1 of 20
2 of 20
3 of 20
4 of 20
5 of 20
6 of 20
7 of 20
8 of 20
9 of 20
10 of 20
11 of 20
12 of 20
13 of 20
14 of 20
15 of 20
16 of 20
17 of 20
18 of 20
19 of 20
20 of 20

doc

Rules Engine for Edge Application

Rules Engine is an Edge Application capability that handles the conditional execution of behaviors through logical operators. By using Rules Engine, you can build an architecture that provides better performance to your users while consuming fewer resources by processing at the origin.

  1. How it works
  2. Processing phases
    2.1. Request phase
    2.2. Response phase
  3. Description
  4. Criteria
    4.1. Variables
    4.2. Comparison Operators
    4.3. Logical Operators
  5. Behaviors
  6. Functions
  7. Mutual Transport Layer Security (mTLS) variables
  8. Debugging rules

1. How it works

Each requisition made to an application built with Azion Real-Time Manager is processed in a fixed sequence of two phases: first the Request Phase, then the Response Phase.

At each processing phase, you can define a set of rules to handle the request according to the needs of your application or business. Once you have selected in which of the two phases your rule will be executed, you’ll be able to create a new rule.

Rules are designed to follow a conditional if-then logic. Every rule is composed of Criteria (if) that will define the set of conditions that must be met for the execution of Behaviors (then).

You can use a set of variables, comparison operators, and logical operators to trigger the desired behaviors for your application. If the conditions are met, the behaviors of each rule are executed until all the rules are processed.

Warning: some behaviors can finish the execution of rules. If a sequence of rules includes such behavior, any rules or behaviors that follow the finalizing behavior won’t be executed.

Before you create a rule, you should enable the Application Acceleration module, which extends the usability of Rules Engine by applying serverless computing features to Edge Application. If the module is disabled, only some variables and Behaviors will be available for your rule.

See Creating rules using Rules Engine for Edge Application for a step-by-step guide on how to use Rules Engine.


2. Processing phases

When creating a rule, you’ll be prompted to select one of the two available processing phases: Request Phase or Response Phase.

2.1. Request Phase

In the Request Phase, you can handle your user’s request according to your business rules and define which origins should handle the request in case the requested content isn’t cached.

You can use any variable related to the data sent by your user in the request as variables for Request Phase rules. As the response hasn’t been processed by your application yet, you don’t have access to variables related to the content that will be delivered to your user in this phase.

You also define how Azion should manage your application’s cache in the Request Phase. If your application doesn’t allow any type of cache, you can define the conditions to ignore caching.

2.2. Response Phase

In the Response Phase, your application handles what will be delivered to your users. All handling processed in the Response Phase is dynamic and will be performed individually for each user.


3. Description

Aside from the name of the rule, you can add a description to your rule using the Description field. Your description will be visible from the rule list and can be used to help you identify what the rule does.


4. Criteria

The Criteria section of Rules Engine is where you define the conditions for executing the rule.Criteria are composed of:

  • variables
  • comparison operators
  • arguments, when applicable

The inclusion of arguments in a criteria depends on the comparison operators chosen. The format of the arguments is described in the variables and comparison operators sections below. You can also add logical operators to increase the amount of comparisons that the rule will execute.

For example, this criteria identifies whether a user is accessing your application via a desktop web browser using a regular expression as an argument:

  Variable Comparison operator Argument
If ${http_user_agent} matches (Chrome|Mozilla)

