You are here

Home » API reference » Fastly 8.3

netacea_integration_init.html.twig in Fastly 8.3 

backend F_MitSvc {
  .between_bytes_timeout = 0.5s;
  .connect_timeout = 1s;
  .dynamic = true;
  .first_byte_timeout = 1s;
  .host = "mitigations.netacea.net";
  .max_connections = 200;
  .port = "443";
  .share_key = "NETACEAmitigations";
  .ssl = true;
  .ssl_cert_hostname = "mitigations.netacea.net";
  .ssl_check_cert = always;
  .ssl_sni_hostname = "mitigations.netacea.net";
  .probe = {
    .dummy = true;
    .initial = 5;
    .request = "HEAD / HTTP/1.1"  "Host: mitigations.netacea.net" "Connection: close";
    .threshold = 1;
    .timeout = 2s;
    .window = 5;
  }
}

sub netacea_recv {
  # Change this value to false to bypass Netacea
  declare local var.netacea_mitSvc_enabled BOOL;
  set var.netacea_mitSvc_enabled = true;

  unset req.http.X-Netacea-UserId;

  # Unset headers Netacea Set
  unset req.http.netacea_processed;
  if (req.restarts == 0) {
    unset req.http.netacea_bctype_string;
    unset req.http.netacea_best_mitigation;
    unset req.http.netacea_match;
    unset req.http.netacea_mitigate;
    unset req.http.netacea_captcha;
  } else {
    if (req.http.netacea_best_mitigation == "block") {
      error 403;
    }
  }

  declare local var.netacea_mitSvc_forward BOOL;
  declare local var.netacea_mitSvc_apiKey STRING;
  declare local var.netacea_mitSvc_secret STRING;

  set var.netacea_mitSvc_apiKey = "{{ api_key }}";
  set var.netacea_mitSvc_secret = "{{ secret }}";

  declare local var.netacea_mitSvc_exp STRING;
  declare local var.netacea_mitSvc_sig STRING;
  declare local var.netacea_mitSvc_userId STRING;
  declare local var.netacea_valid_atacookie BOOL;
  declare local var.netacea_mitigation_code STRING;

  set var.netacea_mitSvc_forward = true;

  if (req.http.Cookie:_mitata) {
    if (req.http.Cookie:_mitata ~ "(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/((\d)(\d)(\d))") {
      set var.netacea_valid_atacookie = true;
      set var.netacea_mitSvc_sig = re.group.1;
      set var.netacea_mitSvc_exp = re.group.2;
      set var.netacea_mitSvc_userId = re.group.3;
      set var.netacea_mitigation_code = re.group.4;
      set req.http.netacea_match = re.group.5;
      set req.http.netacea_mitigate = re.group.6;
      set req.http.netacea_captcha = re.group.7;
    } else {
      set var.netacea_valid_atacookie = false;
    }
  }
  if (req.restarts == 0) {
    if (var.netacea_mitSvc_enabled) {
      if (var.netacea_valid_atacookie) {
        set var.netacea_mitSvc_forward = true;
        if (!time.is_after(now, std.time(var.netacea_mitSvc_exp, now))) {
          declare local var.netacea_mitSvc_stringValue STRING;
          declare local var.netacea_mitSvc_HMAC STRING;
          declare local var.netacea_mitSvc_B64 STRING;
          set var.netacea_mitSvc_stringValue = var.netacea_mitSvc_exp + "_/@#/" + var.netacea_mitSvc_userId + "_/@#/" + var.netacea_mitigation_code;
          set var.netacea_mitSvc_HMAC = digest.hmac_sha256(var.netacea_mitSvc_secret, var.netacea_mitSvc_stringValue);
          if (var.netacea_mitSvc_HMAC ~ "0x(.*)") {
            set var.netacea_mitSvc_HMAC = re.group.1;
          }
          set var.netacea_mitSvc_B64 = digest.base64(var.netacea_mitSvc_HMAC);
          if (var.netacea_mitSvc_sig == var.netacea_mitSvc_B64) {
            set var.netacea_mitSvc_forward = false;
          }
        }
      }
    } else {
    set var.netacea_mitSvc_forward = false;
    }
  } else {
  set var.netacea_mitSvc_forward = false;
  }
  set req.http.mitigation_user_id = var.netacea_mitSvc_userId;

