...
Because API Protect does not send any of your request data to Data Theorem, our API Protect agent needs to be deployed in your environment. We package our agent for deployment as a RHEL VM, a Kubernetes Service, a Docker Compose service, and a Podman pod. We can also quickly and easily provide different packages on request.
Deploy Agent as VM
Upon downloading the agent VM package from our portal
...
...
...
Deploy Agent as Kubernetes Service
...
Deploy Agent as Docker Compose Service
Extract the archive
```bash
# unzip the agent software you download from our portal
unzip API_PROTECT_AGENT_DOCKER_COMPOSE.zip
# start the docker-compose service
docker-compose --env-file .dt_env up
```
...
```bash
unzip network_analyzer.zip
```
Now we must generate an API key that the Cloudflare Worker will use to talk to our services. This must be a unique string which is not easily guessable. One way to generate such a string is shown below. Keep track of this value; you will set it later during the worker setup.
```bash
FORWARDER_TOKEN=$(python3 -c "import uuid; print(uuid.uuid4())")
echo "$FORWARDER_TOKEN" # save for later
```
To start the network traffic analyzer services, run the following command in the directory where the archive was extracted:
```bash
FORWARD_URL="http://ps:8081/cfw/" FORWARDER_TOKEN="${FORWARDER_TOKEN}" BEARER_TOKEN=[DATA_THEOREM_API_PROTECT_API_KEY] \
docker-compose -f docker-compose.yml -f docker-compose-forwarder.yml up -d
```
To verify that the network traffic analyzer services have started properly, run the following command:
```bash
docker container ls -a
```
If the services have started properly, you should see output similar to the following:
```
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a93a4aa47f56 us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/request_forwarder:latest "sh -c 'uvicorn main…" 3 hours ago Up 3 hours 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp ubuntu_forwarder_1
54687934ebff us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/threat_detection_service:latest "python main.py" 3 hours ago Up 3 hours ubuntu_tds_1
72a6394feb74 us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/openapi_service:latest "python main.py" 3 hours ago Up 3 hours ubuntu_oas_1
c826c6dd3401 us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/parser_service:latest "uvicorn main:app --…" 3 hours ago Up 3 hours 0.0.0.0:8081->8081/tcp, :::8081->8081/tcp ubuntu_ps_1
6a33c00250d8 us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/startup_tasks:latest "python main.py" 3 hours ago Exited (0) 3 hours ago ubuntu_startup-tasks_1
1f35cc793563 redis:alpine "docker-entrypoint.s…" 3 hours ago Up 3 hours 6379/tcp ubuntu_redis_1
```
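The same verification done by script rather than by eye, as an added example that is not part of Data Theorem's package: it checks that each service in the listing above is `Up`, that the one-shot `startup-tasks` container exited with code 0, and it lists any container that publishes a port on all host interfaces. The service names and the `<project>_<service>_<n>` naming are assumptions taken from that listing, and the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example (not Data Theorem code). Feed it the output of:
#   docker container ls -a --format '{{.Names}}\t{{.Status}}\t{{.Ports}}'
# Assumption: container names end in <service>_<n> or <service>-<n>,
# with the service names seen in the listing above.

check_agent_services() {
  awk -F'\t' '
    BEGIN { n = split("forwarder tds oas ps redis startup-tasks", svc, " "); bad = 0 }
    {
      for (i = 1; i <= n; i++) {
        if ($1 !~ ("[_-]" svc[i] "[_-][0-9]+$")) continue
        seen[svc[i]] = 1
        # startup-tasks is a one-shot job and should have exited with code 0;
        # every other service should still be running.
        if (svc[i] == "startup-tasks") ok = ($2 ~ /^Exited \(0\)/)
        else ok = ($2 ~ /^Up /)
        if (!ok) { printf "FAIL %s: %s\n", $1, $2; bad = 1 }
        # Informational: this port is published on every host interface.
        if ($3 ~ /0\.0\.0\.0:/) printf "NOTE %s publishes %s\n", $1, $3
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(svc[i] in seen)) { printf "FAIL %s: no container found\n", svc[i]; bad = 1 }
      exit bad
    }'
}

# Constructed sample in that format, modelled on the listing above.
sample_listing() {
  printf '%s\t%s\t%s\n' \
    ubuntu_forwarder_1     'Up 3 hours'             '0.0.0.0:8080->8080/tcp, :::8080->8080/tcp' \
    ubuntu_tds_1           'Up 3 hours'             '' \
    ubuntu_oas_1           'Up 3 hours'             '' \
    ubuntu_ps_1            'Up 3 hours'             '0.0.0.0:8081->8081/tcp, :::8081->8081/tcp' \
    ubuntu_startup-tasks_1 'Exited (0) 3 hours ago' '' \
    ubuntu_redis_1         'Up 3 hours'             '6379/tcp'
}

sample_listing | check_agent_services && echo "all agent services healthy"
```

The function returns non-zero when a service is missing or in the wrong state, so it can gate the later worker setup steps in a deployment script.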
Once the agent is deployed, make note of the agent’s HTTPS URL so you can add it to the Cloudflare Worker’s environment as the DATA_THEOREM_SERVICE_URL.
...
Deploy In Observability Mode
Extract the archive
```bash
unzip CFW.zip
```
The network analyzer services are not HTTPS accessible by default and require an HTTPS load balancer in place to direct traffic to them.
Edit the file worker/wrangler.toml to replace [DATA_THEOREM_SERVICE_URL] with your HTTPS hostname (no https://).
The API Protect for Cloudflare Workers software package you download from our portal will contain a client_id we generate to authenticate your services with our system.
It will also contain instructions and code examples that demonstrate how to add our integration to your existing Cloudflare Worker code.
```bash
# unzip the agent software you download from our portal
unzip API_PROTECT_CLOUDFLARE_WORKERS.zip
# review README and code examples in ./examples to add our code to your worker
# update your wrangler.toml by setting DATA_THEOREM_SERVICE_URL to your deployed agent's url
# follow these instructions for secrets to set the value of `DT_API_PROTECT_CLIENT` from the value in `.dt_client_id`
# https://developers.cloudflare.com/workers/platform/environment-variables#secrets-on-deployed-workers
# deploy your updated worker
npx wrangler publish src/index.js --name my-worker
```
Now, with the worker deployed, you must add a secret for the FORWARDER_TOKEN through the UI, which would look like:
```
CLIENT_ID=${FORWARDER_TOKEN}
```