4.1. Variables

Variable Description Phase
${arg_name} The name argument sent by the user on the request line (query string). For example: for the GET /path?Search=test request, the variable will assume the value test. Request Phase
Response Phase
${args} All arguments sent by the user in the request string (query string). For example: for the GET /path?Search=test request, the variable will assume the value Search=test. Request Phase
Response Phase
${cookie_name} Value of the cookie name. For example, for cookie_icl_current_language = pt-br, the variable ${cookie_icl_current_language} will assume the value pt-br. Request Phase
Response Phase
${device_group} User device group. You can customize your device groups in the Device Groups tab of your application in Real-Time Manager. Request Phase
Response Phase
${geoip_city_continent_code} 2-letter continent code, using the geolocation base geoip_city. For example: EU for Europe, NA for North America. Request Phase
Response Phase
${geoip_city_country_code} 2-letter country code, using the geolocation base geoip_city. For example: RU for Russia, BR for Brazil. Request Phase
Response Phase
${geoip_city} Name of the city, using the geolocation base geoip_city. For example: Sao Paulo, London. Request Phase
Response Phase
${geoip_continent_code} 2-letter continent code. For example: EU for Europe, NA for North America. Request Phase
Response Phase
${geoip_city_country_name} Name of the country, using the geolocation base geoip_city. For example: United States, Brazil. Request Phase
Response Phase
${geoip_country_code} 2-letter country code, using the geolocation base geoip_country. For example: RU for Russia, BR for Brazil. Request Phase
Response Phase
${geoip_country_name} Name of the country, using the geolocation base geoip_country. For example: United States, Brazil. Request Phase
Response Phase
${geoip_region_name} Name of the country, using the geolocation base geoip_region. For example: Ontario, Sao Paulo. Request Phase
Response Phase
${geoip_region} 2-letter region code. For example: RS for Rio Grande do Sul, ON for Toronto. Request Phase
Response Phase
${host} In order of precedence: the host name of the request line, or the value of the Host header field of the request, or the name of the server serving the request. Request Phase
Response Phase
${http_name} The value of a request header. name must be a valid HTTP request header converted to lowercase; hyphens must be converted to underscore. For example: ${http_accept} will take the value of the Accept header of the HTTP request field. Request Phase
Response Phase
${remote_addr} The IP address of the client performing the HTTP request. Request Phase
Response Phase
${remote_user} The username provided by basic authentication, if any. Request Phase
Response Phase
${request} Complete request query. Request Phase
Response Phase
${request_body} POST arguments sent in the body of the request. Request Phase
Response Phase
${request_method} The HTTP method of the request. For example: GET. Request Phase
Response Phase
${request_uri} The complete URI of the request, with arguments (query string). Request Phase
Response Phase
${scheme} The scheme of the request. For example: http or https. Request Phase
Response Phase
${sent_http_name} The value of the response header field name. The name argument must be converted to lowercase and the hyphens must be converted to underscore. For example: ${sent_http_content_length} will take the value of the Content-Length header. Response Phase
${status} Status code of the response. Response Phase
${upstream_addr} The IP address and port of the queried origin for obtaining the response. If many origins are consulted during the processing of the request, the addresses will be separated by a comma. For example: 192.168.1.1:80, 192.168.1.2:80. If an internal redirect from one group of servers to another occurs, initiated by an X-Accel-Redirect or an error page, the addresses of the different groups will be separated by a colon. For example: 192.168.1.1:80, 192.168.1.2:80 : 192.168.10.1:80, 192.168.10.2:80. Response Phase
${upstream_cookie_name} Value of cookie name sent by the origin using the Set-Cookie header field. If many origins are consulted while the request is processed, only cookies from the last origin are stored. Response Phase
${upstream_http_name} Value of the name header field sent by the origin. The name argument must be converted to lowercase and the hyphens must be converted to underscore. If many origins are consulted while the request is processed, only headers from the last origin are stored. For example: ${upstream_http_server} will assume the value of the Server header field sent by the last queried origin. Response Phase
${upstream_status} Status code of the origin response sent to RTM. If many origins are consulted while the request is processed, the status codes will be separated by a comma. If an internal redirect from one group of servers to another is initiated by an X-Accel-Redirect or an error page, the status codes of the different groups will be separated by a colon. Response Phase
${uri} The normalized (urldecoded) URI of the request. The value of ${uri} can change during the processing of a request, for example, when an internal redirect occurs or when index files are used. For query string parameters, use ${request_uri}. Request Phase
Response Phase

4.2. Comparison Operators

Operator Description Argument type
is equal The value of the variable is exactly the same as the argument. string
is not equal The value of the variable isn’t the same as the argument. string
starts with The value of the variable starts with the argument. string
does not start with The value of the variable doesn’t start with the argument. string
matches The value of the variable matches the regular expression entered as an argument. regular expression
does not match The value of the variable doesn’t match the regular expression entered as an argument. regular expression
exists The variable has a defined value. For example: ${arg_search} exists if a search argument was sent in the request query string. -
does not exist The variable doesn’t have a defined value. For example: ${arg_search} doesn’t exist if a search argument wasn’t sent in the request query string. -

4.3. Logical Operators

Multiple criteria can be defined using the logical operators AND and OR. Each rule can have up to 10 criteria.

The operator AND has implicit precedence over the operator OR. If explicit precedence is required, you can add more criteria groups using the AND operator only.


5. Behaviors

In the Behaviors section of the Rules Engine, you must add the behaviors you want your rule to perform if the conditions defined in the criteria are met.

For example, this behavior redirects the user to an English version of an FAQ location:

Behavior Argument
Redirect To (302 Found) /en-us/faq

Each rule can perform up to 10 behaviors.

Each behavior has their own set of requirements, described in the table below.

Behavior Description Phase Requirements
Add Request Cookie Adds a cookie in the Set-Cookie request header. The cookie must be inputted as an argument in the format cookie-name=cookie-value.

You may use a variable as a cookie value, for example: cookie-name=${arg_cookie}.
Request Phase Application Acceleration
Add Response Cookie Adds a cookie and policies in the Set-Cookie response header. The cookie must be inputted as an argument in the format cookie-name=cookie-value.

