Installation

  1. Install the dependencies:
     On Debian/Ubuntu:
    apt install -y libcurl4 libapr1 libjansson4 libaprutil1
     On RHEL/CentOS:
    yum install -y jansson apr apr-util pcre libcurl
  2. Copy the libvmod_px.so file to /usr/lib64/varnish/vmods/.

In your configuration .vcl file

  1. At the top of the file, add these two lines to import the Enforcer module and the std module:
    import px;
    import std;
  2. Add the following lines to the sub vcl_init block to enable the Enforcer and provide the required parameters:
    new px_module = px.px();
  
    px_module.setconf("px_enabled", "true");

    px_module.setconf("px_appId", "ENTER APP ID HERE");
    px_module.setconf("px_cookie_secret", "ENTER RISK COOKIE KEY HERE");
    px_module.setconf("px_auth_token", "ENTER AUTHENTICATION TOKEN HERE");
 
    if (!px_module.setup()) {
        std.syslog(9, "Failed to init PX module");
    }
  • px_enabled - Set to true to enable the Enforcer.
  • px_appId - Enter the HUMAN application ID.
    To retrieve the ID:
    a. Open the HUMAN Console.
    b. Go to Platform Settings > Applications.
    c. Copy the ID from the Application ID field.
  • px_cookie_secret - Enter a risk cookie key used by the cookie signing page.
    To generate a risk cookie key:
    a. Open the HUMAN Console.
    b. Go to Product Settings > Security Policy > Policy Information.
    c. Click Generate new.
  • px_auth_token - Enter a JWT authentication token for REST API.
    To retrieve the authentication token:
    a. Open the HUMAN Console.
    b. Go to Platform Settings > Applications > Tokens > Server Tokens.
    c. Click Copy token.
  3. Add the following section to the existing sub vcl_recv block. This section enables the Enforcer to process requests.
    if (px_module.is_first_party(req.url)) {
        std.cache_req_body(10KB);
    }

    px_module.process_request(req.url, req.method, regsub(req.proto, "^.*/", ""), client.ip, req.http.host);

    if (px_module.get_result() > 0) {
        return (synth(px_module.get_result()));
    }
  4. Add the following new block. It lets the Enforcer display a CAPTCHA when a request is blocked.
sub vcl_synth {
    set resp.status = px_module.get_resp_status();
    px_module.set_resp_headers();

    if (px_module.get_resp_body_len()) {
        synthetic(px_module.get_resp_body());
    }

    return(deliver);
}
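
A pre-deployment check for a .vcl file edited as described above. This is an added example, not part of the Enforcer or of the original page: px_vcl_lint is a hypothetical helper name, and the check assumes the px_module instance name and the placeholder strings used in the snippets above.

```shell
#!/bin/sh
# Added example (not part of the Enforcer): checks a VCL file configured per the steps above.
# px_vcl_lint is a hypothetical helper name. Usage: sh px_vcl_lint.sh path/to/your.vcl
px_vcl_lint() {
    vcl="$1"
    problems=0
    [ -r "$vcl" ] || { echo "cannot read $vcl" >&2; return 2; }

    # Both VMODs used by the snippets must be imported.
    for mod in px std; do
        grep -Eq "^[[:space:]]*import[[:space:]]+$mod;" "$vcl" ||
            { echo "missing: import $mod;"; problems=$((problems + 1)); }
    done

    # Each required parameter must be set and must not still hold its placeholder.
    for key in px_enabled px_appId px_cookie_secret px_auth_token; do
        line=$(grep -E "setconf\(\"$key\"," "$vcl" | head -n 1)
        if [ -z "$line" ]; then
            echo "missing: setconf(\"$key\", ...)"; problems=$((problems + 1))
        elif printf '%s\n' "$line" | grep -Eq '"(ENTER [^"]* HERE)?"\)'; then
            echo "placeholder or empty value: $key"; problems=$((problems + 1))
        fi
    done

    # The file holds px_cookie_secret and px_auth_token: flag it if world-readable.
    if [ -n "$(find "$vcl" -prune -perm -004)" ]; then
        echo "world-readable: $vcl contains secrets"; problems=$((problems + 1))
    fi

    # The request hook and the synth handler must both be present.
    grep -q 'px_module\.process_request(' "$vcl" ||
        { echo "missing: px_module.process_request() in vcl_recv"; problems=$((problems + 1)); }
    grep -Eq '^[[:space:]]*sub[[:space:]]+vcl_synth' "$vcl" ||
        { echo "missing: sub vcl_synth"; problems=$((problems + 1)); }

    echo "$problems problem(s)"
    [ "$problems" -eq 0 ]
}

if [ "$#" -gt 0 ]; then px_vcl_lint "$1"; fi
```

Once the check passes, varnishd -C -f with the same file compiles the VCL without starting the daemon, which confirms that the px VMOD loads from the vmods directory.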