F5 iRules
DataDome F5 iRules integration detects and protects against bot activity.
This module is dedicated to be used on F5 iRules engine, for example at Big IP.
Before the regular process starts, an event is triggered and processes the DataDome logic in the iRules engine.
The module makes a call to one of our Regional Endpoints using a KeepAlive connection. Depending on the response, the module either blocks the request or allows the regular process to proceed.
The module has been developed to protect the visitors' experience: if any errors were to occur during the process, or if the timeout is reached, the module will automatically disable its blocking process and allow the regular process to proceed.
Compatibility
This module is compatible with Big IP >= 12
How to install and configure
- Login to your Admin console
- Download the latest distribution from the link here
- Create the DataDome-SSL-Helper iRule at: Local Traffic > iRules > iRule List > +
- Create a new pool that connects to the Geo-Proximity endpoint. Or if you prefer, select the closest API endpoint. List of endpoints.
- Create a new virtual server (Local Traffic > Virtual Servers > Virtual Server List > +) with the name datadome_api_ssl_vs and the following settings:
- Destination address/mask: any un-routed IP
- Service port: any un-used port.
- Http Profile: http
- Source Address Translation: Auto MAP
- To establish an SSL connection between Big IP and the DataDome API, use only the server SSL profile:
And then:
- add the DataDome-SSL-Helper to the virtual server
- assign the connection pool created in step 4
- Upload the DataDome iRule , and set the license key that is available in your DataDome dashboard.
If you want to use the Javascript injection method you should un-comment the corresponding block and set the JS Key.
- On the virtual server on which you want to add DataDome
Enable the streaming profile on the virtual servers for which you would like to use DataDome. To do that, go to Configuration, switch to Advanced
and select any stream profile. Default stream
is accepted.
And then add the DataDome iRule
Settings
Setting | Description | Required | Default |
---|---|---|---|
DATADOME_LICENSE_KEY | Your DataDome License key | Yes | |
DATADOME_TIMEOUT | The request timeout for DataDome API, in milliseconds | Optional | 150 |
DATADOME_URI_REGEX | Processes matching URIs only | Optional | |
DATADOME_URI_REGEX_EXCLUSION | Ignores all matching URIs | Optional | exclude static asset |
DATADOME_js | A piece of JS code for injecting the DataDome tag to the page (see https://docs.datadome.co/docs/protect-singlepage-app#ajax-listener) | Optional |
FAQ
Can I have multiple iRules on my virtual server?
Yes, you can attach multiple iRules to a single virtual server and they will be executed following the defined order.
Although it is very difficult to control the GUI, it is made possible through TMSH.
You can update all iRules by assigning priority.
Two syntaxes are supported:
- Setup a global priority to the complete iRule
priority nnn
when <event_name> {
...
}
when <event_name> {
...
}
- Setup a local priority to a specified iRule's event:
when <event_name> priority nnn {
...
}
when <event_name> priority nnn {
...
}
It is possible to use a mix of both, but the second syntax will overwrite the first one.
Note that nnn
is a value from 1 to 1000. By default each event has a value of 500.
Events are executed in order of priority from 1 to 1000. If more than one event have the same priority, they will be executed following the defined order.
Can I add another filter like a Host Header into the condition when DataDome is executed?
Yes, you can. You need to add your condition inside the HTTP_REQUEST
event after set datadome_matched 0
.
Can I have multiple DataDome iRules running on different Virtual Servers within the same BIG-IP?
Yes, it is possible to have multiple DataDome iRules in different Virtual Servers within the same BIG-IP.
The static/global variables inside DataDome irules are shared within the BIG-IP and across Virtual Servers therefore all have the same value.
- Example: If one DataDome iRules used in a virtual server has a different value for
DATADOME_URI_REGEX_EXCLUSION
, it can overwrite the values in other virtual server and cause an unexpected behavior.
In this case, our recommendation is to give static/global variables a unique identifier to avoid overwrite issues.
Can I get Bot Name, Bot Type and Bot/Human flags in my application?
The DataDome module inject headers in the HTTP request and can be logged by F5 using HSL (High Speed Logging) for Log Enrichment.
Below a simple example is provided, but every F5 configuration is unique and depending on the environment, specific customizations may be required to ensure the behavior of Log Enrichment
- Open
DataDome.tcl
- Uncomment the lines of HSL:
- Use a log publisher
or - Use the UDP pool
- Use a log publisher
# HSL publisher
# You should create a log publisher in System->Logs->Configuration->Log Publishers.
# If this line is commented out, this module may flood the local log if you enabled logging for each request
#set static::DATADOME_LOG_PUBLISHER /Common/lpDataDome
# or you can use UDP pool
#set static::DATADOME_LOG_POOL syslog_server_pool
# init http client
call http_req_rule_init
}
when CLIENTSSL_HANDSHAKE {
set protocol "https"
if {[info exists static::DATADOME_LOG_PUBLISHER]} {
set hsl [HSL::open -publisher $static::DATADOME_LOG_PUBLISHER]
} elseif {[info exists static::DATADOME_LOG_POOL]} {
set hsl [HSL::open -proto UDP -pool $static::DATADOME_LOG_POOL]
}
}
- Uncomment the line below (
DataDome.tcl
)
# HSL::send $hsl "[HTTP::header Host],[IP::client_addr],[HTTP::header X-DataDome-botname],[HTTP::header X-DataDome-isbot],[HTTP::header X-DataDome-devicecheckpassed],[HTTP::header X-DataDome-captchapassed],[HTTP::header X-DataDome-Traffic-Rule-Response],[HTTP::header X-DataDome-ruletype]"
Updated 2 months ago