All Products
Search
Document Center

Edge Security Acceleration:Match conditions

Last Updated:Jun 19, 2024

When you configure a whitelist rule or a custom rule, you need to configure match conditions for the rule and specify the characteristics of the requests that you want Web Application Firewall (WAF) to detect in the match conditions. This topic describes the fields that you can use in match conditions.

What are match conditions?

A match condition specifies the characteristics of the requests that you want WAF to match. When you configure a custom protection policy, whitelist, or IP address blacklist, you need to configure match conditions. For more information, see Configure custom protection policies, Configure a whitelist, and Configure an IP address blacklist. If a request matches the match conditions that are specified in a protection rule, the request matches the protection rule. Then, WAF performs the action that is specified in the rule on the request, such as Block, JavaScript Validation, or Monitor.

Supported match fields

The following table describes the match fields that are supported in match conditions.

Match field

Supported logical operator

Description

URI

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The Uniform Resource Identifier (URI) of the request. The URI indicates the path of the requested resource. The match content must start with a forward slash (/). The match content cannot contain a domain name. Example: /login.php.

IP

  • Belongs To and Does Not Belong To

  • In the List and Not in the List

The IP address of the client that sends the request.

The IP address that you specify must meet the following requirements:

  • You can enter IPv4 addresses such as 10.10.10.10 or CIDR blocks such as 10.10.10.10/16.

  • The IP address that is used to connect to the POPs is the value of remote_ip in DCDN access logs. For more information, see Log fields.

  • You can enter up to 50 IP addresses and CIDR blocks. Separate them with commas (,).

  • You can reference the IP address group that you configured. For more information, see Configure a WAF IP address group.

Referer

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The URL of the source page from which the access request is redirected.

User-Agent

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The browser information about the client that sends the request. The information includes the browser, rendering engine, and version.

Query String

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The query string in the request. The query string is the part that follows the question mark (?) in the URL.

Cookie

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regex Match and Regular Expression Mismatch

The cookie information in an access request.

Content-Type

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regex Match and Regular Expression Mismatch

The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.

Content-Length

Value Less Than, Equals, and Value Greater Than

The number of bytes in the response. Valid values: 0 to 8192.

X-Forwarded-For

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

The originating IP address of the client that initiates access requests. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in the request that is forwarded by an HTTP proxy or an SLB instance.

Body

  • Equals and Does Not Equal

  • Contains and Does Not Contain

  • Does Not Exist

  • Prefix Match

  • Suffix Match

  • Regex Match

The request body. Requests whose body exceeds 8 KB are no longer blocked.

Http-Method

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH.

Header

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regex Match and Regular Expression Mismatch

The request header. Custom headers are supported.

URI Path

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The URI path of the request.

Query String Parameter

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match

The request parameter in the request URL. The request parameter is the part that follows the question mark (?) in the URL. For example, action=login in www.abc.com/index.html?action=login is the query string.

Host

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The requested domain name.

CookieName

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match

The key of the cookie. For example, awc_tc in acw_tc:111 is the key of the cookie.

BodyParameter

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match

The names of the parameters in the request body. For example, if the request body contains a=1&b=2, a and b are parameter names.

Filename

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The file name at the end of the request path. For example, index.php in /abc/index.php is the file name.

File Extension

  • Equals and Does Not Equal

  • Equals One of Multiple Values and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Contains One of Multiple Values and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regex Match and Regular Expression Mismatch

The file name extension of the requested file. Examples: .png and .php.

Logical operators

Logical operator

Description

Belongs To and Does Not Belong To

Checks whether the match field belongs to the match content.

Contains and Does Not Contain

Checks whether the match field contains the match content.

In the List and Not in the List

Checks whether the match field is in the list.

Contains One of Multiple Values and Does Not Contain Any Value

Checks whether the match field contains one value of the match content.

Equals and Does Not Equal

Checks whether the match field equals the match content.

Equals One of Multiple Values and Does Not Equal Any Value

Checks whether the match field equals one value of the match content.

Length Equal To, Length Greater Than, and Length Less Than

Checks whether the length of the match field is equal to, greater than, or less than that of the match content.

Exists and Does Not Exist

Checks whether the match field exists.

Value Less Than, Equals, and Value Greater Than

Checks whether the value of the match field is less than, equal to, or greater than the value of the match content.

Prefix Match and Suffix Match

Checks whether the prefix or suffix of the match field contains the match content.

Regex Match and Regular Expression Mismatch

Matches the regular expression of the field and does not match the regular expression of the field.

Empty

Checks whether the content of the match field is empty.

Configuration examples

  • Example 1: If you set Match Field to URI, Logical Operator to Contains, and Match Content to /login.php, a request matches the rule if the requested path contains /login.php.

  • Example 2: If you set Match Field to IP, Logical Operator to Belongs To, and Match Content to 192.168.0.1, a request matches the rule if the request is sent from the client whose IP address is 192.168.0.1.