read more about XSS.
Reblaze reference ID 2000000-2999999
Many attacks take advantage of vulnerabilities in the OS or in the targeted application, without falling into one of the more prominent categories. Reblaze classifies them into this “generic” category.
Reblaze reference ID 3000000-3999999
This signature refers to a violation of HTTP protocol RFC-2616. For example, the RFC requires requests to contain a content-length header; a request that does not include one violates the RFC.
Reblaze reference ID 3000000-3999999
This signature refers to the recognition of user-agent headers of known attack tools and applications: for example, the “Grabber” vulnerability scanner.
Reblaze reference ID 3000000-3999999
This attack is sometimes referred to as Direct Dynamic Code Evaluation. It exploits an application that does not properly validate user inputs. More information can be found at OWASP here.
Reblaze blocks requests when a capacity threshold is exceeded: for example, the number of requests per second from a single IP. Usually, these thresholds reflect Reblaze’s DDoS protection. However, in some cases, some of this may be coming from the upstream server rather than Reblaze; in this situation, a “by origin” is added to the event description in the logs.
Reblaze reference ID: None. This block results in HTTP error 503.
Reblaze blocks headers for any site not found in its list of configured sites: for example, a proxy request. (This includes IP addresses as well.) Only FQDN (fully qualified domain names) are allowed.
Reblaze reference ID: None
A common penetration technique is to encode a hostile request multiple times (for example, URL encode and base64), in an attempt to evade detection and filtering by the WAF or other security measures. Read more about multiple encoding attacks here.
Reblaze reference ID: 8888001
This refers to requests that are blocked because they fail Reblaze’s bot/human detection challenges.
This refers to traffic that is blocked by the application. It does not include categories such as HTTP errors 400, 408 or 500.
A blocking event that resulted from an ACL containing an IP or subnet.
A blocking event that resulted from an ACL containing an IP or subnet that matched geographical criteria.
A blocking event that resulted from an ACL containing an IP or subnet that is part of an anonymous proxy provider.
A blocking event that resulted from an ACL containing an IP or subnet found on a list of TOR gateways.
A blocking event that resulted from an ACL containing an IP or subnet known to be used by a VPN provider.
A blocking event that resulted from an ACL containing an IP or subnet from a specified AS number.
A blocking event that resulted from an ACL containing an IP or subnet known to be used by a cloud provider.
A request was rejected because it contained an HTTP method that the WAF was configured to reject. For example, a common configuration is to accept HEAD, GET, and POST requests, while rejecting all others.
A violator blocked by the ban list (via a Dynamic Rule).
When a request’s payload exceeds the configured threshold, the WAF signatures are bypassed. This mechanism ensures that the WAF will not loop forever and consume 100% of the CPU.
This blocking event occurs when rate limits are triggered. The text is taken from the name of the rule that triggered the event.
This message notes that the IP is in the rate limit whitelist ACL.
This message notes that this organization’s AS number is in the rate limit whitelist ACL.
When an incoming request is received, Reblaze generates internal tags and assigns them to it.
Some tags are assigned early, and are used to make decisions about how the request is handled. For example, if a request's IP is found on the Spamhaus DROP list, it might be assigned a tag of "spamhaus". Then an ACL Profile might block the request because it contains that tag.
Some tags can be generated during processing; they reflect the decisions that were made. For example, a request that was blocked because it violated a Rate Limit will be assigned a tag containing that Rate Limit's name. The tag will be shown in the View Log.
Some tags are defined by the user, while others are generated automatically by Reblaze.
Session Profiling Lists are user-defined lists of criteria with one or more associated tags. Requests which match the criteria will be assigned those tags.
A Profiling List can be based on an external list (e.g., the Spamhaus DROP list), or a user-defined custom list (e.g., a list of IP addresses used by the internal QA team).
Many tags are generated automatically by Reblaze. Examples:
Every request receives a tag of "all".
Every request receives several tags according to its source (the IP address, geolocation, etc.)
Every request receives two tags for the Security Profile that it matched (both at the domain level and at the Path Map level).
Requests which violate a security policy or have other problems, receive tags with descriptive names (e.g., the name of the policy that was violated).
When tag names are generated from underlying values (IP addresses, security rule names, etc.), hyphens will replace spaces and special characters.
Value or Situation
Example tag
(Every request)
all
IP address
ip-192-168-0-2
ASN
asn-1680
Country
geo-canada
URL Map that the request matched
urlmap-default-entry
WAF signature #100039 was violated.
waf-sig-100039
A Rate Limit (named "Rate limit rule 5/60") is being evaluated.
rate-limit-rule-5-60
Sometimes a request will get two separate tags that seem to be redundant. For example:
urlmap-default-entry
urlmap-entry-default
When a Security Profile is matched with a request, a tag is generated for the Profile itself, and for the Profile that was used. If the names are similar (which is true for default values, as in the example), then the tags can appear to be redundant.
How to contact Reblaze
Reblaze is not a stand-alone platform; it is integrated with a dedicated support team which is available to you 24/7/365. Please contact us at any time if you need assistance.
Our support is not limited to daily operational use of our platform. We're happy to help with initial setup and configuration, ongoing administration, introductory or in-depth training, discussion of feature requests, and more.
You can contact support at any time via email: support@reblaze.com
Or by phone: our international number is +972 (73) 2005230.
Our US toll-free number is: +1 (888) 6155996.
