Installation

Install the module dependencies:

Ubuntu

$ apt update && apt install -y libcurl4 libapr1 libjansson4 libaprutil1 bzip2

Centos

$ yum update && yum install -y jansson libcurl apr apr-util pcre

Extract the module:

$ bunzip2 envoy.bz2

Copy the new Envoy binary to /usr/local/bin/ folder:

ShellShell

$ cp envoy /usr/local/bin/

In your config.yaml file add, a new filter in the http_filterssection:

YAMLYAML

1 http_filters:
2     ...
3     - name: perimeterx
4       typed_config:
5         "@type": type.googleapis.com/udpa.type.v1.TypedStruct
6         type_url: type.googleapis.com/perimeterx.Enforcer
7         value:
8           px_enabled: true
9           px_appid: "REPLACE_WITH_YOUR_APP_ID"
10           px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
11           px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

Make sure to update the following required properties:

app_id - The HUMAN application id in the format of PX__. The application id can be found at Platform Settings -> Applications section.
cookie_secret - The key used by the cookie signing page. The Cookie Key is generated in the Platform Settings -> Policies section.
auth_token - The JWT token for REST API. The Authentication Token is generated in the Platform Settings -> Applications section.

Add a new “clusters” section, replace your “appID” values in “sapi-[REPLACE with appID].perimeterx.net”

1 clusters:
2   ...
3   - name: px_collector
4     connect_timeout: 0.25s
5     type: LOGICAL_DNS
6     dns_lookup_family: V4_ONLY
7     load_assignment:
8       cluster_name: px_collector
9       endpoints:
10       - lb_endpoints:
11         - endpoint:
12             address:
13               socket_address:
14                 address: sapi-[REPLACE with appID].perimeterx.net
15                 port_value: 443
16     transport_socket:
17       name: envoy.transport_sockets.tls
18       typed_config:
19         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
20         sni: sapi-[REPLACE with appID].perimeterx.net

HUMAN Envoy Enforcer Docker image

HUMAN Envoy Enforcer Docker image is based on envoyproxy/envoy:v1.32-latest (https://hub.docker.com/r/envoyproxy/envoy).
The only change is built-in “perimeterx” HTTP filter and installed system libraries (Enforcer dependencies).

HUMAN Envoy Enforcer Docker images are located in this repository: us-docker.pkg.dev/hmn-registry/docker-public/px-envoy

Versioning schema

All images use the following naming/versioning schema: px-envoy:vX.X.X-Y.Y.Y

Where:

vX.X.X: is Envoy version (Currently only v1.32 is available)
Y.Y.Y: is HUMAN Enforcer Enforcer version (ChangeLog: /applications/envoy/changelog). latest tag always contains the latest stable HUMAN Enforcer version.

To get v1.32 Envoy with the latest stable HUMAN Enforcer: docker pull us-docker.pkg.dev/hmn-registry/docker-public/px-envoy:v1.32-latest

Changes to Envoy configuration file:

Add a new “http_filters” section, replace values using information from HUMAN portal:

1           http_filters:
2             - name: perimeterx
3               typed_config:
4                 "@type": type.googleapis.com/udpa.type.v1.TypedStruct
5                 type_url: type.googleapis.com/perimeterx.Enforcer
6                 value:
7                   px_appid: "REPLACE_WITH_YOUR_APP_ID"
8                   px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
9                   px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

Envoy Enforcer Configuration Options: https://docs.humansecurity.com/applications-and-accounts/docs/envoy-configuration-options

Add a new “clusters” section, replace your “appID” values in sapi-[REPLACE with appID].perimeterx.net:

1   clusters:
2   - name: px_collector
3     connect_timeout: 0.25s
4     type: LOGICAL_DNS
5     dns_lookup_family: V4_ONLY
6     load_assignment:
7       cluster_name: px_collector
8       endpoints:
9       - lb_endpoints:
10         - endpoint:
11             address:
12               socket_address:
13                 address: sapi-[REPLACE with appID].perimeterx.net
14                 port_value: 443
15     transport_socket:
16       name: envoy.transport_sockets.tls
17       typed_config:
18         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
19         sni: sapi-[REPLACE with appID].perimeterx.net

Example of a full Envoy configuration:

1 admin:
2   address:
3     socket_address:
4       protocol: TCP
5       address: 0.0.0.0
6       port_value: 9901
7 static_resources:
8   listeners:
9   - name: listener_0
10     address:
11       socket_address:
12         protocol: TCP
13         address: 0.0.0.0
14         port_value: 8080
15     filter_chains:
16     - filters:
17       - name: envoy.filters.network.http_connection_manager
18         typed_config:
19           "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
20           scheme_header_transformation:
21             scheme_to_overwrite: https
22           stat_prefix: ingress_http
23 
24           http_filters:
25             - name: perimeterx
26               typed_config:
27                 "@type": type.googleapis.com/udpa.type.v1.TypedStruct
28                 type_url: type.googleapis.com/perimeterx.Enforcer
29                 value:
30                   px_enabled: true
31                   px_appid: "REPLACE"
32                   px_cookie_secret: "REPLACE"
33                   px_auth_token: "REPLACE"
34                   px_debug: true
35                   px_block_enabled: true
36 
37             - name: envoy.filters.http.router
38               typed_config:
39                 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
40 
41           route_config:
42             name: local_route
43             virtual_hosts:
44             - name: local_service
45               domains: ["*"]
46               routes:
47               - match:
48                   prefix: "/"
49                 route:
50                   host_rewrite_literal: www.envoyproxy.io
51                   cluster: service_envoyproxy_io
52 
53   clusters:
54   - name: service_envoyproxy_io
55     connect_timeout: 30s
56     type: LOGICAL_DNS
57     dns_lookup_family: V4_ONLY
58     lb_policy: ROUND_ROBIN
59     load_assignment:
60       cluster_name: service_envoyproxy_io
61       endpoints:
62       - lb_endpoints:
63         - endpoint:
64             address:
65               socket_address:
66                 address: www.envoyproxy.io
67                 port_value: 443
68     transport_socket:
69       name: envoy.transport_sockets.tls
70       typed_config:
71         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
72         sni: www.envoyproxy.io
73 
74   - name: px_collector
75     connect_timeout: 0.25s
76     type: LOGICAL_DNS
77     dns_lookup_family: V4_ONLY
78     load_assignment:
79       cluster_name: px_collector
80       endpoints:
81       - lb_endpoints:
82         - endpoint:
83             address:
84               socket_address:
85                 address: sapi-REPLACE.perimeterx.net
86                 port_value: 443
87     transport_socket:
88       name: envoy.transport_sockets.tls
89       typed_config:
90         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
91         sni: sapi-REPLACE.perimeterx.net

Install the module dependencies:

Ubuntu

$ apt update && apt install -y libcurl4 libapr1 libjansson4 libaprutil1 bzip2

Centos

$ yum update && yum install -y jansson libcurl apr apr-util pcre

Extract the module:

$ bunzip2 envoy.bz2

Copy the new Envoy binary to /usr/local/bin/ folder:

ShellShell

$ cp envoy /usr/local/bin/

In your config.yaml file add, a new filter in the http_filterssection:

YAMLYAML

1 http_filters:
2     ...
3     - name: perimeterx
4       typed_config:
5         "@type": type.googleapis.com/udpa.type.v1.TypedStruct
6         type_url: type.googleapis.com/perimeterx.Enforcer
7         value:
8           px_enabled: true
9           px_appid: "REPLACE_WITH_YOUR_APP_ID"
10           px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
11           px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

Make sure to update the following required properties:

app_id - The HUMAN application id in the format of PX__. The application id can be found at Platform Settings -> Applications section.
cookie_secret - The key used by the cookie signing page. The Cookie Key is generated in the Platform Settings -> Policies section.
auth_token - The JWT token for REST API. The Authentication Token is generated in the Platform Settings -> Applications section.