  if (var.netacea_mitSvc_forward) {
    set req.backend = F_MitSvc;
    if (req.backend.healthy) {
      unset req.http.netacea_match;
      unset req.http.netacea_mitigate;
      unset req.http.netacea_captcha;

      set req.http.netacea_origin_method = req.method;
      set req.http.netacea_processed = "1";
      set req.http.netacea_origin_host = req.http.host;
      set req.http.X-Netacea-Client-IP = client.ip;
      set req.http.netacea_origin_url = req.url;
      if (req.url != "/AtaVerifyCaptcha") {
        set req.method = "GET";
        set req.url = "/";
      }
      set req.http.X-Netacea-Api-Key = var.netacea_mitSvc_apiKey;
      return(pass);
    }
  }
}

sub netacea_deliver {
  call netacea_calculate_best_mitigation;

  if (req.http.netacea_processed == "1") {
    set req.http.mit_status = resp.status;
    if (resp.status != 200) {
      // Unset these because we're not mitigating anything.
      set req.http.netacea_best_mitigation = "";
      set req.http.netacea_bctype_string = "";
    }
    set req.http.host = req.http.netacea_origin_host;
    set req.url = req.http.netacea_origin_url;
    set req.method = req.http.netacea_origin_method;
    set req.http.netacea_cookies = resp.http.set-cookie;
    set req.http.netacea_mitata_cookie_value = resp.http.x-netacea-mitata-value;
    set req.http.netacea_mitata_cookie_expiry = resp.http.x-netacea-mitata-expiry;
    set req.http.netacea_mitata_captcha_cookie_value = resp.http.x-netacea-mitatacaptcha-value;
    set req.http.netacea_mitata_captcha_cookie_expiry = resp.http.x-netacea-mitatacaptcha-expiry;

    unset req.http.netacea_mitSvc_forward;
    unset req.http.netacea_origin_url;
    unset req.http.netacea_origin_host;
    unset req.http.netacea_origin_method;
    unset req.http.x-netacea-api-key;
    call set_netacea_cookies;
    if (req.http.netacea_best_mitigation != "captcha") {
      restart;
    }
    set resp.status = 403;
    set resp.http.content-type = "text/html; charset=UTF-8";
    return(deliver);
  }
  call set_netacea_cookies;
}

sub set_netacea_cookies {
  # Builds netacea cookies
  if (req.http.netacea_cookies) {
    if (req.http.netacea_mitata_cookie_value && req.http.netacea_mitata_cookie_expiry) {
      if (req.http.netacea_mitata_cookie_value ~ "(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/((\d)(\d)(\d))") {
        set req.http.mitigation_user_id = re.group.3;
      }
      add resp.http.Set-Cookie= "_mitata=" + req.http.netacea_mitata_cookie_value + "; Max-Age=" + req.http.netacea_mitata_cookie_expiry + "; Path=/;";
    }
    if (req.http.netacea_mitata_captcha_cookie_value && req.http.netacea_mitata_captcha_cookie_expiry) {
      add resp.http.Set-Cookie= "_mitatacaptcha=" + req.http.netacea_mitata_captcha_cookie_value + "; Max-Age=" + req.http.netacea_mitata_captcha_cookie_expiry + "; Path=/;";
    }
  }
}

table Netacea_Match_Dict {
  "0": "",
  "1": "ua",
  "2": "ip",
  "3": "visitor",
  "4": "datacenter",
  "5": "sev"
}

table Netacea_Mitigate_Dict {
  "0": "",
  "1": "blocked",
  "2": "allow",
  "3": "hardblocked"
}