For response cookies, the following Set-Cookie policies can be added to the argument, following the cookie value and a semicolon (;):
<li>Expires=date (EEE, d MMM yyyy HH:mm:ss Z)
<li>Domain=domain-value
<li>Path=path-value
<li>Max-age=number (TTL in seconds, takes precedence over Expires)
<li>SameSite=value; Secure
<li>HttpOnly

Multiple policies for the same cookie can be separated by semicolons (;). For example: cookie-name=cookie-value; Domain=domain-value; Path=path-value; SameSite=value.

You may also use variables as a cookie or policy value, for example: Path=${uri}; Domain=${host}.
Response Phase Application Acceleration
Add Request Header Adds a header field to the request that will be sent to the origin. The header field must be informed as an argument in the format Field:value Request Phase -
Add Response Header Adds a header field to the response that will be sent to the user. The header field must be informed as an argument in the format Field: value. Response Phase -
Bypass Cache Defines that Azion shouldn’t cache the response from its origin. The execution of this rule has no impact on the cache in the users’ browser, which must be defined using the Set Cache Policy behavior. Request Phase Application Acceleration
Capture Match Groups Support behavior for handling strings. Stores in a temporary variable the result of capturing correspondence groups defined by a regex applied to one of the available HTTP request fields. This temporary variable can be referenced later in the behavior Rewrite Request to assemble the rewrite string.
This behavior requires three arguments:
captured array name: the name you want to give the temporary variable where the array of captured strings will be stored.
subject: the HTTP request field where you want to capture a string.
regex: the regular expression used to capture the strings. Each captured group must be represented in parentheses.

For example, to capture the path and name of a file in an HTTP request, you could use:
captured array name: capture
subject: ${uri}
regex: ^(./)([^/])$

You may reference the capture variable as an array by using the notation %{variable[index]}. Because it’s a local variable, you can only use it within the same rule you are setting up. In this example, if the URI is /path/image.jpg, the capture variable will have the following values:
%{capture[0]} = “/path/image.jpg”
%{capture[1]} = “/path/”
%{capture[2]} = “image.jpg”

You can also name the indexes to reference them using names instead of a numeric index. To do so, use the ?&lt;name&gt; notation as in the example:
captured array name: capture
subject: ${uri}
regex: ^(?<path>.*/)(?<filename>[^/]*)$
Request Phase Application Acceleration
Deliver Finishes processing the request and delivers the content to the user, without executing any of the rules added later. You are forcing the processing to end immediately. Request Phase
Response Phase
-
Deny (403 Forbidden) Delivers a 403 Forbidden page to the user. Ends the request processing. Request Phase -
Enable Gzip Enables Gzip data compression, if supported by the user’s browser. See the guide on How to enable gzip compression for more information. Request Phase
Response Phase
-
Enable Sliced Files Enables segmentation of large objects into 1MB slices, if their origin supports HTTP range requests. You can use this behavior to optimize the performance of your website or application; if you deliver media larger than 1MB through the CDN so that the content reaches users before Azion has received the entire object from its origin.

When activating this functionality, Azion will request the objects for their origin via range requests and they’ll be cached in Azion with Advanced Cache Key.

If your origin doesn’t support range requests, Azion will only be able to start delivering your content to its users after your origin has completed the complete sending of the object.
Default Rule -
Enforce HLS cache This behavior is automatically included by Azion whenever you select a Live Ingest origin. Performs two actions: the bypass of all your Cache Phase rules and the imposition of the cache policy defined by Azion for live transmissions in HTTP Live Streaming (HLS).

Azion’s cache policy for live HLS streams is 5 seconds of cache for playlists (.m3u8) and 60 seconds of cache for chunks (.ts).
Request Phase Live Ingest
Filter Request Cookie Removes a cookie from the request header that would be sent to the origin. As an argument, add the name of the cookie you want to remove as cookie-name.

To remove only specific values, you must inform the name and value of the cookie as cookie-name=cookie-value.
Request Phase Application Acceleration
Filter Response Cookie Removes a cookie from the request header that would be sent to the user. As an argument, add the name of the cookie you want to remove as cookie-name.

To remove only specific values, you must inform the name and value of the cookie as cookie-name=cookie-value.
Response Phase Application Acceleration
Filter Request Header Removes a request header that would be sent to the origin. The name of the header field must be entered as an argument, for example: Header-Name. Request Phase -
Filter Response Header Removes a response header that would be sent to the user. The name of the header field must be entered as an argument, for example: Header-Name. Response Phase -
Forward Cookies By using the Forward Cookies behavior, you are determining that Azion forwards to the users the Set-Cookie header received from its origin, even in a cache content situation (cache hit).

