Envoy
DataDome Envoy module detects and protects against bot activity.
As part of the regular Envoy process, the module makes a call to one of our Regional Endpoints using a Keep-Alive connection.
Depending on the response, the module will either block the query or let Envoy proceed with the regular process.
The module has been developed to protect the visitors' experience: If any errors were to occur during the process, or if the timeout is reached, the module will automatically disable its blocking process and allow those hits.
Compatibility
DataDome supports Envoy Module since version 1.9.0.
Configuration
Follow the below instructions:
- Download the latest DataDome module from the following link https://package.datadome.co/linux/DataDome-EnvoyModule-latest.tgz and unzip it in a chosen location. This archive includes:
- demo: a folder containing examples of docker containers for easy testing
- datadome.lua: a LUA script to implement the module
- Place datadome.lua in a chosen location on the server, for example:
/etc/envoy/datadome.lua
. - Update your envoy configuration with the following content:
static_resources:
listeners:
- name: main
[...]
filter_chains:
- filters:
- name: envoy.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
use_remote_address: true
[...]
http_filters:
- name: envoy.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
assert(loadfile("/etc/envoy/datadome.lua"))({
['API_KEY'] = 'YOUR KEY HERE',
['API_TIMEOUT'] = 150,
})
[...]
clusters:
- name: datadome
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: datadome
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: api.datadome.co
port_value: 80
[..]
Remote Address configuration
use_remote_address
is mandatory to allow the module to correctly lookup for the remote IP address. If you use a complex configuration, you may setup this header at Edge proxy.
Settings
Our module supports the following settings:
Name | Default value | Description |
API_KEY | The key to the API server. Must be a valid key. | |
API_TIMEOUT | 100 | Timeout for the response from the DataDome APIServer (in ms). |
URI_PATTERNS | Only send requests matching these patterns. An empty list means any request is sent. | |
URI_PATTERNS_EXCLUSION | { '%.js$', '%.css$', '%.jpg$', '%.jpeg$', '%.png$', '%.ico$', '%.gif$', '%.tiff$', '%.svg$', '%.woff$', '%.woff2$', '%.ttf$', '%.eot$', '%.mp4$', '%.otf$' } | Never send requests that match these patterns to the APISever. An empty list means all requests are sent. |
Updated about 2 months ago