table Netacea_Best_Mitigations_Dict {
  "0": "",
  "1": "block",
  "2": "allow",
  "3": "block"
}

table Netacea_Best_Mitigations_Captcha_Dict {
  "1": "captcha",
  "2": "",
  "3": "captcha",
  "4": "",
  "5": "captcha"
}

table Netacea_Captcha_Dict {
  "0": "",
  "1": "captcha_serve",
  "2": "captcha_pass",
  "3": "captcha_fail",
  "4": "captcha_cookiepass",
  "5": "captcha_cookiefail",
}

sub netacea_calculate_best_mitigation {
  if (!req.http.netacea_bctype_string) {
    declare local var.netacea_match STRING;
    declare local var.netacea_mitigate STRING;
    declare local var.netacea_captcha STRING;
    declare local var.netacea_match_string STRING;
    declare local var.netacea_mitigate_string STRING;
    declare local var.netacea_captcha_string STRING;
    declare local var.netacea_captcha_mitigate_string STRING;

    declare local var.netacea_best_mitigation STRING;
    declare local var.netacea_bctype_string STRING;

    if (resp.http.x-netacea-match) { # If netacea mitigation service returns a match, use this
      set var.netacea_match = resp.http.x-netacea-match;
    } elseif (req.http.netacea_match) { # If cookie has a match, use this
      set var.netacea_match = req.http.netacea_match;
    } else {
      set var.netacea_match = "0";
    }

    if (resp.http.x-netacea-mitigate) { # If netacea mitigation service returns a mitigate, use this
      set var.netacea_mitigate = resp.http.x-netacea-mitigate;
    } elseif (req.http.netacea_mitigate) { # If cookie has a mitigate, use this
      set var.netacea_mitigate = req.http.netacea_mitigate;
    } else {
      set var.netacea_mitigate = "0";
    }

    if (resp.http.x-netacea-captcha) { # If netacea mitigation service returns a captcha, use this
      set var.netacea_captcha = resp.http.x-netacea-captcha;
    } elseif (req.http.netacea_captcha) { # If cookie has a captcha, use this
      set var.netacea_captcha = req.http.netacea_captcha;
    } else {
      set var.netacea_captcha = "0";
    }


    # IP, UA, Visitor, Datacentre etc
    if (var.netacea_match) {
      set var.netacea_match_string = table.lookup(Netacea_Match_Dict, var.netacea_match, "unknown");

      if (var.netacea_match_string != "") {
        set var.netacea_bctype_string = var.netacea_match_string + "_";
      }
    }

    # BLOCK, TRUST, HARDBLOCK etc
    if (var.netacea_mitigate) {
      set var.netacea_mitigate_string = table.lookup(Netacea_Mitigate_Dict, var.netacea_mitigate, "unknown");

      if (var.netacea_mitigate_string != "") {
        set var.netacea_bctype_string = var.netacea_bctype_string + var.netacea_mitigate_string;
      }

      set var.netacea_best_mitigation = table.lookup(Netacea_Best_Mitigations_Dict, var.netacea_mitigate, "no-best-mitigation");
      if (var.netacea_best_mitigation == "no-best-mitigation") {
        set var.netacea_best_mitigation = "";
      }
    }

    if (var.netacea_captcha) {
      # 2 and 3 can only be set on /AtaVerifyCaptcha requests
      # If it's not 2 or 3 then set them to the cookie variant
      if (req.url != "/AtaVerifyCaptcha") {
        if (var.netacea_captcha == "2") {
          set var.netacea_captcha = "4";
        } elseif (var.netacea_captcha == "3") {
          set var.netacea_captcha = "5";
        }
      }
      set var.netacea_captcha_string = table.lookup(Netacea_Captcha_Dict, var.netacea_captcha, "unknown");

      if (var.netacea_captcha_string != "") {
        set var.netacea_bctype_string = var.netacea_bctype_string + "," + var.netacea_captcha_string;
      }
      set var.netacea_captcha_mitigate_string = table.lookup(Netacea_Best_Mitigations_Captcha_Dict, var.netacea_captcha, "no-best-captcha-mitigation");
      set req.http.captcha_mitigate_thing = var.netacea_captcha_mitigate_string;
      if (var.netacea_captcha_mitigate_string != "no-best-captcha-mitigation") {
        set var.netacea_best_mitigation = var.netacea_captcha_mitigate_string;
      }
    }

    set req.http.netacea_bctype_string = var.netacea_bctype_string;
    set req.http.netacea_best_mitigation = var.netacea_best_mitigation;

