DataDome Bot protection can be integrated directly inside Fastly.
Before the regular Fastly process starts, a preflight request is performed on the closest DataDome endpoint. Depending on the API response, the module either blocks the request or lets Fastly proceed with the regular process.
The module has been implemented to ensure the best user experience: if any errors were to occur during the preflight, or if the timeout is reached, the module will automatically disable its blocking mechanism and allow the regular Fastly process to proceed.
DataDome provides 3 integration options:
- A. Regular VCL snippets through the Fastly dashboard
- B. Dynamic snippets through the Fastly API
- C. Custom VCL through the Fastly dashboard
You can find the code here
A. Regular VCL snippets on web UI
Before integrating DataDome, you should ask Fastly Support to enable DataDome support for your Fastly service as described here.
Create a Fastly service or use an existing one, then create a new version of your service by cloning the actual one.
Go to the VCL snippets category, and upload each VCL snippet there.
Start with the init one.
Do not forget to put your API key on line 5
Upload all the other snippets one by one, making sure to select the proper snippet type from the dropdown menu (recv, pass, deliver, etc..).
Once done, click the activate button to deploy your changes.
B. Dynamic VCL snippets with Terraform
Before integrating DataDome, you should ask Fastly Support to enable DataDome support for your Fastly service as described here.
You need to provide Terraform with your Fastly API key.
Follow the Fastly documentation to create it.
When you have your key, you must export a FASTLY_API_KEY environment variable in the shell from where you will launch Terraform commands
export FASTLY_API_KEY=<your API key>.
Next you can open the main.tf Terraform file and edit the following sections:
- Line 20: Input the DNS you want to use to access your service
- Line 25: Provide a DNS or an IP to your origin backend. Warning: the backend must be named
origin - Line 37: OPTIONAL Fastly defines a default priority of 100 for each snippet. You can add a
priorityfield here to override this value. You can see Terraform doc here
# main.tf
provider "fastly" {}
locals {
# We define all the snippets name that we need to include here
datadome_snippets = toset([
"init",
"recv",
"pass",
"fetch",
"deliver",
"miss"
])
}
# Create a Service
resource "fastly_service_v1" "main" {
name = "datadome_protected_service"
domain {
name = "<URL of your service>"
comment = "Test"
}
backend {
address = "<URL to your backend>"
name = "origin"
port = 80
}
# This dynamic block create a `dynamicsnippet` block
# for each datadome snippet that we definede in the locals
dynamic "dynamicsnippet" {
for_each = local.datadome_snippets
content {
name = format("datadome_%s", dynamicsnippet.value)
type = dynamicsnippet.value
}
}
force_destroy = true
}
# Here we provide the resource that send the snippet code to Fastly
# We create a resource for each datadome snippet.
# In the snippet_id argument, we recuperate it from the
# `dynamicsnippet` attribute on the service
resource "fastly_service_dynamic_snippet_content_v1" "datadome_snippets" {
for_each = local.datadome_snippets
service_id = fastly_service_v1.main.id
snippet_id = { for s in fastly_service_v1.main.dynamicsnippet : s.name => s.snippet_id }[format("datadome_%s", each.value)]
content = file("${path.module}/${each.value}.vcl")
depends_on = [fastly_service_v1.main]
}
Deploying the service for the first time
If you deploy this code for the first time, Terraform will fail on the
planstage, since the service needs to be created before we can provision the snippets code.
To deploy it for the first time you should first deploy the service and then the remaining code:
terraform apply -target fastly_service_v1.demoterraform apply
C. Custom VCL
Before integrating DataDome VCL you should ask Fastly Support to enable DataDome support for your Fastly service as described here.
- Download the latest version of the module
- Connect to your Fastly console, and go to the Configuration tab
- Switch to Required Services
- Click
configuration->clone active
- Go to
Origin->Hosts - Confirm that another upstream has the name
origin - Go to Custom VCL and click
Upload your first VCL file
- Input name, for example
datadome, and uploaddatadome.vclfrom the distribution
- Click Create
- Go into the file and update the code at the
Edit VCLblock. Here you should input your API key near line 48
- Update Shield Backend Name with the actual name near line 460. If you don't use it, feel free to comment this line
- Click the
Activatebutton on the top-right side
Settings
The Fastly module doesn't have a dedicated block for settings and you should update them in a different location in the file.
