# Default Preferences

From v2.9.0 of DiscrimiNAT, certain behavioural preferences can be set at global level per deployment. These are defined in JSON format in an SSM Parameter named `DiscrimiNAT` (case-sensitive). The default value, used if the parameter is not defined or not accessible, is:

```json
{
  "%default": {
    "wildcard_exposure": "prohibit_public_suffix",
    "flow_log_verbosity": "full",
    "see_thru": null,
    "x509_crls": "ignore"
  }
}
```

Preferences you wish to leave at defaults can be excluded. Any additional JSON keys will simply be ignored.

Preferences are refreshed once every five minutes from the SSM Parameter.
## Preferences

### wildcard_exposure

Generally, `?` matches exactly one character which isn't a `.`, and `*` matches any number of characters except `.`.
#### Options

- `none`: no wildcard characters such as `?` or `*` are allowed at all
- `prohibit_asterisk`: `?` is allowed; `*` is not allowed
- `prohibit_public_suffix`: `?` is allowed; `*` is allowed as long as the domain names that could result from it are not publicly registrable. For example, `*.github.com` is okay but `*.github.io` is not. Another example would be `*.cloudflare.net`, which is effectively public. This is determined using Mozilla's Public Suffix List (PSL) bundled into DiscrimiNAT. The version of the PSL bundled will be in the Release Notes and will be updated with every release.

  If a wildcard pattern is not accepted because it could have led to a Public Suffix List match, a config log message like the following will be emitted:

  ```
  {addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}
  ```

- `nuclear`: `?` is allowed; `*` is allowed with no Public Suffix List safeguard
#### Default

`prohibit_public_suffix`
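The four `wildcard_exposure` modes above, applied to FQDN patterns as an added example. This is illustrative code written for this page, not DiscrimiNAT's implementation: the Public Suffix List subset is a hand-picked handful of rules constructed for the demo (the real product bundles the full list, including its wildcard and exception rules, which are not modelled here), and every `outcome` string except the documented `publicsuffix[.]org list matched with ...` message is an assumed wording. The check treats everything to the right of the last label containing `*` as the fixed suffix, and rejects the pattern when that fixed suffix is itself a public suffix, which is what makes `*.github.com` acceptable and `*.github.io` not.

```python
import re

WILDCARD_EXPOSURE_MODES = ("none", "prohibit_asterisk", "prohibit_public_suffix", "nuclear")

# Constructed subset of Public Suffix List rules for this demo only. "github.io"
# and "cloudflare.net" are the page's own examples of effectively public suffixes.
PUBLIC_SUFFIXES = {"com", "net", "io", "co.uk", "github.io", "cloudflare.net"}

# Lower-case labels, digits, hyphens and the two wildcard characters only.
_PATTERN_RE = re.compile(r"^[a-z0-9.\-*?]+$")


def fixed_suffix_of(pattern):
    """Everything to the right of the last label that contains '*'.

    '*.github.io' -> 'github.io'; 'api*.github.com' -> 'github.com'; '*' -> ''.
    For a pattern without '*' the whole pattern is returned.
    """
    labels = pattern.split(".")
    star_positions = [i for i, label in enumerate(labels) if "*" in label]
    if not star_positions:
        return pattern
    return ".".join(labels[star_positions[-1] + 1:])


def check_wildcard_pattern(pattern, mode):
    """Apply the wildcard_exposure policy to one FQDN pattern.

    Returns (allowed, log_entry); log_entry mirrors the shape of the config log
    message shown in the docs. Outcome texts other than the PSL one are assumed.
    """
    if mode not in WILDCARD_EXPOSURE_MODES:
        raise ValueError(f"unknown wildcard_exposure mode {mode!r}")
    entry = {"addr": pattern, "cat": "addr"}

    malformed = (not _PATTERN_RE.match(pattern) or ".." in pattern
                 or pattern.startswith(".") or pattern.endswith("."))
    if malformed:
        return False, {**entry, "outcome": "malformed pattern"}

    has_question = "?" in pattern
    has_asterisk = "*" in pattern

    if mode == "none" and (has_question or has_asterisk):
        return False, {**entry, "outcome": "wildcard characters prohibited"}
    if mode == "prohibit_asterisk" and has_asterisk:
        return False, {**entry, "outcome": "asterisk prohibited"}
    if mode == "prohibit_public_suffix" and has_asterisk:
        suffix = fixed_suffix_of(pattern)
        if suffix == "":
            # Nothing fixed remains, so the pattern could match any name at all.
            return False, {**entry, "outcome": "asterisk with no fixed suffix"}
        if suffix in PUBLIC_SUFFIXES:
            return False, {**entry,
                           "outcome": f"publicsuffix[.]org list matched with `{suffix}`"}
    # "nuclear" applies no safeguard; anything well-formed is accepted.
    return True, {**entry, "outcome": "accepted"}


if __name__ == "__main__":
    for candidate in ("*.github.com", "*.github.io", "api?.github.com", "*"):
        for mode in WILDCARD_EXPOSURE_MODES:
            allowed, log = check_wildcard_pattern(candidate, mode)
            print(f"{mode:>22}  {allowed!s:5}  {log}")
```

Running the block prints one decision line per pattern and mode; the log dictionary for `*.github.io` under `prohibit_public_suffix` carries the same outcome text as the documented config log message.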
### flow_log_verbosity

This setting only impacts the flow logs. Config log verbosity and behaviour will not be affected.

#### Options

- `full`: all allowed and disallowed flows, for both the client requests and the server responses, are logged in the flow logs
- `only_disallowed`: only disallowed flows will be logged
- `none`: no flow logs at all

#### Default

`full`
### see_thru

The `see_thru` non-blocking, monitoring mode can be enabled for an entire deployment from this level, rather than per Security Group. This is only the default and does not override a see-thru mode defined at a more granular level, even if the one at the granular level may have expired.

See the see-thru mode docs for understanding this non-blocking, monitoring mode in detail.

#### Options

- a `yyyy-mm-dd` formatted date
- `null` to not enable see_thru at the default level. The `null` value is specified without quotes; alternatively, this top-level key can be left out completely.

#### Default

`null`
### x509_crls

#### Options

- `auto_allow`: automatically allow plaintext HTTP CRL endpoints of the x509 SSL certificates for all TLS FQDNs allowlisted.
- `ignore`: do not allow CRL endpoints automatically.

#### Default

`ignore`
## Examples

It may be useful to turn on the non-blocking, monitoring `see_thru` mode until a specified date on a new deployment of DiscrimiNAT. This would ensure apps continue to work while data is captured for eventually building an allowlist from:

```json
{"%default":{"see_thru":"2025-02-19"}}
```

Ultimately, when allowlists are built and enforced, you may want to turn off flow logs for allowed connections, saving on logging costs:

```json
{"%default":{"flow_log_verbosity":"only_disallowed"}}
```

To also enable automatic allowing of X509 CRL endpoints:

```json
{"%default":{"flow_log_verbosity":"only_disallowed","x509_crls":"auto_allow"}}
```
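How a parameter value like the examples above resolves against the documented defaults, as an added example covering the merge rules from the top of the page together with the `see_thru` and `flow_log_verbosity` options. This is illustrative code written for this page, not DiscrimiNAT's own code, and it makes three assumptions the page does not state: a value that is not valid JSON is rejected, an option value outside the documented set is rejected rather than silently applied, and a `see_thru` date keeps monitoring mode active through that date inclusive. The `%default` block, the documented defaults and the rule that unknown keys are ignored come straight from the page.

```python
import json
from datetime import date, datetime

# Defaults exactly as documented for the "%default" block.
DEFAULT_PREFERENCES = {
    "wildcard_exposure": "prohibit_public_suffix",
    "flow_log_verbosity": "full",
    "see_thru": None,
    "x509_crls": "ignore",
}

# Documented option values per enumerated key; see_thru is validated as a date.
ALLOWED_VALUES = {
    "wildcard_exposure": {"none", "prohibit_asterisk", "prohibit_public_suffix", "nuclear"},
    "flow_log_verbosity": {"full", "only_disallowed", "none"},
    "x509_crls": {"auto_allow", "ignore"},
}


def parse_see_thru(value):
    """Return a validated 'yyyy-mm-dd' string, or None for JSON null."""
    if value is None:
        return None
    if not isinstance(value, str):
        raise ValueError("see_thru must be a yyyy-mm-dd string or null")
    datetime.strptime(value, "%Y-%m-%d")  # raises ValueError on any other shape
    return value


def resolve_preferences(raw_value):
    """Merge the "%default" block of the parameter's JSON over the defaults.

    raw_value is the string fetched from the SSM Parameter, or None when the
    parameter is missing or not accessible (then the defaults apply, as
    documented). Keys left out keep their defaults; keys that are not
    preferences are ignored. Assumption: malformed JSON and unknown option
    values raise ValueError instead of being applied.
    """
    prefs = dict(DEFAULT_PREFERENCES)
    if raw_value is None:
        return prefs
    try:
        document = json.loads(raw_value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"preferences are not valid JSON: {exc}") from None
    block = document.get("%default", {}) if isinstance(document, dict) else {}
    for key, value in block.items():
        if key in ALLOWED_VALUES:
            if value not in ALLOWED_VALUES[key]:
                raise ValueError(f"{key}: unsupported value {value!r}")
            prefs[key] = value
        elif key == "see_thru":
            prefs[key] = parse_see_thru(value)
        # Any other key is ignored, as documented.
    return prefs


def see_thru_active(prefs, today=None):
    """True when a default-level see_thru date is set and has not passed.

    today is a 'yyyy-mm-dd' string (defaults to the current date). Assumption:
    the monitoring window includes the see_thru date itself.
    """
    until = prefs["see_thru"]
    if until is None:
        return False
    today = today or date.today().isoformat()
    return datetime.strptime(today, "%Y-%m-%d") <= datetime.strptime(until, "%Y-%m-%d")


def flow_is_logged(prefs, allowed):
    """Decide whether one flow appears in the flow logs under flow_log_verbosity."""
    verbosity = prefs["flow_log_verbosity"]
    if verbosity == "full":
        return True
    if verbosity == "only_disallowed":
        return not allowed
    return False


if __name__ == "__main__":
    # Constructed parameter value: the page's first example plus an extra key.
    sample = '{"%default":{"see_thru":"2025-02-19","unrelated":true}}'
    prefs = resolve_preferences(sample)
    print(prefs)
    print("see_thru active on 2025-02-19:", see_thru_active(prefs, "2025-02-19"))
    print("see_thru active on 2025-02-20:", see_thru_active(prefs, "2025-02-20"))
```

In a real deployment the `raw_value` would come from an SSM `GetParameter` call; passing `None` models the "not defined or not accessible" case, which must yield exactly the documented defaults.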