    # Unset x-netacea headers
    unset resp.http.x-netacea-match;
    unset resp.http.x-netacea-mitigate;
    unset resp.http.x-netacea-captcha;

  }
}

File

fastly_edge_modules/templates/netacea_integration_init.html.twig
View source 
  1. backend F_MitSvc {

  2.   .between_bytes_timeout = 0.5s;

  3.   .connect_timeout = 1s;

  4.   .dynamic = true;

  5.   .first_byte_timeout = 1s;

  6.   .host = "mitigations.netacea.net";

  7.   .max_connections = 200;

  8.   .port = "443";

  9.   .share_key = "NETACEAmitigations";

  10.   .ssl = true;

  11.   .ssl_cert_hostname = "mitigations.netacea.net";

  12.   .ssl_check_cert = always;

  13.   .ssl_sni_hostname = "mitigations.netacea.net";

  14.   .probe = {

  15.     .dummy = true;

  16.     .initial = 5;

  17.     .request = "HEAD / HTTP/1.1"  "Host: mitigations.netacea.net" "Connection: close";

  18.     .threshold = 1;

  19.     .timeout = 2s;

  20.     .window = 5;

  21.   }

  22. }

  23. 

  24. sub netacea_recv {

  25.   # Change this value to false to bypass Netacea

  26.   declare local var.netacea_mitSvc_enabled BOOL;

  27.   set var.netacea_mitSvc_enabled = true;

  28. 

  29.   unset req.http.X-Netacea-UserId;

  30. 

  31.   # Unset headers Netacea Set

  32.   unset req.http.netacea_processed;

  33.   if (req.restarts == 0) {

  34.     unset req.http.netacea_bctype_string;

  35.     unset req.http.netacea_best_mitigation;

  36.     unset req.http.netacea_match;

  37.     unset req.http.netacea_mitigate;

  38.     unset req.http.netacea_captcha;

  39.   } else {

  40.     if (req.http.netacea_best_mitigation == "block") {

  41.       error 403;

  42.     }

  43.   }

  44. 

  45.   declare local var.netacea_mitSvc_forward BOOL;

  46.   declare local var.netacea_mitSvc_apiKey STRING;

  47.   declare local var.netacea_mitSvc_secret STRING;

  48. 

  49.   set var.netacea_mitSvc_apiKey = "{{ api_key }}";

  50.   set var.netacea_mitSvc_secret = "{{ secret }}";

  51. 

  52.   declare local var.netacea_mitSvc_exp STRING;

  53.   declare local var.netacea_mitSvc_sig STRING;

  54.   declare local var.netacea_mitSvc_userId STRING;

  55.   declare local var.netacea_valid_atacookie BOOL;

  56.   declare local var.netacea_mitigation_code STRING;

  57. 

  58.   set var.netacea_mitSvc_forward = true;

  59. 