Add a new “clusters” section, replace your “appID” values in “sapi-[REPLACE with appID].perimeterx.net”

1 clusters:
2   ...
3   - name: px_collector
4     connect_timeout: 0.25s
5     type: LOGICAL_DNS
6     dns_lookup_family: V4_ONLY
7     load_assignment:
8       cluster_name: px_collector
9       endpoints:
10       - lb_endpoints:
11         - endpoint:
12             address:
13               socket_address:
14                 address: sapi-[REPLACE with appID].perimeterx.net
15                 port_value: 443
16     transport_socket:
17       name: envoy.transport_sockets.tls
18       typed_config:
19         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
20         sni: sapi-[REPLACE with appID].perimeterx.net

HUMAN Envoy Enforcer Docker image

HUMAN Envoy Enforcer Docker images are located in this repository: us-docker.pkg.dev/hmn-registry/docker-public/px-envoy

Versioning schema

All images use the following naming/versioning schema: px-envoy:vX.X.X-Y.Y.Y

Where:

vX.X.X: is Envoy version (Currently only v1.32 is available)
Y.Y.Y: is HUMAN Enforcer Enforcer version (ChangeLog: /applications/envoy/changelog). latest tag always contains the latest stable HUMAN Enforcer version.

To get v1.32 Envoy with the latest stable HUMAN Enforcer: docker pull us-docker.pkg.dev/hmn-registry/docker-public/px-envoy:v1.32-latest

Changes to Envoy configuration file:

Add a new “http_filters” section, replace values using information from HUMAN portal:

1           http_filters:
2             - name: perimeterx
3               typed_config:
4                 "@type": type.googleapis.com/udpa.type.v1.TypedStruct
5                 type_url: type.googleapis.com/perimeterx.Enforcer
6                 value:
7                   px_appid: "REPLACE_WITH_YOUR_APP_ID"
8                   px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
9                   px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

Envoy Enforcer Configuration Options: https://docs.humansecurity.com/applications-and-accounts/docs/envoy-configuration-options

Add a new “clusters” section, replace your “appID” values in sapi-[REPLACE with appID].perimeterx.net:

1   clusters:
2   - name: px_collector
3     connect_timeout: 0.25s
4     type: LOGICAL_DNS
5     dns_lookup_family: V4_ONLY
6     load_assignment:
7       cluster_name: px_collector
8       endpoints:
9       - lb_endpoints:
10         - endpoint:
11             address:
12               socket_address:
13                 address: sapi-[REPLACE with appID].perimeterx.net
14                 port_value: 443
15     transport_socket:
16       name: envoy.transport_sockets.tls
17       typed_config:
18         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
19         sni: sapi-[REPLACE with appID].perimeterx.net

Example of a full Envoy configuration:

1 admin:
2   address:
3     socket_address:
4       protocol: TCP
5       address: 0.0.0.0
6       port_value: 9901
7 static_resources:
8   listeners:
9   - name: listener_0
10     address:
11       socket_address:
12         protocol: TCP
13         address: 0.0.0.0
14         port_value: 8080
15     filter_chains:
16     - filters:
17       - name: envoy.filters.network.http_connection_manager
18         typed_config:
19           "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
20           scheme_header_transformation:
21             scheme_to_overwrite: https
22           stat_prefix: ingress_http
23 
24           http_filters:
25             - name: perimeterx
26               typed_config:
27                 "@type": type.googleapis.com/udpa.type.v1.TypedStruct
28                 type_url: type.googleapis.com/perimeterx.Enforcer
29                 value:
30                   px_enabled: true
31                   px_appid: "REPLACE"
32                   px_cookie_secret: "REPLACE"
33                   px_auth_token: "REPLACE"
34                   px_debug: true
35                   px_block_enabled: true
36 
37             - name: envoy.filters.http.router
38               typed_config:
39                 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
40 
41           route_config:
42             name: local_route
43             virtual_hosts:
44             - name: local_service
45               domains: ["*"]
46               routes:
47               - match:
48                   prefix: "/"
49                 route:
50                   host_rewrite_literal: www.envoyproxy.io
51                   cluster: service_envoyproxy_io
52 
53   clusters:
54   - name: service_envoyproxy_io
55     connect_timeout: 30s
56     type: LOGICAL_DNS
57     dns_lookup_family: V4_ONLY
58     lb_policy: ROUND_ROBIN
59     load_assignment:
60       cluster_name: service_envoyproxy_io
61       endpoints:
62       - lb_endpoints:
63         - endpoint:
64             address:
65               socket_address:
66                 address: www.envoyproxy.io
67                 port_value: 443
68     transport_socket:
69       name: envoy.transport_sockets.tls
70       typed_config:
71         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
72         sni: www.envoyproxy.io
73 
74   - name: px_collector
75     connect_timeout: 0.25s
76     type: LOGICAL_DNS
77     dns_lookup_family: V4_ONLY
78     load_assignment:
79       cluster_name: px_collector
80       endpoints:
81       - lb_endpoints:
82         - endpoint:
83             address:
84               socket_address:
85                 address: sapi-REPLACE.perimeterx.net
86                 port_value: 443
87     transport_socket:
88       name: envoy.transport_sockets.tls
89       typed_config:
90         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
91         sni: sapi-REPLACE.perimeterx.net