To prevent a user from receiving another user’s Set-Cookie session, see the guide on Forward Cookies.
Request Phase Application Acceleration
Optimize Images Enables Image Processor. Request Phase Image Processor
Redirect HTTP to HTTPS Redirects the HTTP request to the respective HTTPS URL. If the request is already HTTPS, it doesn’t execute any behavior. Request Phase HTTPS application.
Redirect To (301 Moved Permanently)

Redirect To (302 Found)
These behaviors redirect the user to another URL entered as an argument, returning the status code 301 Moved Permanently or 302 Found.

It is recommended that these behaviors be used for path changes; 301 Moved Permanently for permanent changes and 302 Found for temporary changes.

This behavior ends the request processing.

Warning: in the Response Phase, Redirect To behaviors are only executed when the origin returns a 404 error.
Request Phase
Response Phase
-
Rewrite Request Modifies the resource path that will be requested for the origin. You can rewrite the resource path using:
a string
the requisition variables (which can also be used in Criteria)
the local variables, in the format %{name [index]}, with the result of capturing strings, when using the auxiliary behavior Capture Match Groups.

For example, if you want a user’s request for the /original/image.jpg resource to be sent to its origin as /new/image.jpg, you can:
<li>Use the Capture Match Groups auxiliary behavior with the arguments:
captured array name: capture
subject: ${uri}
regex: /original/(.)
<li>Use the Rewrite Request behavior with the argument /new/%{capture[1]}.
Request Phase Application Acceleration
Run Function Runs a function created using Edge Functions and instantiated in the Edge Functions tab for the edge application. See the guide on How to run serverless functions for more information. Request Phase
Response Phase
Application Acceleration
Edge Functions
Set Cache Policy Assigns the cache policy that should be used for the request. Before configuring this behavior, you must set up the cache policies in the Cache Settings tab. In the Cache Policies section, you can set up the time that an object will be stored in cache and the rules for the variation of objects in cache with the Advanced Cache Key. Request Phase -
Set Origin Assigns an origin that must be consulted by the Intelligent Edge. Before configuring this behavior, you must set up the origins in the Origins tab. Request Phase -

6. Functions

For behaviors that request a mandatory argument, you can use the same variables available for both processing phases. This way, you can compose cookies or HTTP headers via a Response using data collected from a Request, such as the user’s device group or their geolocation.

Azion also provides some functions to simplify the handling of your arguments:

Function and Argument Description
${cookie_time_offset(number)} Returns the current date plus an offset in seconds, entered as an argument, to be used to define the expiration time of a cookie. For example, if you want the cookie to expire in 1 hour, use the Add Response Cookie behavior with the argument: cookie-name=cookie-value; Expires=${cookie_time_offset(3600)}
${encode_base64(string)} Returns the arguments coded in base64. For example: ${encode_base64(http://www.yourdomain.com/)} will return the value d3d3LmRvbWFpbi5jb20K

7. Mutual Transport Layer Security (mTLS) variables

Add those variables inside the Rules Engine of your edge application to configure Mutual Transport Layer Security (mTLS).

Find out more about support for mTLS and the difference between Enforce (standard) and Permissive modes.

Variable Description Phase
${ssl_client_fingerprint} Returns the Secure Hash Algorithm 1 (SHA-1) of the client certificate. Request
${ssl_client_escaped_cert} Returns the client certificate in Private Enhanced Mail (PEM) format as URL encoded string. Request
${ssl_client_s_dn} Returns the “subject DN” string of the client certificate. Request
${ssl_client_s_dn_parsed} Returns the extracted “subject CN” value of the client certificate. Request
${ssl_client_cert} Returns the client certificate (PEM format). This variable is deprecated. Use $ssl_client_escaped_cert instead. Request
${ssl_client_i_dn} Returns the “issuer DN” string of the client certificate. Request
${ssl_client_serial} Returns the serial number of the client certificate. Request
${ssl_client_v_end} Returns the end date (expiration date) of the client certificate. Request
${ssl_client_v_remain} Returns the number of days until the client certificate expires. Request
${ssl_client_v_start} Returns the start date of the client certificate. Request
${ssl_client_verify} Returns the result of the client certificate verification. It can be SUCESS, FAILED:reason, or NONE. Request

Tip: most mTLS services rely on receiving the user certificate. Using Real-Time Manager (RTM), you can send the ${ssl_client_escaped_cert} variable as a Request Header (known as X-Forward-Client-Cert [XFCC]) to the origin, then configure your edge application to use this header with the certificate data.


8. Debugging rules

Note: this functionality is in early access. Contact our Sales team to enable it for your account.

You can debug rules created in Rules Engine for Edge Application through the GraphQL API, Data Streaming, or Real-Time Events.

See How to debug rules created with Rules Engine for detailed information and instructions on how to activate and use this functionality.


Didn’t find what you were looking for? Open a support ticket.