F5 iRules

DataDome F5 iRules integration detects and protects against bot activity.

This module is intended for use on the F5 BIG-IP iRules engine.

Before the regular request processing starts, an event is triggered that runs the DataDome logic inside the iRules engine.

The module calls one of our Regional Endpoints over a keep-alive connection. Depending on the response, the module either blocks the request or lets the regular processing proceed.

The module is designed to protect the visitors' experience, so it fails open: if any error occurs during the process, or if the timeout is reached, the module disables its blocking step for that request and lets the regular processing proceed.

Compatibility

This module is compatible with BIG-IP version 12 and later.

How to install and configure

  1. Log in to your Admin console
  2. Download the latest distribution from the link here
  3. Create the DataDome-SSL-Helper iRule at: Local Traffic > iRules > iRule List > +
  4. Create a new pool that connects to the Geo-Proximity endpoint.

  5. Create a new http profile (Local Traffic > Profile > Services > Create) with the name http-datadome. It ensures OneConnect connection reuse (keep-alive) for the 200, 401 and 403 response codes (the default http profile does not include 403).

    1. Parent profile: http
    2. Settings: select Custom on the OneConnect Status Reuse line
    3. Set the value: 200 401 403


  6. Create a new virtual server (Local Traffic > Virtual Servers > Virtual Server List > +) with the name datadome_api_ssl_vs and the following settings:

  • Destination address/mask: any unrouted IP

  • Service port: any unused port

  • HTTP Profile: http-datadome

  • Source Address Translation: Auto Map

  • Acceleration > OneConnect Profile: oneconnect (enables keep-alive between the F5 and the DataDome API)

  7. To establish an SSL connection between the BIG-IP and the DataDome API, assign only a Server SSL profile to this virtual server (no Client SSL profile):

And then:

  • add the DataDome-SSL-Helper to the virtual server
  • assign the connection pool created in step 4
  8. Upload the DataDome iRule and set the license key, which is available in your DataDome dashboard.

If you want to use the JavaScript injection method, uncomment the corresponding block and set the JS key.

  9. On the virtual server to which you want to add DataDome:

Enable a stream profile on each virtual server you want to protect with DataDome. To do that, go to Configuration, switch to Advanced and select any stream profile; the default stream profile is fine.

Then add the DataDome iRule to the virtual server.

Settings

Setting                        Description                                                    Required   Default
DATADOME_LICENSE_KEY           Your DataDome license key                                      Yes        (none)
DATADOME_TIMEOUT               Request timeout for the DataDome API call, in milliseconds     Optional   150
DATADOME_URI_REGEX             Process only URIs matching this regex                          Optional   (none)
DATADOME_URI_REGEX_EXCLUSION   Ignore all URIs matching this regex                            Optional   excludes static assets
DATADOME_js                    JavaScript snippet that injects the DataDome tag into the page Optional   (none)
                               (see https://docs.datadome.co/docs/protect-singlepage-app#ajax-listener)

FAQ

Can I have multiple iRules on my virtual server?

Yes, you can attach multiple iRules to a single virtual server; they are executed in the order in which they are attached.

That order is hard to control from the GUI, but it can be managed through TMSH.

You can control the execution order of all iRules by assigning priorities.

Two syntaxes are supported:

  1. Set a global priority for the whole iRule:
priority nnn
when <event_name> {
...
}

when <event_name> {
...
}
  2. Set a local priority on a specific event of the iRule:
when <event_name> priority nnn {
...
}

when <event_name> priority nnn {
...
}

It is possible to mix both forms; a per-event priority overrides the global one for that event.

Note that nnn is a value from 1 to 1000. By default every event has a priority of 500.

Events are executed in order of priority from 1 to 1000. If more than one event has the same priority, they are executed in the order in which the iRules are attached.
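As an added illustration, not part of the DataDome distribution, here are two hypothetical iRules attached to the same virtual server, showing how a global priority, a per-event priority and the default 500 combine. The rule names, the variable and the response header are assumptions:

```tcl
# Added example, not from the DataDome distribution. Two separate iRule objects
# (shown one after the other here) attached to the same virtual server. The
# priorities decide the order of the HTTP_REQUEST handlers, not the order in
# which the rules are listed on the virtual server. Names and header are assumptions.

# ---- iRule "order_a": one global priority applies to every event in this rule ----
priority 400
when HTTP_REQUEST {
    # Runs at 400: before any HTTP_REQUEST handler left at the default 500,
    # even if "order_a" is listed after those rules on the virtual server.
    set x_order "a"
}

# ---- iRule "order_b": global 600, but HTTP_REQUEST pulled forward to 450 ----
priority 600
when HTTP_REQUEST priority 450 {
    # The per-event priority overrides the global one for this event only:
    # runs at 450, i.e. after order_a (400) and before the default-500 handlers.
    # Connection-local variables are shared by all iRules on the same virtual
    # server, so $x_order set by order_a is visible here.
    append x_order ",b"
}
when HTTP_RESPONSE {
    # No per-event priority, so the global 600 applies: this runs after the
    # HTTP_RESPONSE handlers of rules that stayed at the default 500.
    HTTP::header insert X-Rule-Order $x_order
}
```

For the DataDome iRule this matters when another rule on the same virtual server rewrites the URI or answers the request itself: give the DataDome iRule a lower number so its HTTP_REQUEST handler sees the request first.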

Can I add another filter like a Host Header into the condition when DataDome is executed?

Yes, you can. Add your condition inside the HTTP_REQUEST event, directly after set datadome_matched 0.
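An added example of such a condition, written for this page rather than taken from the DataDome iRule: the block between the markers is what you insert into the module's HTTP_REQUEST event after set datadome_matched 0. The hostnames are assumptions, and the example assumes, as the answer above implies, that the module only acts on a request once its own matching has set datadome_matched to 1.

```tcl
# Added example (not part of the DataDome iRule): run the DataDome logic only
# for selected Host headers. Insert the marked block into the module's
# HTTP_REQUEST event directly after "set datadome_matched 0". Hostnames are
# assumptions; the module's own logic is not reproduced here.
when HTTP_REQUEST {
    set datadome_matched 0

    # ---- begin added Host filter ----
    # Normalise before comparing: the Host header may carry a port
    # ("shop.example.com:8443") and hostnames are case-insensitive.
    # (IPv6 literal hosts are not handled by this simple split.)
    set dd_host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    switch -glob -- $dd_host {
        "www.example.com" -
        "shop.example.com" -
        "*.api.example.com" {
            # Protected host: fall through to the module's own URI matching.
        }
        default {
            # Not a protected host: leave datadome_matched at 0 and exit this
            # event handler, so the rest of the module's HTTP_REQUEST logic,
            # including the API call, is skipped for this request.
            return
        }
    }
    # ---- end added Host filter ----

    # (the module's own HTTP_REQUEST logic continues here unchanged)
}
```

Keep the filter as a simple allow-list: a request whose Host matches nothing is left unprotected, so list every hostname the virtual server actually serves.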

Can I have multiple DataDome iRules running on different Virtual Servers within the same BIG-IP?

Yes, it is possible to run multiple DataDome iRules on different Virtual Servers within the same BIG-IP.
You do, however, need to know which components must be duplicated and which can be shared.

Components you can share (create only once)

The following infrastructure components connect to the DataDome API and can be shared across all your Virtual Servers:

  • The DataDome-SSL-Helper iRule (SSL helper)
  • The datadome_api_ssl_vs Virtual Server (the internal VS used to route requests to the DataDome API)
  • The connection pool pointing to the DataDome Geo-Proximity endpoint
  • The http-datadome HTTP profile

You do not need to duplicate these components. A single set is sufficient for the entire BIG-IP.

Components you need to duplicate (one per Virtual Server)

  • The DataDome iRule must be attached to each Virtual Server you want to protect.

If you need different settings per Virtual Server (e.g. different DATADOME_URI_REGEX_EXCLUSION or license keys), you will need a separate copy of the iRule for each VS.

🚧

The static/global variables inside the DataDome iRules are shared across the whole BIG-IP and across Virtual Servers, so every copy of the iRule sees the same value.

  • Example: if one copy of the DataDome iRule used on a virtual server sets a different value for DATADOME_URI_REGEX_EXCLUSION, it overwrites the value seen by the copies on the other virtual servers and causes unexpected behavior, such as URIs being excluded from protection where they should not be.

In this case, our recommendation is to give the static/global variables a unique identifier per copy to avoid overwrite issues.
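The overwrite, and the recommended fix, as an added example that is not DataDome's own code. The regex values and the _api/_www suffixes are assumptions:

```tcl
# Added example, not DataDome's code. static:: variables share one namespace for
# the whole BIG-IP, and RULE_INIT runs when an iRule is loaded or saved, so two
# copies of the iRule that set the same static:: name overwrite each other: the
# copy loaded last wins on every virtual server. Regex values are assumptions.

# ---- Problem: copy attached to the API virtual server ----
when RULE_INIT {
    set static::DATADOME_URI_REGEX_EXCLUSION {\.(js|css|png|jpg|gif|ico|woff2?)$}
}

# ---- Problem: copy attached to the www virtual server, saved later ----
when RULE_INIT {
    # Same name: this value now also applies to the API copy, so every URI
    # under /docs/ silently bypasses bot protection on the API virtual server.
    set static::DATADOME_URI_REGEX_EXCLUSION {^/docs/|\.(js|css|png|jpg|gif|ico|woff2?)$}
}

# ---- Fix: suffix the static:: names per copy and reference them consistently ----
when RULE_INIT {
    # API copy
    set static::DATADOME_URI_REGEX_EXCLUSION_api {\.(js|css|png|jpg|gif|ico|woff2?)$}
}
when RULE_INIT {
    # www copy
    set static::DATADOME_URI_REGEX_EXCLUSION_www {^/docs/|\.(js|css|png|jpg|gif|ico|woff2?)$}
}
when HTTP_REQUEST {
    # Illustrative check in the www copy (the module's real matching code is not
    # shown here): every read of the variable must use the suffixed name too,
    # otherwise that copy silently reads another copy's value.
    if { [regexp -- $static::DATADOME_URI_REGEX_EXCLUSION_www [HTTP::path]] } {
        return
    }
}
```

After renaming, search each copy for every remaining reference to the old unsuffixed name; a single missed read is enough to reintroduce the cross-VS dependency.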

Summary table

Component                           Duplicate per VS?
DataDome iRule                      ✅ Yes (one per VS, with unique variable names)
DataDome-SSL-Helper iRule           ❌ No, share the same one
datadome_api_ssl_vs Virtual Server  ❌ No, share the same one
Connection pool (DataDome API)      ❌ No, share the same one
http-datadome HTTP profile          ❌ No, share the same one

Can I get Bot Name, Bot Type and Bot/Human flags in my application?

The DataDome module injects headers into the HTTP request; the F5 can log them using HSL (High Speed Logging) for log enrichment.

A simple example is provided below, but every F5 configuration is unique and, depending on the environment, specific customizations may be required for log enrichment to behave as expected.

  • Open DataDome.tcl
  • In RULE_INIT, uncomment the HSL line for the mechanism you use: a log publisher, or a UDP pool:

    # HSL publisher
    # You should create a log publisher in System->Logs->Configuration->Log Publishers.
    # If this line is commented out, this module may flood the local log if you enabled logging for each request
    #set static::DATADOME_LOG_PUBLISHER /Common/lpDataDome
    # or you can use UDP pool
    #set static::DATADOME_LOG_POOL syslog_server_pool

    # init http client
    call http_req_rule_init
}

when CLIENTSSL_HANDSHAKE {
    set protocol "https"
    if {[info exists static::DATADOME_LOG_PUBLISHER]} {
        set hsl [HSL::open -publisher $static::DATADOME_LOG_PUBLISHER]
    } elseif {[info exists static::DATADOME_LOG_POOL]} {
        set hsl [HSL::open -proto UDP -pool $static::DATADOME_LOG_POOL]
    }
}
  • Uncomment the HSL::send line in DataDome.tcl (one comma-separated field per DataDome header):

# HSL::send $hsl "[HTTP::header Host],[IP::client_addr],[HTTP::header X-DataDome-botname],[HTTP::header X-DataDome-isbot],[HTTP::header X-DataDome-devicecheckpassed],[HTTP::header X-DataDome-captchapassed],[HTTP::header X-DataDome-Traffic-Rule-Response],[HTTP::header X-DataDome-ruletype]"