Envoy

DataDome Envoy module detects and protects against bot activity.

As part of the regular Envoy process, the module makes a call to one of our Regional Endpoints using a Keep-Alive connection.

Depending on the response, the module will either block the query or let Envoy proceed with the regular process.

The module has been developed to protect the visitors' experience: If any errors were to occur during the process, or if the timeout is reached, the module will automatically disable its blocking process and allow those hits.

Compatibility

DataDome supports Envoy Module since version 1.9.0.

Configuration

Follow the below instructions:

  • Download the latest DataDome module from the following link https://package.datadome.co/linux/DataDome-EnvoyModule-latest.tgz and unzip it in a chosen location. This archive includes:
    • demo: a folder containing examples of docker containers for easy testing
    • datadome.lua: a LUA script to implement the module
  • Place datadome.lua in a chosen location on the server, for example: /etc/envoy/datadome.lua.
  • Update your envoy configuration with the following content:
static_resources:
  listeners:
  - name: main
    [...]
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          use_remote_address: true
          [...]
          http_filters:
          - name: envoy.lua
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
              inline_code: |
                assert(loadfile("/etc/envoy/datadome.lua"))({
                  ['API_KEY'] = 'YOUR KEY HERE',
                  ['API_TIMEOUT'] = 100,
                })
          [...]

  clusters:
  - name: datadome
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: datadome
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api.datadome.co
                port_value: 80
[..]

Note that use_remote_address is important to allow the module to correctly lookup for X-Forwarder-For. If you use a complex configuration, you may setup this header at Edge proxy.

Settings

Our module supports the following settings:

NameDefault valueDescription
API_KEYThe key to the API server. Must be a valid key.
API_TIMEOUT100Timeout for the response from the DataDome APIServer (in ms).
URI_PATTERNSOnly send requests matching these patterns. An empty list means any request is sent.
URI_PATTERNS_EXCLUSION{
'%.js$',
'%.css$',
'%.jpg$',
'%.jpeg$',
'%.png$',
'%.ico$',
'%.gif$',
'%.tiff$',
'%.svg$',
'%.woff$',
'%.woff2$',
'%.ttf$',
'%.eot$',
'%.mp4$',
'%.otf$'
}
Never send requests that match these patterns to the APISever. An empty list means all requests are sent.