Step 1: Deploy the Data Theorem Agent In Your Environment

Because API Protect does not send any of your request data to Data Theorem, the API Protect agent must be deployed in your own environment. We package the agent for deployment as a Kubernetes Service (Helm chart), a Docker Compose service, and a Podman pod; other packagings can be provided on request.

Deploy Agent as Kubernetes Service

# unzip the agent software you download from our portal
unzip API_PROTECT_AGENT_HELM.zip

# untar the agent Helm chart
tar xf vtap_agent_helm_charts.tgz

# deploy the agent Helm chart to your Kubernetes cluster
helm install vtap-agent \
    ./vtap_agent        \
    --create-namespace        \
    --namespace datatheorem   \
    --set bearerToken=$(cat .dt_client_id)

Deploy Agent as Docker Compose Service

Extract the archive

unzip network_analyzer.zip

Next, generate an API key that the Cloudflare Worker will use to authenticate to the forwarder service. It must be a unique, random string that is not guessable; one way to generate such a string is shown below. Keep the value, because you will set it again during the Worker setup in Step 2.

FORWARDER_TOKEN=$(python3 -c "import uuid; print(uuid.uuid4())")
echo $FORWARDER_TOKEN # save for later

From the directory where the archive was extracted, start the network traffic analyzer services with the following command, replacing [DATA_THEOREM_API_PROTECT_API_KEY] with the API Protect API key (client_id) from your download package:

FORWARD_URL="http://ps:8081/cfw/" FORWARDER_TOKEN="${FORWARDER_TOKEN}" BEARER_TOKEN=[DATA_THEOREM_API_PROTECT_API_KEY] \
docker-compose -f docker-compose.yml -f docker-compose-forwarder.yml up -d

To verify the network traffic analyzer services have started properly run the following command:

docker container ls -a

If the services started correctly you should see output similar to the following. The startup_tasks container runs once and shows Exited (0) in the listing; the other services should be Up:

CONTAINER ID   IMAGE                                                                                                   COMMAND                  CREATED       STATUS                   PORTS                                       NAMES
a93a4aa47f56   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/request_forwarder:latest          "sh -c 'uvicorn main…"   3 hours ago   Up 3 hours               0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   ubuntu_forwarder_1
54687934ebff   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/threat_detection_service:latest   "python main.py"         3 hours ago   Up 3 hours                                                           ubuntu_tds_1
72a6394feb74   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/openapi_service:latest            "python main.py"         3 hours ago   Up 3 hours                                                           ubuntu_oas_1
c826c6dd3401   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/parser_service:latest             "uvicorn main:app --…"   3 hours ago   Up 3 hours               0.0.0.0:8081->8081/tcp, :::8081->8081/tcp   ubuntu_ps_1
6a33c00250d8   us-central1-docker.pkg.dev/dev-api-protect-api/cloud-protect-registry/startup_tasks:latest              "python main.py"         3 hours ago   Exited (0) 3 hours ago                                               ubuntu_startup-tasks_1
1f35cc793563   redis:alpine                                                                                            "docker-entrypoint.s…"   3 hours ago   Up 3 hours               6379/tcp                                    ubuntu_redis_1

Once the agent is deployed, make note of the HTTPS URL at which it is reachable; you will add it to the Cloudflare Worker's environment as DATA_THEOREM_SERVICE_URL.

Step 2: Add Data Theorem Integration Code to your Cloudflare Workers

API Protect has two modes of operation: observability mode and blocking mode. In observability mode, your API traffic is analyzed asynchronously, which minimizes added latency but means requests cannot be blocked even when we detect attacks or other malicious activity. In blocking mode, the analysis happens before the request is forwarded to your origin, so attacks are blocked, at the cost of slightly higher latency per request.

We recommend starting in observability mode and turning on blocking once you have reviewed the findings and are confident in the verdicts.

Deploy In Observability Mode

Extract the archive

unzip CFW.zip

The network analyzer services do not serve HTTPS themselves. Put them behind an HTTPS load balancer (or another TLS-terminating proxy) that forwards traffic to the analyzer, and expose only that endpoint to the Worker.

Edit the file worker/wrangler.toml and replace [DATA_THEOREM_SERVICE_URL] with the HTTPS hostname of the agent (hostname only, without the https:// prefix).

The API Protect for Cloudflare Workers software package you download from our portal contains a client_id we generate to authenticate your services with our system.

It will also contain instructions and code examples that demonstrate how to add our integration to your existing Cloudflare Worker code.

npx wrangler publish src/index.js --name my-worker

Now that the worker is deployed, add the FORWARDER_TOKEN value you generated in Step 1 as a Worker secret through the Cloudflare dashboard (or from the command line with npx wrangler secret put CLIENT_ID, which prompts for the value). The secret must be named CLIENT_ID and hold the token, i.e.:

CLIENT_ID=${FORWARDER_TOKEN}
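The following Worker sketch is an added example illustrating the two modes described in Step 2 (observability: analyze after responding; blocking: wait for the verdict first). It is not the integration code shipped in CFW.zip, and it assumes things this page does not document: a hypothetical POST /analyze endpoint on the agent at https://[DATA_THEOREM_SERVICE_URL] that checks the CLIENT_ID secret as a bearer token and answers JSON {"block": true|false}, plus an assumed BLOCKING_MODE variable to switch modes. The makeFakeFetch helper is a constructed stand-in for the agent and the origin so the file runs offline. Replace the endpoint and response shape with the ones in the package's own instructions.

```javascript
// Illustrative Cloudflare Worker for the two API Protect modes. Added example,
// not Data Theorem's shipped integration code. Assumptions not documented on
// this page (replace with the package's real API):
//   - env.DATA_THEOREM_SERVICE_URL: the agent's HTTPS hostname (wrangler.toml)
//   - env.CLIENT_ID: the Worker secret holding FORWARDER_TOKEN
//   - the agent accepts POST /analyze (hypothetical path) with a JSON summary
//     of the request and answers {"block": true|false}
//   - env.BLOCKING_MODE: assumed plain variable, "true" selects blocking mode

// Summarise the request for the agent. request.clone() matters: a body stream
// can be read only once, and the untouched original must still reach the origin.
async function summarizeRequest(request) {
  const copy = request.clone();
  return {
    method: copy.method,
    url: copy.url,
    headers: Object.fromEntries(copy.headers),
    body: await copy.text(),
  };
}

// One round trip to the agent, bounded by a timeout so a slow analyzer cannot
// stall the Worker indefinitely in blocking mode.
async function analyze(request, env, fetchImpl = fetch, timeoutMs = 2000) {
  const payload = await summarizeRequest(request);
  const res = await fetchImpl(`https://${env.DATA_THEOREM_SERVICE_URL}/analyze`, {
    method: "POST",
    headers: {
      "content-type": "application/json",
      authorization: `Bearer ${env.CLIENT_ID}`,
    },
    body: JSON.stringify(payload),
    signal: AbortSignal.timeout(timeoutMs),
  });
  if (!res.ok) throw new Error(`analyzer returned HTTP ${res.status}`);
  return res.json();
}

// Observability mode: the origin response goes back immediately and the
// analysis finishes after it is sent. ctx.waitUntil keeps the Worker alive for
// it; an analysis failure is logged, never surfaced to the client.
async function handleObservability(request, env, ctx, fetchImpl = fetch) {
  const analysis = analyze(request, env, fetchImpl).catch((err) =>
    console.error("API Protect analysis failed:", err.message),
  );
  ctx.waitUntil(analysis);
  return fetchImpl(request);
}

// Blocking mode: wait for the verdict before forwarding. failOpen decides what
// happens when the analyzer is unreachable: true keeps the API available with
// protection degraded, false refuses traffic with a 503.
async function handleBlocking(request, env, fetchImpl = fetch, failOpen = true) {
  let verdict;
  try {
    verdict = await analyze(request, env, fetchImpl);
  } catch (err) {
    if (!failOpen) return new Response("API Protect analyzer unavailable", { status: 503 });
    console.error("API Protect analysis failed, failing open:", err.message);
    return fetchImpl(request);
  }
  if (verdict.block) return new Response("Blocked by API Protect", { status: 403 });
  return fetchImpl(request);
}

// Worker entry point; in the real module this object is the default export.
const worker = {
  async fetch(request, env, ctx) {
    return env.BLOCKING_MODE === "true"
      ? handleBlocking(request, env)
      : handleObservability(request, env, ctx);
  },
};

// Constructed stand-in for both the agent and the origin so this file runs
// offline: records every URL fetched and returns a canned verdict.
function makeFakeFetch(verdict, analyzerDown = false) {
  const calls = [];
  async function fetchImpl(input) {
    const url = typeof input === "string" ? input : input.url;
    calls.push(url);
    if (url.endsWith("/analyze")) {
      if (analyzerDown) throw new Error("connect ECONNREFUSED");
      return new Response(JSON.stringify(verdict), {
        status: 200,
        headers: { "content-type": "application/json" },
      });
    }
    return new Response("origin ok", { status: 200 });
  }
  return { fetchImpl, calls };
}
```

Choose failOpen deliberately: failing open preserves availability when the agent or its load balancer is down but leaves the API unprotected for the duration, while failing closed turns an agent outage into an API outage and only makes sense once the agent deployment is redundant.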
