Datum’s AI Edge consists of two resources that work together:
  • HTTPProxy — Layer 7 routing and traffic control
  • TrafficProtectionPolicy — OWASP Core Rule Set WAF protection
The proxy determines where traffic goes and how requests are shaped before reaching your origin. The WAF determines whether traffic is observed or blocked based on security rules. The WAF attaches to a proxy using targetRefs.

HTTPProxy

The HTTPProxy resource handles Layer 7 routing and request processing. It supports hostname routing, path and header matching, redirects, rewrites, CORS, header manipulation, traffic mirroring, and TLS configuration to origin.

Inspect the Schema

datumctl explain httpproxy --recursive

List and Inspect Proxies

# List all proxies
datumctl get httpproxies --namespace default

# View a specific proxy
datumctl get httpproxy <name> --namespace default -o yaml

Feature Reference

HTTPProxy
 ├── metadata
 │    ├── name
 │    ├── namespace
 │    └── annotations

 └── spec
      ├── hostnames[]

      └── rules[]
           ├── name

           ├── matches[]
           │    ├── path
           │    │    ├── type (Exact | PathPrefix | RegularExpression)
           │    │    └── value
           │    ├── headers[]
           │    │    ├── name
           │    │    ├── type (Exact | RegularExpression)
           │    │    └── value
           │    ├── queryParams[]
           │    └── method (GET | POST | PUT | ...)

           ├── filters[] (rule-level)
           │    ├── RequestRedirect
           │    ├── RequestHeaderModifier
           │    ├── ResponseHeaderModifier
           │    ├── RequestMirror
           │    ├── URLRewrite
           │    ├── CORS
           │    └── ExtensionRef

           └── backends[]
                ├── endpoint
                ├── connector
                ├── tls
                └── filters[] (backend-level)
Each rule currently supports a single backend. Multiple backends per rule are not yet supported.

TrafficProtectionPolicy (WAF)

The TrafficProtectionPolicy resource provides application-layer security using the OWASP Core Rule Set. It attaches to the gateway.networking.k8s.io/v1 HTTPRoute that NSO creates from an HTTPProxy (using the same name), scoping the WAF to that proxy’s traffic. Use sectionName to target a specific named rule.

Inspect the Schema

datumctl explain trafficprotectionpolicy --recursive

List and Inspect WAF Policies

# List all WAF policies
datumctl get trafficprotectionpolicies --namespace default

# View a specific policy
datumctl get trafficprotectionpolicy <name> --namespace default -o yaml

Feature Reference

TrafficProtectionPolicy
 ├── metadata

 └── spec
      ├── mode (Observe | Enforce | Disabled)
      ├── samplingPercentage
      ├── ruleSets[]
      │    └── OWASPCoreRuleSet
      │         ├── paranoiaLevels
      │         │    ├── detection
      │         │    └── blocking
      │         ├── scoreThresholds
      │         │    ├── inbound
      │         │    └── outbound
      │         └── ruleExclusions
      │              ├── ids
      │              ├── idRanges
      │              └── tags

      └── targetRefs[]
           ├── group
           ├── kind
           ├── name
           └── sectionName (optional — target a specific rule)
Mode values:
  • Observe (default) — Logs rule matches without blocking traffic. Use this to evaluate impact before enforcing.
  • Enforce — Blocks requests that exceed the score threshold.
  • Disabled — WAF is inactive.
Paranoia levels control how aggressively rules are applied. Higher levels catch more threats but increase false-positive risk. Separate levels can be set for detection (logging) and blocking.

samplingPercentage controls what fraction of traffic is evaluated by the WAF, which is useful for gradual rollout or high-throughput environments.
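
How mode, the two paranoia levels and the inbound score threshold combine into a per-request decision, as an added example (not Datum's code). It models upstream OWASP CRS anomaly scoring and assumes Datum applies it unchanged; the `Policy` fields mirror the tree above, while the rule IDs, the `log-would-block` label and the sample request are constructed.

```python
# Added example: simplified model of upstream OWASP CRS anomaly scoring.
# Assumption: Datum's WAF applies the same scoring; this is not Datum's code.
from dataclasses import dataclass

# Upstream CRS default score added per matched rule, by severity.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

@dataclass(frozen=True)
class RuleMatch:
    rule_id: int         # constructed sample ID, not a real CRS rule
    paranoia_level: int  # level at which the rule becomes active (1-4)
    severity: str

@dataclass(frozen=True)
class Policy:
    mode: str = "Observe"       # Observe | Enforce | Disabled
    detection_pl: int = 1       # paranoiaLevels.detection
    blocking_pl: int = 1        # paranoiaLevels.blocking
    inbound_threshold: int = 5  # scoreThresholds.inbound (upstream CRS default)

def evaluate(policy, matches):
    """Return (action, blocking_score, detection_score) for one request."""
    if policy.mode == "Disabled":
        return ("allow", 0, 0)
    # Upstream CRS rejects a blocking level above the detection level.
    if policy.blocking_pl > policy.detection_pl:
        raise ValueError("blocking paranoia level must not exceed detection level")
    # Rules above the detection level are not evaluated at all.
    active = [m for m in matches if m.paranoia_level <= policy.detection_pl]
    detection_score = sum(SEVERITY_SCORE[m.severity] for m in active)
    # Only rules at or below the blocking level count toward the block decision.
    blocking_score = sum(SEVERITY_SCORE[m.severity] for m in active
                         if m.paranoia_level <= policy.blocking_pl)
    # Upstream CRS acts when the score is at or above the threshold.
    over = blocking_score >= policy.inbound_threshold
    if over and policy.mode == "Enforce":
        return ("block", blocking_score, detection_score)
    if over:
        return ("log-would-block", blocking_score, detection_score)
    return ("allow", blocking_score, detection_score)

# Constructed request: one level-1 warning plus one level-2 critical match.
SAMPLE = [RuleMatch(1001, 1, "WARNING"), RuleMatch(1002, 2, "CRITICAL")]

if __name__ == "__main__":
    for p in (Policy("Observe", 2, 2), Policy("Enforce", 2, 1), Policy("Enforce", 2, 2)):
        print(p, evaluate(p, SAMPLE))
```

With detection at level 2 and blocking at level 1, the level-2 match is logged in the detection score but does not count toward blocking, which is how a higher level can be trialled on live traffic before it is enforced.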

Last modified on June 29, 2026