Match conditions for DCDN WAF protection policies - Edge Security Acceleration

When you configure a whitelist rule or a custom rule, you need to configure match conditions for the rule and specify the characteristics of the requests that you want Web Application Firewall (WAF) to detect in the match conditions. This topic describes the fields that you can use in match conditions.

What are match conditions?

A match condition specifies the characteristics of the requests that you want WAF to match. When you configure a custom protection policy, whitelist, or IP address blacklist, you need to configure match conditions. For more information, see Configure custom protection policies, Configure a whitelist, and Configure an IP address blacklist. If a request matches the match conditions that are specified in a protection rule, the request matches the protection rule. Then, WAF performs the action that is specified in the rule on the request, such as Block, JavaScript Validation, or Monitor.

Supported match fields

The following table describes the match fields that are supported in match conditions.

Match field	Supported logical operator	Description
URI	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The Uniform Resource Identifier (URI) of the request. The URI indicates the path of the requested resource. The match content must start with a forward slash (`/`). The match content cannot contain a domain name. Example: `/login.php`.
IP	Belongs To and Does Not Belong To In the List and Not in the List	The IP address of the client that sends the request. The IP address that you specify must meet the following requirements: You can enter IPv4 addresses such as `10.10.10.10` or CIDR blocks such as `10.10.10.10/16`. The IP address that is used to connect to the POPs is the value of remote_ip in DCDN access logs. For more information, see Log fields. You can enter up to 50 IP addresses and CIDR blocks. Separate them with commas (,). You can reference the IP address group that you configured. For more information, see Configure a WAF IP address group.
Referer	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The URL of the source page from which the access request is redirected.
User-Agent	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The browser information about the client that sends the request. The information includes the browser, rendering engine, and version.
Query String	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The query string in the request. The query string is the part that follows the question mark (?) in the URL.
Cookie	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Length Equal To, Length Greater Than, and Length Less Than Regex Match and Regular Expression Mismatch	The cookie information in an access request.
Content-Type	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Regex Match and Regular Expression Mismatch	The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.
Content-Length	Value Less Than, Equals, and Value Greater Than	The number of bytes in the response. Valid values: 0 to 8192.
X-Forwarded-For	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Does Not Exist Length Equal To, Length Greater Than, and Length Less Than	The originating IP address of the client that initiates access requests. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in the request that is forwarded by an HTTP proxy or an SLB instance.
Body	Equals and Does Not Equal Contains and Does Not Contain Does Not Exist Prefix Match Suffix Match Regex Match	The request body. Requests whose body exceeds 8 KB are no longer blocked.
Http-Method	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value	The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH.
Header	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Length Equal To, Length Greater Than, and Length Less Than Regex Match and Regular Expression Mismatch	The request header. Custom headers are supported.
URI Path	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The URI path of the request.
Query String Parameter	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match	The request parameter in the request URL. The request parameter is the part that follows the question mark (?) in the URL. For example, `action=login` in `www.abc.com/index.html?action=login` is the query string.
Host	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The requested domain name.
CookieName	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match	The key of the cookie. For example, `awc_tc` in `acw_tc:111` is the key of the cookie.
BodyParameter	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match	The names of the parameters in the request body. For example, if the request body contains `a=1&b=2`, `a` and `b` are parameter names.
Filename	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The file name at the end of the request path. For example, `index.php` in `/abc/index.php` is the file name.
File Extension	Equals and Does Not Equal Equals One of Multiple Values and Does Not Equal Any Value Contains and Does Not Contain Contains One of Multiple Values and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regex Match and Regular Expression Mismatch	The file name extension of the requested file. Examples: `.png` and `.php`.

Logical operators

Logical operator	Description
Belongs To and Does Not Belong To	Checks whether the match field belongs to the match content.
Contains and Does Not Contain	Checks whether the match field contains the match content.
In the List and Not in the List	Checks whether the match field is in the list.
Contains One of Multiple Values and Does Not Contain Any Value	Checks whether the match field contains one value of the match content.
Equals and Does Not Equal	Checks whether the match field equals the match content.
Equals One of Multiple Values and Does Not Equal Any Value	Checks whether the match field equals one value of the match content.
Length Equal To, Length Greater Than, and Length Less Than	Checks whether the length of the match field is equal to, greater than, or less than that of the match content.
Exists and Does Not Exist	Checks whether the match field exists.
Value Less Than, Equals, and Value Greater Than	Checks whether the value of the match field is less than, equal to, or greater than the value of the match content.
Prefix Match and Suffix Match	Checks whether the prefix or suffix of the match field contains the match content.
Regex Match and Regular Expression Mismatch	Matches the regular expression of the field and does not match the regular expression of the field.
Empty	Checks whether the content of the match field is empty.

Configuration examples

Example 1: If you set Match Field to URI, Logical Operator to Contains, and Match Content to /login.php, a request matches the rule if the requested path contains /login.php.
Example 2: If you set Match Field to IP, Logical Operator to Belongs To, and Match Content to 192.168.0.1, a request matches the rule if the request is sent from the client whose IP address is 192.168.0.1.