search close

Edge Deployment

access_time Updated Jun 29, 2022

About Edge deployment

The Edge deployment method allows you to add the Signal Sciences as an edge security service onto Fastly’s Edge Cloud Platform without needing to make any modifications to your own hosting environment.

Important: The Edge deployment method is currently only supported for the Essential platform. Professional and Premiere platforms only use Core and Cloud WAF deployment types.

Requirements

Deploying at the edge

To deploy at the edge, you will need a Signal Sciences corp and at least one site to protect. Setup involves making calls to the Signal Sciences API and modifying VCL on the Fastly service.

Creating the edge security service

Create a new edge security service by calling the edgeDeployment API endpoint. This API call creates a new edge security service associated with your corp and site. You will need to replace {corpName} and {siteName} with those of the corp and site you are adding the edge security service to. Your {corpname} and {siteName} are both present in the address of your Signal Sciences console, such as https://dashboard.signalsciences.net/corps/{corpName}/sites/{siteName}.

curl -H "x-api-user:$SIGSCI_EMAIL" -H "x-api-token:$ACCESS_TOKEN" \
-H "Content-Type: application/json" -X PUT \
https://dashboard.signalsciences.net/api/v0/corps/{corpName}/sites/{siteName}/edgeDeployment

Run this API call again for each site you want to deploy on.

Mapping to the Fastly service

Map your corp and site to an existing Fastly service and synchronize the origins by calling the edgeDeployment/{fastlySID} API endpoint. You will need to replace {fastlySID} with the ID of the Fastly service.

Note: This API call requires Fastly-Key for authentication. The Fastly API key must have write access to the Fastly Service ID.

curl -H "x-api-user:$SIGSCI_EMAIL" -H "x-api-token:$ACCESS_TOKEN" \
-H "Fastly-Key: $FASTLY_KEY" -H 'Content-Type: application/json' -X PUT \
https://dashboard.signalsciences.net/api/v0/corps/{corpName}/sites/{siteName}/edgeDeployment/{fastlySID}

Run this API call again for each Fastly service you want to deploy on. If your origins change, you will need to run this API call again to resynchronize the backends.

This API call makes changes and adds a new sigsci_config custom VCL file to your Fastly service. After making the API call, these changes will be left in an unactivated draft version. Activate the draft service version for the changes to take effect.

Synchronizing origins

Some conditions cause origin syncing to occur automatically:

  • Site configuration changes
  • Agent mode changes (e.g., blocking, not blocking)
  • Enabling or disabling IP Anonymization
  • Rule changes (e.g., request rules, signal exclusion rules, CVE rules)
  • Rule list changes (only if the list is being used by a rule)
  • IPs flagged

If you change your origins in the Fastly Console, you will need to take additional action to synchronize your changes using an API call. The API call makes sure origin changes applied in the Fastly Console are reflected in the edge security service. For example:

curl -v -H "x-api-user:$SIGSCI_EMAIL" -H "x-api-token:$ACCESS_TOKEN" -H "Fastly-Key: $FASTLY_KEY" -H "Content-Type:application/json" -X PUT https://dashboard.signalsciences.net/api/v0/corps/{corpName}/sites/{siteName}/edgeDeployment/{fastlySID}/backends

IMPORTANT: Failure to synchronize origins may result in your traffic not being inspected properly. Requests sent to a backend that does not exist in the edge security service will be served a 503 Unknown wasm backend error. You can correct this issue by running the API call to properly sync origins after any changes.

Calling the edge security service

You will need to call the new sigsci_config VCL file for your Fastly service to load it. Add the following line to your main VCL file:

include "sigsci_config";

Then add the following line to both the vcl_miss and vcl_pass subroutines of your service to call the edge security service.

call edge_security;

After adding the lines, activate the draft service version for the changes to take effect.

Traffic ramping

You can control the amount of traffic inspected by the edge security service using the Enabled dictionary key. This value is available in the Edge_Security dictionary and is automatically created when you attach a delivery service.

The default value is 100, expressed as a percentage. If the value is set to 100, all traffic will be passed through the edge security service. If the value is less than 100, a random sample of traffic will be sent through the edge security service.

Note: The Edge_Security Edge dictionary no longer uses The DISABLED field. To control blocking and logging behavior of an edge security service or turn off agent configurations entirely, use the web interface instead.