Akamai Edgeworker

This document provides a step-by-step guide to setting up data collection on Akamai using the Traceable Platform Agent (TPA). Integrating with Akamai's EdgeWorker allows you to capture and export request and response data to Traceable for monitoring and analysis.

Akamai EdgeWorker is a serverless environment that allows you to run JavaScript at the edge of the Akamai network. This enables efficient processing of web traffic closer to the end user, reducing latency and improving performance. By leveraging EdgeWorker with Traceable, you can capture rich insights directly at the edge, allowing for enhanced observability and faster real-time detection of potential security issues. Following is a high-level deployment diagram:

1. User Request:

   • User sends an API request, which is received by Akamai's edge.

2. Data Capture by Akamai EdgeWorker:

   • The Akamai EdgeWorker processes the request, capturing and duplicating the traffic data.

   • Original traffic continues to downstream applications (API Gateways, Load Balancers, or Apps).

3. Duplicate Traffic Sent to TPA:

   • The EdgeWorker sends duplicated traffic over HTTPS to a TCP Load Balancer in the data center/cloud.

4. Traffic Distribution to TPA Instances:

   • The TCP Load Balancer distributes traffic across multiple Traceable Platform Agent (TPA) instances.

5. Data Processing and Forwarding:

   • Each TPA instance processes the traffic data for security insights and forwards relevant data to the Traceable Platform for monitoring and analysis.

Before you begin

• TPA Deployment: Ensure a TPA instance is deployed and exposed on port 443.

Steps Overview

This integration involves four key steps:

1. Create EdgeWorker in Akamai

2. Add Property Manager Variables

3. Add Origin Connectivity Rule

4. Add Invoke EdgeWorker Rule

Note

• The EdgeWorker that will be created in Step 1 can be shared across multiple properties.

• However, Steps 2-4 (Property Variables, Origin Connectivity Rule, and EdgeWorker Rule) must be configured separately for each property.

Deployment steps

Step 1 — Create EdgeWorker in Akamai

An Akamai EdgeWorker is a serverless environment that enables JavaScript code execution at the edge of the Akamai network. We use EdgeWorker to capture data on incoming requests and responses in this setup.

1. Download the Latest EdgeWorker Script
   Obtain the latest traceable-akamai EdgeWorker JavaScript file.

2. Create EdgeWorker in Akamai

   • In Akamai, navigate to EdgeWorkers.

   • Click Create EdgeWorker ID.

   • Enter the required fields: Name, Contract, and Subscription.

     

3. Upload the EdgeWorker Code

   • Navigate to the newly created EdgeWorker.

   • Select Create Version and then Open Editor.

   • Paste the downloaded JavaScript bundle into the editor and save.

4. Activate EdgeWorker

   • Activate the EdgeWorker version in either Staging or Production.

     Note

     The EdgeWorker will not process traffic until attached to a property in later steps.

At this point, you have successfully deployed the EdgeWorker.

Step 2 — Configure Property Variables

Each property that uses the EdgeWorker needs to have specific Property Variables configured.

1. Navigate to Property Manager

   • In Akamai, go to Property Manager and select the property you want to integrate.

2. Create New Version

   • Click New Version to create a new version of the property.

3. Add Property Variables

   • Configure the following variables as shown below:

     Variable Name	Value	Default Value	Visibility	Note
     TRACEABLE_HOST	string	undefined	Visible	Must be supplied (e.g., agents.traceable.ai, ec2-1.2.3.4-us-east2.amazon.aws.com)
     TRACEABLE_GUID	string	undefined	Hidden	Required if exporting data directly to Traceable.
     TRACEABLE_TIMEOUT	int	100	Visible	Time in milliseconds to allow the async export to complete.
     TRACEABLE_SERVICE_NAME	string	Akamai	Visible	Service name that will appear in the Traceable UI.

Step 3 — Add Origin Connectivity Rule

The Origin Connectivity Rule ensures that the Traceable endpoint is recognized as part of the Akamai network. This is essential because EdgeWorkers can only make subrequests to HTTPS hosts within the Akamai network.

1. Navigate to Property Configuration Settings

   • In Property Manager, select Property Configuration Settings.

2. Create a New Rule

   • Click + Rules and select Blank Rule Template.

   • Provide a rule name, such as Traceable Origin Connectivity Rule.

3. Define Criteria and Behaviors

   • Criteria:

     • Set Path to Matches one of and add /ext_cap/v1/req_res_cap.

   • Behavior:

     • Click + Behavior and choose Standard Property Behavior.

     • Select Origin Server.

     • Configure the fields as follows:

       Field	Value
       Origin Type	Your Origin
       Origin Server Hostname	{{user.PMUSER_TRACEABLE_HOST}}
       Forward Host Header	Custom Value
       Custom Forward Host Header	{{user.PMUSER_TRACEABLE_HOST}}
       Cache Key Hostname	Origin Hostname
       IPv6 Origin Support	IPv4-Only
       Supports gzip Compression	Yes
       Send True Client IP Header	Yes
       True Client IP Header Name	True-Client-IP
       Verification Settings	Choose Your Own
       Use SNI TLS Extension	Yes
       Match CN/SAN to	{{Origin Hostname}}, {{Forward Host Header}}
       Trust	If using Traceable Hosted Platform Agent, use Akamai-managed Certificate Authorities Set If running TPA on your own infrastructure with custom or self-signed certificates, use Custom Certificate Authority Set and upload your rootCA.crt.
       HTTP Port	80
       HTTPS_PORT	443
       Minimum TLS version	Akamai Supported

Step 4 — Add EdgeWorker Invoke Rule

The EdgeWorker Invoke Rule specifies when the EdgeWorker should be triggered based on path patterns and exclusions for specific file types.

1. Navigate to Property Configuration Settings

   • In Property Manager, select Property Configuration Settings.

2. Create a New Rule

   • Click + Rules and select Blank Rule Template.

   • Provide a rule name, such as Invoke Traceable EdgeWorker.

3. Define Criteria for Invoking EdgeWorker

   • Criteria:

     • Set Path to Matches one of and add /* to capture all traffic.

     • Optionally, to narrow the scope, you can use patterns like /api/* to capture API traffic only.

   • Exclude Static Assets:

     • Add a condition to exclude static assets by setting:

       • File Extension to Is not one of with the following list:

         avi, flv, mka, mkv, mov, mp4, mpeg, mpg, mp3, flac, ogg, ogm, opus, wav, webm, webp,
         bmp, gif, ico, jpeg, jpg, png, svg, svgz, swf, eot, otf, ttf, woff, woff2, css, less, js

4. Select EdgeWorker Behavior

   • For Behaviors, select EdgeWorkers.

   • Ensure Enable is selected and choose the EdgeWorker created in Step 1.

5. Deploy the New Property Version

   • After setting the rule, deploy the new property version.

   • Activate it in Staging or Production, depending on the deployment stage.

6. Verify Data Collection

   • Once activated, wait up to 15 minutes for the configuration to go live.

   • Send some traffic and confirm that traces appear in the Traceable platform.