  60.   if (req.http.Cookie:_mitata) {

  61.     if (req.http.Cookie:_mitata ~ "(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/((\d)(\d)(\d))") {

  62.       set var.netacea_valid_atacookie = true;

  63.       set var.netacea_mitSvc_sig = re.group.1;

  64.       set var.netacea_mitSvc_exp = re.group.2;

  65.       set var.netacea_mitSvc_userId = re.group.3;

  66.       set var.netacea_mitigation_code = re.group.4;

  67.       set req.http.netacea_match = re.group.5;

  68.       set req.http.netacea_mitigate = re.group.6;

  69.       set req.http.netacea_captcha = re.group.7;

  70.     } else {

  71.       set var.netacea_valid_atacookie = false;

  72.     }

  73.   }

  74.   if (req.restarts == 0) {

  75.     if (var.netacea_mitSvc_enabled) {

  76.       if (var.netacea_valid_atacookie) {

  77.         set var.netacea_mitSvc_forward = true;

  78.         if (!time.is_after(now, std.time(var.netacea_mitSvc_exp, now))) {

  79.           declare local var.netacea_mitSvc_stringValue STRING;

  80.           declare local var.netacea_mitSvc_HMAC STRING;

  81.           declare local var.netacea_mitSvc_B64 STRING;

  82.           set var.netacea_mitSvc_stringValue = var.netacea_mitSvc_exp + "_/@#/" + var.netacea_mitSvc_userId + "_/@#/" + var.netacea_mitigation_code;

  83.           set var.netacea_mitSvc_HMAC = digest.hmac_sha256(var.netacea_mitSvc_secret, var.netacea_mitSvc_stringValue);

  84.           if (var.netacea_mitSvc_HMAC ~ "0x(.*)") {

  85.             set var.netacea_mitSvc_HMAC = re.group.1;

  86.           }

  87.           set var.netacea_mitSvc_B64 = digest.base64(var.netacea_mitSvc_HMAC);

  88.           if (var.netacea_mitSvc_sig == var.netacea_mitSvc_B64) {

  89.             set var.netacea_mitSvc_forward = false;

  90.           }

  91.         }

  92.       }

  93.     } else {

  94.     set var.netacea_mitSvc_forward = false;

  95.     }

  96.   } else {

  97.   set var.netacea_mitSvc_forward = false;

  98.   }

  99.   set req.http.mitigation_user_id = var.netacea_mitSvc_userId;

  100. 

  101.   if (var.netacea_mitSvc_forward) {

  102.     set req.backend = F_MitSvc;

  103.     if (req.backend.healthy) {

  104.       unset req.http.netacea_match;

  105.       unset req.http.netacea_mitigate;

  106.       unset req.http.netacea_captcha;

  107. 

  108.       set req.http.netacea_origin_method = req.method;

  109.       set req.http.netacea_processed = "1";

  110.       set req.http.netacea_origin_host = req.http.host;

  111.       set req.http.X-Netacea-Client-IP = client.ip;

  112.       set req.http.netacea_origin_url = req.url;

  113.       if (req.url != "/AtaVerifyCaptcha") {

  114.         set req.method = "GET";

  115.         set req.url = "/";

  116.       }

  117.       set req.http.X-Netacea-Api-Key = var.netacea_mitSvc_apiKey;

  118.       return(pass);

  119.     }

  120.   }

  121. }

  122. 

  123. sub netacea_deliver {

  124.   call netacea_calculate_best_mitigation;

  125. 

  126.   if (req.http.netacea_processed == "1") {

  127.     set req.http.mit_status = resp.status;

  128.     if (resp.status != 200) {

  129.       // Unset these because we're not mitigating anything.

  130.       set req.http.netacea_best_mitigation = "";

  131.       set req.http.netacea_bctype_string = "";

  132.     }

  133.     set req.http.host = req.http.netacea_origin_host;

  134.     set req.url = req.http.netacea_origin_url;

  135.     set req.method = req.http.netacea_origin_method;

  136.     set req.http.netacea_cookies = resp.http.set-cookie;

  137.     set req.http.netacea_mitata_cookie_value = resp.http.x-netacea-mitata-value;

  138.     set req.http.netacea_mitata_cookie_expiry = resp.http.x-netacea-mitata-expiry;

  139.     set req.http.netacea_mitata_captcha_cookie_value = resp.http.x-netacea-mitatacaptcha-value;

  140.     set req.http.netacea_mitata_captcha_cookie_expiry = resp.http.x-netacea-mitatacaptcha-expiry;

  141. 