1	http_filters:
2	...
3	- name: perimeterx
4	typed_config:
5	"@type": type.googleapis.com/udpa.type.v1.TypedStruct
6	type_url: type.googleapis.com/perimeterx.Enforcer
7	value:
8	px_enabled: true
9	px_appid: "REPLACE_WITH_YOUR_APP_ID"
10	px_cookie_secret: "REPLACE_WITH_YOUR_COOKIE_SECRET"
11	px_auth_token: "REPLACE_WITH_YOUR_AUTH_TOKEN"

1	clusters:
2	...
3	- name: px_collector
4	connect_timeout: 0.25s
5	type: LOGICAL_DNS
6	dns_lookup_family: V4_ONLY
7	load_assignment:
8	cluster_name: px_collector
9	endpoints:
10	- lb_endpoints:
11	- endpoint:
12	address:
13	socket_address:
14	address: sapi-[REPLACE with appID].perimeterx.net
15	port_value: 443
16	transport_socket:
17	name: envoy.transport_sockets.tls
18	typed_config:
19	"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
20	sni: sapi-[REPLACE with appID].perimeterx.net

1	admin:
2	address:
3	socket_address:
4	protocol: TCP
5	address: 0.0.0.0
6	port_value: 9901
7	static_resources:
8	listeners:
9	- name: listener_0
10	address:
11	socket_address:
12	protocol: TCP
13	address: 0.0.0.0
14	port_value: 8080
15	filter_chains:
16	- filters:
17	- name: envoy.filters.network.http_connection_manager
18	typed_config:
19	"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
20	scheme_header_transformation:
21	scheme_to_overwrite: https
22	stat_prefix: ingress_http
23
24	http_filters:
25	- name: perimeterx
26	typed_config:
27	"@type": type.googleapis.com/udpa.type.v1.TypedStruct
28	type_url: type.googleapis.com/perimeterx.Enforcer
29	value:
30	px_enabled: true
31	px_appid: "REPLACE"
32	px_cookie_secret: "REPLACE"
33	px_auth_token: "REPLACE"
34	px_debug: true
35	px_block_enabled: true
36
37	- name: envoy.filters.http.router
38	typed_config:
39	"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
40
41	route_config:
42	name: local_route
43	virtual_hosts:
44	- name: local_service
45	domains: ["*"]
46	routes:
47	- match:
48	prefix: "/"
49	route:
50	host_rewrite_literal: www.envoyproxy.io
51	cluster: service_envoyproxy_io
52
53	clusters:
54	- name: service_envoyproxy_io
55	connect_timeout: 30s
56	type: LOGICAL_DNS
57	dns_lookup_family: V4_ONLY
58	lb_policy: ROUND_ROBIN
59	load_assignment:
60	cluster_name: service_envoyproxy_io
61	endpoints:
62	- lb_endpoints:
63	- endpoint:
64	address:
65	socket_address:
66	address: www.envoyproxy.io
67	port_value: 443
68	transport_socket:
69	name: envoy.transport_sockets.tls
70	typed_config:
71	"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
72	sni: www.envoyproxy.io
73
74	- name: px_collector
75	connect_timeout: 0.25s
76	type: LOGICAL_DNS
77	dns_lookup_family: V4_ONLY
78	load_assignment:
79	cluster_name: px_collector
80	endpoints:
81	- lb_endpoints:
82	- endpoint:
83	address:
84	socket_address:
85	address: sapi-REPLACE.perimeterx.net
86	port_value: 443
87	transport_socket:
88	name: envoy.transport_sockets.tls
89	typed_config:
90	"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
91	sni: sapi-REPLACE.perimeterx.net