Installation

  1. Install the module dependencies:

    Ubuntu
    $ apt update && apt install -y libcurl4 libapr1 libjansson4 libaprutil1 bzip2
    CentOS
    $ yum update && yum install -y jansson libcurl apr apr-util pcre
  2. Extract the module:

    $ bunzip2 envoy.bz2
  3. Copy the new Envoy binary to the /usr/local/bin/ folder:

    $ cp envoy /usr/local/bin/
  4. In your config.yaml file, add a new filter in the http_filters section:

    http_filters:
    ...
    - name: perimeterx
      typed_config:
        "@type": type.googleapis.com/udpa.type.v1.TypedStruct
        type_url: type.googleapis.com/perimeterx.Enforcer
        value:
          px_enabled: true
          px_appid: "REPLACE_WITH_YOUR_APP_ID"
          px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
          px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

Make sure to update the following required properties:

  1. Add a new “clusters” section, replacing the “appID” value in “sapi-[REPLACE with appID].perimeterx.net”:

    clusters:
    ...
    - name: px_collector
      connect_timeout: 0.25s
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      load_assignment:
        cluster_name: px_collector
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: sapi-[REPLACE with appID].perimeterx.net
                  port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: sapi-[REPLACE with appID].perimeterx.net

HUMAN Envoy Enforcer Docker image

The HUMAN Envoy Enforcer Docker image is based on envoyproxy/envoy:v1.32-latest (https://hub.docker.com/r/envoyproxy/envoy).
The only changes are the built-in “perimeterx” HTTP filter and the installed system libraries (Enforcer dependencies).

HUMAN Envoy Enforcer Docker images are located in this repository: us-docker.pkg.dev/hmn-registry/docker-public/px-envoy

Versioning schema

All images use the following naming/versioning schema: px-envoy:vX.X.X-Y.Y.Y

Where:

To get v1.32 Envoy with the latest stable HUMAN Enforcer: docker pull us-docker.pkg.dev/hmn-registry/docker-public/px-envoy:v1.32-latest

Changes to Envoy configuration file:

  1. Add a new “http_filters” section, replacing the values with information from the HUMAN portal:

    http_filters:
    - name: perimeterx
      typed_config:
        "@type": type.googleapis.com/udpa.type.v1.TypedStruct
        type_url: type.googleapis.com/perimeterx.Enforcer
        value:
          px_appid: "REPLACE_WITH_YOUR_APP_ID"
          px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
          px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

Envoy Enforcer Configuration Options: https://docs.humansecurity.com/applications-and-accounts/docs/envoy-configuration-options

  2. Add a new “clusters” section, replacing the “appID” value in sapi-[REPLACE with appID].perimeterx.net:

    clusters:
    - name: px_collector
      connect_timeout: 0.25s
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      load_assignment:
        cluster_name: px_collector
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: sapi-[REPLACE with appID].perimeterx.net
                  port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: sapi-[REPLACE with appID].perimeterx.net

Example of a full Envoy configuration:

    # Envoy admin interface. This example binds it to all interfaces;
    # restrict access to it in real deployments.
    admin:
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 9901
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 8080
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              scheme_header_transformation:
                scheme_to_overwrite: https
              stat_prefix: ingress_http

              http_filters:
              # The Enforcer filter is listed before the router filter,
              # which must be the last filter in the chain.
              - name: perimeterx
                typed_config:
                  "@type": type.googleapis.com/udpa.type.v1.TypedStruct
                  type_url: type.googleapis.com/perimeterx.Enforcer
                  value:
                    px_enabled: true
                    px_appid: "REPLACE"
                    px_cookie_secret: "REPLACE"
                    px_auth_token: "REPLACE"
                    px_debug: true
                    px_block_enabled: true

              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      host_rewrite_literal: www.envoyproxy.io
                      cluster: service_envoyproxy_io

      clusters:
      - name: service_envoyproxy_io
        connect_timeout: 30s
        type: LOGICAL_DNS
        dns_lookup_family: V4_ONLY
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: service_envoyproxy_io
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: www.envoyproxy.io
                    port_value: 443
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            sni: www.envoyproxy.io

      - name: px_collector
        connect_timeout: 0.25s
        type: LOGICAL_DNS
        dns_lookup_family: V4_ONLY
        load_assignment:
          cluster_name: px_collector
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: sapi-REPLACE.perimeterx.net
                    port_value: 443
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            sni: sapi-REPLACE.perimeterx.net
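
A pre-deployment check for the values the steps above ask you to replace, as an added example (not part of HUMAN's documentation or tooling): it flags leftover REPLACE placeholders, a px_collector address or sni that differs from sapi-<px_appid>.perimeterx.net, and a world-readable config file, since the file holds px_cookie_secret and px_auth_token. The function names and the app ID PXabc12345 are made up for the example, and the case-insensitive host comparison is an assumption.

```shell
#!/bin/sh
# Added example: line-based lint (not a YAML parser) for the Enforcer settings
# on this page. Assumes one "key: value" per line, as in the page's examples.

# px_value KEY FILE: first value of KEY, with quotes stripped.
px_value() {
    sed -n "s/^ *$1: *//p" "$2" | head -n 1 | tr -d "\"'"
}

# px_collector_field KEY FILE: value of KEY inside the px_collector cluster.
px_collector_field() {
    awk -v key="$1:" '
        /name: *px_collector/ { in_px = 1; next }
        $1 == "-" && $2 == "name:" { in_px = 0 }
        in_px && $1 == key && NF == 2 { val = $2 }
        END { print val }' "$2"
}

# check_px_config FILE: prints findings; returns the number of problems.
check_px_config() {
    cfg=$1; problems=0
    if grep -q 'REPLACE' "$cfg"; then
        echo "placeholder left in place:"; grep -n 'REPLACE' "$cfg"
        problems=$((problems + 1))
    fi
    appid=$(px_value px_appid "$cfg" | tr '[:upper:]' '[:lower:]')
    want="sapi-$appid.perimeterx.net"
    for key in address sni; do
        got=$(px_collector_field "$key" "$cfg" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$want" ]; then
            echo "px_collector $key is '$got', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    # The file holds px_cookie_secret and px_auth_token.
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "$cfg is world-readable"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample (PXabc12345 is a made-up app ID); its sni does not match.
sample=$(mktemp)
printf '%s\n' 'px_appid: "PXabc12345"' '- name: px_collector' \
    'address: sapi-pxabc12345.perimeterx.net' \
    'sni: sapi-pxother.perimeterx.net' > "$sample"
check_px_config "$sample" || echo "problems found: $?"
```

Once the check returns 0, running the binary with `--mode validate -c config.yaml` confirms that Envoy itself accepts the file.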