  142.     unset req.http.netacea_mitSvc_forward;

  143.     unset req.http.netacea_origin_url;

  144.     unset req.http.netacea_origin_host;

  145.     unset req.http.netacea_origin_method;

  146.     unset req.http.x-netacea-api-key;

  147.     call set_netacea_cookies;

  148.     if (req.http.netacea_best_mitigation != "captcha") {

  149.       restart;

  150.     }

  151.     set resp.status = 403;

  152.     set resp.http.content-type = "text/html; charset=UTF-8";

  153.     return(deliver);

  154.   }

  155.   call set_netacea_cookies;

  156. }

  157. 

  158. sub set_netacea_cookies {

  159.   # Builds netacea cookies

  160.   if (req.http.netacea_cookies) {

  161.     if (req.http.netacea_mitata_cookie_value && req.http.netacea_mitata_cookie_expiry) {

  162.       if (req.http.netacea_mitata_cookie_value ~ "(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/((\d)(\d)(\d))") {

  163.         set req.http.mitigation_user_id = re.group.3;

  164.       }

  165.       add resp.http.Set-Cookie= "_mitata=" + req.http.netacea_mitata_cookie_value + "; Max-Age=" + req.http.netacea_mitata_cookie_expiry + "; Path=/;";

  166.     }

  167.     if (req.http.netacea_mitata_captcha_cookie_value && req.http.netacea_mitata_captcha_cookie_expiry) {

  168.       add resp.http.Set-Cookie= "_mitatacaptcha=" + req.http.netacea_mitata_captcha_cookie_value + "; Max-Age=" + req.http.netacea_mitata_captcha_cookie_expiry + "; Path=/;";

  169.     }

  170.   }

  171. }

  172. 

  173. table Netacea_Match_Dict {

  174.   "0": "",

  175.   "1": "ua",

  176.   "2": "ip",

  177.   "3": "visitor",

  178.   "4": "datacenter",

  179.   "5": "sev"

  180. }

  181. 

  182. table Netacea_Mitigate_Dict {

  183.   "0": "",

  184.   "1": "blocked",

  185.   "2": "allow",

  186.   "3": "hardblocked"

  187. }

  188. 

  189. table Netacea_Best_Mitigations_Dict {

  190.   "0": "",

  191.   "1": "block",

  192.   "2": "allow",

  193.   "3": "block"

  194. }

  195. 

  196. table Netacea_Best_Mitigations_Captcha_Dict {

  197.   "1": "captcha",

  198.   "2": "",

  199.   "3": "captcha",

  200.   "4": "",

  201.   "5": "captcha"

  202. }

  203. 

  204. table Netacea_Captcha_Dict {

  205.   "0": "",

  206.   "1": "captcha_serve",

  207.   "2": "captcha_pass",

  208.   "3": "captcha_fail",

  209.   "4": "captcha_cookiepass",

  210.   "5": "captcha_cookiefail",

  211. }

  212. 

  213. sub netacea_calculate_best_mitigation {

  214.   if (!req.http.netacea_bctype_string) {

  215.     declare local var.netacea_match STRING;

  216.     declare local var.netacea_mitigate STRING;

  217.     declare local var.netacea_captcha STRING;

  218.     declare local var.netacea_match_string STRING;

  219.     declare local var.netacea_mitigate_string STRING;

  220.     declare local var.netacea_captcha_string STRING;

  221.     declare local var.netacea_captcha_mitigate_string STRING;

  222. 

  223.     declare local var.netacea_best_mitigation STRING;

  224.     declare local var.netacea_bctype_string STRING;

  225. 

  226.     if (resp.http.x-netacea-match) { # If netacea mitigation service returns a match, use this

  227.       set var.netacea_match = resp.http.x-netacea-match;

  228.     } elseif (req.http.netacea_match) { # If cookie has a match, use this

  229.       set var.netacea_match = req.http.netacea_match;

  230.     } else {

  231.       set var.netacea_match = "0";

  232.     }

  233. 

