AWS

AWS Draft - Taken from Blog need further work

Reblaze Configuration Guide for AWS Marketplace

This document describes how to set up and configure the Reblaze platform, once you have deployed it via AWS Marketplace.

The post-deployment configuration process consists of four steps:

1. Creating a login account.

2. Setting initial parameters within Reblaze.

3. Setting up a load balancer.

4. Routing your traffic into the load balancer.

Step 1: Creating a login account

To begin configuration, the following screen should be visible:

Enter the requested information, then select “Complete Deployment.” This will create your account, along with some other components to complete the deployment process.

You will then be redirected to the Reblaze management console, where you will configure the platform itself.

Step 2: Setting initial parameters within Reblaze

You should now be seeing the Reblaze dashboard:

Within the Reblaze interface, you will be doing three tasks:

1. Specify the web assets you want to protect with Reblaze.

2. (Optional, but recommended): Set Reblaze in report-only mode. Doing so means that Reblaze will not block any traffic; it will merely report on what it would have blocked. This is useful during a new deployment, since you can fine-tune and optimize your settings while avoiding false positives.

3. Publish your changes.

Task 1: Specify the web assets

In the Reblaze interface, select “Web Proxy” under the “Settings” category in the left sidebar. The following screen will appear, set already to the “General Settings” tab:

For new deployments, most of the settings can be left at their defaults. On this page, you will need to fill out two lists (Upstream Servers and Domain Names), and select the Active Protocols setting.

Upstream Servers: This list is where you define the servers that Reblaze will protect. In other words, these are the servers to which Reblaze will send the (scrubbed) web traffic it receives.

This list provides robust capabilities for managing your traffic. You can enable and configure load balancing, which will weight and distribute traffic across your primary servers. You can define backup servers, to which Reblaze will failover your traffic when your primary servers aren’t available. You can take servers offline for maintenance by ticking a single box in the interface. You can even tell Reblaze to keep individual users connected to the same server throughout their sessions.

Adding and deleting servers from this list is straightforward. To add a server, enter its IP in the “New Server” box and click Add, then fill out the rest of the information in the new entry. To delete an existing entry, click on the Delete link next to that entry.

Here are explanations for each field in this list.

Host is the IP/FQDN for each server that Reblaze protects. This can be a normal web server, or it can be a load-balancing server. Note that Reblaze also provides load-balancing capabilities in its own right, as seen in the next field.

Weight is the relative weight of each server for load balancing purposes. Reblaze distributes traffic with a round-robin sequence, according to these weights.

For example, let’s say there are two servers in the list, with the weight of each servers set to one. Therefore, these servers will receive equal amounts of traffic. Suppose instead that the first server was set to three, while the second was set to one. This would mean that the first server would receive three visitors for every visitor sent to the second server.

A note on load balancing: Please note that the load balancing parameters shown here are separate from the load balancer that you will set up in Step 3. The load balancing within Reblaze (which is defined here) is done to distribute scrubbed traffic across the servers within your network. The load balancing outside of Reblaze (which is defined in Step 3) will dynamically create new instances of Reblaze as needed, in response to spikes of incoming traffic which has not yet been scrubbed.

Max Fails is the maximum number of failed communication attempts that are allowed for this server. Once this number of failures occurs, Reblaze will consider the server to be inactive. If other servers are available, Reblaze will failover the traffic to them. If this was the only server available, Reblaze will return an error to the client (either 504 Timeout, or 502 Bad Gateway).

Fail Timeout: When a server fails, this is the length of time that Reblaze will wait before trying to send traffic to it again. In the example, the timeout is ten seconds.

Is Down: When this box is checked, Reblaze will not attempt to communicate with this server. This allows you to easily take a server offline for temporary maintenance or some other purpose.

Is Backup: when this box is checked, Reblaze will treat this server as a backup. In other words, Reblaze will not attempt to communicate with it unless all the primary servers (i.e., those for which this box is not checked) are unavailable.

HTTP Port and HTTPS Port are self-explanatory.

As for Domain Names, this is the list of domains within this website that Reblaze will protect. It needs to be filled out according to the format shown.

Task 2: Set Reblaze in Report-Only Mode

As discussed above, this setting is optional (and if enabled, will only remain so for a period of testing). It is found on the Planet Overview page (which is under the “Settings” category in the left sidebar).

The red/green button displays the current state (Active, or Report-Only) for each domain. Clicking a button will toggle that domain to the other mode. After changing one or more of these settings, you must publish the changes for them to become effective.

Task 3: Publish Your Changes

Whenever you change the Reblaze platform’s configuration, you must push those changes to the cloud.

In the Reblaze interface, select “Planet Overview” under the “Settings” category in the left sidebar (as shown in the previous image).

This page provides three features: an overview of your “planet” (i.e., your entire Reblaze deployment), the ability to add a new site to your planet, and the ability to publish changes.

Select “Publish Changes” at the upper right to push your earlier edits to the cloud.

Step 3 : Setting up a load balancer

During initial deployment (i.e., the process that was completed before you began following the instructions in this document), an autoscale group for Reblaze was created. In this step, you will attach this group to an AWS Application Load Balancer.

Task 1: Create Load Balancer

In your AWS Management console, go to:

Services → EC2 → Load Balancing → Load Balancers → Create Load Balancer.

Select “Application Load Balancer”

Fill in all required fields and click “Next.”

Task 2: Choose/Upload SSL Certificate

If you added an HTTPS listener, attach the correct certificate and select the Security policy.

Then click “Next.”

Task 3: Select security group

Here you will allow access to the Load Balancer. Typically you will add a new security group for this, or you can select an existing one. Then click “Next.”

Task 4: Select target group

Select “Existing target group” and choose “Reblaze-80,” which will be available already from the Marketplace deployment.

Click “Next,” “Next,” review all settings, and then click “Create.”

Step 5: Update listeners

Now the Load Balancer has been created, and will appear on the page.

If you selected an HTTPS listener earlier, then the target group will require an update.

Select the LB and move to the “Listeners” page. You should see that both listeners are set to “Reblaze-80” — instead, you should point the HTTPS listener to “Reblaze-443.”

To do this, select HTTPS and click on edit.

Choose “Reblaze-443” on Default action, save and update.

Step 4: Routing your traffic into the load balancer

At this point, your deployment and setup are complete. The last remaining step is to route your traffic into the load balancer, which will send it to your Reblaze instance(s), which will scrub the traffic and forward it on to your servers.

To do this, just set your DNS record to the IP address which can be resolved from the LB DNS Name:

Back in Step 2, Task 2 you had the option of setting Reblaze into report-only mode. Assuming you did this, then Reblaze is not yet filtering your traffic; it is merely reporting on what it would have filtered, had it been set up in active mode. This gives you an opportunity to fine-tune Reblaze’s configuration, before any of your traffic is actually affected.

Going Forward: Customizing Reblaze

As you might notice from looking through the interface, the Reblaze web security platform is both powerful and highly customizable, with the ability to be fine-tuned for your specific needs.

However, it is beyond the scope of this document to describe this customization process. Furthermore, a full and correct customization is often rather daunting for new users.

We at Reblaze Technologies want you to have the best experience possible with the platform, so that you will enjoy the full benefits of comprehensive, intelligent, and effortless web security.

Therefore, please feel free to contact support at support@reblaze.com, for further one-on-one assistance in setting up your deployment. We’re available 24 hours per day to assist you.