...
Because API Protect does not send any of your request data to Data Theorem, our API Protect agent needs to be deployed in your environment. We package our agent for deployment as a Kubernetes Service, a Docker Compose service, and a Podman pod. We can also quickly and easily provide different packages on request.
Deploy Agent as Kubernetes Service
...
```bash
# unzip the agent software you download from our portal
unzip API_PROTECT_AGENT_HELM.zip
# untar the agent Helm chart
tar xf vtap_agent_helm_charts.tgz
# deploy the agent Helm chart to your Kubernetes cluster
helm install vtap-agent \
  ./vtap_agent \
  --create-namespace \
  --namespace datatheorem \
  --set bearerToken=$(cat .dt_client_id)
```
Deploy Agent as Docker Compose Service
Extract the archive
```bash
unzip network_analyzer.zip
```
Now we must generate an API key that the Cloudflare Worker will use to talk to our services. This must be a unique string that is not easily guessable. One way to generate such a string is shown below. Keep track of this value; you will set it later during the worker setup.
```bash
FORWARDER_TOKEN=$(python3 -c "import uuid; print(uuid.uuid4())")
echo $FORWARDER_TOKEN # save for later
```
In the directory where the archive was extracted, run the following command to start the network traffic analyzer services:
```bash
FORWARD_URL="http://ps:8081/cfw/" \
FORWARDER_TOKEN="${FORWARDER_TOKEN}" \
BEARER_TOKEN=[DATA_THEOREM_API_PROTECT_API_KEY] \
docker-compose -f docker-compose.yml -f docker-compose-forwarder.yml up -d
```
To verify that the network traffic analyzer services have started properly, run the following command:
```bash
docker container ls -a
```
If the services have started properly, you should see output similar to the following:
```text
CONTAINER ID   IMAGE                                                                                            COMMAND                  CREATED        STATUS                   PORTS                                       NAMES
a93a4aa47f56   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/request_forwarder:latest         "sh -c 'uvicorn main…"   31 hours ago   Up 31 hours (healthy)    0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   ubuntu_forwarder_1
54687934ebff   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/threat_detection_service:latest  "python main.py"         3 hours ago    Up 3 hours                                                           ubuntu_tds_1
72a6394feb74   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/openapi_service:latest           "python main.py"         3 hours ago    Up 3 hours                                                           ubuntu_oas_1
c826c6dd3401   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/parser_service:latest            "uvicorn main:app --…"   3 hours ago    Up 3 hours               0.0.0.0:8081->8081/tcp, :::8081->8081/tcp   ubuntu_ps_1
6a33c00250d8   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/startup_tasks:latest             "python main.py"         3 hours ago    Exited (0) 3 hours ago                                               ubuntu_startup-tasks_1
1f35cc793563   redis:alpine                                                                                     "docker-entrypoint.s…"   3 hours ago    Up 3 hours               6379/tcp                                    ubuntu_redis_1
```
Once the agent is deployed, make note of the agent's HTTPS URL so you can add it to the Cloudflare Worker's environment as DATA_THEOREM_SERVICE_URL.
Step 2: Add Data Theorem Integration Code to your Cloudflare Workers
API Protect has two modes of operation, observability mode and blocking mode. In observability mode, your API traffic is analyzed asynchronously, which minimizes latency, but cannot block requests even if we detect attacks or other malicious activity. In blocking mode, our analysis happens before the request is forwarded, so attacks will be blocked, but the latency will be slightly higher.
We recommend using observability mode initially, then turning on blocking mode once you are comfortable with the results.
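To make the difference between the two modes concrete, here is an added example of a minimal Cloudflare Worker that sends a copy of each request to the agent either in the background (observability) or before calling the origin (blocking). It is not Data Theorem's integration code and not part of the downloaded package; the MODE variable, the /relayed path and the {block: true} verdict shape are assumptions made for illustration.

```javascript
// Added example (not Data Theorem's integration code): a minimal Cloudflare
// Worker skeleton showing the two modes described above. Assumed env vars:
// DATA_THEOREM_SERVICE_URL (hostname, no scheme), CLIENT_ID, and MODE
// ("observe" or "block"). The "/relayed" path and the {block: true} verdict
// shape are placeholders for the real agent API.

// Copy the request's metadata and body for the agent. The original request
// object is left untouched so it can still be forwarded to your origin.
async function buildAnalysisRequest(request, env) {
  const meta = {
    method: request.method,
    url: request.url,
    headers: Object.fromEntries(request.headers),
    body: await request.clone().text(),
  };
  return new Request(`https://${env.DATA_THEOREM_SERVICE_URL}/relayed`, {
    method: "POST",
    headers: {
      "content-type": "application/json",
      "authorization": `Bearer ${env.CLIENT_ID}`,
    },
    body: JSON.stringify(meta),
  });
}

// analyze(Request) -> Promise<{block: boolean}> and origin(Request) ->
// Promise<Response> are injected so the example runs offline; a deployed
// worker would use fetch for both (see `worker` below).
async function handle(request, env, ctx, analyze, origin) {
  const analysisReq = await buildAnalysisRequest(request, env);
  if (env.MODE === "block") {
    // Blocking mode: the verdict gates the forward, at the cost of latency.
    const verdict = await analyze(analysisReq);
    if (verdict.block) {
      return new Response("Forbidden", { status: 403 });
    }
    return origin(request);
  }
  // Observability mode: forward at once; analysis finishes after the
  // response is sent, so it adds no latency but can never block anything.
  ctx.waitUntil(analyze(analysisReq).catch(() => undefined));
  return origin(request);
}

// In a real Worker this object is the module's default export.
const worker = {
  fetch(request, env, ctx) {
    return handle(request, env, ctx, (r) => fetch(r).then((res) => res.json()), fetch);
  },
};
```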
Deploy In Observability Mode
Extract the archive
```bash
unzip CFW.zip
```
The network analyzer services are not accessible over HTTPS by default; an HTTPS load balancer must be in place to direct traffic to them.
Edit the file worker/wrangler.toml to replace [DATA_THEOREM_SERVICE_URL] with your HTTPS hostname (no https://).
The API Protect for Cloudflare Workers software package you download from our portal will contain a client_id we generate to authenticate your services with our system. It will also contain instructions and code examples that demonstrate how to add our integration to your existing Cloudflare Worker code.
Creating and deploying a new Cloudflare Worker on Cloudflare site
Extract the archive
```bash
unzip CFW.zip
```
From the data_theorem_forwarder directory, view the contents of the file wrangler.toml and determine your FORWARD_URL:
```toml
[vars]
CLIENT_ID = "<randomly generated value>"
# Update FORWARD_URL to the domain you have configured with '/relayed' as the path
# Example: if your domain is `sub.domain.com`, the below line should be: FORWARD_URL = "https://sub.domain.com/relayed"
FORWARD_URL = "https://[ANALYZER_DOMAIN]/relayed"
```
On http://cloudflare.com, from the Workers page:
1. Click 'Create a Service'.
2. From the 'Select a starter' panel, choose 'HTTP Router' and click 'Create Service'.
3. Switch to the 'Settings' tab and click 'Add Variable'.
4. Create a variable named CLIENT_ID using the value from the CLIENT_ID key in data_theorem_forwarder/wrangler.toml.
5. Create a second variable named FORWARD_URL using the value from the instructions in data_theorem_forwarder/wrangler.toml.
6. Click 'Save and deploy'.
7. Click 'Quick edit'.
8. Replace the contents of the left-most code panel by pasting the contents of data_theorem_forwarder/src/index.js, then click 'Save and Deploy'.
Creating and deploying a new Cloudflare Worker with Wrangler CLI
Extract the archive
```bash
unzip CFW.zip
```
From the data_theorem_forwarder directory, edit the file wrangler.toml to replace [ANALYZER_DOMAIN] with your domain:
```toml
[vars]
CLIENT_ID = "<randomly generated value>"
# Update FORWARD_URL to the domain you have configured with '/relayed' as the path
# Example: if your domain is `sub.domain.com`, the below line should be: FORWARD_URL = "https://sub.domain.com/relayed"
FORWARD_URL = "https://[ANALYZER_DOMAIN]/relayed"
```
Then publish the worker with the Wrangler CLI:
```bash
npx wrangler publish src/index.js --name my-worker
```
...
...
```bash
CLIENT_ID=${FORWARDER_TOKEN}
```