  234.     if (resp.http.x-netacea-mitigate) { # If netacea mitigation service returns a mitigate, use this

  235.       set var.netacea_mitigate = resp.http.x-netacea-mitigate;

  236.     } elseif (req.http.netacea_mitigate) { # If cookie has a mitigate, use this

  237.       set var.netacea_mitigate = req.http.netacea_mitigate;

  238.     } else {

  239.       set var.netacea_mitigate = "0";

  240.     }

  241. 

  242.     if (resp.http.x-netacea-captcha) { # If netacea mitigation service returns a captcha, use this

  243.       set var.netacea_captcha = resp.http.x-netacea-captcha;

  244.     } elseif (req.http.netacea_captcha) { # If cookie has a captcha, use this

  245.       set var.netacea_captcha = req.http.netacea_captcha;

  246.     } else {

  247.       set var.netacea_captcha = "0";

  248.     }

  249. 

  250. 

  251.     # IP, UA, Visitor, Datacentre etc

  252.     if (var.netacea_match) {

  253.       set var.netacea_match_string = table.lookup(Netacea_Match_Dict, var.netacea_match, "unknown");

  254. 

  255.       if (var.netacea_match_string != "") {

  256.         set var.netacea_bctype_string = var.netacea_match_string + "_";

  257.       }

  258.     }

  259. 

  260.     # BLOCK, TRUST, HARDBLOCK etc

  261.     if (var.netacea_mitigate) {

  262.       set var.netacea_mitigate_string = table.lookup(Netacea_Mitigate_Dict, var.netacea_mitigate, "unknown");

  263. 

  264.       if (var.netacea_mitigate_string != "") {

  265.         set var.netacea_bctype_string = var.netacea_bctype_string + var.netacea_mitigate_string;

  266.       }

  267. 

  268.       set var.netacea_best_mitigation = table.lookup(Netacea_Best_Mitigations_Dict, var.netacea_mitigate, "no-best-mitigation");

  269.       if (var.netacea_best_mitigation == "no-best-mitigation") {

  270.         set var.netacea_best_mitigation = "";

  271.       }

  272.     }

  273. 

  274.     if (var.netacea_captcha) {

  275.       # 2 and 3 can only be set on /AtaVerifyCaptcha requests

  276.       # If it's not 2 or 3 then set them to the cookie variant

  277.       if (req.url != "/AtaVerifyCaptcha") {

  278.         if (var.netacea_captcha == "2") {

  279.           set var.netacea_captcha = "4";

  280.         } elseif (var.netacea_captcha == "3") {

  281.           set var.netacea_captcha = "5";

  282.         }

  283.       }

  284.       set var.netacea_captcha_string = table.lookup(Netacea_Captcha_Dict, var.netacea_captcha, "unknown");

  285. 

  286.       if (var.netacea_captcha_string != "") {

  287.         set var.netacea_bctype_string = var.netacea_bctype_string + "," + var.netacea_captcha_string;

  288.       }

  289.       set var.netacea_captcha_mitigate_string = table.lookup(Netacea_Best_Mitigations_Captcha_Dict, var.netacea_captcha, "no-best-captcha-mitigation");

  290.       set req.http.captcha_mitigate_thing = var.netacea_captcha_mitigate_string;

  291.       if (var.netacea_captcha_mitigate_string != "no-best-captcha-mitigation") {

  292.         set var.netacea_best_mitigation = var.netacea_captcha_mitigate_string;

  293.       }

  294.     }

  295. 

  296.     set req.http.netacea_bctype_string = var.netacea_bctype_string;

  297.     set req.http.netacea_best_mitigation = var.netacea_best_mitigation;

  298. 

  299.     # Unset x-netacea headers

  300.     unset resp.http.x-netacea-match;

  301.     unset resp.http.x-netacea-mitigate;

  302.     unset resp.http.x-netacea-captcha;

  303. 

  304.   }

  305. }