Envoy
The DataDome Envoy module detects and protects against bot activity.
As part of the regular Envoy process, the module makes a call to one of our Regional Endpoints using a Keep-Alive connection.
Depending on the response, the module will either block the query or let Envoy proceed with the regular process.
The module has been developed to protect the visitors' experience: if any error occurs during the process, or if the timeout is reached, the module automatically disables its blocking process and allows those hits (it fails open).
Compatibility
DataDome has supported the Envoy module since version 1.9.0.
Configuration
Follow the instructions below:
- Download the latest DataDome module from https://package.datadome.co/linux/DataDome-EnvoyModule-latest.tgz and extract it in a chosen location. This archive includes:
  - demo: a folder containing examples of Docker containers for easy testing
  - datadome.lua: a Lua script to implement the module
- Place datadome.lua in a chosen location on the server, for example: /etc/envoy/datadome.lua.
- Update your Envoy configuration with the following content:
```yaml
static_resources:
  listeners:
  - name: main
    # [...]
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          use_remote_address: true
          # [...]
          http_filters:
          - name: envoy.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inline_code: |
                assert(loadfile("/etc/envoy/datadome.lua"))({
                  ['API_KEY'] = 'YOUR KEY HERE',
                  ['API_TIMEOUT'] = 150,
                })
          # [...]
  clusters:
  - name: datadome
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: datadome
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api.datadome.co
                port_value: 80
  # [...]
```
Remote Address configuration
use_remote_address is mandatory so that the module can correctly look up the remote IP address. If you use a complex configuration, you may set this header at the edge proxy.
Settings
Our module supports the following settings:
Option name | Default value | Description |
---|---|---|
API_KEY | | The key to the Protection API. Must be a valid key. |
API_TIMEOUT | 100 | Timeout in milliseconds for responses from the Protection API. |
DATADOME_CLUSTER_NAME | datadome | The name of the cluster that will connect to DataDome as defined in the configuration file. |
DATADOME_ENDPOINT | api.datadome.co | Host of the Protection API. |
DATADOME_TENANT_NAME | default | The unique name of the instance in a multi-tenancy environment. This value identifies tenants and ensures proper assignment of resources. |
ENABLE_UNPROTECTED_CACHED_RESPONSE | false | Omit Set-Cookie and enriched headers from responses that can be cached. |
URI_PATTERNS | | Only send requests matching these patterns (host and path). An empty list means any request is sent. |
URI_PATTERNS_EXCLUSION | { '%.js$', '%.css$', '%.jpg$', '%.jpeg$', '%.png$', '%.ico$', '%.gif$', '%.tiff$', '%.svg$', '%.woff$', '%.woff2$', '%.ttf$', '%.eot$', '%.mp4$', '%.otf$' } | Never send requests that match these patterns (host and path) to the Protection API. An empty list means all requests are sent. |
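
The following added example (not part of the DataDome module or its documentation) shows how URI_PATTERNS and URI_PATTERNS_EXCLUSION together decide which requests reach the Protection API, and why `-` and `.` in a host name must be escaped with `%`. It assumes the patterns are Lua patterns applied with string.find to the host concatenated with the path; the function names, host names and paths are constructed for illustration.

```lua
-- Added example, not DataDome's code. Assumption: each pattern is a Lua
-- pattern applied with string.find to host .. path (the page says only
-- "host and path"); the real datadome.lua may build the string differently.

local function first_match(patterns, target)
  for _, p in ipairs(patterns) do
    if string.find(target, p) then return p end
  end
end

-- true when the request would be sent to the Protection API: it matches no
-- exclusion pattern and, if the inclusion list is non-empty, one of its entries.
local function is_sent(host, path, inclusion, exclusion)
  local target = host .. path
  local hit = first_match(exclusion, target)
  if hit then return false, 'excluded by ' .. hit end
  if #inclusion == 0 then return true, 'empty URI_PATTERNS' end
  hit = first_match(inclusion, target)
  if hit then return true, 'included by ' .. hit end
  return false, 'no URI_PATTERNS entry matched'
end

-- Subset of the default URI_PATTERNS_EXCLUSION from the settings table.
local EXCLUSION = { '%.js$', '%.css$', '%.png$', '%.ico$' }
-- Constructed URI_PATTERNS values. '-' and '.' are magic characters in Lua
-- patterns, so the first list never matches the literal host name.
local UNESCAPED = { '^my-shop.example.com/' }
local ESCAPED   = { '^my%-shop%.example%.com/' }

-- Constructed sample requests (host, path).
local samples = {
  { 'my-shop.example.com', '/login' },
  { 'my-shop.example.com', '/static/app.js' },
  { 'my-shop.example.com', '/account/export.css' }, -- dynamic route, static-looking suffix
  { 'blog.example.com',    '/login' },
}

for _, list in ipairs({ { 'unescaped', UNESCAPED }, { 'escaped', ESCAPED } }) do
  for _, s in ipairs(samples) do
    local sent, why = is_sent(s[1], s[2], list[2], EXCLUSION)
    print(string.format('%-9s %s%s -> %s (%s)', list[1], s[1], s[2],
      sent and 'SENT' or 'SKIPPED', why))
  end
end
```

With the unescaped list every sample request is skipped, so that host is never sent to the Protection API. With the escaped list only /login on my-shop.example.com is sent, and the dynamic route ending in .css is still skipped by the exclusion list.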