Reblaze support will manage all tickets, and will be responsible for escalation as needed.
Please feel free to contact us. We're eager to help you achieve success, and to harness the full power of the platform!
Below are listed the available operations under Reblaze's API. The listings include descriptions, and examples using curl over Bash under Ubuntu 18.
The parameter $HOST refers to the console FQDN, while $KEY refers to the API key.
Lists all sites that are currently set up on the management console.
curl -s -XGET https://$HOST/api/$KEY/sites/list
Creates a new site based on passed parameters and the selected template.
curl -XPOST https://$HOST/api/$KEY/sites/create --data-urlencode 'template_id=TEMPLATE_ID' --data-urlencode 'domains=site1.com,site2.com' --data-urlencode 'certificate_id=CERT_ID' --data-urlencode 'upstream_id=UPSTREAM_ID'
Duplicates/creates new site based on an existing site. You can choose to overwrite the upstream, or use the one that is currently set on the source site. The duplicate site will also create a referring CNAME based on the source site DNS settings.
curl -s -XPOST https://$HOST/api/$KEY/sites/duplicate -d "canonicalname=src.example.com&newdomain=dst.example.com&upstreamhost=8.8.8.8"
Removes the site from the sites list. This operation also removes the referring CNAME.
curl -s
-XPOST https://$HOST/api/$KEY/sites/remove -d "canonical_name=src.example.com"
Sets the list of domains that a site supports, and replaces any that existed previously. You can add up to 100 domains per site. A domain can also contain wildcards (e.g, *.domain.name).
curl https://$HOST/api/$KEY/sites/setnames --data "canonicalname=src.example.com&names=www.example.com,www2.example.com"
Adds to the list of domains that a site supports, without replacing any that existed previously. You can have up to 100 domains per site. A domain can also contain wildcards (e.g, *.domain.name).
curl https://$HOST/api/$KEY/sites/addnames --data "canonicalname=src.example.com&names=www.example.com,www2.example.com"
Returns the list of domains that a site supports.
curl https://$HOST/api/$KEY/sites/getnames?canonicalname=src.example.com
Lists the upstream settings of a site.
curl https://$HOST/api/$KEY/sites/listupstream?canonicalname=www.example.com
Modifies upstream settings. You can add an upstream, change its state, or modify the upstream address. The upstream is a one-line JSON encoded in base64, as shown below. Parameters are described below the code example.
Argument
Description
http_port
Upstream HTTP listening port
https_port
Upstream HTTPS listening port
weight
The relative weight of the upstream for load-balancing purposes within a farm. Reblaze distributes traffic with a round-robin sequence, according to these weights. For example, if two servers are both set to 'weight=1', they will receive equal amounts of traffic. If the first is set to 'weight=3' while the second is set to 'weight=1', the first server will receive three requests for every single request that the second server receives.
fail_timeout
max_fails
The maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway).
monitor_state
This sets the state for Health Monitoring purposes. (This does not specify if the server is up or down; it merely sets the current state as if Health Monitoring had just checked the server and returned that state.) If backup is true, then this value should be either "backup_active" or "backup_down". If backup is false, then this should be 0, or "active_down." ("active_down" means the server is supposed to be active, but is down instead.)
down
The state of the server.
backup
If true, Reblaze will treat this server as a backup. In other words, Reblaze will not attempt to communicate with it unless all the primary servers (i.e., those for which the Backup setting is not set) are unavailable.
host
The server host, as IP/FQDN.
one_line_json_base64=$( echo $one_line_json | base64 )
curl https://$HOST/api/$KEY/sites/setupstream --data "back_hosts=$one_line_json_base64&canonicalname=www.example.com"
Adds a new certificate to the SSL Management.
curl $API_URL$API_ADD --data-urlencode "cert_body=$SSL_CRT" --data-urlencode "private_key=$SSL_KEY" | awk '{print $4}' | cut -d '"' -f2
Attaches a domain to a SSL certificate.
curl $API_URL$API_ATTACH --data "canonicalname=$CANONICAL_NAME&sslid=$CERT_ID"
Removes an attached domain from SSL.
curl $API_URL$API_DETACH --data "canonicalname=$CANONICAL_NAME"
curl -XPOST $API_URL$API_PUBLISH
Replace Certificate
Replace one certificate with another on a passed list of sites and all load balancers.
curl -XPOST https://$HOST/api/$KEY/ssl/replace --data-urlencode 'new_cert_id=NEW_CERT_ID' --data-urlencode 'old_cert_id=OLD_CERT_ID' --data-urlencode 'sites=site1.com,site2.com'
Trusted Sources
Get, Add, Delete, Edit trusted sources (nets) for a planet.
Get:
curl -XPOST https://$HOST/api/$KEY/planet/trusted_net
Add:
curl -XPOST https://$HOST/api/$KEY/planet/trusted_net --header 'Content-Type: application/json' --data-raw '{ "address": "127.0.0.1", "comment": "Local Host" }'
Edit:
curl PUT https://$HOST/api/$KEY/planet/trusted_net --header 'Content-Type: application/json' --data-raw '{ "address": "127.0.0.1", "comment": "Local Host" }'
Remove:
curl DELETE https://$HOST/api/$KEY/planet/trusted_net --header 'Content-Type: application/json' --data-raw '{ "address": "127.0.0.1"}'
When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. Example: "10s" indicates a fail timeout of 10 seconds. This field uses .