Setting | Line number | Comments |
|---|---|---|
License key | ~48 | Your license key |
Timeout | Backend configuration | Fastly uses standard varnish timeouts. You can find the details here |
Regex | ~381 | Regex that should be matched or not matched to process the request in DataDome |
Shielding
If you use shielding you should update the shield backend name and the region name at the if condition. This is region specific, and the backend name depends on your use of SSL/TLS to connect to your upstream. All theses values are actual for 2020-03-04T12:12:44Z
| Name | Condition | Backend | SSL Backend |
|---|---|---|---|
| Amsterdam | -AMS | shield_amsterdam_nl | ssl_shield_amsterdam_nl |
| Ashburn - BWI | -BWI | shield_bwi_va_us | ssl_shield_bwi_va_us |
| Ashburn - DCA | -DCA | shield_dca_dc_us | ssl_shield_dca_dc_us |
| Atlanta - FTY | -FTY | shield_fty_ga_us | ssl_shield_fty_ga_us |
| Atlanta - PDK | -PDK | shield_pdk_ga_us | ssl_shield_pdk_ga_us |
| Auckland | -AKL | shield_auckland_akl | ssl_shield_auckland_akl |
| Bogota | -BOG | shield_bog_bogota_co | ssl_shield_bog_bogota_co |
| Boston | -BOS | shield_bos_ma_us | ssl_shield_bos_ma_us |
| Brisbane | -BNE | shield_brisbane_au | ssl_shield_brisbane_au |
| Cape Town | -CPT | shield_cpt_capetown_za | ssl_shield_cpt_capetown_za |
| Chicago - CHI | -CHI | shield_chi_il_us | ssl_shield_chi_il_us |
| Chicago - MDW | -MDW | shield_mdw_il_us | ssl_shield_mdw_il_us |
| Chicago - PWK | -PWK | shield_pwk_il_us | ssl_shield_pwk_il_us |
| Copenhagen | -CPH | shield_cph_copenhagen_dk | ssl_shield_cph_copenhagen_dk |
| Dallas | -DFW | shield_dallas_tx_us | ssl_shield_dallas_tx_us |
| Dallas - DAL | -DAL | shield_dal_tx_us | ssl_shield_dal_tx_us |
| Denver | -DEN | shield_den_co_us | ssl_shield_den_co_us |
| Dublin | -DUB | shield_dub_dublin_ie | ssl_shield_dub_dublin_ie |
| Frankfurt | -FRA | shield_frankfurt_de | ssl_shield_frankfurt_de |
| Frankfurt - Interxion | -HHN | shield_hhn_frankfurt_de | ssl_shield_hhn_frankfurt_de |
| Fujairah Al Mahta | -FJR | shield_fjr_ae | ssl_shield_fjr_ae |
| Helsinki | -HEL | shield_hel_helsinki_fi | ssl_shield_hel_helsinki_fi |
| Hong Kong | -HKG | shield_hongkong_hk | ssl_shield_hongkong_hk |
| Houston | -IAH | shield_iah_tx_us | ssl_shield_iah_tx_us |
| Jacksonville | -JAX | shield_jax_fl_us | ssl_shield_jax_fl_us |
| Johannesburg | -JNB | shield_jnb_johannesburg_za | ssl_shield_jnb_johannesburg_za |
| London - LCY | -LCY | shield_london_city_uk | ssl_shield_london_city_uk |
| London - LON | -LON | shield_lon_london_uk | ssl_shield_lon_london_uk |
| London - Slough | -LHR | shield_london_uk | ssl_shield_london_uk |
| Los Angeles - BUR | -BUR | shield_bur_ca_us | ssl_shield_bur_ca_us |
| Los Angeles - LAX | -LAX | shield_lax_ca_us | ssl_shield_lax_ca_us |
| Madrid | -MAD | shield_mad_madrid_es | ssl_shield_mad_madrid_es |
| Manchester | -MAN | shield_man_manchester_uk | ssl_shield_man_manchester_uk |
| Melbourne | -MEL | shield_melbourne_au | ssl_shield_melbourne_au |
| Miami | -MIA | shield_miami_fl_us | ssl_shield_miami_fl_us |
| Milan | -MXP | shield_mxp_milan_it | ssl_shield_mxp_milan_it |
| Minneapolis | -MSP | shield_msp_mn_us | ssl_shield_msp_mn_us |
| Montreal | -YUL | shield_yul_montreal_ca | ssl_shield_yul_montreal_ca |
| New York City | -JFK | shield_jfk_ny_us | ssl_shield_jfk_ny_us |
| New York City - LGA | -LGA | shield_lga_ny_us | ssl_shield_lga_ny_us |
| Newark | -EWR | shield_ewr_nj_us | ssl_shield_ewr_nj_us |
| Osaka | -ITM | shield_osaka_jp | ssl_shield_osaka_jp |
| Oslo | -OSL | shield_osl_oslo_no | ssl_shield_osl_oslo_no |
| Palo Alto | -PAO | shield_pao_ca_us | ssl_shield_pao_ca_us |
| Paris | -CDG | shield_cdg_par_fr | ssl_shield_cdg_par_fr |
| Perth | -PER | shield_perth_au | ssl_shield_perth_au |
| San Jose | -SJC | shield_sjc_ca_us | ssl_shield_sjc_ca_us |
| Sao Paulo | -GRU | shield_gru_br_sa | ssl_shield_gru_br_sa |
| Seattle | -SEA | shield_sea_wa_us | ssl_shield_sea_wa_us |
| Singapore | -SIN | shield_singapore_sg | ssl_shield_singapore_sg |
| Stockholm | -BMA | shield_stockholm_bma | ssl_shield_stockholm_bma |
| Sydney | -SYD | shield_sydney_au | ssl_shield_sydney_au |
| Tokyo | -TYO | shield_tyo_tokyo_jp | ssl_shield_tyo_tokyo_jp |
| Tokyo - HND | -HND | shield_hnd_tokyo_jp | ssl_shield_hnd_tokyo_jp |
| Toronto | -YYZ | shield_yyz_on_ca | ssl_shield_yyz_on_ca |
| Vienna | -VIE | shield_vie_vienna_at | ssl_shield_vie_vienna_at |
| Wellington | -WLG | shield_wellington_wlg | ssl_shield_wellington_wlg |
FAQ
How to request Fastly to enable DataDome support?
Send an email as follows:
- To: [email protected]
- Subject: Pragmas needed on Service XXXXXXXXXX for DataDome support
In order to enable DataDome support please set these pragmas:
ā¢ fix_unsent_body_drain
ā¢ no_body_if_bereq_is_get_or_head
on the following service:
ā¢ Service XXXXXXXXXX
ā¢ Account YYYYYYYYYY
Thanks!
Updated about a month ago